fix: PR checks fail after actions/checkout@v6 -> v7 #969

Open. Sh1bari wants to merge 1 commit into a2aproject:main from Sh1bari:fix/PR-checks-fix

@Sh1bari commented Jul 4, 2026 (Contributor)

Summary:

  • Replaced the previous workflow_run-based release profile check with a regular workflow that runs directly on pull_request, push to main, and workflow_dispatch.
  • PRs now verify the build with -P release, but without access to GPG keys or Maven Central credentials.
  • Added safe PR-check parameters: -Dgpg.skip=true and -Drelease.auto.publish=false.

Why:
After upgrading actions/checkout to v7, checking out fork PR code from a privileged workflow_run context is blocked as unsafe. The old workflow executed untrusted PR code while repository secrets were available, which created a pwn-request risk.

This change keeps release profile validation for PRs while making it safe for fork PRs. Real GPG signing and Maven Central publishing are still verified by the release workflow during an actual release.
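
An added example (not part of this PR or the project's workflows): a small text heuristic that flags the pattern described above, a privileged `workflow_run` or `pull_request_target` workflow that checks out PR-controlled code, and lists the secrets that code could reach. Both workflow samples, including the job and secret names, are constructed for illustration; only the Maven flags come from the PR description.

```python
import re

# Triggers that run in the base repository's context, where secrets are available.
PRIVILEGED = re.compile(r"^\s*(workflow_run|pull_request_target)\s*:", re.M)
# ref:/repository: inputs that resolve to code chosen by the PR author.
UNTRUSTED_REF = re.compile(r"^\s*(?:ref|repository)\s*:.*\$\{\{\s*github\.event\."
                           r"(?:workflow_run\.head_|pull_request\.head\.)", re.M)
# Any secret other than the automatically scoped GITHUB_TOKEN.
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)(\w+)")

def audit_workflow(text):
    """Text heuristic, not a YAML parser: privileged trigger + checkout of PR code."""
    triggers = sorted(set(PRIVILEGED.findall(text)))
    if not triggers or not UNTRUSTED_REF.search(text):
        return []
    findings = [f"{'/'.join(triggers)} workflow checks out PR-controlled code"]
    secrets = sorted(set(SECRET_USE.findall(text)))
    if secrets:
        findings.append("secrets exposed to that code: " + ", ".join(secrets))
    return findings

# Constructed, trimmed samples; workflow, job and secret names are illustrative.
OLD_STYLE = """
on:
  workflow_run:
    workflows: ["Build"]
jobs:
  release-profile:
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - run: mvn -B verify -P release
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
"""
NEW_STYLE = """
on:
  pull_request:
  push: {branches: [main]}
  workflow_dispatch:
jobs:
  release-profile:
    steps:
      - uses: actions/checkout@v7
      - run: mvn -B verify -P release -Dgpg.skip=true -Drelease.auto.publish=false
"""

for name, wf in (("old", OLD_STYLE), ("new", NEW_STYLE)):
    print(name, audit_workflow(wf) or "no pwn-request pattern found")
```

The trigger pattern only matches the mapping form of `on:` (one trigger per line), so workflows that use the list or scalar form need a real YAML parser.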

@gemini-code-assist (bot) left a comment (Contributor)

Code Review

This pull request updates the RELEASE.md documentation to reflect changes in the build-with-release-profile.yml workflow, clarifying that it runs without GPG or Maven Central secrets. The review feedback suggests a minor formatting correction to change '-P release' to '-Prelease' for consistency with other references in the document.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread RELEASE.md
- ✅ No compilation or test failures

**Important**: This workflow tests the actual PR branch (not main) to catch issues before merge.
**Important**: This workflow runs as a normal PR/push check and verifies that the project builds with `-P release` without using release secrets.
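
Review bot: The replacement **Important** line in RELEASE.md does not say what this check leaves out. It states that the build runs with `-P release` "without using release secrets", but it drops the earlier statement that the workflow tests the actual PR branch, and it never mentions that GPG signing and Maven Central publishing are skipped. Suggest naming the two flags the check relies on (-Dgpg.skip=true and -Drelease.auto.publish=false) and adding that signing and publishing are only verified by the release workflow, so a green PR check is not read as proof that a release will succeed.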

medium

For consistency with other references in this document (such as lines 83, 120, and 252), -P release should be written as -Prelease without the space.

Suggested change
**Important**: This workflow runs as a normal PR/push check and verifies that the project builds with `-P release` without using release secrets.
**Important**: This workflow runs as a normal PR/push check and verifies that the project builds with -Prelease without using release secrets.
