
Conversation

@wtx-labs (Owner)

No description provided.

Comment on lines +12 to +94
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Set up JDK 8
uses: actions/setup-java@v4
with:
java-version: '8'
distribution: 'temurin'
cache: maven

- name: Setup GPG
run: |
echo "Setting up GPG..."
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg

# Import private key
echo "${{ secrets.GPG_PRIVATE_KEY }}" > private.key
echo "Importing GPG key..."
gpg --batch --import private.key
rm private.key

# Configure GPG
echo "Configuring GPG..."
cat > ~/.gnupg/gpg.conf << EOF
default-key ${{ secrets.GPG_KEYNAME }}
use-agent
pinentry-mode loopback
EOF

# Debug information
echo "=== GPG Keys ==="
gpg --list-secret-keys --keyid-format LONG
gpg --list-keys --keyid-format LONG

- name: Configure Maven
run: |
mkdir -p ~/.m2
cat > ~/.m2/settings.xml << EOF
<settings>
<servers>
<server>
<id>central</id>
<username>${{ secrets.OSSRH_USERNAME_TOKEN }}</username>
<password>${{ secrets.OSSRH_PASSWORD_TOKEN }}</password>
</server>
</servers>
<profiles>
<profile>
<id>central</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.executable>gpg</gpg.executable>
<gpg.passphrase>${{ secrets.GPG_PASSPHRASE }}</gpg.passphrase>
</properties>
</profile>
</profiles>
</settings>
EOF

- name: Build and Publish
env:
OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME_TOKEN }}
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: |
echo "Starting Maven build and deploy..."
mvn clean deploy -P release \
-Dmaven.javadoc.skip=false \
-Dmaven.deploy.skip=false \
-Dgpg.keyname=${{ secrets.GPG_KEYNAME }} \
-Dgpg.useagent=true \
-Dmaven.test.failure.ignore=false \
-DaltDeploymentRepository=ossrh::default::https://central.sonatype.com/api/v1/publisher/upload \
-DrepositoryId=ossrh \
-Dusername=${{ secrets.OSSRH_USERNAME_TOKEN }} \
-Dpassword=${{ secrets.OSSRH_PASSWORD_TOKEN }}
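Review bot: the repository id and the credentials do not line up in the Build and Publish step. `-DaltDeploymentRepository=ossrh::default::...` tells the deploy plugin to look up a server with id `ossrh`, but `~/.m2/settings.xml` only defines `<id>central</id>`, so no credentials will be found for the upload; `-Dusername=...` and `-Dpassword=...` do not fix that, because the deploy plugin reads credentials from settings.xml, not from those properties, while they do put the Sonatype credentials on the mvn command line where process listings and any echoed command can show them. Use one server id consistently and drop the two `-D` credential arguments together with `-DrepositoryId=ossrh`. Also confirm that the target URL, the Central Portal's `/api/v1/publisher/upload` API, accepts the deploy plugin's per-artifact PUTs; it is not a Maven repository URL. In the Setup GPG step, `${{ secrets.GPG_PRIVATE_KEY }}` is expanded into the script text and written to `private.key`; pass it through `env:` and pipe it straight into `gpg --batch --import` so neither the script nor the runner disk holds the key, and remove the `Debug information` block, which prints key IDs and user IDs into the build log. The file also has no `permissions:` block, which is the CodeQL finding below.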

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the workflow's tasks, the following permissions are appropriate:

  • contents: read to allow the workflow to read repository contents.
  • packages: write to allow publishing to Maven Central.

The permissions block can be added at the root level of the workflow to apply to all jobs or within the specific job (publish) to limit permissions to that job.


Suggested changeset 1: .github/workflows/maven-central.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/maven-central.yml b/.github/workflows/maven-central.yml
--- a/.github/workflows/maven-central.yml
+++ b/.github/workflows/maven-central.yml
@@ -9,2 +9,6 @@
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
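Review bot: `packages: write` is broader than this workflow needs. The Build and Publish step authenticates to Sonatype with the `OSSRH_*` secrets and nothing in the job uses `GITHUB_TOKEN` against GitHub Packages, so `contents: read` alone satisfies the finding; add a write scope only when a step actually needs it.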
EOF
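A hardened version of the PR's workflow, added here as an example (it is not code from the PR or the project): it applies the `contents: read` permissions block the finding asks for and hands secret handling to actions/setup-java's own inputs, so no key file or credential reaches disk, the shell script or the mvn command line. The workflow name, the `on:` trigger and the assumption that the pom's `release` profile already configures the publishing target are mine.

```yaml
name: Publish to Maven Central

# Assumed trigger; the PR excerpt does not show the original `on:` block.
on:
  release:
    types: [published]

# Least-privilege token (the CodeQL finding): checkout only needs read.
# Publishing authenticates with Sonatype credentials, not GITHUB_TOKEN,
# so no write scope is granted.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up JDK 8
        uses: actions/setup-java@v4
        with:
          java-version: '8'
          distribution: 'temurin'
          cache: maven
          # setup-java writes ~/.m2/settings.xml with a <server> whose
          # credentials are ${env.*} references, and imports the signing key
          # itself: no private.key on disk, no secret inside a heredoc.
          server-id: central
          server-username: OSSRH_USERNAME
          server-password: OSSRH_PASSWORD
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          gpg-passphrase: GPG_PASSPHRASE

      - name: Build and publish
        # Secrets enter the step as environment variables and are read by
        # Maven only through settings.xml; nothing is echoed or passed as a
        # -D argument that would show up in process listings or step logs.
        env:
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME_TOKEN }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD_TOKEN }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
        # Assumption: the pom's `release` profile configures the publishing
        # target (distributionManagement or the central publishing plugin).
        run: mvn -B clean deploy -P release -Dgpg.keyname="$GPG_KEYNAME"
```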
@wtx-labs wtx-labs merged commit e74aa10 into main Jun 14, 2025
4 of 5 checks passed
