[MOSIP-37901]: Exclude mosip services being published to nexus (develop) #1701
NidhiKumari0201 wants to merge 1 commit into
Signed-off-by: Nidhi0201 <nidhi.k@cyberpwn.com>
Walkthrough
The pull request updates the GitHub Actions workflow to use a different OSSRH URL secret for publishing steps and adds Maven plugin configurations to manage artifact deployment and central publishing with lifecycle controls to prevent automatic deployment during standard builds.
Estimated code review effort: 2 (Simple), ~10 minutes
Pre-merge checks: 3 passed
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/push-trigger.yml:
- Line 117: Both publish jobs currently set OSSRH_URL to secrets.RELEASE_URL
unconditionally, risking snapshot/dev builds being pushed to release endpoint;
update the publish job definitions in push-trigger.yml that set OSSRH_URL to
instead: 1) gate the job with a release-only condition (e.g., if:
github.event_name == 'release' || github.ref == 'refs/heads/master') or 2)
choose the URL based on the artifact version/branch (use secrets.RELEASE_URL for
real releases and a separate secrets.SNAPSHOT_URL for -SNAPSHOT builds or
non-release branches). Locate the places that assign OSSRH_URL (the lines using
OSSRH_URL: ${{ secrets.RELEASE_URL }}) and modify the job conditions or replace
the value with a conditional expression that checks release context or version
suffix to select RELEASE_URL vs SNAPSHOT_URL.
In `@esignet-service/pom.xml`:
- Around line 114-132: Remove the unconditional skip settings on the
maven-deploy-plugin so the reusable workflow can run mvn deploy: delete the
plugin-level <skip>true</skip> and the execution-level <skip>true</skip> in the
maven-deploy-plugin configuration (leave the <phase>none</phase> and the
<execution id="default-deploy"> block intact to avoid automatic lifecycle
deploy); ensure the plugin artifactId "maven-deploy-plugin" and the execution
with id "default-deploy" remain but no longer contain any <skip>true</skip>
entries.
Files selected for processing (2):
.github/workflows/push-trigger.yml
esignet-service/pom.xml
| OSSRH_USER: ${{ secrets.OSSRH_USER }} | ||
| OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }} | ||
| OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }} | ||
| OSSRH_URL: ${{ secrets.RELEASE_URL }} |
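Review bot: Swapping `secrets.OSSRH_SNAPSHOT_URL` for `secrets.RELEASE_URL` in this hunk is not accompanied by any change to the job's `if:` condition, so the job that used to push snapshots now pushes to the release endpoint on exactly the same triggers. Either restrict this job to release events or keep a second job that retains `OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}` for `-SNAPSHOT` builds; as written, a `develop` push aims a snapshot artifact at a repository that should reject it, and the failure will only show up in the reusable workflow's logs.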
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Local workflow checks =="
rg -n -C2 "publish_to_nexus:|publish_to_nexus_apitest_esignet:|if:|OSSRH_URL:" .github/workflows/push-trigger.yml
echo
echo "== Confirm snapshot versions currently used in repo =="
rg -n "<version>.*-SNAPSHOT</version>" pom.xml '**/pom.xml'
Both publish jobs use RELEASE_URL while allowing SNAPSHOT versions on non-release branches.
Line 109 publishes to release URL on any non-master branch (excluding PRs). Line 240 publishes to release URL while explicitly excluding actual release events. With SNAPSHOT versions in the codebase (1.8.0-SNAPSHOT), this risks publishing development builds to production endpoints or failures from release URL rejecting snapshots. Tighten job conditions to gate publish jobs by release context, or use conditional URL selection based on version/branch.
@NidhiKumari0201, here's a concrete fix. The core problem is:
publish_to_nexus_apitest_esignet already excludes release events in its if: condition, yet uses RELEASE_URL — so SNAPSHOT artifacts would hit a release endpoint on every develop push. publish_to_nexus runs on non-master non-PR branches (including develop with SNAPSHOT versions), same issue.
Since GitHub Actions doesn't allow conditional secret selection inline in secrets: blocks of reusable workflow calls, the cleanest approach is to split each publish job into two — one for release, one for snapshots — with appropriate conditions:
  # ── Release publish (triggered only on GitHub release events) ──────────────
  publish_to_nexus:
    if: "${{ github.event_name == 'release' }}"
    needs: build_maven_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.RELEASE_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

  # ── Snapshot publish (develop / feature branches, not PRs, not releases) ───
  publish_snapshot_to_nexus:
    if: "${{ !contains(github.ref, 'master') && github.event_name != 'pull_request' && github.event_name != 'release' }}"
    needs: build_maven_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

  # ── Release publish for api-test (only on release events) ──────────────────
  publish_to_nexus_apitest_esignet:
    if: "${{ github.event_name == 'release' }}"
    needs: build_maven_apitest_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./api-test
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.RELEASE_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

  # ── Snapshot publish for api-test (develop / feature branches) ─────────────
  publish_snapshot_to_nexus_apitest_esignet:
    if: "${{ !contains(github.ref, 'master') && github.event_name != 'pull_request' && github.event_name != 'release' }}"
    needs: build_maven_apitest_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./api-test
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

Note: Also update the build_dockers_esignet_with_plugins job's needs: array — it currently depends on publish_to_nexus. After the split, change it to:
needs: [build_maven_esignet_with_plugins, check_snapshot_version, publish_to_nexus, publish_snapshot_to_nexus]
Summary of the fix:
| Job | Condition | URL used |
|---|---|---|
| publish_to_nexus | event == release | RELEASE_URL |
| publish_snapshot_to_nexus | non-master, non-PR, non-release | OSSRH_SNAPSHOT_URL |
| publish_to_nexus_apitest_esignet | event == release | RELEASE_URL |
| publish_snapshot_to_nexus_apitest_esignet | non-master, non-PR, non-release | OSSRH_SNAPSHOT_URL |
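The split above relies on every job that carries the release secret also carrying a release-only condition, which is easy to break in a later edit. The following is an added example, not code from the esignet repository or from the review above: a stdlib-only, line-based lint that reads a workflow file, collects each job's `if:` expression and the secret bound to `OSSRH_URL`, and reports jobs that reference `RELEASE_URL` without a `github.event_name == 'release'` gate. It assumes the two-space job indentation GitHub Actions files conventionally use and does not attempt full YAML parsing; the embedded workflow is constructed for the example, with the third publish job deliberately reproducing the flagged pattern.

```python
"""Lint a GitHub Actions workflow for publish jobs that bind the release
repository secret without being gated on a release event (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample workflow (not the repository's own file). The first two
# publish jobs follow the split proposed in the review; the third uses
# RELEASE_URL under a condition that never requires a release event.
SAMPLE_WORKFLOW = """\
name: push-trigger
on: [push, pull_request, release]
jobs:
  build_maven_esignet:
    runs-on: ubuntu-latest
    steps:
      - run: mvn -B package
  publish_to_nexus:
    if: "${{ github.event_name == 'release' }}"
    needs: build_maven_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_URL: ${{ secrets.RELEASE_URL }}
  publish_snapshot_to_nexus:
    if: "${{ !contains(github.ref, 'master') && github.event_name != 'pull_request' && github.event_name != 'release' }}"
    needs: build_maven_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    secrets:
      OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
  publish_to_nexus_apitest_esignet:
    if: "${{ !contains(github.ref, 'master') && github.event_name != 'pull_request' && github.event_name != 'release' }}"
    needs: build_maven_apitest_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    secrets:
      OSSRH_URL: ${{ secrets.RELEASE_URL }}
"""

# A job id is a key indented by exactly two spaces under "jobs:".
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")
IF_RE = re.compile(r"^\s+if:\s*(.*?)\s*$")
# Only the simple "${{ secrets.NAME }}" form is recognised (assumption).
URL_RE = re.compile(r"^\s+OSSRH_URL:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}")
# "!= 'release'" does not satisfy this pattern, only an equality gate does.
RELEASE_GATE = re.compile(r"github\.event_name\s*==\s*'release'")


def parse_jobs(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map job id -> {"if": expression or None, "url_secret": name or None}."""
    jobs: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    in_jobs = False
    for line in text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m:
            current = m.group(1)
            jobs[current] = {"if": None, "url_secret": None}
            continue
        if current is None:
            continue
        m = IF_RE.match(line)
        if m:
            jobs[current]["if"] = m.group(1).strip("\"'")
            continue
        m = URL_RE.match(line)
        if m:
            jobs[current]["url_secret"] = m.group(1)
    return jobs


def find_ungated_release_publish(text: str) -> List[str]:
    """Return job ids that bind RELEASE_URL without a release-event gate.

    A job with no `if:` at all is reported too: it runs on every trigger."""
    findings = []
    for name, job in parse_jobs(text).items():
        if job["url_secret"] != "RELEASE_URL":
            continue
        if not RELEASE_GATE.search(job["if"] or ""):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for job_id in find_ungated_release_publish(SAMPLE_WORKFLOW):
        print(f"{job_id}: uses secrets.RELEASE_URL but is not gated on a release event")
```

Run it against a real file with `find_ungated_release_publish(open(".github/workflows/push-trigger.yml").read())`; a non-empty result is a reasonable thing to fail a CI lint step on, since it catches exactly the regression this review found.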
| <plugin> | ||
| <artifactId>maven-deploy-plugin</artifactId> | ||
| <version>${maven.deploy.plugin.version}</version> | ||
| <configuration> | ||
| <skip>true</skip> | ||
| </configuration> | ||
| <executions> | ||
| <execution> | ||
| <id>default-deploy</id> | ||
| <phase>none</phase> | ||
| <goals> | ||
| <goal>deploy</goal> | ||
| </goals> | ||
| <configuration> | ||
| <skip>true</skip> | ||
| </configuration> | ||
| </execution> | ||
| </executions> | ||
| </plugin> |
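Review bot: The plugin-level `<configuration><skip>true</skip></configuration>` applies to every execution of maven-deploy-plugin, including a `deploy:deploy` invoked directly from the command line, so it goes further than the `<phase>none</phase>` on `default-deploy` that already unbinds the goal from the lifecycle; the second `<skip>true</skip>` inside the execution is then redundant. If the intent is that only the central-publishing configuration mentioned in the PR description ever uploads, an XML comment above this plugin saying so would stop the next reader from expecting `mvn deploy` to push to Nexus; if the reusable workflow's `mvn deploy` is supposed to upload, both skips and the `none` phase have to go.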
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Inspect external reusable workflow =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/master-java21/.github/workflows/maven-publish-to-nexus.yml \
| nl -ba | sed -n '1,260p'
echo
echo "== Find Maven publish command + deploy skip override presence =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/master-java21/.github/workflows/maven-publish-to-nexus.yml \
| rg -n "mvn|deploy|central-publishing|maven.deploy.skip|OSSRH_URL|settings.xml"
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Fetching external reusable workflow =="
WORKFLOW=$(curl -fsSL https://raw.githubusercontent.com/mosip/kattu/master-java21/.github/workflows/maven-publish-to-nexus.yml)
if [ -z "$WORKFLOW" ]; then
echo "Failed to fetch workflow. Trying alternative path..."
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/refs/heads/master-java21/.github/workflows/maven-publish-to-nexus.yml 2>&1 | head -50
exit 1
fi
echo "$WORKFLOW" | head -100
echo
echo "== Searching for Maven deploy invocations =="
echo "$WORKFLOW" | grep -n "mvn\|deploy\|central-publishing\|maven.deploy\|OSSRH\|settings" || echo "(no matches found)"
echo
echo "== Full workflow content (first 300 lines) =="
echo "$WORKFLOW" | head -300
maven-deploy-plugin skip configuration blocks release publishing—the maven-publish-to-nexus workflow will fail.
The reusable workflow calls mvn deploy explicitly (line 68 of maven-publish-to-nexus.yml) without overriding the deploy skip flag. However, line 118 of pom.xml sets plugin-level <skip>true</skip>, which suppresses the deploy plugin unconditionally. This prevents any release deployment to Nexus, regardless of the workflow's intent.
To fix, remove both the plugin-level <skip>true</skip> (line 118) and the execution-level <skip>true</skip> (line 131). Keep <phase>none</phase> (line 123) to prevent automatic lifecycle deploy on develop:
Required fix
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>${maven.deploy.plugin.version}</version>
- <configuration>
- <skip>true</skip>
- </configuration>
<executions>
<execution>
<id>default-deploy</id>
<phase>none</phase>
<goals>
<goal>deploy</goal>
</goals>
- <configuration>
- <skip>true</skip>
- </configuration>
</execution>
</executions>
</plugin>
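Review bot: Removing the two `<skip>true</skip>` blocks while keeping `<phase>none</phase>` on `default-deploy` does not make `mvn deploy` upload anything: `<phase>none</phase>` unbinds that execution from the lifecycle, so the deploy phase runs with no `deploy` goal attached to it. For the reusable workflow's `mvn deploy` to publish, the `<phase>none</phase>` line (or the whole `default-deploy` override) has to be dropped as well, and "no automatic deployment on develop" is then enforced by the workflow's job condition rather than by the pom.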
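The finding above turns on two Maven rules that are easy to conflate: a plugin-level `<skip>` applies to every execution, and `<phase>none</phase>` unbinds an execution from the lifecycle regardless of any skip flag. The following is an added example, not code from the esignet repository or from the review: a small checker that parses a pom fragment with the standard library's `xml.etree`, locates maven-deploy-plugin, and reports whether a plain `mvn deploy` would actually execute the deploy goal. It models only those two rules (the `maven.deploy.skip` property, parent-POM inheritance and other publishing plugins are out of scope); the pom fragment is constructed from the block shown in the review, and the two variants are derived from it by string replacement so that the "skips removed, phase still none" state from the suggested fix can be compared with a fully rebound plugin.

```python
"""Check whether `mvn deploy` would run maven-deploy-plugin's deploy goal,
given the plugin's skip flags and the phase of its default-deploy execution
(added example; models two Maven binding rules, nothing more)."""
import xml.etree.ElementTree as ET
from typing import Dict

# Constructed pom fragment: the maven-deploy-plugin block from the review,
# wrapped in a minimal <project> so it parses stand-alone.
POM_BEFORE = """<project>
  <build><plugins>
    <plugin>
      <artifactId>maven-deploy-plugin</artifactId>
      <version>${maven.deploy.plugin.version}</version>
      <configuration><skip>true</skip></configuration>
      <executions>
        <execution>
          <id>default-deploy</id>
          <phase>none</phase>
          <goals><goal>deploy</goal></goals>
          <configuration><skip>true</skip></configuration>
        </execution>
      </executions>
    </plugin>
  </plugins></build>
</project>"""

# Variant 1: both <skip>true</skip> blocks removed, <phase>none</phase> kept
# (the state the suggested fix produces).
POM_SKIPS_REMOVED = POM_BEFORE.replace(
    "<configuration><skip>true</skip></configuration>", "")
# Variant 2: additionally rebind default-deploy to the deploy phase.
POM_REBOUND = POM_SKIPS_REMOVED.replace("<phase>none</phase>", "<phase>deploy</phase>")


def deploy_plugin_status(pom_xml: str) -> Dict[str, bool]:
    """Describe the default-deploy execution of maven-deploy-plugin.

    bound_to_deploy_phase: the execution is still attached to the deploy phase
    skipped: a plugin-level or execution-level <skip>true</skip> is present
    will_upload_on_mvn_deploy: both conditions hold for an upload to happen
    """
    root = ET.fromstring(pom_xml)
    plugin = None
    for candidate in root.iter("plugin"):
        if candidate.findtext("artifactId") == "maven-deploy-plugin":
            plugin = candidate
            break
    if plugin is None:
        # No override in this pom: Maven's default binding runs default-deploy
        # in the deploy phase (parent-POM overrides are not modelled here).
        return {"bound_to_deploy_phase": True, "skipped": False,
                "will_upload_on_mvn_deploy": True}

    # Plugin-level skip applies to every execution of the plugin.
    plugin_skip = plugin.findtext("configuration/skip") == "true"
    bound = True
    exec_skip = False
    for execution in plugin.findall("executions/execution"):
        if execution.findtext("id") != "default-deploy":
            continue
        phase = execution.findtext("phase")
        # No <phase> keeps the default binding; "none" detaches the execution.
        bound = phase in (None, "deploy")
        exec_skip = execution.findtext("configuration/skip") == "true"

    skipped = plugin_skip or exec_skip
    return {"bound_to_deploy_phase": bound, "skipped": skipped,
            "will_upload_on_mvn_deploy": bound and not skipped}


if __name__ == "__main__":
    for label, pom in (("as submitted", POM_BEFORE),
                       ("skips removed, phase none", POM_SKIPS_REMOVED),
                       ("rebound to deploy phase", POM_REBOUND)):
        print(f"{label}: {deploy_plugin_status(pom)}")
```

The middle case is the one worth noticing: with both skips gone but `<phase>none</phase>` still in place, `will_upload_on_mvn_deploy` stays false, so a workflow that runs `mvn deploy` and expects an artifact in Nexus would still come up empty.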