2 changes: 1 addition & 1 deletion .github/workflows/build-and-test.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
distribution: 'temurin'
cache: maven
- name: Build with Maven and run tests
run: mvn -Pjavadoc -B package --file pom.xml -fae
run: mvn -B package --file pom.xml -fae
- name: Upload Test Reports
if: failure()
uses: actions/upload-artifact@v4
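--- /dev/null
+++ b/.github/workflows/build-with-release-profile-run.yml
@@ -0,0 +1,108 @@
+name: Build with '-Prelease' (Run)
+
+# Workflow_run job for release profile build verification.
+# This workflow has access to secrets and runs the actual build.
+# Triggered by build-with-release-profile.yml completion.
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+
+on:
+  workflow_run:
+    workflows: ["Build with '-Prelease' (Trigger)"]
+    types:
+      - completed
+
+permissions: {}
+
+jobs:
+  build:
+    # Only run for successful trigger workflow from main repository
+    if: >
+      ${{ github.event.workflow_run.conclusion == 'success' &&
+          github.event.workflow_run.repository.full_name == 'a2aproject/a2a-java' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read # Required to download artifacts
+
+    steps:
+      - name: Download PR info
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-info
+          github-token: ${{ github.token }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Extract PR info
+        id: pr_info
+        run: |
+          if [ -f pr_number ]; then
+            PR_NUMBER=$(cat pr_number)
+            echo "pr_number=${PR_NUMBER}" >> $GITHUB_OUTPUT
+            echo "PR Number: ${PR_NUMBER}"
+          else
+            echo "No PR number (push event)"
+          fi
+
+          PR_SHA=$(cat pr_sha)
+          echo "pr_sha=${PR_SHA}" >> $GITHUB_OUTPUT
+          echo "PR SHA: ${PR_SHA}"
+
+          PR_REF=$(cat pr_ref)
+          echo "pr_ref=${PR_REF}" >> $GITHUB_OUTPUT
+          echo "PR Ref: ${PR_REF}"
+
+      - name: Checkout PR code
+        uses: actions/checkout@v4
+        with:
+          # Checkout the exact commit from the PR (or push)
+          # This is safe because the workflow code (this file) is always from main
+          ref: ${{ steps.pr_info.outputs.pr_sha }}
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: maven
+
+      # Use secrets to import GPG key
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
+          passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
+
+      # Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
+      # Populate with username and password from secrets
+      - name: Create settings.xml
+        run: |
+          mkdir -p ~/.m2
+          echo "<settings><servers><server><id>central-a2asdk-temp</id><username>${{ secrets.CENTRAL_TOKEN_USERNAME }}</username><password>${{ secrets.CENTRAL_TOKEN_PASSWORD }}</password></server></servers></settings>" > ~/.m2/settings.xml
+
+      # Build with the same settings as the deploy job
+      # -s uses the settings file we created.
+      - name: Build with same arguments as deploy job
+        run: >
+          mvn -B install
+          -s ~/.m2/settings.xml
+          -P release
+          -DskipTests
+          -Drelease.auto.publish=true
+        env:
+          # GPG passphrase is set as an environment variable for the gpg plugin to use
+          GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
+
+      - name: Build Summary
+        if: always()
+        run: |
+          if [ "${{ job.status }}" = "success" ]; then
+            echo "✅ Release profile build succeeded"
+            if [ -n "${{ steps.pr_info.outputs.pr_number }}" ]; then
+              echo " PR #${{ steps.pr_info.outputs.pr_number }} is ready for release"
+            fi
+          else
+            echo "❌ Release profile build failed"
+            if [ -n "${{ steps.pr_info.outputs.pr_number }}" ]; then
+              echo " PR #${{ steps.pr_info.outputs.pr_number }} has release profile issues"
+            fi
+          fi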
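Review bot: The `Build with same arguments as deploy job` step runs `mvn -B install -P release` on whatever commit `ref: ${{ steps.pr_info.outputs.pr_sha }}` checks out, after the GPG key has been imported and the central credentials written to `~/.m2/settings.xml`, so Maven executes a pom.xml and plugin set chosen by the PR author while those secrets are present on the runner; the job's `if` compares `workflow_run.repository.full_name`, which as far as I can tell is the base repository even when the triggering PR came from a fork (the fork is `workflow_run.head_repository`), so it does not limit this to trusted code. The comment `This is safe because the workflow code (this file) is always from main` should be reworded to say that only the workflow file is trusted, not the build it runs. At minimum the artifact contents should be validated in `Extract PR info` before they reach `$GITHUB_OUTPUT`, e.g. `[[ "$PR_SHA" =~ ^[0-9a-f]{40}$ ]] || exit 1` and `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || exit 1`, and `Build Summary` should read the outputs through `env:` instead of interpolating `${{ steps.pr_info.outputs.pr_number }}` into the shell script. Consider gating the GPG import and settings.xml steps on `github.event.workflow_run.head_repository.full_name == 'a2aproject/a2a-java'` so fork PRs are built without signing or publishing credentials available.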
71 changes: 30 additions & 41 deletions .github/workflows/build-with-release-profile.yml
@@ -1,12 +1,13 @@
name: Build with '-Prelease'

# Simply runs the build with -Prelease to avoid nasty surprises when running the release-to-maven-central workflow.
name: Build with '-Prelease' (Trigger)

# Trigger workflow for release profile build verification.
# This workflow runs on PRs and uploads the PR info for the workflow_run job.
# The actual build with secrets happens in build-with-release-profile-run.yml
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests

on:
# Handle all branches for now
pull_request: # Changed from pull_request_target for security
push:
pull_request_target:
workflow_dispatch:

# Only run the latest job
Expand All @@ -15,47 +16,35 @@ concurrency:
cancel-in-progress: true

jobs:
build:
trigger:
# Only run this job for the main repository, not for forks
if: github.repository == 'a2aproject/a2a-java'
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
cache: maven

# Use secrets to import GPG key
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}

# Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
# Populate wqith username and password from secrets
- name: Create settings.xml
- name: Prepare PR info
run: |
mkdir -p ~/.m2
echo "<settings><servers><server><id>central-a2asdk-temp</id><username>${{ secrets.CENTRAL_TOKEN_USERNAME }}</username><password>${{ secrets.CENTRAL_TOKEN_PASSWORD }}</password></server></servers></settings>" > ~/.m2/settings.xml

# Build with the same settings as the deploy job
# -s uses the settings file we created.
- name: Build with same arguments as deploy job
run: >
mvn -B install
-s ~/.m2/settings.xml
-P release
-DskipTests
-Drelease.auto.publish=true
env:
# GPG passphrase is set as an environment variable for the gpg plugin to use
GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
mkdir -p pr_info

# Store PR number for workflow_run job
if [ "${{ github.event_name }}" = "pull_request" ]; then
echo ${{ github.event.number }} > pr_info/pr_number
echo ${{ github.event.pull_request.head.sha }} > pr_info/pr_sha
echo ${{ github.event.pull_request.head.ref }} > pr_info/pr_ref
else
# For push events, store the commit sha
echo ${{ github.sha }} > pr_info/pr_sha
echo ${{ github.ref }} > pr_info/pr_ref
fi

echo "Event: ${{ github.event_name }}"
cat pr_info/*

- name: Upload PR info
uses: actions/upload-artifact@v4
with:
name: pr-info
path: pr_info/
retention-days: 1
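Review bot: The `Prepare PR info` step interpolates `${{ github.event.pull_request.head.ref }}`, a branch name chosen by the PR author, directly into the `run:` shell script on the `echo ... > pr_info/pr_ref` line, which is the expression-injection pattern GitHub's hardening guide warns about; the job has only `contents: read` and no secrets, so the exposure is small, but the value should still be passed via `env:` with `HEAD_REF: ${{ github.event.pull_request.head.ref }}` and written with `printf '%s\n' "$HEAD_REF" > pr_info/pr_ref`. The comment `Only run this job for the main repository, not for forks` above `if: github.repository == 'a2aproject/a2a-java'` is inaccurate: `github.repository` is the base repository for a fork PR as well, so fork PRs still run this job and produce the artifact the privileged workflow_run job consumes; excluding forks would require checking `github.event.pull_request.head.repo.full_name`. The `concurrency` mapping this hunk opens inside starts outside the hunk.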
14 changes: 0 additions & 14 deletions pom.xml
Expand Up @@ -511,20 +511,6 @@
</modules>

<profiles>
<profile>
<!--
This profile generates the required javadoc.
-->
<id>javadoc</id>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
</plugin>
</plugins>
</build>
</profile>
<profile>
<!--
This profile generates the required sources and javadoc in order to be able to deploy.