fix(ci): ship the prebuilt Maven extension jar instead of building it at release #1387
Open
Jeppe Fredsgaard Blaabjerg (jfblaa) wants to merge 1 commit into SocketDev/socket-cli:v1.x from SocketDev/socket-cli:jfblaa/commit-maven-extension-jar
…at release

The release runs behind Socket Firewall, which intercepts the Maven wrapper's download of Maven (and the extension's plugin dependencies) and fails the build, so the jar cannot be compiled during the publish workflow. Commit the shaded jar and drop the build:maven-extension step from provenance.yml. Rebuild the jar locally with build-jar.sh after changing the extension source; the dist build copies the committed jar and still fails closed if it is missing.
Summary
The release (provenance.yml) failed at the Maven-extension jar build step. The release runs behind Socket Firewall, which intercepts the Maven wrapper's download of Maven itself (and the extension's plugin dependencies) and fails the request — so the jar cannot be compiled during the publish workflow. Pre-installing a JDK doesn't help, because the plugin dependencies still need to be fetched through the firewall.

This commits the prebuilt shaded jar so the published package ships it with no build-time network fetch:
- coana-maven-extension.jar (built locally via build-jar.sh, Java 8 bytecode, self-contained shade jar).
- build:maven-extension step from provenance.yml.
- dist/manifest-scripts and fails closed if it is ever missing from a published build.

Rebuild and recommit the jar with pnpm run build:maven-extension after changing the extension source.

Note
The fail-closed ordering worked as intended: the jar-build step failed before publish, so no jarless package shipped.
Note
Medium Risk
Shipping a committed binary shifts trust to manual rebuilds when Java sources change; release behavior is safer (no silent empty Maven SBOM) but stale jars are possible if contributors forget build-jar.sh.

Overview
Release publish was failing because Socket Firewall blocks the Maven wrapper and plugin dependency downloads during build:maven-extension, so the shaded jar cannot be built inside provenance.yml.

This PR vendors the prebuilt coana-maven-extension.jar in the repo (stop ignoring it in maven-extension/.gitignore) and removes the release workflow’s jar build step. The dist rollup step still copies the jar into dist/manifest-scripts and errors on published builds if it is missing; docs in build-jar.sh and rollup comments now say to refresh the committed jar locally after extension source changes.

Reviewed by Cursor Bugbot for commit ba2d3ed.
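
One way to catch the stale-jar risk noted above, as an added example that is not part of the PR or the socket-cli repository: a shell gate that fails closed unless the committed jar exists and a recorded digest of the extension sources still matches. The `.srcsha256` sidecar file, the function names and the `--check` argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical): staleness gate for a vendored, prebuilt jar.
# Assumption: whoever rebuilds the jar also runs record_jar_sources, which
# writes "<jar>.srcsha256"; that sidecar file is not part of the PR.
# src_dir must contain only the extension sources, not the jar itself.

# Print one SHA-256 covering every file path and content under src_dir.
source_digest() {
  local src_dir="$1"
  (cd "$src_dir" && find . -type f -print0 | LC_ALL=C sort -z |
    xargs -0 sha256sum) | sha256sum | cut -d' ' -f1
}

# Run after rebuilding: record which sources the jar was built from.
record_jar_sources() {
  local src_dir="$1" jar="$2"
  [ -s "$jar" ] || { echo "error: $jar missing or empty" >&2; return 1; }
  source_digest "$src_dir" > "$jar.srcsha256"
}

# CI gate. Returns 0 only when jar and sources agree; fails closed otherwise:
#   1 = jar missing/empty, 2 = no recorded digest, 3 = sources drifted.
check_vendored_jar() {
  local src_dir="$1" jar="$2" recorded current
  [ -s "$jar" ] || { echo "error: $jar missing or empty" >&2; return 1; }
  [ -s "$jar.srcsha256" ] || {
    echo "error: no source digest recorded for $jar" >&2; return 2; }
  recorded=$(cat "$jar.srcsha256")
  current=$(source_digest "$src_dir")
  if [ "$recorded" != "$current" ]; then
    echo "error: sources changed since $jar was built; rebuild and recommit" >&2
    return 3
  fi
}

# Usage: script --check <src_dir> <jar>   (exit status is the gate result)
if [ "${1:-}" = "--check" ]; then
  check_vendored_jar "$2" "$3"
fi
```

Because the digest covers file paths as well as contents, adding or renaming a source file also trips the gate, not only editing one.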