ci: update release workflow #2322
My recommendation:

There is one issue with the YAML files. I couldn't find a way to switch the

If at all possible, I want everything related to a release located in Enterprise. I have a good reason for it - our releases require secrets, and the community repository allows untrusted forks. This is ultimately a bad situation, and causes a lot of compromises in the CI, and constant worries if the mitigations are enough or if we're still at risk of leaking anything. Another reason is that our release process is nobody's business - people needn't know anything about JFrog, or the two-step process. By exposing this information here, you are giving adversaries clues for possible attacks. I think the following should happen:
This is perfectly achievable. You do not need to run JReleaser as a Maven plugin. You can run JReleaser as a command-line app - just like we did until now. This will allow you to centralize all config.

Personally, I see doing a release with something that will never be used again as a waste of time. But if you insist, I won't stop you.

Pull request overview
This PR updates the project’s release automation by removing the previously centralized release workflow/JReleaser configuration from this repository and tightening the remaining “finish release” steps by extracting version-updating logic into a dedicated script.
Changes:
- Removed `jreleaser.yml` and the `Release` workflow (`.github/workflows/release.yml`) from this repository.
- Updated `.github/workflows/finish_release.yml` to use a safer tag reference handoff and to call a shared version-change script.
- Added `.github/scripts/change_versions.sh` to centralize Maven/POM version updates used during the “finish release” process.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `jreleaser.yml` | Removes repo-local JReleaser release configuration as part of moving release automation elsewhere. |
| `.github/workflows/release.yml` | Removes the old release entrypoint workflow from this repository. |
| `.github/workflows/finish_release.yml` | Adjusts finish-release behavior and tag ref handling while keeping branch update logic. |
| `.github/scripts/change_versions.sh` | Adds a reusable version-update script for release-finishing steps. |
Comments suppressed due to low confidence (1)
.github/workflows/finish_release.yml:41
- The branch existence check uses `grep -w $version` where `$version` contains dots and is treated as a regular expression, which can match unintended branch names and cause the workflow to take the wrong path.

```sh
tag="$TAG_REF"
tag_version=${tag##*/}
version=${tag_version%.*}
version="${version:1}.x"
echo $version
```
(cherry picked from commit 72ff34c)



This PR updates the release workflow:

- `.github/scripts/change_versions.sh` — new reusable script that updates the Maven project version.
- `finish_release.yml` — replaced inline `mvn versions:set` call with the new `change_versions.sh` script, and fixed a shell injection risk by passing `${{ github.ref }}` through an env.
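
An added example, not code from this PR or the project: it derives the maintenance branch from a tag ref that arrives as data in `TAG_REF`, and compares an exact fixed-string branch lookup with the `grep -w $version` form flagged in the review. The function names, the `v<major>.<minor>.<patch>` tag format and the branch list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not the project's workflow code. Function names, the sample
# branch list and the v<major>.<minor>.<patch> tag format are assumptions.

# Turn a tag ref (refs/tags/v1.2.3) into its maintenance branch name (1.2.x).
# The caller passes "$TAG_REF", which the workflow step receives through env:
# so the ref stays data and is never expanded into the script text itself.
release_branch_from_ref() {
    tag_version=${1##*/}                      # refs/tags/v1.2.3 -> v1.2.3
    case "$tag_version" in
        ''|*[!0-9v.]*) return 1 ;;            # empty, or any unexpected byte
    esac
    printf '%s\n' "$tag_version" |
        grep -Eqx 'v[0-9]+\.[0-9]+\.[0-9]+' || return 1
    version=${tag_version%.*}                 # v1.2.3 -> v1.2
    printf '%s.x\n' "${version#v}"            # v1.2   -> 1.2.x
}

# Exact lookup: -F takes the name literally (dots are dots), -x requires the
# whole line to match, -- keeps a leading '-' from being read as an option.
branch_exists() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# The form the review flagged, kept for comparison: the name is used as a
# regular expression, and -w only requires word boundaries around the match.
branch_exists_loose() {
    printf '%s\n' "$2" | grep -wq $1
}

# Constructed branch list: no 1.2.x branch exists here.
BRANCHES='main
112.x
1.2.x-backup'

branch=$(release_branch_from_ref 'refs/tags/v1.2.3')   # constructed sample ref
if branch_exists "$branch" "$BRANCHES"; then strict=found; else strict=missing; fi
if branch_exists_loose "$branch" "$BRANCHES"; then loose=found; else loose=missing; fi
echo "branch=$branch exact=$strict regex=$loose"
```

With the regex form, both `112.x` and `1.2.x-backup` count as a hit for `1.2.x`, so a workflow would take the "branch exists" path for a branch that is not there.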