fix: PR checks fail after actions/checkout@v6 -> v7#969
Conversation
There was a problem hiding this comment.
Code Review
This pull request updates the RELEASE.md documentation to reflect changes in the build-with-release-profile.yml workflow, clarifying that it runs without GPG or Maven Central secrets. The review feedback suggests a minor formatting correction to change '-P release' to '-Prelease' for consistency with other references in the document.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| - ✅ No compilation or test failures | ||
|
|
||
| **Important**: This workflow tests the actual PR branch (not main) to catch issues before merge. | ||
| **Important**: This workflow runs as a normal PR/push check and verifies that the project builds with `-P release` without using release secrets. |
There was a problem hiding this comment.
For consistency with other references in this document (such as lines 83, 120, and 252), -P release should be written as -Prelease without the space.
| **Important**: This workflow runs as a normal PR/push check and verifies that the project builds with `-P release` without using release secrets. | |
| **Important**: This workflow runs as a normal PR/push check and verifies that the project builds with -Prelease without using release secrets. |
Summary:
-P release, but without access to GPG keys or Maven Central credentials.-Dgpg.skip=trueand-Drelease.auto.publish=false.Why:
After upgrading
actions/checkoutto v7, checking out fork PR code from a privileged workflow_run context is blocked as unsafe. The old workflow executed untrusted PR code while repository secrets were available, which created a pwn-request risk.This change keeps release profile validation for PRs while making it safe for fork PRs. Real GPG signing and Maven Central publishing are still verified by the release workflow during an actual release.