Skip to content

Harden CI: Artifactory OIDC, fork-aware workflows, tightened permissions#538

Open
MichaelGHSeg wants to merge 7 commits into
masterfrom
ci/harden-build-publish
Open

Harden CI: Artifactory OIDC, fork-aware workflows, tightened permissions#538
MichaelGHSeg wants to merge 7 commits into
masterfrom
ci/harden-build-publish

Conversation

@MichaelGHSeg

Copy link
Copy Markdown
Contributor

Summary

  • Add Artifactory OIDC composite action — exchanges GitHub OIDC token for short-lived Artifactory access token, writes `~/.m2/settings.xml` mirroring `virtual-maven-thirdparty`
  • Add `ci.yml` — replaces `publish.yaml`, fork-aware runner selection, Java 11/17/21 matrix, spotless + animal-sniffer checks, SHA-pinned actions
  • Add `deploy.yml` — tag-triggered, `environment: maven-central` gate, GPG signing, tightened permissions
  • Update `e2e-tests.yml` — remove `E2E_TESTS_TOKEN` (sdk-e2e-tests going public), fork-aware

Notes

  • Maven Central has no OIDC trusted publishing — GPG signing + Sonatype credentials remain required
  • Old `publish.yaml`, `java8.yml`, `java11.yml`, `java17.yml`, `e2e.yaml` can be deleted once new workflows are validated

Test plan

  • CI runs on this PR
  • Artifactory OIDC exchange succeeds on same-repo CI
  • Before merging: set `ARTIFACTORY_URL` repository variable
  • Before merging: create `maven-central` GitHub environment with protection rules
  • Before merging: migrate GPG + Sonatype credentials to environment-scoped secrets

- Add Artifactory OIDC composite action (writes ~/.m2/settings.xml mirroring virtual-maven-thirdparty)
- Add ci.yml: fork-aware, Java 11/17/21 matrix, spotless/animal-sniffer, SHA-pinned actions
- Add deploy.yml: tag-triggered, environment: maven-central gate, GPG signing
- Update e2e-tests.yml: remove E2E_TESTS_TOKEN, fork-aware
didiergarcia
didiergarcia previously approved these changes Jul 10, 2026
Rewrite composite action to use single-script pattern matching
analytics-python: audience=${ARTIFACTORY_URL}, provider_name=
github-actions-segmentio, and add JWT claim logging for debugging.
The plugin is a build extension resolved on every mvn invocation,
causing CI test jobs to fail when Artifactory doesn't have the
Sonatype Central plugin. Gate it behind -P release so it only
loads during actual deploys.
Switch default repo to virtual-maven-twilio (includes
remote-maven-maven-central-cache, which virtual-maven-thirdparty
doesn't). Add pluginRepositories in settings.xml so Maven resolves
build plugins (spotless, central-publishing, etc.) through Artifactory
rather than falling back to Maven Central directly. Also broaden
mirrorOf from 'central' to '*' to catch all repos.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants