ci: cache Gradle, harden permissions, fix test triggers (#45)

- Add gradle/actions/setup-gradle caching to all three workflows
- test.yml: trigger on pull_request + push to master (was branches-ignore: master), so PRs from forks are covered and master is verified after merge; add least-privilege permissions and PR-only concurrency
- publishRelease.yml: drop unused 'secrets: inherit' and the dead SNAPSHOT env var (Gradle reads the snapshot project property, not a plain env var); add contents: read permissions; fix the misleading Maven Central comment (upload only stages on Central Portal, the final Publish is manual)
- docs.yml: add Gradle caching
2026-06-07 23:25:55 +02:00
committed by GitHub
parent f47fb091ec
commit 0b8429c859
3 changed files with 20 additions and 4 deletions


@@ -26,6 +26,8 @@ jobs:
with:
distribution: temurin
java-version: '21'
- name: Set up Gradle
uses: gradle/actions/setup-gradle@v4
- name: Generate API docs
run: ./gradlew :dokkaGeneratePublicationHtml --console=plain
- name: Upload Pages artifact
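Review bot: The added `Set up Gradle` step references `gradle/actions/setup-gradle@v4`, a mutable tag, so anyone able to move that tag changes the code this workflow executes. The same line is added in the other two workflow sections of this commit, including the publish job whose later step receives the signing key and the Maven Central credentials. Pin all three to a full commit SHA and keep the version as a trailing comment, e.g. `uses: gradle/actions/setup-gradle@<full-commit-sha>  # v4` (placeholder; take the SHA from the release you have reviewed). The job's other steps lie outside the hunk, so whether they are already pinned cannot be seen here.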


@@ -5,11 +5,12 @@ on:
# We'll run this workflow when a new GitHub release is created
types: [released]
permissions:
contents: read
jobs:
test:
uses: ./.github/workflows/test.yml
secrets: inherit
publish:
needs: test
@@ -24,8 +25,12 @@ jobs:
with:
distribution: temurin
java-version: '21'
- name: Set up Gradle
uses: gradle/actions/setup-gradle@v4
# Runs upload, and then closes & releases the repository
# Uploads & stages the release on Central Portal. The final "Publish"
# step is manual there, because build.gradle.kts sets
# publishToMavenCentral(automaticRelease = false).
- name: Publish to MavenCentral
run: ./gradlew publishToMavenCentral
env:
@@ -33,4 +38,3 @@ jobs:
ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.SIGNING_KEY }}
ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_PASSWORD }}
SNAPSHOT: false
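Review bot: In the publish job, the added `Set up Gradle` step turns on the action's caching for the one build that signs and stages release artifacts. That build can now start from Gradle state restored from earlier CI runs instead of from a clean checkout. For a release build I would switch the cache off on this step by adding `with:` and `cache-disabled: true` under the `uses:` line, accepting the slower run; the test and docs workflows can keep caching. The earlier steps of the job are outside the hunks shown, so any other source of restored state there is not visible.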


@@ -2,9 +2,17 @@ name: Test
on:
push:
branches-ignore: [master]
branches: [master]
pull_request:
workflow_call:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
test:
name: ${{ matrix.name }}
@@ -27,5 +35,7 @@ jobs:
with:
distribution: temurin
java-version: '21'
- name: Set up Gradle
uses: gradle/actions/setup-gradle@v4
- name: Test
run: ./gradlew ${{ matrix.tasks }} --console=plain
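Review bot: The `concurrency` group `${{ github.workflow }}-${{ github.ref }}` applies to every trigger, not only pull requests. Even with `cancel-in-progress` false, GitHub keeps only one pending run per group, so when several merges reach master in quick succession the queued runs for intermediate commits are cancelled and those commits are never tested. That works against the stated aim of verifying master after merge. Making the group unique outside pull requests avoids it, e.g. `group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }}`. When the workflow is entered through `workflow_call`, these contexts are the caller's, which deserves a one-line comment above the block.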