From 2fa001ea9af39cb37e99a73f5017e80eb459c079 Mon Sep 17 00:00:00 2001
From: Claude Date: Thu, 18 Jun 2026 16:50:48 +0000 Subject: [PATCH 1/3] ci(publish): gate Maven Central release behind explicit publish_release flag Add a workflow_dispatch boolean input 'publish_release' (default false) and require it on the publish-release job in addition to the existing v* tag guard. A v* tag push alone no longer auto-publishes to Maven Central; releasing now requires running the Publish workflow on the v* tag with publish_release enabled (tag AND flag). publish-snapshot is unchanged. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01JGZdUCy6YnTzKSJKA6B6KZ
---
 .github/workflows/publish.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d6df78b..16c8599 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,6 +9,11 @@ on:
 tags: ['v*']
 pull_request:
 workflow_dispatch:
+ inputs:
+ publish_release:
+ description: "Publish a RELEASE to Maven Central. Off by default; the release publish runs only when this is true AND the workflow is run on a v* tag."
+ type: boolean
+ default: false
 permissions:
 contents: read
@@ -257,7 +262,7 @@ jobs:
 publish-release:
 name: Publish Release to Central
 needs: [check-tag, code-style]
- if: needs.check-tag.result == 'success'
+ if: needs.check-tag.result == 'success' && inputs.publish_release
 runs-on: ubuntu-latest
 environment: maven-central
 permissions:
From 12cb25b43e2773f219428a9cc659505466a33bf9 Mon Sep 17 00:00:00 2001
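Review bot: The new `if:` on `publish-release` (second hunk of patch 1/3) tests `inputs.publish_release` by bare truthiness and relies on the `inputs` context being empty for tag pushes. That evaluates as intended, but the gate is easier to audit when it names the event: `if: needs.check-tag.result == 'success' && github.event_name == 'workflow_dispatch' && inputs.publish_release == true`. The flag can be set by anyone permitted to dispatch workflows, so the effective control over the signing key and Central credentials is presumably the `maven-central` environment; its protection rules (required reviewers, allowed tags) are not visible in this patch and are worth confirming. The same expression shape recurs in both `if:` lines of patch 3/3, and the `publish-release` job body continues past the hunk.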
From: Claude Date: Thu, 18 Jun 2026 18:37:10 +0000 Subject: [PATCH 2/3] ci(publish): abort snapshot publish unless the POM version is a -SNAPSHOT Add a guard step to the publish-snapshot job that resolves project.version via `mvn help:evaluate` and fails the job unless the version ends in -SNAPSHOT. central-publishing routes purely by version: a release version (no -SNAPSHOT) deployed through the snapshot path lands in the permanent Maven Central release store, not the snapshot store. This guard stops that from ever happening from the snapshot job; releases continue to go through the v* tag path. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01JGZdUCy6YnTzKSJKA6B6KZ
---
 .github/workflows/publish.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 16c8599..c3247f9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -217,6 +217,15 @@ jobs:
 server-password: MAVEN_PASSWORD
 gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
 gpg-passphrase: MAVEN_GPG_PASSPHRASE
+ - name: Guard - require a -SNAPSHOT version
+ shell: bash
+ run: |
+ VERSION=$(mvn -q -DforceStdout help:evaluate -Dexpression=project.version | tail -n1)
+ echo "Resolved project version: $VERSION"
+ case "$VERSION" in
+ *-SNAPSHOT) echo "OK: -SNAPSHOT version, continuing snapshot deploy." ;;
+ *) echo "::error::Refusing to publish non-SNAPSHOT version '$VERSION' from the snapshot job. Snapshot publishing requires a -SNAPSHOT version; releases go through the v* tag path."; exit 1 ;;
+ esac
 - name: Deploy snapshot
 run: mvn --batch-mode --no-transfer-progress -P release deploy -DskipTests
 env:
From a44fe1f6d061a04a50a9ae707f5b03af8eeea0dc Mon Sep 17 00:00:00 2001
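Review bot: The guard resolves `project.version` without `-P release`, while the `Deploy snapshot` step right after it runs with `-P release`, so the check and the deploy may not see the same effective POM. If the release profile or a property can influence the version, evaluate under the same profile: `VERSION=$(mvn -q --batch-mode -DforceStdout -P release help:evaluate -Dexpression=project.version | tail -n1)`. The check also covers only the module Maven is invoked on; in a multi-module build a child with its own explicit version would not be inspected (the module layout is not visible here). An empty or failed resolution falls into the `*)` branch and stops the job, which is the right fail-closed behaviour. A one-line comment above the step, such as `# central-publishing routes by version: a non-SNAPSHOT version deployed here lands in the permanent release store`, would keep the reason next to the code.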
From: Claude Date: Thu, 18 Jun 2026 18:52:58 +0000 Subject: [PATCH 3/3] ci(publish): gate all Maven Central publishing behind explicit publish_to_central flag Generalize the release-only publish_release input into a general publish_to_central boolean and require it on BOTH publish-snapshot and publish-release, matching the BitcoinAddressFinder sibling pipeline. Central publishing now runs only from a manual workflow_dispatch with the flag enabled; pushes to main and v* tag pushes no longer auto-deploy. Snapshot vs release is still decided by the POM version, and the -SNAPSHOT guard added in the previous commit blocks a release version from ever shipping via the snapshot job. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01JGZdUCy6YnTzKSJKA6B6KZ
---
 .github/workflows/publish.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c3247f9..52ce68f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,8 +10,8 @@ on:
 pull_request:
 workflow_dispatch:
 inputs:
- publish_release:
- description: "Publish a RELEASE to Maven Central. Off by default; the release publish runs only when this is true AND the workflow is run on a v* tag."
+ publish_to_central:
+ description: "Deploy to Maven Central (snapshot if -SNAPSHOT, release if a vX.Y.Z tag)"
 type: boolean
 default: false
@@ -202,7 +202,7 @@ jobs:
 publish-snapshot:
 name: Publish Snapshot to Central
 needs: [check-snapshot, code-style]
- if: needs.check-snapshot.result == 'success'
+ if: needs.check-snapshot.result == 'success' && inputs.publish_to_central
 runs-on: ubuntu-latest
 environment: maven-central
 steps:
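Review bot: With `publish-snapshot` now reachable only through `workflow_dispatch`, the `if:` in the second hunk no longer implies a push to main, because a dispatch can be started on any branch by anyone with write access. Unless `check-snapshot` (outside this hunk) already pins the ref, a snapshot built from an unreviewed branch could be signed and deployed with the `maven-central` credentials. Consider adding the ref to the condition, `if: needs.check-snapshot.result == 'success' && inputs.publish_to_central && github.ref == 'refs/heads/main'`, or restricting the deployment branches and tags allowed on the `maven-central` environment. The job's steps continue past the hunk.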
@@ -271,7 +271,7 @@ jobs:
 publish-release:
 name: Publish Release to Central
 needs: [check-tag, code-style]
- if: needs.check-tag.result == 'success' && inputs.publish_release
+ if: needs.check-tag.result == 'success' && inputs.publish_to_central
 runs-on: ubuntu-latest
 environment: maven-central
 permissions: