Commit 72ee376
ci: Harden deploy-snapshot with least-privilege token, concurrency, and pinned checkout
Bring deploy-snapshot in line with core's workflow hygiene:
* permissions: contents: read — the job only reads the repo and deploys
externally, so it needs no write scope.
* concurrency group snapshot-deploy (cancel-in-progress: false) — serialize
snapshot deploys so two runs cannot race to publish to Central.
* checkout the exact commit that passed CI (workflow_run head_sha) and stop
persisting the GITHUB_TOKEN in the local git config.
source:jar-no-fork is intentionally not adopted: the archetype has no Java
sources, so a sources jar would be empty and Central does not require one for
maven-archetype artifacts.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DGSbyBPTxsj73xhYpnxcse1 parent 9ed56b9 commit 72ee376
1 file changed
Lines changed: 11 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
9 | 12 | | |
10 | 13 | | |
11 | 14 | | |
12 | 15 | | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
13 | 20 | | |
14 | 21 | | |
15 | 22 | | |
16 | 23 | | |
17 | 24 | | |
18 | 25 | | |
19 | 26 | | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
20 | 31 | | |
21 | 32 | | |
22 | 33 | | |
| |||
0 commit comments