Merged
Commits
42 commits
cc9d3a3
Update dry run version input in workflow
sayaliM0412 Nov 4, 2025
a8e2a7f
Update dry-run version input for release artifacts
sayaliM0412 Nov 4, 2025
03c70b7
feat: extract release version from POM and handle dry run versioning …
sayaliM0412 Nov 4, 2025
109c0b2
fix: remove conditional check for dry run in Get Release Version step
sayaliM0412 Nov 4, 2025
09af19c
refactor: streamline release version handling and dry run logic in wo…
sayaliM0412 Nov 5, 2025
3a7b737
refactor: simplify dry run logic by using GitHub's default branch set…
sayaliM0412 Nov 5, 2025
0c6a2ac
fix: handle fallback for last commit hash retrieval in artifact relea…
sayaliM0412 Nov 5, 2025
e33f147
refactor: use current branch name for dry runs instead of default bra…
sayaliM0412 Nov 5, 2025
b3acd18
fix: dynamically retrieve project version for artifact signing instea…
sayaliM0412 Nov 5, 2025
e1b1711
feat: add generation of source and javadoc jars, and versioned POM fi…
sayaliM0412 Nov 5, 2025
a275c21
feat: add version retrieval for dry-run releases in artifact attachme…
sayaliM0412 Nov 5, 2025
c1c6bab
fix: enhance dry-run deployment logging and use environment variables…
sayaliM0412 Nov 5, 2025
66a386c
debug: add credential validation before Maven deploy
sayaliM0412 Nov 5, 2025
c9c8ca5
fix: enable snapshots for extension release in workflow configuration
sayaliM0412 Nov 5, 2025
dd5f8f8
fix: update dry-run deployment to strip -SNAPSHOT suffix and rename a…
sayaliM0412 Nov 5, 2025
2f35844
fix: update dry-run release version retrieval to use input parameter …
sayaliM0412 Nov 10, 2025
0c70e67
fix: streamline dry-run deployment by removing unnecessary steps and …
sayaliM0412 Nov 10, 2025
e99f9bb
fix: update artifact path in release attachment step to use relative …
sayaliM0412 Nov 10, 2025
af41605
fix: update artifact file paths in release step to use dynamic inputs
sayaliM0412 Nov 10, 2025
ed92431
fix: add preparation step for dry-run release artifacts and update at…
sayaliM0412 Nov 10, 2025
cf2f2e3
fix: update dry-run artifact preparation by removing redundant steps …
sayaliM0412 Nov 10, 2025
f1dcc7b
fix: enhance dry-run artifact handling by detecting multi-module proj…
sayaliM0412 Nov 10, 2025
29544b4
fix: simplify dry-run artifact path detection and streamline artifact…
sayaliM0412 Nov 10, 2025
1d13c6a
fix: enhance dry-run artifact handling for multi-module projects and …
sayaliM0412 Nov 10, 2025
85f942f
fix: adjust indentation for GPG key conversion step in artifact relea…
sayaliM0412 Nov 10, 2025
e70bbf1
fix: streamline dry-run artifact generation and signing process
sayaliM0412 Nov 10, 2025
14df2ea
fix: append '-SNAPSHOT' to dry_run version in Maven versioning step
sayaliM0412 Nov 10, 2025
7e60f65
fix: rename SNAPSHOT files to match dry_run version in artifact relea…
sayaliM0412 Nov 10, 2025
fdf7323
fix: update POM files to remove '-SNAPSHOT' from version tags during …
sayaliM0412 Nov 10, 2025
098cdaa
fix: update POM file versioning to use dry_run_version instead of ver…
sayaliM0412 Nov 10, 2025
dccd3cc
fix: update POM file versioning to remove '-SNAPSHOT' from version ta…
sayaliM0412 Nov 10, 2025
670a327
fix: remove unnecessary empty string argument from sed command in ver…
sayaliM0412 Nov 10, 2025
db83e15
fix: changes for dry-runs especially for bigquery workflow (#438)
sayaliM0412 Nov 14, 2025
4db36bf
Potential fix for code scanning alert no. 672: Code injection
sayaliM0412 Nov 14, 2025
6a34e45
Potential fix for code scanning alert no. 689: Code injection
sayaliM0412 Nov 14, 2025
c351fee
fix: use GitHub context for current branch in dry run process
sayaliM0412 Nov 14, 2025
3539c28
Potential fix for code scanning alert no. 671: Code injection
sayaliM0412 Nov 14, 2025
5c52ff6
fix: validate and sanitize dry_run_version input in Maven deployment …
sayaliM0412 Nov 14, 2025
bf8ff7a
Potential fix for code scanning alert no. 674: Code injection
sayaliM0412 Nov 14, 2025
3c29300
Potential fix for code scanning alert no. 698: Code injection
sayaliM0412 Nov 14, 2025
d5a2381
Potential fix for code scanning alert no. 696: Code injection
sayaliM0412 Nov 14, 2025
bd3ae2c
Merge branch 'main' into DAT-21154
sayaliM0412 Nov 14, 2025
119 changes: 74 additions & 45 deletions .github/workflows/extension-attach-artifact-release.yml
@@ -166,18 +166,22 @@
- name: Build and Package
if: ${{ inputs.dry_run == false }}
shell: bash
env:
MAVEN_PROFILES: ${{ inputs.mavenProfiles }}
run: |
mvn -B release:clean release:prepare -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ github.event.inputs.liquibaseVersion }} -DpushChanges=false -P '${{ inputs.mavenProfiles }}' -DscmServerId=liquibase
mvn -B release:clean release:prepare -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ github.event.inputs.liquibaseVersion }} -DpushChanges=false -P "$MAVEN_PROFILES" -DscmServerId=liquibase
git reset HEAD~ --hard
mvn -B dependency:go-offline clean package -DskipTests=true ${{ inputs.extraMavenArgs }} -P '${{ inputs.mavenProfiles }}'
mvn -B dependency:go-offline clean package -DskipTests=true ${{ inputs.extraMavenArgs }} -P "$MAVEN_PROFILES"

- name: Build and Package (dry-run)
if: ${{ inputs.dry_run == true }}
shell: bash
env:
MAVEN_PROFILES: ${{ inputs.mavenProfiles }}
DRY_RUN_VERSION: ${{ inputs.dry_run_version }}
run: |
mvn -B release:clean release:prepare -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ inputs.dry_run_version }} -DpushChanges=false -P '${{ inputs.mavenProfiles }}' -DscmServerId=liquibase
git reset HEAD~ --hard
mvn -B dependency:go-offline clean package -DskipTests=true ${{ inputs.extraMavenArgs }} -P '${{ inputs.mavenProfiles }}'
mvn -B release:clean release:prepare -DdryRun=true -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=$DRY_RUN_VERSION -DpushChanges=false -P "$MAVEN_PROFILES" -DscmServerId=liquibase
mvn -B dependency:go-offline clean package -DskipTests=true ${{ inputs.extraMavenArgs }} -P "$MAVEN_PROFILES"

Check warning
Code scanning / CodeQL
Code injection Medium
Potential code injection in ${{ inputs.extraMavenArgs }}, which may be controlled by an external user.

Copilot Autofix

AI 3 days ago

To fix this issue, we should avoid using the input directly as an inline expression within the shell command. Instead, we set the value of the untrusted input to an environment variable and use the environment variable via native shell variable expansion syntax (e.g., $EXTRA_MAVEN_ARGS) inside the script. This transformation prevents code injection attacks by leveraging the shell’s handling of environment variables, ensuring that special characters are not interpreted as executable commands. The change should be made in both spots using ${{ inputs.extraMavenArgs }}: the non-dry-run build (line 174) and the dry-run build (line 184). This requires adding an environment variable mapping for EXTRA_MAVEN_ARGS in both relevant job steps, and using $EXTRA_MAVEN_ARGS in the shell scripts instead of ${{ inputs.extraMavenArgs }}.

Suggested changeset 1
.github/workflows/extension-attach-artifact-release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/extension-attach-artifact-release.yml b/.github/workflows/extension-attach-artifact-release.yml
--- a/.github/workflows/extension-attach-artifact-release.yml
+++ b/.github/workflows/extension-attach-artifact-release.yml
@@ -168,10 +168,11 @@
         shell: bash
         env:
           MAVEN_PROFILES: ${{ inputs.mavenProfiles }}
+          EXTRA_MAVEN_ARGS: ${{ inputs.extraMavenArgs }}
         run: |
           mvn -B release:clean release:prepare -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ github.event.inputs.liquibaseVersion }} -DpushChanges=false -P "$MAVEN_PROFILES" -DscmServerId=liquibase
           git reset HEAD~ --hard
-          mvn -B dependency:go-offline clean package -DskipTests=true ${{ inputs.extraMavenArgs }} -P "$MAVEN_PROFILES"
+          mvn -B dependency:go-offline clean package -DskipTests=true $EXTRA_MAVEN_ARGS -P "$MAVEN_PROFILES"
 
       - name: Build and Package (dry-run)
         if: ${{ inputs.dry_run == true }}
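Review bot: the env-var indirection is the right fix for `${{ inputs.extraMavenArgs }}`, but the context line just above the changed one still interpolates `-DreleaseVersion=${{ github.event.inputs.liquibaseVersion }}` straight into the same `run:` script, so this step remains an expression-injection sink after the patch; map it the same way (`LIQUIBASE_VERSION: ${{ github.event.inputs.liquibaseVersion }}` under `env:` and `-DreleaseVersion="$LIQUIBASE_VERSION"` in the script). Note also that `$EXTRA_MAVEN_ARGS` is deliberately left unquoted so that several Maven arguments word-split; that is fine for the injection concern, since the value is never re-parsed as shell syntax, but glob expansion still applies to it, which deserves a comment in the workflow.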
@@ -179,9 +177,10 @@
         env:
           MAVEN_PROFILES: ${{ inputs.mavenProfiles }}
           DRY_RUN_VERSION: ${{ inputs.dry_run_version }}
+          EXTRA_MAVEN_ARGS: ${{ inputs.extraMavenArgs }}
         run: |
           mvn -B release:clean release:prepare -DdryRun=true -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=$DRY_RUN_VERSION -DpushChanges=false -P "$MAVEN_PROFILES" -DscmServerId=liquibase
-          mvn -B dependency:go-offline clean package -DskipTests=true ${{ inputs.extraMavenArgs }} -P "$MAVEN_PROFILES"
+          mvn -B dependency:go-offline clean package -DskipTests=true $EXTRA_MAVEN_ARGS -P "$MAVEN_PROFILES"
 
       - name: Get Artifact ID
         working-directory: ${{ inputs.artifactPath }}
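Review bot: in this hunk `-DreleaseVersion=$DRY_RUN_VERSION` and `$EXTRA_MAVEN_ARGS` are both unquoted, so a `dry_run_version` containing whitespace would split into extra Maven arguments; commit 5c52ff6 in this PR adds validation of `dry_run_version` for the Maven deployment step, and the same strict-pattern check (or at least `"$DRY_RUN_VERSION"`) belongs here too. The `-DdryRun=true` on the context line makes release:prepare skip its commit, which is why the dry-run step no longer needs the `git reset HEAD~ --hard` the non-dry-run step keeps; a one-line comment saying so would stop someone re-adding it. Finally, the new-side start in `@@ -179,9 +177,10 @@` does not account for the line the first hunk adds, so confirm that `git apply` accepts the patch as given.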
EOF

- name: Get Artifact ID
working-directory: ${{ inputs.artifactPath }}
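Added example (not part of this PR or of the workflow it edits): a small Python rewriter that applies the transformation the Copilot autofix comments on this page describe to any `run:` script, moving each plain `${{ ... }}` reference into an `env:` mapping and replacing it with a shell variable, and flagging expressions with operators (such as `inputs.artifactPath || '.'`) for manual handling. The sample run block is constructed from the lines CodeQL flags on this page; the variable names it derives (`EXTRA_MAVEN_ARGS`, `ARTIFACT_VERSION`, ...) and the `tainted`/`review` classification are this script's own conventions, not the project's.

```python
"""Rewrite a GitHub Actions `run:` script so that `${{ ... }}` expressions are
moved into `env:` and referenced as shell variables (the pattern the CodeQL
autofixes on this page apply by hand).  Added example, not project code."""
import re

# Contexts an outside party can influence (workflow inputs, event payloads,
# PR branch names) or that are derived from them (job/step outputs, env).
# `secrets.*` is trusted but still belongs in env:; anything else -> "review".
TAINTED_PREFIXES = ("inputs.", "github.event.", "github.head_ref",
                    "needs.", "steps.", "env.")

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# A plain context reference such as needs.build.outputs.artifact_version;
# anything with operators or function calls is left for a human.
SIMPLE_REF_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def env_name(expr):
    """inputs.extraMavenArgs -> EXTRA_MAVEN_ARGS (last segment, UPPER_SNAKE)."""
    leaf = expr.split(".")[-1]
    snake = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", leaf)
    return re.sub(r"[^A-Za-z0-9]", "_", snake).upper()


def classify(expr):
    if expr.startswith("secrets."):
        return "secret"
    if expr.startswith(TAINTED_PREFIXES):
        return "tainted"
    return "review"


def _quote_state(text, pos):
    """Which shell quote (", ' or none) position `pos` lies inside, scanning
    from the start of its line; backslash escapes are honoured outside '...'."""
    state = ""
    i = text.rfind("\n", 0, pos) + 1
    while i < pos:
        ch = text[i]
        if state == "'":
            state = "" if ch == "'" else state
        elif ch == "\\":
            i += 1                      # skip the escaped character
        elif state == '"':
            state = "" if ch == '"' else state
        elif ch in "\"'":
            state = ch
        i += 1
    return state


def harden_run_block(script):
    """Return (rewritten_script, env_map, findings).

    Each simple `${{ ref }}` becomes "${NAME}" (bare ${NAME} inside an existing
    double-quoted string, '"${NAME}"' inside single quotes) and env_map[NAME]
    records the expression to put under env:.  Complex expressions are left
    in place and reported as ("manual", expr).  Quoting is the safe default;
    an argument list that must word-split has to be unquoted deliberately."""
    env_map, findings = {}, []

    def replace(match):
        expr = match.group(1)
        if not SIMPLE_REF_RE.match(expr):
            findings.append(("manual", expr))
            return match.group(0)
        name = env_name(expr)
        while name in env_map and env_map[name] != expr:   # name collision
            name += "_"
        env_map[name] = expr
        findings.append((classify(expr), expr))
        state = _quote_state(script, match.start())
        if state == '"':
            return "${%s}" % name
        if state == "'":
            return "'\"${%s}\"'" % name
        return '"${%s}"' % name

    return EXPR_RE.sub(replace, script), env_map, findings


def render_env(env_map, indent="  "):
    """YAML `env:` block to paste into the step."""
    body = ["%s%s: ${{ %s }}" % (indent, k, v) for k, v in sorted(env_map.items())]
    return "\n".join(["env:"] + body)


# Constructed sample run block mirroring the lines CodeQL flagged on this page.
SAMPLE_RUN = (
    "mvn -B release:prepare -DreleaseVersion=${{ github.event.inputs.liquibaseVersion }} -P '${{ inputs.mavenProfiles }}'\n"
    'mvn -B clean package -DskipTests=true ${{ inputs.extraMavenArgs }} -P "$MAVEN_PROFILES"\n'
    "unzip -d /tmp/combined/ubuntu /tmp/ubuntu/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}.jar\n"
    'curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos/${{ github.repository }}/releases"\n'
    "echo \"ARTIFACT_PATH=${{ inputs.artifactPath || '.' }}\" >> $GITHUB_OUTPUT\n"
)

if __name__ == "__main__":
    script, env, found = harden_run_block(SAMPLE_RUN)
    print(render_env(env) + "\n" + script)
    for kind, expr in found:
        print("%-8s %s" % (kind, expr))
```

The rewritten first line comes out as `-P ''"${MAVEN_PROFILES}"''`, which bash concatenates into the bare value, so the old single-quoted profile syntax is handled without editing the surrounding quotes.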
@@ -193,22 +197,19 @@
echo "artifact_id=$artifact_id" >> $GITHUB_OUTPUT

- name: Get Artifact Version
if: ${{ inputs.dry_run == false }}
working-directory: ${{ inputs.artifactPath }}
id: get-artifact-version
shell: bash
env:
DRY_RUN_VERSION: ${{ inputs.dry_run_version }}
run: |
artifact_version=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout)
if [ "${{ inputs.dry_run }}" == "true" ]; then

Check warning
Code scanning / CodeQL
Code injection Medium
Potential code injection in ${{ inputs.dry_run }}, which may be controlled by an external user.

Copilot Autofix

AI 3 days ago

The best way to fix this issue is to avoid directly interpolating ${{ inputs.dry_run }} into the shell script. Instead, set an intermediate environment variable—DRY_RUN—whose value comes from ${{ inputs.dry_run }} and reference it only using shell variable syntax ($DRY_RUN) within the shell script. This avoids injection risk by ensuring that the shell treats the input as a variable value and not as executable code. The fix should be made in the step under lines 205-212 (run: block of "Get Artifact Version"). Add DRY_RUN: ${{ inputs.dry_run }} under the env: section, and replace ${{ inputs.dry_run }} with $DRY_RUN in the shell script.

No additional imports or definitions are needed. The required code changes are limited to the workflow file: adding the env variable and referencing it safely.


Suggested changeset 1
.github/workflows/extension-attach-artifact-release.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/extension-attach-artifact-release.yml b/.github/workflows/extension-attach-artifact-release.yml
--- a/.github/workflows/extension-attach-artifact-release.yml
+++ b/.github/workflows/extension-attach-artifact-release.yml
@@ -202,8 +202,9 @@
         shell: bash
         env:
           DRY_RUN_VERSION: ${{ inputs.dry_run_version }}
+          DRY_RUN: ${{ inputs.dry_run }}
         run: |
-          if [ "${{ inputs.dry_run }}" == "true" ]; then
+          if [ "$DRY_RUN" == "true" ]; then
             artifact_version="$DRY_RUN_VERSION"
           else
             artifact_version=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout)
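Review bot: `[ "$DRY_RUN" == "true" ]` works because this step sets `shell: bash`, but `==` inside single-bracket `[` is a bashism; `=` (or `[[ ... ]]`) avoids a surprise if the shell is ever changed. The mapping itself is correct: the boolean `inputs.dry_run` reaches the environment as the string `true`/`false`, which is exactly what the comparison expects, and the Maven branch is untouched.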
EOF
artifact_version="$DRY_RUN_VERSION"
else
artifact_version=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout)
fi
echo "artifact_version=$artifact_version" >> $GITHUB_OUTPUT

- name: Get Artifact Version
if: ${{ inputs.dry_run == true }}
working-directory: ${{ inputs.artifactPath }}
id: get-artifact-version-dry-run
shell: bash
run: |
echo "artifact_version=${{ inputs.dry_run_version }}" >> $GITHUB_OUTPUT

- name: Save Artifacts
uses: actions/upload-artifact@v4
with:
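Review bot: collapsing the two `Get Artifact Version` steps into one is good, but the removed step had `id: get-artifact-version-dry-run`; any later step or job that read `steps.get-artifact-version-dry-run.outputs.artifact_version` will now see an empty value rather than fail, so grep the workflow (and the callers of this reusable workflow) for that id. The surviving `if [ "${{ inputs.dry_run }}" == "true" ]` is the inline-expression pattern CodeQL flags above; the autofix's `DRY_RUN` env mapping resolves it.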
@@ -248,23 +249,23 @@
- name: Create multiplatform jar
run: |
rm -rf /tmp/combined/ubuntu /tmp/combined/windows /tmp/combined/macos
mkdir -p /tmp/combined/ubuntu /tmp/combined/windows /tmp/combined/macos

Check warning
Code scanning / CodeQL
Code injection Medium
Potential code injection in ${{ needs.build-multi-architecture.outputs.artifact_version }}, which may be controlled by an external user. (CodeQL raises this same warning on every line of the step that interpolates the expression.)
unzip -d /tmp/combined/ubuntu /tmp/ubuntu/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}.jar

unzip -d /tmp/combined/windows /tmp/windows/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}.jar

unzip -d /tmp/combined/macos /tmp/macos/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}.jar

rm -r -f /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}

mkdir /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}

cp -a /tmp/combined/ubuntu/* /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}/

cp -a /tmp/combined/windows/* /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}/

cp -a /tmp/combined/macos/* /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}/

rm /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}/org.graalvm.python.vfs/fileslist.txt

cat /tmp/combined/ubuntu/org.graalvm.python.vfs/fileslist.txt /tmp/combined/windows/org.graalvm.python.vfs/fileslist.txt /tmp/combined/macos/org.graalvm.python.vfs/fileslist.txt > /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}/org.graalvm.python.vfs/fileslist.txt

rm -f /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}.jar

cd /tmp/combined/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}/

zip -r ../${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}.jar *
cd ..

cp /tmp/ubuntu/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}-sources.jar /tmp/combined/

cp /tmp/ubuntu/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}-javadoc.jar /tmp/combined/

cp /tmp/ubuntu/${{needs.build-multi-architecture.outputs.artifact_id}}-${{needs.build-multi-architecture.outputs.artifact_version}}.pom /tmp/combined/

- name: Upload multiplatform artifact
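Review bot: every line of `Create multiplatform jar` splices `${{needs.build-multi-architecture.outputs.artifact_id}}` and `...artifact_version` directly into the script, and in dry-run mode `artifact_version` is just `inputs.dry_run_version` passed through the earlier step, so a caller-supplied string reaches `rm -r -f`, `cp`, `cd` and `zip` without ever being parsed. Same remedy as the autofixes above: map both outputs into `env:` (say `ARTIFACT_ID` and `ARTIFACT_VERSION`), reference them as `"$ARTIFACT_ID"-"$ARTIFACT_VERSION"`, and fail the step up front unless `ARTIFACT_VERSION` matches a strict version pattern, so nothing that is not a plain version string is ever used to build a path handed to `rm -r -f`.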
@@ -422,37 +423,52 @@
if: ${{ env.ARTIFACT_FOUND == '0' && inputs.dry_run == false }}
id: build-release-artifacts
run: |
mvn -B release:clean release:prepare -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ github.event.inputs.liquibaseVersion }} -DpushChanges=false -P '${{ inputs.mavenProfiles }}' -DscmServerId=liquibase
mvn -B release:clean release:prepare -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \
-DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ github.event.inputs.liquibaseVersion }} -DpushChanges=false -P '${{ inputs.mavenProfiles }}' \
-DscmServerId=liquibase
git reset HEAD~ --hard
# Determine the default branch (master or main)
if git rev-parse --verify origin/master >/dev/null 2>&1; then
DEFAULT_BRANCH="master"
elif git rev-parse --verify origin/main >/dev/null 2>&1; then
DEFAULT_BRANCH="main"
else
echo "Neither master nor main branch found. Exiting."
exit 1
fi
LAST_COMMIT_HASH=$(git rev-parse origin/$DEFAULT_BRANCH)
mvn clean install -DskipTests -P '${{ inputs.mavenProfiles }}' -DbuildNumber=$LAST_COMMIT_HASH
# Use GitHub's default branch from repository settings
DEFAULT_BRANCH="${{ github.event.repository.default_branch }}"
echo "Using default branch: $DEFAULT_BRANCH"
mvn clean install -DskipTests -P '${{ inputs.mavenProfiles }}' -DbuildNumber=$DEFAULT_BRANCH

# Generate source and javadoc jars
mvn source:jar javadoc:jar -Dmaven.javadoc.skip=false

# Copy POM to target directory with versioned name
ARTIFACT_ID=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)
VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
cp pom.xml target/${ARTIFACT_ID}-${VERSION}.pom
echo "Generated artifacts for ${ARTIFACT_ID}-${VERSION}"

- name: Set pom version to dry_run version
if: ${{ inputs.dry_run == true }}
env:
DRY_RUN_VERSION: ${{ inputs.dry_run_version }}
run: |
mvn versions:set -DnewVersion=$DRY_RUN_VERSION-SNAPSHOT -DgenerateBackupPoms=false -DprocessAllModules=true

- name: Build release artifacts (dry-run)
if: ${{ inputs.dry_run == true }}
id: build-release-artifacts-dry-run
env:
CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
run: |
mvn -B release:clean release:prepare -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" -DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ inputs.dry_run_version }} -DpushChanges=false -P '${{ inputs.mavenProfiles }}' -DscmServerId=liquibase
git reset HEAD~ --hard
# Determine the default branch (master or main)
if git rev-parse --verify origin/master >/dev/null 2>&1; then
DEFAULT_BRANCH="master"
elif git rev-parse --verify origin/main >/dev/null 2>&1; then
DEFAULT_BRANCH="main"
else
echo "Neither master nor main branch found. Exiting."
exit 1
fi
LAST_COMMIT_HASH=$(git rev-parse origin/$DEFAULT_BRANCH)
mvn clean install -DskipTests -P '${{ inputs.mavenProfiles }}' -DbuildNumber=$LAST_COMMIT_HASH
mvn -B release:clean release:prepare -DdryRun=true -Darguments="-Dmaven.javadoc.skip=true -Dmaven.test.skipTests=true -Dmaven.test.skip=true -Dmaven.deploy.skip=true" \
-DcheckModificationExcludeList=** -DignoreSnapshots=true -DreleaseVersion=${{ inputs.dry_run_version }} -DpushChanges=false -P '${{ inputs.mavenProfiles }}' \
-DscmServerId=liquibase
# Use current branch name for dry runs
echo "Using current branch: $CURRENT_BRANCH"
mvn clean install -DskipTests -P '${{ inputs.mavenProfiles }}' -DbuildNumber=$CURRENT_BRANCH

# Generate source and javadoc jars
mvn source:jar javadoc:jar -Dmaven.javadoc.skip=false

# Copy POM to target directory with versioned name
ARTIFACT_ID=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)
VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
cp pom.xml target/${ARTIFACT_ID}-${VERSION}.pom
echo "Generated artifacts for ${ARTIFACT_ID}-${VERSION}"

- name: Download multiarchitecture release artifacts
if: inputs.combineJars
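Review bot: `-DbuildNumber=` changes meaning in both steps: the removed code passed a commit hash (`LAST_COMMIT_HASH`, the tip of the default branch), the new code passes a branch name (`$DEFAULT_BRANCH`, `$CURRENT_BRANCH`), so whatever consumes `buildNumber` no longer identifies the commit that was built. If that is intentional the step comment should say so; otherwise `git rev-parse origin/"$DEFAULT_BRANCH"` keeps the old semantics with the new branch lookup. This region also still inlines `${{ inputs.dry_run_version }}`, `${{ inputs.mavenProfiles }}` and `${{ github.event.repository.default_branch }}` into `run:` scripts while the same inputs were moved to `env:` earlier in the file, and `$CURRENT_BRANCH` (from `github.head_ref`, a value the PR author chooses) should be quoted where it is used.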
@@ -468,7 +484,6 @@
LATEST_DRAFT_RELEASE=$(curl -X GET -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos/${{ github.repository }}/releases?per_page=1" | jq -r 'if .[].draft == true then .[].id else empty end')
echo "Latest Draft Release ID: $LATEST_DRAFT_RELEASE"
echo "RELEASE_ID=$LATEST_DRAFT_RELEASE" >> $GITHUB_ENV


- name: List artifacts in release
if: ${{ env.RELEASE_ID != '' && env.RELEASE_ID != null && inputs.dry_run == false }}
@@ -490,7 +505,6 @@
curl -X DELETE -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos/${{ github.repository }}/releases/assets/$value"
echo "Deleted artifact ID: $value"
done

- name: Convert escaped newlines and set GPG key
run: |
GPG_KEY_CONTENT="$(printf '%b' "${{ env.GPG_SECRET }}")"
@@ -531,7 +545,8 @@
working-directory: ${{ inputs.artifactPath }}
run: |
gpg -K
version=${{ inputs.dry_run_version }}
version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
echo "Signing artifacts for version: $version"
${{ env.REPO_ROOT }}/.github/sign_artifact.sh ${{ env.REPO_ROOT }}/${{ inputs.artifactPath }}/target/${{ env.artifact_id }}-${version}.jar
${{ env.REPO_ROOT }}/.github/sign_artifact.sh ${{ env.REPO_ROOT }}/${{ inputs.artifactPath }}/target/${{ env.artifact_id }}-${version}.pom
${{ env.REPO_ROOT }}/.github/sign_artifact.sh ${{ env.REPO_ROOT }}/${{ inputs.artifactPath }}/target/${{ env.artifact_id }}-${version}-javadoc.jar
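Review bot: reading `version` from the POM instead of `inputs.dry_run_version` removes an inline expression, but in dry-run mode the `Set pom version to dry_run version` step has just run `versions:set -DnewVersion=$DRY_RUN_VERSION-SNAPSHOT`, so `help:evaluate` returns the `-SNAPSHOT` version and the signing paths below resolve to `<artifact_id>-<version>-SNAPSHOT.jar`; confirm that is what the dry-run build actually leaves in `target/` (commit 7e60f65 in this PR renames SNAPSHOT files to the dry_run version, and the two must agree or the signing step fails on a missing file). The `sign_artifact.sh` invocations also still inline `${{ env.REPO_ROOT }}`, `${{ inputs.artifactPath }}` and `${{ env.artifact_id }}` unquoted.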
@@ -557,6 +572,20 @@
ASSET_NAME_PREFIX: "${{ env.artifact_id }}-"
ASSET_DIR: ./target

- name: Set artifact path
id: set-artifact-path
if: ${{ inputs.dry_run == true }}
run: echo "ARTIFACT_PATH=${{ inputs.artifactPath || '.' }}" >> $GITHUB_OUTPUT

- name: Collect artifacts for release (dry-run)
if: ${{ inputs.dry_run == true }}
run: |
mkdir -p /tmp/release-artifacts
# Find and copy all artifacts from target directories (supports multi-module)
find ${{ steps.set-artifact-path.outputs.ARTIFACT_PATH }} -type f \( -name "*.jar" -o -name "*.pom" -o -name "*.asc" \) -path "*/target/*" ! -name "original-*" -exec cp {} /tmp/release-artifacts/ \;
echo "Collected artifacts:"
ls -lh /tmp/release-artifacts/

- name: Attach Files to Draft Release (dry-run)
id: attach-files-dry-run
if: ${{ inputs.dry_run == true }}
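Review bot: `echo "ARTIFACT_PATH=${{ inputs.artifactPath || '.' }}"` and `find ${{ steps.set-artifact-path.outputs.ARTIFACT_PATH }} ...` reintroduce the inline-expression pattern the rest of this PR is removing: the step output is just `inputs.artifactPath`, a caller-controlled value, and it is then spliced unquoted into the `find` command line. Put `inputs.artifactPath` under `env:` and use `"${ARTIFACT_PATH:-.}"` directly, which also makes the `Set artifact path` step unnecessary. Separately, `-exec cp {} /tmp/release-artifacts/` flattens every module's `target/` into one directory, so two modules producing a file with the same name overwrite each other silently; `cp -n` or a per-module subdirectory would surface that.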
@@ -567,7 +596,7 @@
body: Dry Run ${{ inputs.dry_run_version }}
generate_release_notes: true
draft: true
files: ./target/*
files: /tmp/release-artifacts/*

- name: Get upload_zip.sh Script File
if: inputs.zip == 'true'
@@ -582,4 +611,4 @@
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ASSET_NAME_PREFIX: "${{ env.artifact_id }}-"
ASSET_DIR: ./target
ASSET_DIR: ./target