chore: Add proper testing of -P release of pull requests (#559)

Remove the -Pjavadoc profile and workaround

Author: kabir

.github/workflows/build-and-test.yml

@@ -26,7 +26,7 @@ jobs:
         distribution: 'temurin'
         cache: maven
     - name: Build with Maven and run tests
-      run: mvn -Pjavadoc -B package --file pom.xml -fae
+      run: mvn -B package --file pom.xml -fae
     - name: Upload Test Reports
       if: failure()
       uses: actions/upload-artifact@v4

.github/workflows/build-with-release-profile-run.yml

@@ -0,0 +1,108 @@
+name: Build with '-Prelease' (Run)
+
+# Workflow_run job for release profile build verification.
+# This workflow has access to secrets and runs the actual build.
+# Triggered by build-with-release-profile.yml completion.
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+
+on:
+  workflow_run:
+    workflows: ["Build with '-Prelease' (Trigger)"]
+    types:
+      - completed
+
+permissions: {}
+
+jobs:
+  build:
+    # Only run for successful trigger workflow from main repository
+    if: >
+      ${{ github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.repository.full_name == 'a2aproject/a2a-java' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read  # Required to download artifacts
+
+    steps:
+      - name: Download PR info
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-info
+          github-token: ${{ github.token }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Extract PR info
+        id: pr_info
+        run: |
+          if [ -f pr_number ]; then
+            PR_NUMBER=$(cat pr_number)
+            echo "pr_number=${PR_NUMBER}" >> $GITHUB_OUTPUT
+            echo "PR Number: ${PR_NUMBER}"
+          else
+            echo "No PR number (push event)"
+          fi
+
+          PR_SHA=$(cat pr_sha)
+          echo "pr_sha=${PR_SHA}" >> $GITHUB_OUTPUT
+          echo "PR SHA: ${PR_SHA}"
+
+          PR_REF=$(cat pr_ref)
+          echo "pr_ref=${PR_REF}" >> $GITHUB_OUTPUT
+          echo "PR Ref: ${PR_REF}"
+
+      - name: Checkout PR code
+        uses: actions/checkout@v4
+        with:
+          # Checkout the exact commit from the PR (or push)
+          # This is safe because the workflow code (this file) is always from main
+          ref: ${{ steps.pr_info.outputs.pr_sha }}
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: maven
+
+      # Use secrets to import GPG key
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
+          passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
+
+      # Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
+      # Populate with username and password from secrets
+      - name: Create settings.xml
+        run: |
+          mkdir -p ~/.m2
+          echo "<settings><servers><server><id>central-a2asdk-temp</id><username>${{ secrets.CENTRAL_TOKEN_USERNAME }}</username><password>${{ secrets.CENTRAL_TOKEN_PASSWORD }}</password></server></servers></settings>" > ~/.m2/settings.xml
+
+      # Build with the same settings as the deploy job
+      # -s uses the settings file we created.
+      - name: Build with same arguments as deploy job
+        run: >
+          mvn -B install
+          -s ~/.m2/settings.xml
+          -P release
+          -DskipTests
+          -Drelease.auto.publish=true
+        env:
+          # GPG passphrase is set as an environment variable for the gpg plugin to use
+          GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
+
+      - name: Build Summary
+        if: always()
+        run: |
+          if [ "${{ job.status }}" = "success" ]; then
+            echo "✅ Release profile build succeeded"
+            if [ -n "${{ steps.pr_info.outputs.pr_number }}" ]; then
+              echo "   PR #${{ steps.pr_info.outputs.pr_number }} is ready for release"
+            fi
+          else
+            echo "❌ Release profile build failed"
+            if [ -n "${{ steps.pr_info.outputs.pr_number }}" ]; then
+              echo "   PR #${{ steps.pr_info.outputs.pr_number }} has release profile issues"
+            fi
+          fi

.github/workflows/build-with-release-profile.yml

@@ -1,12 +1,13 @@
-name: Build with '-Prelease'
-
-# Simply runs the build with -Prelease to avoid nasty surprises when running the release-to-maven-central workflow.
+name: Build with '-Prelease' (Trigger)
 
+# Trigger workflow for release profile build verification.
+# This workflow runs on PRs and uploads the PR info for the workflow_run job.
+# The actual build with secrets happens in build-with-release-profile-run.yml
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
 
 on:
-  # Handle all branches for now
+  pull_request:  # Changed from pull_request_target for security
   push:
-  pull_request_target:
   workflow_dispatch:
 
 # Only run the latest job
@@ -15,47 +16,35 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build:
+  trigger:
     # Only run this job for the main repository, not for forks
     if: github.repository == 'a2aproject/a2a-java'
     runs-on: ubuntu-latest
     permissions:
       contents: read
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Set up JDK 17
-        uses: actions/setup-java@v4
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-          cache: maven
-
-      # Use secrets to import GPG key
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
-          passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
-
-      # Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
-      # Populate wqith username and password from secrets
-      - name: Create settings.xml
+      - name: Prepare PR info
         run: |
-          mkdir -p ~/.m2
-          echo "<settings><servers><server><id>central-a2asdk-temp</id><username>${{ secrets.CENTRAL_TOKEN_USERNAME }}</username><password>${{ secrets.CENTRAL_TOKEN_PASSWORD }}</password></server></servers></settings>" > ~/.m2/settings.xml
-
-      # Build with the same settings as the deploy job
-      # -s uses the settings file we created.
-      - name: Build with same arguments as deploy job
-        run: >
-          mvn -B install
-          -s ~/.m2/settings.xml
-          -P release
-          -DskipTests
-          -Drelease.auto.publish=true
-        env:
-          # GPG passphrase is set as an environment variable for the gpg plugin to use
-          GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
+          mkdir -p pr_info
+
+          # Store PR number for workflow_run job
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo ${{ github.event.number }} > pr_info/pr_number
+            echo ${{ github.event.pull_request.head.sha }} > pr_info/pr_sha
+            echo ${{ github.event.pull_request.head.ref }} > pr_info/pr_ref
+          else
+            # For push events, store the commit sha
+            echo ${{ github.sha }} > pr_info/pr_sha
+            echo ${{ github.ref }} > pr_info/pr_ref
+          fi
+
+          echo "Event: ${{ github.event_name }}"
+          cat pr_info/*
+
+      - name: Upload PR info
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-info
+          path: pr_info/
+          retention-days: 1

pom.xml

@@ -511,20 +511,6 @@
     </modules>
 
     <profiles>
-        <profile>
-            <!--
-                 This profile generates the required javadoc.
-            -->
-            <id>javadoc</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-javadoc-plugin</artifactId>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
         <profile>
             <!--
                 This profile generates the required sources and javadoc in order to be able to deploy.