4 changes: 2 additions & 2 deletions .github/workflows/push-trigger.yml
@@ -114,7 +114,7 @@ jobs:
secrets:
OSSRH_USER: ${{ secrets.OSSRH_USER }}
OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
OSSRH_URL: ${{ secrets.RELEASE_URL }}
@coderabbitai coderabbitai Bot Apr 10, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Local workflow checks =="
rg -n -C2 "publish_to_nexus:|publish_to_nexus_apitest_esignet:|if:|OSSRH_URL:" .github/workflows/push-trigger.yml

echo
echo "== Confirm snapshot versions currently used in repo =="
# rg takes glob filters via -g, not a quoted '**/pom.xml' path argument (which it would treat as a missing file)
rg -n -g 'pom.xml' "<version>.*-SNAPSHOT</version>"

Repository: mosip/esignet

Length of output: 3738


Both publish jobs use RELEASE_URL while allowing SNAPSHOT versions on non-release branches.

Line 109 publishes to release URL on any non-master branch (excluding PRs). Line 240 publishes to release URL while explicitly excluding actual release events. With SNAPSHOT versions in the codebase (1.8.0-SNAPSHOT), this risks publishing development builds to production endpoints or failures from release URL rejecting snapshots. Tighten job conditions to gate publish jobs by release context, or use conditional URL selection based on version/branch.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/push-trigger.yml at line 117, Both publish jobs currently
set OSSRH_URL to secrets.RELEASE_URL unconditionally, risking snapshot/dev
builds being pushed to release endpoint; update the publish job definitions in
push-trigger.yml that set OSSRH_URL to instead: 1) gate the job with a
release-only condition (e.g., if: github.event_name == 'release' || github.ref
== 'refs/heads/master') or 2) choose the URL based on the artifact
version/branch (use secrets.RELEASE_URL for real releases and a separate
secrets.SNAPSHOT_URL for -SNAPSHOT builds or non-release branches). Locate the
places that assign OSSRH_URL (the lines using OSSRH_URL: ${{ secrets.RELEASE_URL
}}) and modify the job conditions or replace the value with a conditional
expression that checks release context or version suffix to select RELEASE_URL
vs SNAPSHOT_URL.

Author
suggest fix?



@NidhiKumari0201, here's a concrete fix. The core problem is:

  • publish_to_nexus_apitest_esignet already excludes release events in its if: condition, yet uses RELEASE_URL — so SNAPSHOT artifacts would hit a release endpoint on every develop push.
  • publish_to_nexus runs on non-master non-PR branches (including develop with SNAPSHOT versions), same issue.

Since GitHub Actions doesn't allow conditional secret selection inline in secrets: blocks of reusable workflow calls, the cleanest approach is to split each publish job into two — one for release, one for snapshots — with appropriate conditions:

  # ── Release publish (triggered only on GitHub release events) ──────────────
  publish_to_nexus:
    if: "${{ github.event_name == 'release' }}"
    needs: build_maven_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.RELEASE_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

  # ── Snapshot publish (develop / feature branches, not PRs, not releases) ───
  publish_snapshot_to_nexus:
    if: "${{ !contains(github.ref, 'master') && github.event_name != 'pull_request' && github.event_name != 'release' }}"
    needs: build_maven_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

  # ── Release publish for api-test (only on release events) ──────────────────
  publish_to_nexus_apitest_esignet:
    if: "${{ github.event_name == 'release' }}"
    needs: build_maven_apitest_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./api-test
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.RELEASE_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

  # ── Snapshot publish for api-test (develop / feature branches) ─────────────
  publish_snapshot_to_nexus_apitest_esignet:
    if: "${{ !contains(github.ref, 'master') && github.event_name != 'pull_request' && github.event_name != 'release' }}"
    needs: build_maven_apitest_esignet
    uses: mosip/kattu/.github/workflows/maven-publish-to-nexus.yml@master-java21
    with:
      SERVICE_LOCATION: ./api-test
    secrets:
      OSSRH_USER: ${{ secrets.OSSRH_USER }}
      OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
      OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
      GPG_SECRET: ${{ secrets.GPG_SECRET }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

Note: Also update the build_dockers_esignet_with_plugins job's needs: array — it currently depends on publish_to_nexus. After the split, change it to:

needs: [build_maven_esignet_with_plugins, check_snapshot_version, publish_to_nexus, publish_snapshot_to_nexus]

Summary of the fix:

Job                                        Condition                        URL used
publish_to_nexus                           event == release                 RELEASE_URL
publish_snapshot_to_nexus                  non-master, non-PR, non-release  OSSRH_SNAPSHOT_URL
publish_to_nexus_apitest_esignet           event == release                 RELEASE_URL
publish_snapshot_to_nexus_apitest_esignet  non-master, non-PR, non-release  OSSRH_SNAPSHOT_URL
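The version-suffix selection that the first review comment proposes as an alternative to splitting the jobs, written out as an added example; this is not code from the PR or from the mosip/kattu reusable workflow. The function name, the sample URLs and the choice to treat a push to refs/heads/master as a release context are assumptions; it refuses (non-zero exit) any combination that would send a -SNAPSHOT build to the release repository or a release build to a non-release branch.

```shell
# Added example (not part of the PR): pick the Nexus/OSSRH target from the
# artifact version and the GitHub event, and fail closed on any mismatch.
# In a real workflow step the arguments would come from
# `mvn help:evaluate -Dexpression=project.version -DforceStdout`,
# $GITHUB_EVENT_NAME, $GITHUB_REF and the two URL secrets.
set -eu

# Usage: select_ossrh_url VERSION EVENT_NAME REF RELEASE_URL SNAPSHOT_URL
# Prints the URL to use; returns 1 (message on stderr) when the build must
# not publish at all.
select_ossrh_url() {
  version="$1"; event_name="$2"; ref="$3"; release_url="$4"; snapshot_url="$5"
  if [ "$event_name" = pull_request ]; then
    echo "refusing to publish from a pull_request event" >&2
    return 1
  fi
  case "$version" in
    *-SNAPSHOT)
      # Development build: only ever to the snapshot repository, and never
      # from a release event (a release with a snapshot version is a mistake).
      if [ "$event_name" = release ]; then
        echo "refusing: release event with snapshot version $version" >&2
        return 1
      fi
      printf '%s\n' "$snapshot_url"
      return 0 ;;
  esac
  # Non-snapshot version: release repository, but only in a release context
  # (assumption: a release event or a push to master counts as one).
  if [ "$event_name" = release ] || [ "$ref" = refs/heads/master ]; then
    printf '%s\n' "$release_url"
    return 0
  fi
  echo "refusing: release version $version outside release context ($event_name on $ref)" >&2
  return 1
}

# Constructed sample: a develop push of 1.8.0-SNAPSHOT (the version cited in
# the review thread) is routed to the snapshot repository.
select_ossrh_url "1.8.0-SNAPSHOT" push refs/heads/develop \
  "https://example.invalid/releases" "https://example.invalid/snapshots"
```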

OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
GPG_SECRET: ${{ secrets.GPG_SECRET }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
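Review bot: the only changed line in this hunk is `OSSRH_URL` (diff line 117), which now reads `secrets.RELEASE_URL`, while the job's `if:` condition is untouched; the branch filter that previously fed the snapshot repository therefore now feeds the release one, and with `1.8.0-SNAPSHOT` in the tree a develop push would deploy a snapshot to the release endpoint or be rejected by it. Either gate this job on `github.event_name == 'release'` or keep `OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}` here and add a separate release-gated job, as the thread above sketches.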
@@ -245,7 +245,7 @@ jobs:
secrets:
OSSRH_USER: ${{ secrets.OSSRH_USER }}
OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
OSSRH_URL: ${{ secrets.RELEASE_URL }}
OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
GPG_SECRET: ${{ secrets.GPG_SECRET }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
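Review bot: same problem at the second job's `secrets:` block (diff line 248): the URL moves to `secrets.RELEASE_URL` while the job's `if:` is unchanged, and per the analysis above this job explicitly excludes release events, so after this change it can only ever push non-release builds to the release URL. Keep `OSSRH_SNAPSHOT_URL` in this hunk and add a release-gated job instead.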
41 changes: 41 additions & 0 deletions esignet-service/pom.xml
@@ -19,6 +19,8 @@

<properties>
<spring-cloud.version>2023.0.6</spring-cloud.version>
<maven.deploy.plugin.version>3.1.1</maven.deploy.plugin.version>
<central.publishing.maven.plugin.version>0.7.0</central.publishing.maven.plugin.version>
</properties>

<dependencies>
@@ -109,6 +111,45 @@
</execution>
</executions>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>${maven.deploy.plugin.version}</version>
<configuration>
<skip>true</skip>
</configuration>
<executions>
<execution>
<id>default-deploy</id>
<phase>none</phase>
<goals>
<goal>deploy</goal>
</goals>
<configuration>
<skip>true</skip>
</configuration>
</execution>
</executions>
</plugin>
Comment on lines +114 to +132


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Inspect external reusable workflow =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/master-java21/.github/workflows/maven-publish-to-nexus.yml \
  | nl -ba | sed -n '1,260p'

echo
echo "== Find Maven publish command + deploy skip override presence =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/master-java21/.github/workflows/maven-publish-to-nexus.yml \
  | rg -n "mvn|deploy|central-publishing|maven.deploy.skip|OSSRH_URL|settings.xml"

Repository: mosip/esignet

Length of output: 188


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Fetching external reusable workflow =="
WORKFLOW=$(curl -fsSL https://raw.githubusercontent.com/mosip/kattu/master-java21/.github/workflows/maven-publish-to-nexus.yml)

if [ -z "$WORKFLOW" ]; then
  echo "Failed to fetch workflow. Trying alternative path..."
  curl -fsSL https://raw.githubusercontent.com/mosip/kattu/refs/heads/master-java21/.github/workflows/maven-publish-to-nexus.yml 2>&1 | head -50
  exit 1
fi

echo "$WORKFLOW" | head -100

echo
echo "== Searching for Maven deploy invocations =="
echo "$WORKFLOW" | grep -n "mvn\|deploy\|central-publishing\|maven.deploy\|OSSRH\|settings" || echo "(no matches found)"

echo
echo "== Full workflow content (first 300 lines) =="
echo "$WORKFLOW" | head -300

Repository: mosip/esignet

Length of output: 10169


maven-deploy-plugin skip configuration blocks release publishing—the maven-publish-to-nexus workflow will fail.

The reusable workflow calls mvn deploy explicitly (line 68 of maven-publish-to-nexus.yml) without overriding the deploy skip flag. However, line 118 of pom.xml sets plugin-level <skip>true</skip>, which suppresses the deploy plugin unconditionally. This prevents any release deployment to Nexus, regardless of the workflow's intent.

To fix, remove both the plugin-level <skip>true</skip> (line 118) and the execution-level <skip>true</skip> (line 131). Keep <phase>none</phase> (line 123) to prevent automatic lifecycle deploy on develop:

Required fix
 <plugin>
   <artifactId>maven-deploy-plugin</artifactId>
   <version>${maven.deploy.plugin.version}</version>
-  <configuration>
-    <skip>true</skip>
-  </configuration>
   <executions>
     <execution>
       <id>default-deploy</id>
       <phase>none</phase>
       <goals>
         <goal>deploy</goal>
       </goals>
-      <configuration>
-        <skip>true</skip>
-      </configuration>
     </execution>
   </executions>
 </plugin>
📝 Committable suggestion


Suggested change
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>${maven.deploy.plugin.version}</version>
<configuration>
<skip>true</skip>
</configuration>
<executions>
<execution>
<id>default-deploy</id>
<phase>none</phase>
<goals>
<goal>deploy</goal>
</goals>
<configuration>
<skip>true</skip>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>${maven.deploy.plugin.version}</version>
<executions>
<execution>
<id>default-deploy</id>
<phase>none</phase>
<goals>
<goal>deploy</goal>
</goals>
</execution>
</executions>
</plugin>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@esignet-service/pom.xml` around lines 114 - 132, Remove the unconditional
skip settings on the maven-deploy-plugin so the reusable workflow can run mvn
deploy: delete the plugin-level <skip>true</skip> and the execution-level
<skip>true</skip> in the maven-deploy-plugin configuration (leave the
<phase>none</phase> and the <execution id="default-deploy"> block intact to
avoid automatic lifecycle deploy); ensure the plugin artifactId
"maven-deploy-plugin" and the execution with id "default-deploy" remain but no
longer contain any <skip>true</skip> entries.

<plugin>
<groupId>org.sonatype.central</groupId>
<artifactId>central-publishing-maven-plugin</artifactId>
<version>${central.publishing.maven.plugin.version}</version>
<extensions>true</extensions>
<executions>
<execution>
<id>default-publish</id>
<phase>none</phase>
<goals>
<goal>publish</goal>
</goals>
</execution>
</executions>
<configuration>
<publishingServerId>ossrh</publishingServerId>
<autoPublish>false</autoPublish> <!-- do NOT auto publish after staging -->
</configuration>
</plugin>

</plugins>
</build>
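Review bot: taken together, this hunk binds nothing to the deploy phase: `maven-deploy-plugin` carries `<skip>true</skip>` at both plugin and execution level, and the `central-publishing-maven-plugin` execution `default-publish` is pinned to `<phase>none</phase>`. A plain `mvn deploy`, which the analysis above reports the reusable maven-publish-to-nexus workflow runs, will then publish nothing unless that workflow also invokes `central-publishing:publish` explicitly (the analysis mentions only `mvn deploy`). Drop the two `<skip>true</skip>` entries as suggested, or bind the publish execution to `deploy` under a release profile, and verify on a release tag that something actually reaches the repository. Two further points: `<publishingServerId>ossrh</publishingServerId>` has to match a `<server>` id in the settings.xml the workflow supplies, and `<autoPublish>false</autoPublish>` leaves every release staged until someone publishes it manually, which should be documented for whoever cuts releases.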
