From 0b8429c8596b328c200f6bbc9b9aa39063580e47 Mon Sep 17 00:00:00 2001 From: Adrian Kuta Date: Sun, 7 Jun 2026 23:25:55 +0200 Subject: [PATCH] ci: cache Gradle, harden permissions, fix test triggers (#45) - Add gradle/actions/setup-gradle caching to all three workflows - test.yml: trigger on pull_request + push to master (was branches-ignore: master), so PRs from forks are covered and master is verified after merge; add least-privilege permissions and PR-only concurrency - publishRelease.yml: drop unused 'secrets: inherit' and the dead SNAPSHOT env var (Gradle reads the snapshot project property, not a plain env var); add contents: read permissions; fix the misleading Maven Central comment (upload only stages on Central Portal, the final Publish is manual) - docs.yml: add Gradle caching --- .github/workflows/docs.yml | 2 ++ .github/workflows/publishRelease.yml | 10 +++++++--- .github/workflows/test.yml | 12 +++++++++++- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 2a0607f..2647aa1 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -26,6 +26,8 @@ jobs: with: distribution: temurin java-version: '21' + - name: Set up Gradle + uses: gradle/actions/setup-gradle@v4 - name: Generate API docs run: ./gradlew :dokkaGeneratePublicationHtml --console=plain - name: Upload Pages artifact diff --git a/.github/workflows/publishRelease.yml b/.github/workflows/publishRelease.yml index 1892647..68b2dbe 100644 --- a/.github/workflows/publishRelease.yml +++ b/.github/workflows/publishRelease.yml @@ -5,11 +5,12 @@ on: # We'll run this workflow when a new GitHub release is created types: [released] +permissions: + contents: read jobs: test: uses: ./.github/workflows/test.yml - secrets: inherit publish: needs: test 
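Review bot: `uses: gradle/actions/setup-gradle@v4` in the docs.yml hunk references the action by a mutable tag, and the same line is added in the publishRelease.yml and test.yml hunks. In the publish job this action runs before the step that receives the Maven Central credentials and the signing key, so whatever `v4` resolves to at release time executes ahead of signing. Pin all three to a full commit SHA and keep the version as a trailing comment, e.g. `uses: gradle/actions/setup-gradle@<full-commit-sha> # v4.x.y`, with Dependabot or Renovate handling the bumps. The other steps of these jobs are outside the hunks, so it is not visible here whether the remaining actions are already pinned.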
@@ -24,8 +25,12 @@ jobs: with: distribution: temurin java-version: '21' + - name: Set up Gradle + uses: gradle/actions/setup-gradle@v4 - # Runs upload, and then closes & releases the repository + # Uploads & stages the release on Central Portal. The final "Publish" + # step is manual there, because build.gradle.kts sets + # publishToMavenCentral(automaticRelease = false). - name: Publish to MavenCentral run: ./gradlew publishToMavenCentral env: @@ -33,4 +38,3 @@ jobs: ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }} ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.SIGNING_KEY }} ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_PASSWORD }} - SNAPSHOT: false \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 46923ab..0b17b16 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,9 +2,17 @@ name: Test on: push: - branches-ignore: [master] + branches: [master] + pull_request: workflow_call: +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: test: name: ${{ matrix.name }} @@ -27,5 +35,7 @@ jobs: with: distribution: temurin java-version: '21' + - name: Set up Gradle + uses: gradle/actions/setup-gradle@v4 - name: Test run: ./gradlew ${{ matrix.tasks }} --console=plain
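Review bot: The `Set up Gradle` step added to the publish job enables the action's default caching in the one job that holds the signing key and the Central Portal credentials, so the release build may be assembled from Gradle state saved by an earlier run instead of from a clean checkout. For a job that signs and uploads artifacts a cold build is the safer trade: add `with:` and `cache-disabled: true` under this step (or at least `cache-read-only: true`), and keep caching in test.yml and docs.yml. The job header and checkout step are outside the hunk.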
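Review bot: The concurrency group `${{ github.workflow }}-${{ github.ref }}` in test.yml is shared by every push to master, and a group holds at most one running and one pending run, so even with `cancel-in-progress` false a third quick merge cancels the queued second one; master is then not verified after each merge as the description intends. When the file is invoked through `workflow_call`, the `github` context is the caller's, so the group resolves to the release workflow's name and tag ref, which would collide if publishRelease.yml ever gained the same group expression. Keying the group on the PR number with a run-id fallback keeps PR cancellation and makes every other run unique: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}` with `cancel-in-progress: true`.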