
fix: disable Maven cache and enforce checksum verification #4414

Merged
SylvainJuge merged 2 commits into main from fix/cache-poisoning-mitigation, Apr 24, 2026

Conversation

@mallendem (Contributor) commented Mar 6, 2026

Summary

  • Removed cache: 'maven' from .github/workflows/maven-goal/action.yml to disable Maven dependency caching across all workflows
  • Added -Daether.checksumPolicy=fail to .mvn/maven.config as defense in depth
  • Mitigates cache poisoning risk where a compromised GHA cache could inject malicious Maven dependencies into release artifacts (particularly the AWS Lambda layer via release-step-3.yml)

Impact

  • Build time: All Maven workflows will download dependencies fresh. CI builds will be slower (~2-5 minutes), but release integrity is prioritized
  • Functional: Builds will now fail-fast on checksum mismatches rather than warning

🤖 Generated with Claude Code

…e cache poisoning

Remove `cache: 'maven'` from the maven-goal composite action to prevent
potential cache poisoning attacks where a compromised GHA cache could
inject malicious Maven dependencies into release artifacts (particularly
the AWS Lambda layer published via release-step-3.yml).

Also add `-Daether.checksumPolicy=fail` to maven.config as defense in
depth to fail builds on checksum mismatches.

Ref: elastic/observability-robots#3264

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
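The reasoning in the description and commit message above (remove the restored cache as the primary mitigation, turn checksum mismatches into hard failures as defense in depth) is easier to see with a small model of how a Maven-style resolver applies a checksum policy. The block below is an added illustration; it is not code from this PR, from the project, or from Maven Resolver. The artifact bytes, the `.sha1` sidecar, the `LocalRepository` class, the `resolve` function and the coordinate `org.example:lib:1.0:jar` are constructed for the example; the policy names `fail`, `warn` and `ignore` are Maven's real checksum policy values, with `warn` being Maven's default.

```python
"""Model of how a Maven-style resolver applies a checksum policy.

Constructed illustration only: not code from this PR, from Maven, or from
Maven Resolver. Artifact bytes and the .sha1 sidecar below are made up.
"""
import hashlib
import logging

log = logging.getLogger("resolver-model")


class ChecksumFailure(Exception):
    """Raised under policy 'fail' when a download does not match its sidecar."""


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1, the digest Maven repositories publish in *.sha1 sidecars."""
    return hashlib.sha1(data).hexdigest()


def verify_transfer(artifact: bytes, sidecar: str, policy: str) -> bool:
    """Compare downloaded bytes against the repository's .sha1 sidecar.

    Returns True on a match. On a mismatch the policy decides:
      'fail'   -> raise ChecksumFailure (the setting this PR enforces)
      'warn'   -> log and continue (Maven's default)
      'ignore' -> continue silently
    Sidecars may be just the hex digest or "<hex>  <filename>", so only the
    first token is compared.
    """
    if policy not in ("fail", "warn", "ignore"):
        raise ValueError(f"unknown checksum policy: {policy}")
    expected = sidecar.strip().split()[0].lower()
    actual = sha1_hex(artifact)
    if actual == expected:
        return True
    if policy == "fail":
        raise ChecksumFailure(f"checksum mismatch: expected {expected}, got {actual}")
    if policy == "warn":
        log.warning("checksum mismatch, continuing: expected %s, got %s", expected, actual)
    return False


class LocalRepository:
    """Stand-in for ~/.m2/repository (a restored GHA cache populates this)."""

    def __init__(self, contents=None):
        self.store = dict(contents or {})


def resolve(coord: str, local: LocalRepository, remote: dict, policy: str):
    """Return (artifact_bytes, source).

    A local hit is returned as-is: checksum policies apply to transfers, so a
    cached file is never re-verified. Only a fresh download goes through
    verify_transfer before being stored locally.
    """
    if coord in local.store:
        return local.store[coord], "local-cache"
    artifact, sidecar = remote[coord]
    verify_transfer(artifact, sidecar, policy)  # raises under 'fail'
    local.store[coord] = artifact
    return artifact, "download"


# Constructed sample data: a "good" artifact as published, and a tampered copy.
COORD = "org.example:lib:1.0:jar"  # hypothetical coordinate
GOOD_JAR = b"PK\x03\x04 constructed jar bytes, not a real archive"
TAMPERED_JAR = GOOD_JAR + b"\x00injected"
GOOD_SIDECAR = sha1_hex(GOOD_JAR) + "  lib-1.0.jar"


def demo() -> dict:
    """Exercise the three scenarios the PR description reasons about."""
    results = {}

    # 1. Tampered download under the default 'warn' policy: logged, but used.
    remote = {COORD: (TAMPERED_JAR, GOOD_SIDECAR)}
    data, source = resolve(COORD, LocalRepository(), remote, "warn")
    results["warn_accepts_tampered"] = data == TAMPERED_JAR and source == "download"

    # 2. Same download under 'fail': resolution aborts before anything is stored.
    try:
        resolve(COORD, LocalRepository(), remote, "fail")
        results["fail_rejects_tampered"] = False
    except ChecksumFailure:
        results["fail_rejects_tampered"] = True

    # 3. Poisoned local repository (what a compromised cache would restore):
    #    even under 'fail' the cached bytes are returned without verification.
    poisoned = LocalRepository({COORD: TAMPERED_JAR})
    clean_remote = {COORD: (GOOD_JAR, GOOD_SIDECAR)}
    data, source = resolve(COORD, poisoned, clean_remote, "fail")
    results["fail_does_not_catch_poisoned_cache"] = (
        data == TAMPERED_JAR and source == "local-cache"
    )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows a mismatch being logged and then accepted under `warn`, the same download aborting under `fail`, and an artifact already present in the local repository being handed back with no checksum comparison at all. That third case is why removing `cache: 'maven'` is the primary mitigation: a poisoned cache lands directly in the local repository, where no checksum policy is consulted, so `-Daether.checksumPolicy=fail` only adds protection for artifacts fetched fresh from the remote.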
github-actions Bot commented Mar 6, 2026

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mallendem mallendem marked this pull request as ready for review April 24, 2026 09:06
Copilot AI review requested due to automatic review settings April 24, 2026 09:06
@mallendem mallendem requested review from a team as code owners April 24, 2026 09:06
Copilot AI left a comment

Pull request overview

This PR hardens the Maven build pipeline in GitHub Actions by disabling Maven dependency caching and enforcing checksum validation during dependency resolution to reduce cache-poisoning risk for release artifacts.

Changes:

  • Disabled Maven dependency caching by removing cache: 'maven' from the shared composite action used by Maven workflows.
  • Enforced checksum mismatch failures by adding -Daether.checksumPolicy=fail to Maven’s global .mvn/maven.config.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                                        Description
.mvn/maven.config                           Adds strict checksum failure policy for Maven artifact resolution.
.github/workflows/maven-goal/action.yml     Removes actions/setup-java Maven caching from the shared composite action to prevent cross-workflow cache reuse.


@SylvainJuge SylvainJuge enabled auto-merge (squash) April 24, 2026 09:13
@SylvainJuge SylvainJuge merged commit cd7fc41 into main Apr 24, 2026
29 of 31 checks passed
@SylvainJuge SylvainJuge deleted the fix/cache-poisoning-mitigation branch April 24, 2026 09:54