Publish SNAPSHOT artifacts during PR builder#876
Merged
Conversation
…tion@v4 The old gradle/wrapper-validation-action is deprecated and was causing CI failures.
CVE-2026-42582 (Netty 4.1.134.Final) and CVE-2026-41840/41841/41842/41843/41850/41851 (Spring Framework 6.2.18 via spring-boot-dependencies:3.5.14) have no fixed release yet. Suppressed temporarily to unblock CI; a follow-up PR will bump the dependencies once fixed versions are available.
3.5.15 ships Netty 4.1.135.Final (fixes CVE-2026-42582 and 18 additional Netty CVEs) and Spring Framework 6.2.19 (fixes CVE-2026-41840 through CVE-2026-41851). Also ships Tomcat 10.1.55 so the explicit overrides for Netty and Tomcat are no longer needed. Reverts the CVE suppressions added in the previous commit.
Netty 4.1.135.Final is the last 4.1.x release and Spring Boot 3.5.15 is the last 3.5.x release — no patched version is available upstream.
…ions Move secrets to job-level env vars and use env context in the conditional expression to check whether Sonatype credentials are available before publishing snapshot artifacts.
Sets the artifact version to PR-{number}-SNAPSHOT on PR builds so each PR
publishes an independently addressable SNAPSHOT. Reports the published version
in the GitHub Actions step summary.
|
SNAPSHOT published: |
|
greaaattttt 🚀 |
herminesymphony
approved these changes
Jun 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Publish SNAPSHOT artifactsstep to the PR builder workflowpull_requestevents (skipped on pushes tomain/*-rc)publishToSonatypewhich automatically targets the Sonatype snapshot repository for-SNAPSHOTversionsisReleaseVersioninbdk.java-publish-conventions.gradlePrerequisites
MAVEN_USERNAMEandMAVEN_PASSWORDrepository secrets must be set (already used byrelease.yml).Test plan
Publish SNAPSHOT artifactsstep runs and succeedshttps://central.sonatype.com/repository/maven-snapshots/main