From cc41470d81a9ca54a113d4f8197db40acd6b8a8d Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 18 Jun 2026 16:50:48 +0000
Subject: [PATCH 1/3] ci(publish): gate Maven Central release behind explicit publish_release flag

Add a workflow_dispatch boolean input 'publish_release' (default false) and require it on the publish-release job in addition to the existing v* tag guard. A v* tag push alone no longer auto-publishes to Maven Central; releasing now requires running the Publish workflow on the v* tag with publish_release enabled (tag AND flag). publish-snapshot is unchanged.

Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01JGZdUCy6YnTzKSJKA6B6KZ
---
 .github/workflows/publish.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9b705e0b..49d445f4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,11 @@ on:
 tags: ['v*']
 pull_request:
 workflow_dispatch:
+ inputs:
+ publish_release:
+ description: "Publish a RELEASE to Maven Central. Off by default; the release publish runs only when this is true AND the workflow is run on a v* tag."
+ type: boolean
+ default: false
 env:
 JAVA_VERSION: '21'
 MODEL_URL: "https://huggingface.co/TheBloke/CodeLlama-7B-GGUF/resolve/main/codellama-7b.Q2_K.gguf"
@@ -945,7 +950,7 @@ jobs:
 publish-release:
 name: Publish Release to Central
- if: needs.check-tag.result == 'success'
+ if: needs.check-tag.result == 'success' && inputs.publish_release
 needs: [check-tag, crosscompile-linux-x86_64-cuda, crosscompile-android-aarch64-opencl, code-style]
 runs-on: ubuntu-latest
 environment: maven-central
From 53204f2b720c1507c4acffb585e45bc0f43aaff1 Mon Sep 17 00:00:00 2001
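Review bot: In the second hunk (`publish-release`, `-945,7`), the added `&& inputs.publish_release` is correct only because of two properties of the `inputs` context that nothing in the file states: it is empty on `push` events, so a `v*` tag push now skips the job, and it keeps the boolean type, whereas `github.event.inputs.*` values are strings and an unticked box would count as true. A comment above the `if` would protect the gate against a later context swap, for example `# inputs.* is set only by workflow_dispatch; on a tag push it is empty and this job is skipped`. Writing the test as `inputs.publish_release == true` would make the intent explicit as well. The job body continues outside the hunk.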
From: Claude
Date: Thu, 18 Jun 2026 18:37:10 +0000
Subject: [PATCH 2/3] ci(publish): abort snapshot publish unless the POM version is a -SNAPSHOT

Add a guard step to the publish-snapshot job that resolves project.version via `mvn help:evaluate` and fails the job unless the version ends in -SNAPSHOT. central-publishing routes purely by version: a release version (no -SNAPSHOT) deployed through the snapshot path lands in the permanent Maven Central release store, not the snapshot store. This guard stops that from ever happening from the snapshot job; releases continue to go through the v* tag path.

Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01JGZdUCy6YnTzKSJKA6B6KZ
---
 .github/workflows/publish.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 49d445f4..bc97bace 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -906,6 +906,15 @@ jobs:
 server-password: MAVEN_PASSWORD
 gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
 gpg-passphrase: MAVEN_GPG_PASSPHRASE
+ - name: Guard - require a -SNAPSHOT version
+ shell: bash
+ run: |
+ VERSION=$(mvn -q -DforceStdout help:evaluate -Dexpression=project.version | tail -n1)
+ echo "Resolved project version: $VERSION"
+ case "$VERSION" in
+ *-SNAPSHOT) echo "OK: -SNAPSHOT version, continuing snapshot deploy." ;;
+ *) echo "::error::Refusing to publish non-SNAPSHOT version '$VERSION' from the snapshot job. Snapshot publishing requires a -SNAPSHOT version; releases go through the v* tag path."; exit 1 ;;
+ esac
 - name: Publish snapshot
 run: mvn --batch-mode --no-transfer-progress -P release,cuda,opencl-android -Dmaven.test.skip=true deploy
 env:
From 02c02d019cf7242ca63444dac1eddd577f7b251c Mon Sep 17 00:00:00 2001
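Review bot: The guard resolves `project.version` with a plain `mvn help:evaluate`, while the `Publish snapshot` step right after it deploys with `-P release,cuda,opencl-android`, so the checked version and the deployed version are evaluated under different profile sets. Whether any of those profiles changes the version is not visible in this hunk; if one can, the guard should use the same profiles: `VERSION=$(mvn -q -DforceStdout -P release,cuda,opencl-android help:evaluate -Dexpression=project.version | tail -n1)`. The check also covers only the project Maven is invoked on, so in a multi-module build a module carrying its own non-SNAPSHOT version would presumably still pass; a short comment on the step stating that scope would help. The step list continues outside the hunk.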
From: Claude
Date: Thu, 18 Jun 2026 18:53:01 +0000
Subject: [PATCH 3/3] ci(publish): gate all Maven Central publishing behind explicit publish_to_central flag

Generalize the release-only publish_release input into a general publish_to_central boolean and require it on BOTH publish-snapshot and publish-release, matching the BitcoinAddressFinder sibling pipeline. Central publishing now runs only from a manual workflow_dispatch with the flag enabled; pushes to main and v* tag pushes no longer auto-deploy. Snapshot vs release is still decided by the POM version, and the -SNAPSHOT guard added in the previous commit blocks a release version from ever shipping via the snapshot job.

Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01JGZdUCy6YnTzKSJKA6B6KZ
---
 .github/workflows/publish.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index bc97bace..973042f4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,8 +11,8 @@ on:
 pull_request:
 workflow_dispatch:
 inputs:
- publish_release:
- description: "Publish a RELEASE to Maven Central. Off by default; the release publish runs only when this is true AND the workflow is run on a v* tag."
+ publish_to_central:
+ description: "Deploy to Maven Central (snapshot if -SNAPSHOT, release if a vX.Y.Z tag)"
 type: boolean
 default: false
 env:
@@ -876,7 +876,7 @@ jobs:
 publish-snapshot:
 name: Publish Snapshot to Central
 needs: [check-snapshot, crosscompile-linux-x86_64-cuda, crosscompile-android-aarch64-opencl, code-style]
- if: needs.check-snapshot.result == 'success'
+ if: needs.check-snapshot.result == 'success' && inputs.publish_to_central
 runs-on: ubuntu-latest
 environment: maven-central
 permissions:
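Review bot: In the `publish-snapshot` hunk (`-876,7`), gating on `inputs.publish_to_central` means the job now runs only from `workflow_dispatch`, and a manual run can be started on any branch or tag, using that ref's copy of this workflow file. Unless `check-snapshot` (not visible here) already pins the ref, a snapshot could be built, signed and deployed from an unmerged branch; consider `if: needs.check-snapshot.result == 'success' && inputs.publish_to_central && github.ref == 'refs/heads/main'`. Because the `if` lives in the workflow file itself, the control that actually holds is the `maven-central` environment's protection rules (required reviewers, allowed branches and tags), which are configured outside the repository files and worth confirming. The same reasoning applies to the `publish-release` hunk at `-959,7`, where `check-tag` is presumably the ref check. The job body continues outside the hunk.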
@@ -959,7 +959,7 @@ jobs:
 publish-release:
 name: Publish Release to Central
- if: needs.check-tag.result == 'success' && inputs.publish_release
+ if: needs.check-tag.result == 'success' && inputs.publish_to_central
 needs: [check-tag, crosscompile-linux-x86_64-cuda, crosscompile-android-aarch64-opencl, code-style]
 runs-on: ubuntu-latest
 environment: maven-central