@overheadhunter
Member

This refactors the CI build, facilitating the ability to publish SNAPSHOTs to both Maven repos, when the commit message contains [deploy].


Copilot AI left a comment

Pull Request Overview

This PR consolidates three separate GitHub Actions workflows into a single unified workflow file. The previous publish-github.yml and publish-central.yml workflows that were triggered by release events are being removed, and their functionality is being merged into build.yml as new jobs that trigger on push events with tag checks.

  • Consolidated deployment workflows into a single build.yml workflow
  • Added build attestation for tagged releases
  • Introduced environment variable for Java version management

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| .github/workflows/publish-github.yml | Deleted standalone workflow for GitHub Packages publishing |
| .github/workflows/publish-central.yml | Deleted standalone workflow for Maven Central publishing |
| .github/workflows/build.yml | Consolidated all build, deployment, and release logic; added attestation and changed trigger mechanism |

PROJECT_VERSION=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout)
test "$PROJECT_VERSION" = "$TAG_NAME"
env:
TAG_NAME: ${{ github.event.release.tag_name }}
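
Review bot: `test "$PROJECT_VERSION" = "$TAG_NAME"` also succeeds when both sides are empty, so the gate should fail closed by checking `test -n "$TAG_NAME"` and `test -n "$PROJECT_VERSION"` before the comparison. The check prints nothing on mismatch either; echo both values so a rejected release can be diagnosed from the job log. Handing the tag to the script through `env:` instead of expanding `${{ ... }}` inside the script body is worth keeping whatever source the tag name ends up coming from.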

Copilot AI Nov 7, 2025

The github.event.release.tag_name will be null/empty when this workflow is triggered by a push event (the current trigger). The old publish-central.yml workflow was triggered by release events which made this context available. Since the workflow now triggers on push with tag checking via startsWith(github.ref, 'refs/tags/'), you should use ${GITHUB_REF##*/} instead or extract the tag name from github.ref directly, similar to how it's done in line 23.

Member Author

fixed in bbded71
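
An added example, not code from this pull request or the project's workflow: a tag/version gate for push-triggered tag builds like the one discussed in the thread above. The function names are hypothetical and the refs are constructed; it shows that `${GITHUB_REF##*/}` keeps only the last path segment of the ref, while `${GITHUB_REF#refs/tags/}` keeps the whole tag name, and that non-tag refs are rejected.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not the project's own.

# tag_from_ref REF: print the full tag name of a refs/tags/* ref.
# Fails for branches, pull-request refs and an empty tag name.
tag_from_ref() {
  case "$1" in
    refs/tags/?*) printf '%s\n' "${1#refs/tags/}" ;;
    *) return 1 ;;
  esac
}

# last_segment REF: what ${GITHUB_REF##*/} yields (text after the last slash).
last_segment() {
  printf '%s\n' "${1##*/}"
}

# verify_release REF VERSION: succeed only when REF is a tag whose full name
# equals a non-empty VERSION; report the reason on stderr otherwise.
verify_release() {
  ref=$1
  version=$2
  tag=$(tag_from_ref "$ref") || { echo "not a tag ref: '$ref'" >&2; return 1; }
  [ -n "$version" ] || { echo "project version is empty" >&2; return 1; }
  if [ "$tag" != "$version" ]; then
    echo "tag '$tag' does not match project version '$version'" >&2
    return 1
  fi
}

# Constructed sample refs, for illustration only.
for ref in refs/tags/1.2.3 refs/tags/release/1.2.3 refs/heads/develop; do
  if tag=$(tag_from_ref "$ref"); then
    echo "$ref: full tag '$tag', last segment '$(last_segment "$ref")'"
  else
    echo "$ref: rejected, not a tag"
  fi
done
```

In a workflow step the first argument would be `$GITHUB_REF` and the second the output of the `mvn help:evaluate` call shown in the reviewed snippet.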

@coderabbitai

coderabbitai bot commented Nov 7, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Consolidates CI workflows: removes .github/workflows/publish-central.yml and .github/workflows/publish-github.yml and refactors publishing into three public jobs (deploy-central, deploy-github, release) inside .github/workflows/build.yml. build.yml now parameterizes JAVA_VERSION (25), replaces mvn -B clean install with mvn -B verify --no-transfer-progress, removes the commit-message build skip guard, adds an attestation step for tag builds, and moves tag/version verification and deployment gating into the new deploy jobs with explicit secret and GPG handling.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Verify deploy-central and deploy-github replicate prior publish steps (version/tag verification, signing, maven profiles).
  • Confirm mvn -B verify --no-transfer-progress produces required artifacts compared to previous clean install.
  • Inspect attestation step and permissions for tag builds.
  • Review secret handling: MAVEN_CENTRAL_*, GPG keys, GITHUB_TOKEN, and any environment propagation.
  • Check removal of commit-message guard for unintended build triggers.
  • Review deleted files for any subtle differences lost from original workflows.

Files/areas needing extra attention:

  • .github/workflows/build.yml (new jobs, JAVA_VERSION, Maven change, attest step)
  • Deleted .github/workflows/publish-central.yml and .github/workflows/publish-github.yml (ensure no lost behavior)
  • Tag/version verification and GPG signing steps

Possibly related PRs

  • bump JDK to 25 #73 — also modifies GitHub Actions Java setup to use JDK 25; directly related to the JAVA_VERSION/JDK change in the build workflow.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title describes the primary action (refactoring build.yml) but is too generic. While related to the main change, it doesn't highlight the actual objective of enabling SNAPSHOT deployments with [deploy] trigger. |
| Description check | ✅ Passed | The description clearly explains the main objective: refactoring the CI workflow to enable SNAPSHOT deployments to Maven repos when [deploy] is in the commit message, directly aligning with the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 050bf4c and bbded71.

📒 Files selected for processing (1)
  • .github/workflows/build.yml (1 hunks)
🔇 Additional comments (3)
.github/workflows/build.yml (3)

7-8: Centralized Java version configuration applied correctly.

The new JAVA_VERSION: 25 environment variable is properly referenced throughout the workflow and simplifies version management across all jobs.


14-16: Attestation support properly integrated for tag-based builds.

Permissions are correctly scoped (id-token: write, attestations: write), the step condition appropriately targets only tag builds, and the artifact paths cover both JAR and POM artifacts. The implementation aligns with GitHub's provenance attestation requirements.

Also applies to: 29-35


26-26: Tag name extraction correctly fixed using github.ref parsing.

The workflow properly derives the tag name from ${GITHUB_REF##*/} instead of relying on github.event.release.tag_name (which is unavailable for push events triggering on tags). This fix is consistently applied across both deploy jobs and maintains functional parity with the original workflows.

Also applies to: 61-61, 89-89


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
.github/workflows/build.yml (2)

47-47: Inconsistent quoting style for distribution parameter.

Line 47 quotes the value ('temurin'), while line 79 does not. Standardize the format for consistency.

--- deploy-github (around line 79)
- distribution: temurin
+ distribution: 'temurin'

Also applies to: 79-79


53-59: Refactor: Extract duplicate version verification logic.

The version verification steps are identical in both deploy-central and deploy-github jobs. Consider extracting this to a reusable workflow or composite action to reduce duplication and maintenance burden.

Also applies to: 81-87

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e3d50e9 and 050bf4c.

📒 Files selected for processing (3)
  • .github/workflows/build.yml (1 hunks)
  • .github/workflows/publish-central.yml (0 hunks)
  • .github/workflows/publish-github.yml (0 hunks)
💤 Files with no reviewable changes (2)
  • .github/workflows/publish-github.yml
  • .github/workflows/publish-central.yml
🔇 Additional comments (4)
.github/workflows/build.yml (4)

24-25: Good improvement in Maven command.

Using verify instead of install is more appropriate for CI workflows (avoids unnecessary local repo installation), and --no-transfer-progress improves log clarity.


26-32: LGTM: Build attestation for provenance.

The addition of build attestation for tag-based releases is a good security practice for supply-chain integrity.


96-108: LGTM: Release job structure.

The release job correctly depends on both deploy jobs and is properly gated to tags only. Once the version verification issues in the deploy jobs are fixed, this should work as intended.


7-8: Java 25 compatibility is properly configured.

Java 25 is an LTS release with support until September 2033, and the build is already well-prepared:

  • maven-compiler-plugin 3.14.0 and maven-surefire-plugin 3.5.4 are recent versions known to support Java 25
  • jdk.version=25 is explicitly set in pom.xml, matching the workflow's JAVA_VERSION: 25
  • No Lombok or other known incompatible dependencies found

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.


Copilot AI commented Nov 7, 2025

@overheadhunter I've opened a new pull request, #75, to work on those changes. Once the pull request is ready, I'll request review from you.

@overheadhunter overheadhunter merged commit 1bddb34 into develop Nov 7, 2025
14 checks passed
@overheadhunter overheadhunter added this to the next milestone Nov 7, 2025
@overheadhunter overheadhunter deleted the feature/deploy-snapshots branch November 7, 2025 10:28