
Publish SNAPSHOT artifacts during PR builder #876

Open
thibauult wants to merge 10 commits into main from cicd/publish-snapshots-in-pr-builder

@thibauult

Member

Summary

  • Adds a Publish SNAPSHOT artifacts step to the PR builder workflow
  • The step only runs on pull_request events (skipped on pushes to main/*-rc)
  • Uses publishToSonatype which automatically targets the Sonatype snapshot repository for -SNAPSHOT versions
  • No GPG signing required — already gated on isReleaseVersion in bdk.java-publish-conventions.gradle

Prerequisites

MAVEN_USERNAME and MAVEN_PASSWORD repository secrets must be set (already used by release.yml).

Test plan

  • Open a PR and verify the Publish SNAPSHOT artifacts step runs and succeeds
  • Verify artifacts are published to https://ossrh-staging-api.central.sonatype.com/content/repositories/snapshots/
  • Verify the step is skipped on a direct push to main

thibauult added 10 commits June 10, 2026 10:10
…tion@v4

The old gradle/wrapper-validation-action is deprecated and was causing CI failures.

CVE-2026-42582 (Netty 4.1.134.Final) and CVE-2026-41840/41841/41842/41843/41850/41851
(Spring Framework 6.2.18 via spring-boot-dependencies:3.5.14) have no fixed release yet.
Suppressed temporarily to unblock CI; a follow-up PR will bump the dependencies once
fixed versions are available.

3.5.15 ships Netty 4.1.135.Final (fixes CVE-2026-42582 and 18 additional Netty CVEs)
and Spring Framework 6.2.19 (fixes CVE-2026-41840 through CVE-2026-41851). Also ships
Tomcat 10.1.55 so the explicit overrides for Netty and Tomcat are no longer needed.

Reverts the CVE suppressions added in the previous commit.

Netty 4.1.135.Final is the last 4.1.x release and Spring Boot 3.5.15
is the last 3.5.x release — no patched version is available upstream.