From 38c9df6d7ebd70080b2acfd270c4f206fe981bba Mon Sep 17 00:00:00 2001 From: Bert Scholten Date: Fri, 20 Mar 2026 12:35:34 +0100 Subject: [PATCH 1/7] Prepare for releasing through github actions Use maven-enforcer-plugin to make sure there are no snapshot dependencies when releasing --- source/pom.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/source/pom.xml b/source/pom.xml index 360b290b..b943dae8 100644 --- a/source/pom.xml +++ b/source/pom.xml @@ -125,6 +125,26 @@ + + + org.apache.maven.plugins + maven-enforcer-plugin + + + enforce-no-snapshot-deps + + enforce + + + + + true + + + + + + From 23b306c2da5d4109726b61140ddd016b202f0eb7 Mon Sep 17 00:00:00 2001 From: Bert Scholten Date: Fri, 20 Mar 2026 12:46:48 +0100 Subject: [PATCH 2/7] Add workflow to release automatically --- .github/workflows/maven-release.yml | 71 +++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/maven-release.yml diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml new file mode 100644 index 00000000..bed9bd6f --- /dev/null +++ b/.github/workflows/maven-release.yml 
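Review bot: The `maven-enforcer-plugin` declaration in this hunk shows `org.apache.maven.plugins` and `maven-enforcer-plugin` with no `<version>` visible between them (the XML tags appear stripped in this view, so it may be supplied by a `pluginManagement` section outside the hunk); if it is not, Maven resolves the newest plugin release at build time and the release path then depends on whatever the remote repository serves that day. Pin it with an explicit `<version>` in the plugin or in `pluginManagement`. Since this execution only guards dependencies, consider also adding the `requirePluginVersions` rule (its `banSnapshots` default is true) so an unpinned or SNAPSHOT plugin cannot reach a release build either.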
@@ -0,0 +1,71 @@
+name: Maven Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: 'Release version (e.g. 1.2.0)'
+ required: true
+ next_dev_version:
+ description: 'Next development version (e.g. 1.3.0-SNAPSHOT)'
+ required: true
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Java & Maven
+ uses: actions/setup-java@v4
+ with:
+ java-version: '21'
+ distribution: 'temurin'
+ cache: maven
+
+ - name: Configure git author
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ - name: Set release version
+ run: |
+ mvn --batch-mode versions:set \
+ -DnewVersion=${{ github.event.inputs.release_version }} \
+ -DgenerateBackupPoms=false
+
+ # At this point, all internal SNAPSHOT refs should be resolved and updated to the release version.
+ # Any remaining SNAPSHOT are genuine external dependencies that should not be a snapshot.
+ - name: Check for SNAPSHOT dependencies
+ run: |
+ mvn --batch-mode enforcer:enforce -Denforcer.rules=requireReleaseDeps
+
+ - name: Commit release version
+ run: |
+ git add -A
+ git commit -m "Release: set version to ${{ github.event.inputs.release_version }}"
+ git push origin HEAD
+
+ - name: Tag release commit
+ run: |
+ git tag -a "${{ github.event.inputs.release_version }}" \
+ -m "Release ${{ github.event.inputs.release_version }}"
+ git push origin "${{ github.event.inputs.release_version }}"
+
+ - name: Set next development version
+ run: |
+ mvn --batch-mode versions:set \
+ -DnewVersion=${{ github.event.inputs.next_dev_version }} \
+ -DgenerateBackupPoms=false
+
+ - name: Commit next development version
+ run: |
+ git add -A
+ git commit -m "Release: set next development version to ${{ github.event.inputs.next_dev_version }}"
+ git push origin HEAD
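Review bot: `release_version` and `next_dev_version` are expanded with `${{ github.event.inputs.* }}` directly inside the `run:` scripts of the `versions:set`, `git commit`, `git tag` and `git push` steps, so the values are spliced into the script text before bash sees them; a value containing a space, quote or `;` breaks the command, and anyone who can dispatch the workflow can run arbitrary shell with the job's `contents: write` token. Pass the inputs through `env:` and reference them as quoted shell variables, and validate their shape once up front so a malformed version can never be committed or tagged. Separately, `actions/checkout@v4` and `actions/setup-java@v4` are pinned to moving major tags; pinning to a full commit SHA is the usual hardening for a workflow that pushes to the repository.
```yaml
      - name: Validate inputs
        env:
          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
          NEXT_DEV_VERSION: ${{ github.event.inputs.next_dev_version }}
        run: |
          [[ "$RELEASE_VERSION" =~ ^[0-9]+(\.[0-9]+)*(-[0-9A-Za-z.]+)?$ ]] || { echo "invalid release_version"; exit 1; }
          [[ "$NEXT_DEV_VERSION" =~ ^[0-9]+(\.[0-9]+)*(-[0-9A-Za-z.]+)?-SNAPSHOT$ ]] || { echo "invalid next_dev_version"; exit 1; }

      - name: Set release version
        env:
          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
        run: |
          mvn --batch-mode versions:set \
            -DnewVersion="$RELEASE_VERSION" \
            -DgenerateBackupPoms=false
      # … unchanged: enforcer check, commit/tag/push and next-dev steps (same env: pattern for the inputs) …
```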
From d51913846732d1bd1ee5423a4cffd369caf7cb4c Mon Sep 17 00:00:00 2001 From: Bert Scholten Date: Fri, 20 Mar 2026 12:56:49 +0100 Subject: [PATCH 3/7] Use information from user that triggered action as author Not sure which is better, having an indication that a bot did it, or if the user should be linked to it. Looking back, would probably want to know the user that did it, so went with that. --- .github/workflows/maven-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index bed9bd6f..c266a1dd 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -31,8 +31,8 @@ jobs: - name: Configure git author run: | - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" + git config user.name "${{ github.actor }}" + git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - name: Set release version run: | From 0c776e45b754652857900c60be695d15bf6eb4b1 Mon Sep 17 00:00:00 2001 From: Bert Scholten Date: Fri, 20 Mar 2026 13:03:08 +0100 Subject: [PATCH 4/7] use the proper profile sonar is the one that includes everything that should be released Should consider a profile that defines all modules... --- .github/workflows/maven-release.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index c266a1dd..0991031c 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml 
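Review bot: Setting both `user.name` and `user.email` to the dispatching user makes the release commits look authored and committed by that person from their own machine, while they were in fact produced by the workflow with its token; that blurs the audit trail if a release commit ever needs to be traced back to automation. A common split is to keep the committer as the bot and attribute only authorship to the actor, i.e. leave the removed `github-actions[bot]` lines in place and pass `--author="$GITHUB_ACTOR <$GITHUB_ACTOR_ID+$GITHUB_ACTOR@users.noreply.github.com>"` to the `git commit` calls, which live in steps outside this hunk. Using the `GITHUB_ACTOR`/`GITHUB_ACTOR_ID` default environment variables also avoids another `${{ }}` expansion inside a shell script, even though a login's restricted character set makes this particular one hard to abuse.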
@@ -38,13 +38,16 @@ jobs: run: | mvn --batch-mode versions:set \ -DnewVersion=${{ github.event.inputs.release_version }} \ - -DgenerateBackupPoms=false + -DgenerateBackupPoms=false \ + -Psonar # At this point, all internal SNAPSHOT refs should be resolved and updated to the release version. # Any remaining SNAPSHOT are genuine external dependencies that should not be a snapshot. - name: Check for SNAPSHOT dependencies run: | - mvn --batch-mode enforcer:enforce -Denforcer.rules=requireReleaseDeps + mvn --batch-mode enforcer:enforce \ + -Denforcer.rules=requireReleaseDeps \ + -Psonar - name: Commit release version run: | @@ -62,7 +65,8 @@ jobs: run: | mvn --batch-mode versions:set \ -DnewVersion=${{ github.event.inputs.next_dev_version }} \ - -DgenerateBackupPoms=false + -DgenerateBackupPoms=false \ + -Psonar - name: Commit next development version run: | From fa6d0a5ae91cad622bcec22c76687399567eba2e Mon Sep 17 00:00:00 2001 From: Bert Scholten Date: Fri, 20 Mar 2026 13:17:37 +0100 Subject: [PATCH 5/7] use more imaer-java specific version examples --- .github/workflows/maven-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 0991031c..87490ae3 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -4,10 +4,10 @@ on: workflow_dispatch: inputs: release_version: - description: 'Release version (e.g. 1.2.0)' + description: 'Release version (e.g. 6.0.1-7)' required: true next_dev_version: - description: 'Next development version (e.g. 1.3.0-SNAPSHOT)' + description: 'Next development version (e.g. 6.0.1-8-SNAPSHOT)' required: true jobs: From c6e9541b6b025e542d4a0e20f6a64f2d6ca85edd Mon Sep 17 00:00:00 2001 
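Review bot: `-Psonar` is now repeated on three separate `mvn` invocations, and the only record of why (it is the one profile that activates every module) lives in the commit message rather than in the file; a later edit that drops it from one step would silently release a different module set than the enforcer checked. Put the reason next to the first use, `# -Psonar: the only profile that activates all modules; versions:set, the enforcer check and the next-dev bump must all see the same module set`, and consider factoring the shared flags into a job-level `env: MAVEN_ARGS: --batch-mode -Psonar` (honoured by Maven 3.9+) so they cannot drift apart. A dedicated `release` profile listing every module, which the commit message itself suggests, would also decouple the release from any Sonar-specific configuration the `sonar` profile may carry.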
From: Bert Scholten Date: Mon, 23 Mar 2026 10:35:03 +0100 Subject: [PATCH 6/7] Changes based on testing on fork Using github cli instead of git to create the release + tag in github --- .github/workflows/maven-release.yml | 32 ++++++++++++++++++----------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 87490ae3..be6f9e6a 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -18,12 +18,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 - name: Set up Java & Maven - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: java-version: '21' distribution: 'temurin' @@ -36,18 +36,22 @@ jobs: - name: Set release version run: | - mvn --batch-mode versions:set \ + mvn --batch-mode --no-transfer-progress \ -DnewVersion=${{ github.event.inputs.release_version }} \ -DgenerateBackupPoms=false \ - -Psonar + -Psonar \ + -f source/pom.xml \ + versions:set # At this point, all internal SNAPSHOT refs should be resolved and updated to the release version. # Any remaining SNAPSHOT are genuine external dependencies that should not be a snapshot. - name: Check for SNAPSHOT dependencies run: | - mvn --batch-mode enforcer:enforce \ + mvn --batch-mode --no-transfer-progress \ -Denforcer.rules=requireReleaseDeps \ - -Psonar + -Psonar \ + -f source/pom.xml \ + enforcer:enforce - name: Commit release version run: | 
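Review bot: `mvn … -Denforcer.rules=requireReleaseDeps enforcer:enforce` runs the rule with its command-line defaults, so the `enforce-no-snapshot-deps` execution added to `source/pom.xml` in the first patch, together with whatever parameters it configures, is not what this step executes; the two checks can silently diverge. If the pom execution is meant to be the source of truth, invoke it by id, `mvn --batch-mode --no-transfer-progress -Psonar -f source/pom.xml enforcer:enforce@enforce-no-snapshot-deps`, and drop the `-Denforcer.rules` override; otherwise the pom execution is dead weight for this workflow. The step list continues outside this hunk.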
@@ -55,18 +59,22 @@ jobs: git commit -m "Release: set version to ${{ github.event.inputs.release_version }}" git push origin HEAD - - name: Tag release commit + - name: Create release in github, tagging the commit. + env: + GITHUB_TOKEN: ${{ github.token }} run: | - git tag -a "${{ github.event.inputs.release_version }}" \ - -m "Release ${{ github.event.inputs.release_version }}" - git push origin "${{ github.event.inputs.release_version }}" + gh release create ${{ github.event.inputs.release_version }} \ + -t "Release ${{ github.event.inputs.release_version }}" \ + --generate-notes - name: Set next development version run: | - mvn --batch-mode versions:set \ + mvn --batch-mode --no-transfer-progress \ -DnewVersion=${{ github.event.inputs.next_dev_version }} \ -DgenerateBackupPoms=false \ - -Psonar + -Psonar \ + -f source/pom.xml \ + versions:set - name: Commit next development version run: | From 6e1b67736c2ddf2a067d80891e9fee52c4847b8e Mon Sep 17 00:00:00 2001 From: Bert Scholten Date: Fri, 27 Mar 2026 17:10:21 +0100 Subject: [PATCH 7/7] Use/expect deploy key to bypass normal rules when releasing This deploy key should be a secret containing the ssh key that is configured as a deploy key. By using the new rules on github, and allowing bypass for deploy keys in the `main` (or default) branch protection, it should become possible to add the required commits on `main`. This does introduce a new possible vulnerable vector security-wise. If a action is added that contains malicious code that reads the key, it could be exposed and someone could get access to the repeository with that. This risk would be mitigated by restricting actions being updatable by random people, and being aware on this when reviewing, but it does remain a risk. GitHub Apps might be an alternative, but didn't look into that yet. That could at least make it more fine-grained, ensuring only specific actions could be taken. --- .github/workflows/maven-release.yml | 1 + 1 file changed, 1 insertion(+) 
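Review bot: `gh release create` is given only the tag name, and when that tag does not exist yet `gh` creates it from the head of the repository's default branch rather than from the commit this job just pushed, so if the workflow was dispatched on another branch, or anything lands on the default branch between the push and this step, the release tag points at the wrong commit. Pass the commit explicitly: `gh release create "$RELEASE_VERSION" --target "$(git rev-parse HEAD)" -t "Release $RELEASE_VERSION" --generate-notes`. The unquoted `${{ github.event.inputs.release_version }}` expansion into the shell applies here as elsewhere in the file; an `env:` entry for it next to `GITHUB_TOKEN` keeps the value out of the script text.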
diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index be6f9e6a..311e5faf 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -21,6 +21,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + ssh-key: ${{ secrets.DEPLOY_KEY }} - name: Set up Java & Maven uses: actions/setup-java@v5
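Review bot: With `ssh-key` on `actions/checkout` the private key is written to the runner and wired into the repository's git config for the rest of the job (`persist-credentials` defaults to true), so it is readable not only by a later malicious action, which the commit message covers, but by anything Maven executes during the `versions:set` and `enforcer:enforce` steps — plugins and their dependencies resolved from remote repositories run as the same user. Narrow the window: check out with `persist-credentials: false` and load the key only inside the two steps that push, removing it afterwards, so the build steps never have it on disk. The key also grants write access with no expiry and bypasses the branch protection it was added to get around, so at minimum scope it to this repository only and rotate it on a schedule until the GitHub App alternative the commit message mentions is in place.
```yaml
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ssh-key: ${{ secrets.DEPLOY_KEY }}
          persist-credentials: false
      # … unchanged: Java setup, git author, versions:set, enforcer check …
      - name: Commit release version
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
        run: |
          install -m 600 /dev/null "$RUNNER_TEMP/deploy_key"
          printf '%s\n' "$DEPLOY_KEY" > "$RUNNER_TEMP/deploy_key"
          trap 'rm -f "$RUNNER_TEMP/deploy_key"' EXIT
          export GIT_SSH_COMMAND="ssh -i $RUNNER_TEMP/deploy_key"
          git add -A
          git commit -m "Release: set version to ${{ github.event.inputs.release_version }}"
          git push "git@github.com:${GITHUB_REPOSITORY}.git" HEAD
      # … unchanged: release creation; the next-dev commit step gets the same key handling …
```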