Build with '-Prelease' (Run) #1
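name: Build with '-Prelease' (Run)

# Workflow_run job for release profile build verification.
# This workflow has access to secrets and runs the actual build.
# Triggered by build-with-release-profile.yml completion.
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
#
# Trust model: the workflow definition (this file) comes from the default
# branch, but the 'pr-info' artifact and the commit that gets checked out and
# built are supplied by the triggering run. Both are untrusted input, and the
# Maven build executes the checked-out project's build definition while the
# signing key and the repository credentials are present on the runner.

on:
  workflow_run:
    workflows: ["Build with '-Prelease' (Trigger)"]
    types:
      - completed

# Deny everything by default; the job below grants only what it needs.
permissions: {}

jobs:
  build:
    # Only run for successful trigger workflow from main repository
    # NOTE(review): workflow_run.repository is the repository the trigger
    # workflow ran in, which is this repository even for pull requests opened
    # from forks; the PR's source repository is reported separately as
    # workflow_run.head_repository. If fork PRs must not reach the secrets
    # used below, compare head_repository.full_name instead.
    if: >
      ${{ github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.repository.full_name == 'a2aproject/a2a-java' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read  # Required to download artifacts
    steps:
      - name: Download PR info
        uses: actions/download-artifact@v4
        with:
          name: pr-info
          github-token: ${{ github.token }}
          run-id: ${{ github.event.workflow_run.id }}

      - name: Extract PR info
        id: pr_info
        run: |
          set -euo pipefail
          # The artifact files are untrusted: validate each value before it is
          # written to GITHUB_OUTPUT, where an embedded newline would let the
          # file define additional step outputs (including pr_sha).
          digits_re='^[0-9]+$'
          sha_re='^[0-9a-fA-F]{40}$'
          cntrl_re='[[:cntrl:]]'
          if [ -f pr_number ]; then
            PR_NUMBER="$(cat pr_number)"
            if [[ ! "${PR_NUMBER}" =~ ${digits_re} ]]; then
              echo "pr_number in artifact is not a plain integer" >&2
              exit 1
            fi
            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
            echo "PR Number: ${PR_NUMBER}"
          else
            echo "No PR number (push event)"
          fi
          PR_SHA="$(cat pr_sha)"
          if [[ ! "${PR_SHA}" =~ ${sha_re} ]]; then
            echo "pr_sha in artifact is not a 40-character commit SHA" >&2
            exit 1
          fi
          echo "pr_sha=${PR_SHA}" >> "$GITHUB_OUTPUT"
          echo "PR SHA: ${PR_SHA}"
          PR_REF="$(cat pr_ref)"
          if [[ -z "${PR_REF}" || "${PR_REF}" =~ ${cntrl_re} ]]; then
            echo "pr_ref in artifact is empty or contains control characters" >&2
            exit 1
          fi
          echo "pr_ref=${PR_REF}" >> "$GITHUB_OUTPUT"
          echo "PR Ref: ${PR_REF}"

      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          # Checkout the exact commit from the PR (or push).
          # The workflow file itself is always taken from main, but everything
          # checked out here (pom.xml, plugins, sources) is PR-controlled and
          # is executed by the Maven step below.
          ref: ${{ steps.pr_info.outputs.pr_sha }}
          # Do not leave the job token in .git/config for the build to read.
          persist-credentials: false

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          # NOTE(review): this job runs in the default-branch context, so a
          # cache saved after building PR-supplied code may be restored by
          # later trusted runs. Confirm this cache is wanted here.
          cache: maven

      # Use secrets to import GPG key
      # This third-party action receives the signing key, and a tag such as
      # v6 can be moved; consider pinning it to a full commit SHA.
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}

      # Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
      # Populate with username and password from secrets
      # The secrets are passed through the environment rather than expanded
      # into the script text, so shell metacharacters in a value are not
      # interpreted by the shell.
      - name: Create settings.xml
        env:
          CENTRAL_TOKEN_USERNAME: ${{ secrets.CENTRAL_TOKEN_USERNAME }}
          CENTRAL_TOKEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN_PASSWORD }}
        run: |
          mkdir -p ~/.m2
          printf '%s\n' "<settings><servers><server><id>central-a2asdk-temp</id><username>${CENTRAL_TOKEN_USERNAME}</username><password>${CENTRAL_TOKEN_PASSWORD}</password></server></servers></settings>" > ~/.m2/settings.xml

      # Build with the same settings as the deploy job
      # -s uses the settings file we created.
      # NOTE(review): this step runs the checked-out project's build with the
      # imported GPG key, the GPG passphrase and the Central credentials all
      # reachable by that build. Restricting which commits reach this job is
      # the control that matters; see the note on the job's 'if' condition.
      - name: Build with same arguments as deploy job
        run: >
          mvn -B install
          -s ~/.m2/settings.xml
          -P release
          -DskipTests
          -Drelease.auto.publish=true
        env:
          # GPG passphrase is set as an environment variable for the gpg plugin to use
          GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}

      - name: Build Summary
        if: always()
        env:
          # Read values from the environment instead of expanding expressions
          # inside the script, so artifact-derived text is never parsed as
          # shell code.
          JOB_STATUS: ${{ job.status }}
          PR_NUMBER: ${{ steps.pr_info.outputs.pr_number }}
        run: |
          if [ "${JOB_STATUS}" = "success" ]; then
            echo "✅ Release profile build succeeded"
            if [ -n "${PR_NUMBER}" ]; then
              echo " PR #${PR_NUMBER} is ready for release"
            fi
          else
            echo "❌ Release profile build failed"
            if [ -n "${PR_NUMBER}" ]; then
              echo " PR #${PR_NUMBER} has release profile issues"
            fi
          fi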