Skip to content

Commit 72ee376

Browse files
jeffjensenclaude
andcommitted
ci: Harden deploy-snapshot with least-privilege token, concurrency, and pinned checkout
Bring deploy-snapshot in line with core's workflow hygiene: * permissions: contents: read — the job only reads the repo and deploys externally, so it needs no write scope. * concurrency group snapshot-deploy (cancel-in-progress: false) — serialize snapshot deploys so two runs cannot race to publish to Central. * checkout the exact commit that passed CI (workflow_run head_sha) and stop persisting the GITHUB_TOKEN in the local git config. source:jar-no-fork is intentionally not adopted: the archetype has no Java sources, so a sources jar would be empty and Central does not require one for maven-archetype artifacts. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01DGSbyBPTxsj73xhYpnxcse
1 parent 9ed56b9 commit 72ee376

1 file changed

Lines changed: 11 additions & 0 deletions

File tree

.github/workflows/deploy-snapshot.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,17 +6,28 @@ on:
66
types: [completed]
77
branches: [main]
88

9+
permissions:
10+
contents: read
11+
912
env:
1013
MAVEN_COMMAND: ./mvnw
1114
MAVEN_CLI_COMMON: "-e -B"
1215

16+
concurrency:
17+
group: snapshot-deploy
18+
cancel-in-progress: false
19+
1320
jobs:
1421
deploy-snapshot:
1522
if: github.event.workflow_run.conclusion == 'success'
1623
runs-on: ubuntu-latest
1724
timeout-minutes: 20
1825
steps:
1926
- uses: actions/checkout@v7
27+
with:
28+
ref: ${{ github.event.workflow_run.head_sha }}
29+
persist-credentials: false
30+
2031
- uses: ./.github/actions/jdk-setup
2132
with:
2233
server-id: central-publish

0 commit comments

Comments
 (0)