-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use a newer Maven version for CD workflow #36
Comments
See jenkins-infra/jenkins-security-scan#32 (a different fix for the same issue) for comparison. I am not implying that one solution is better or worse than another, but rather I am mentioning the alternative for completeness. |
The action mentioned there looks more convenient. On the other hand the |
Neither proposed solution seems to do checksum verification of the downloaded Maven binary, which is concerning to me. |
Does it matter, if the tarball is downloaded via HTTPS from an official mirror? Admittedly it puts less burden on mirrors to use HTTP for the download. |
Only if the underlying storage is unreliable, but I have seen that several times throughout my career. |
I'd have pinned upstream hash, but doing it ourselves makes sense to me. No outsized review burden for dependency updates. |
Lazy consensus decisionWe would like this task to be implemented in both
|
FWIW I have also requested the maven version to be updated on the runners in actions/runner-images#10715, maybe we can wait a little? |
Not sure if it will happen anytime soon. From what I see is that Maven 3.9.0 cannot publish to GH Maven packages due to authentication: https://github.com/orgs/community/discussions/49001 It only works by changing the resolver transport |
Yes but that was resolved in 3.9.1 so hopefully a non issue now |
I'm not 100% sure. Last time I was testing with 3.9.9 a SNAPSHOT deploy I got
Like the authorization is completly ignored My only solution was to fallback on |
I tried now and it worked fine:
|
#37 seems to work. I do not think we need to wait for the official runner to update; anyway we may prefer going forward to retain tighter control over the version. |
github-reusable-workflows/.github/workflows/maven-cd.yml
Line 84 in 4f9dc4e
The text was updated successfully, but these errors were encountered: