Use maven-enforcer-plugin to make sure there are no snapshot dependencies when releasing
Not sure which is better, having an indication that a bot did it, or if the user should be linked to it. Looking back, would probably want to know the user that did it, so went with that.
sonar is the one that includes everything that should be released. Should consider a profile that defines all modules...
Nice improvement! It's different from our usual flow as it will only create a tag (which isn't an issue) but just making sure it's on purpose. Testing it here first before merging it into If we do want to release, we could use something like https://github.com/elgohr/Github-Release-Action or simply call
Using github cli instead of git to create the release + tag in github
This deploy key should be a secret containing the SSH key that is configured as a deploy key. By using the new rules on GitHub, and allowing bypass for deploy keys in the `main` (or default) branch protection, it should become possible to add the required commits on `main`. This does introduce a new possible vulnerable vector security-wise. If an action is added that contains malicious code that reads the key, it could be exposed and someone could get access to the repository with that. This risk would be mitigated by restricting actions being updatable by random people, and being aware of this when reviewing, but it does remain a risk. GitHub Apps might be an alternative, but didn't look into that yet. That could at least make it more fine-grained, ensuring only specific actions could be taken.
In an attempt to automate releases a bit more, reckon that for our public repositories we might as well use a github action.
Could move part of this to our github-actions repo as well, but perhaps first lets check if it actually works the way we want?
Testing it might be a bit tricky. Currently there is no snapshot dependency, so it should just work, but would want to check that it does actually stop when there is such a dependency, for instance if the root pom used is on snapshot.
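The pieces discussed in this thread (failing the release on SNAPSHOT dependencies or a SNAPSHOT parent via maven-enforcer-plugin, checking out with a deploy key that is on the branch-protection bypass list, and creating tag and release with the GitHub CLI) fit together in a workflow like the one below. This is an added illustration, not the workflow from this PR or the project's own file. Assumed names: the secret `DEPLOY_KEY`, the `version` dispatch input, the Java version, and the `v` tag prefix. The release version is passed through `env` rather than interpolated into the script so that a crafted input cannot inject shell commands.

```yaml
name: release

on:
  workflow_dispatch:
    inputs:
      version:
        description: Release version (must not end in -SNAPSHOT)
        required: true

permissions:
  contents: write   # gh release create needs write access on the repo

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # DEPLOY_KEY (assumed secret name) holds the private half of the
          # deploy key; checkout switches origin to SSH so pushes use it.
          # Any third-party action added here can read this key, so pin
          # actions to a commit SHA and review updates to them.
          ssh-key: ${{ secrets.DEPLOY_KEY }}

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed
          cache: maven

      - name: Fail when any dependency or the parent pom is a SNAPSHOT
        # requireReleaseDeps also rejects a SNAPSHOT parent by default,
        # which covers the "root pom on snapshot" case from the description.
        run: mvn -B enforcer:enforce -Denforcer.rules=requireReleaseDeps

      - name: Set the release version and build
        env:
          VERSION: ${{ inputs.version }}
        run: |
          case "$VERSION" in
            *-SNAPSHOT) echo "refusing to release a SNAPSHOT version" >&2; exit 1 ;;
          esac
          mvn -B versions:set -DnewVersion="$VERSION" -DgenerateBackupPoms=false
          mvn -B verify

      - name: Commit, push, tag and create the GitHub release
        env:
          VERSION: ${{ inputs.version }}
          GH_TOKEN: ${{ github.token }}
        run: |
          # Author the commit as the user who triggered the run (see the
          # discussion above about linking the release to a user, not a bot).
          git config user.name "${{ github.actor }}"
          git config user.email "${{ github.actor }}@users.noreply.github.com"
          git commit -am "Release $VERSION"
          git push origin HEAD
          # gh creates the tag on the given commit if it does not exist yet.
          gh release create "v$VERSION" --target "$(git rev-parse HEAD)" --generate-notes
```

The push to the protected default branch only succeeds because the deploy key is on the branch rule's bypass list; the `GITHUB_TOKEN` used by `gh` is scoped to this run and expires with it, which is why it is preferred over the deploy key for the release call itself.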