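name: Build with '-Prelease' (Run)

# Workflow_run job for release profile build verification.
# This workflow has access to secrets and runs the actual build.
# Triggered by build-with-release-profile.yml completion.
#
# Trust boundary (see the securitylab article below): this file is taken from
# the default branch and is trusted, but what it consumes from the trigger run
# is not. The `pr-info` artifact (pr_number, pr_sha, pr_ref) is written by the
# trigger run, which for a pull_request executes the PR's own copy of that
# workflow, so every value in it is attacker-influenced and is validated before
# it reaches GITHUB_OUTPUT, a shell command, a JavaScript literal or the
# checkout action. The checked-out tree (pom.xml and the plugins it declares)
# then executes in `mvn install` while the GPG signing key is in the keyring
# and the Central credentials are in ~/.m2/settings.xml, which is why the job
# is restricted to code from this repository's own branches.
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests

on:
  workflow_run:
    workflows: ["Build with '-Prelease' (Trigger)"]
    types:
      - completed

# No token permissions by default; each job opts in to what it needs.
permissions: {}

jobs:
  build:
    # Only run for a successful trigger workflow from the main repository.
    # `workflow_run.repository` is the repository the trigger run executed in,
    # which for a pull_request run is the base repository even when the PR
    # comes from a fork, so on its own it does not exclude fork PRs.
    # `workflow_run.head_repository` is the repository the PR branch lives in
    # (the fork, or this repository for same-repo branches) and is checked too.
    # If fork PRs are meant to be verified here, that line must go -- but then
    # the secrets below become reachable from a fork's pom.xml.
    if: >
      ${{ github.event.workflow_run.conclusion == 'success' &&
          github.event.workflow_run.repository.full_name == 'a2aproject/a2a-java' &&
          github.event.workflow_run.head_repository.full_name == 'a2aproject/a2a-java' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read   # Required to download artifacts from the trigger run
      statuses: write # Required to report status back to the PR
    steps:
      - name: Download PR info
        uses: actions/download-artifact@v4
        with:
          name: pr-info
          github-token: ${{ github.token }}
          run-id: ${{ github.event.workflow_run.id }}

      # The artifact files are untrusted input. Each value is checked as a whole
      # string with `[[ =~ ]]` (so a multi-line value fails, and cannot inject
      # extra `key=value` lines into GITHUB_OUTPUT) before it becomes an output.
      - name: Extract PR info
        id: pr_info
        shell: bash
        run: |
          set -euo pipefail
          if [ -f pr_number ]; then
            PR_NUMBER=$(cat pr_number)
            if [[ ! "${PR_NUMBER}" =~ ^[0-9]{1,10}$ ]]; then
              echo "::error::pr-info artifact: pr_number is not a decimal integer"
              exit 1
            fi
            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
            echo "PR Number: ${PR_NUMBER}"
          else
            echo "No PR number (push event)"
          fi
          PR_SHA=$(cat pr_sha)
          # Full 40-hex-digit SHA only: this value is handed to actions/checkout.
          if [[ ! "${PR_SHA}" =~ ^[0-9a-f]{40}$ ]]; then
            echo "::error::pr-info artifact: pr_sha is not a 40-hex-digit commit SHA"
            exit 1
          fi
          echo "pr_sha=${PR_SHA}" >> "$GITHUB_OUTPUT"
          echo "PR SHA: ${PR_SHA}"
          PR_REF=$(cat pr_ref)
          # pr_ref is only echoed, so it is not whitelisted; it must still be a
          # single printable line to be a valid GITHUB_OUTPUT entry.
          if [[ "${PR_REF}" =~ [^[:print:]] ]] || [ "${#PR_REF}" -gt 255 ]; then
            echo "::error::pr-info artifact: pr_ref is not a single printable line"
            exit 1
          fi
          echo "pr_ref=${PR_REF}" >> "$GITHUB_OUTPUT"
          echo "PR Ref: ${PR_REF}"

      - name: Report pending status to PR
        if: steps.pr_info.outputs.pr_sha
        uses: actions/github-script@v7
        env:
          # Passed through the environment rather than interpolated into the
          # script, so the value cannot alter the JavaScript source.
          PR_SHA: ${{ steps.pr_info.outputs.pr_sha }}
        with:
          script: |
            await github.rest.repos.createCommitStatus({
              owner: context.repo.owner,
              repo: context.repo.repo,
              sha: process.env.PR_SHA,
              state: 'pending',
              context: 'Build with -Prelease',
              description: 'Building with release profile...',
              // github.repository / github.run_id are set by GitHub, not by the PR.
              target_url: 'https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
            });

      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          # Checkout the exact commit from the PR (or push). The workflow
          # definition (this file) always comes from the default branch, but the
          # checked-out tree -- including pom.xml and the plugins it declares --
          # is the PR author's code and executes in the build step below.
          ref: ${{ steps.pr_info.outputs.pr_sha }}
          # The build does not push; keep the job token out of .git/config so
          # the PR's build cannot read it.
          persist-credentials: false

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          # NOTE(review): this run executes in default-branch context, so a
          # cache saved here from an untrusted build could be restored by later
          # default-branch jobs -- confirm that is acceptable for the deploy job.
          cache: maven

      # Use secrets to import GPG key. The key is in the runner keyring while
      # the PR's build runs; see the trust-boundary note at the top.
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}

      # Create settings.xml for Maven since it needs the 'central-a2asdk-temp'
      # server. The secrets are passed as environment variables and expanded by
      # the heredoc, so quotes or `$` in a credential neither break the shell
      # command nor get re-evaluated; umask keeps the file owner-readable only.
      - name: Create settings.xml
        env:
          CENTRAL_USERNAME: ${{ secrets.CENTRAL_TOKEN_USERNAME }}
          CENTRAL_PASSWORD: ${{ secrets.CENTRAL_TOKEN_PASSWORD }}
        run: |
          set -euo pipefail
          umask 077
          mkdir -p ~/.m2
          cat > ~/.m2/settings.xml <<EOF
          <settings><servers><server><id>central-a2asdk-temp</id><username>${CENTRAL_USERNAME}</username><password>${CENTRAL_PASSWORD}</password></server></servers></settings>
          EOF

      # Build with the same settings as the deploy job.
      # -s uses the settings file we created.
      # NOTE(review): -Drelease.auto.publish=true is presumably a no-op with
      # `install` (no `deploy`) -- confirm against the release profile in pom.xml.
      - name: Build with same arguments as deploy job
        run: >
          mvn -B install
          -s ~/.m2/settings.xml
          -P release
          -DskipTests
          -Drelease.auto.publish=true
        env:
          # GPG passphrase is set as an environment variable for the gpg plugin to use
          GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}

      - name: Build Summary
        if: always()
        env:
          # Environment variables instead of ${{ }} inside the script: the PR
          # number originates from the artifact and must not be spliced into
          # shell source.
          JOB_STATUS: ${{ job.status }}
          PR_NUMBER: ${{ steps.pr_info.outputs.pr_number }}
        run: |
          if [ "${JOB_STATUS}" = "success" ]; then
            echo "✅ Release profile build succeeded"
            if [ -n "${PR_NUMBER}" ]; then
              echo "  PR #${PR_NUMBER} is ready for release"
            fi
          else
            echo "❌ Release profile build failed"
            if [ -n "${PR_NUMBER}" ]; then
              echo "  PR #${PR_NUMBER} has release profile issues"
            fi
          fi

      - name: Report status to PR
        if: always() && steps.pr_info.outputs.pr_sha
        uses: actions/github-script@v7
        env:
          JOB_STATUS: ${{ job.status }}
          # See the pending-status step: never interpolate the SHA into the script.
          PR_SHA: ${{ steps.pr_info.outputs.pr_sha }}
        with:
          script: |
            const state = process.env.JOB_STATUS === 'success' ? 'success' : 'failure';
            const description = state === 'success'
              ? '✅ Release profile build passed'
              : '❌ Release profile build failed';
            await github.rest.repos.createCommitStatus({
              owner: context.repo.owner,
              repo: context.repo.repo,
              sha: process.env.PR_SHA,
              state: state,
              context: 'Build with -Prelease',
              description: description,
              target_url: 'https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
            });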