merge workflows "build" and "publishX" #342

Merged: infeo merged 3 commits into develop from feature/refactor-ci on Mar 5, 2026


@infeo infeo commented Mar 4, 2026

align repository CI with other repos like cryptolib

@infeo infeo self-assigned this Mar 4, 2026
@infeo infeo added this to the 2.10.0 milestone Mar 4, 2026

coderabbitai bot commented Mar 4, 2026

Warning

Rate limit exceeded

@infeo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 58 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e4536986-f430-425c-9886-371e602c02ca

📥 Commits

Reviewing files that changed from the base of the PR and between 6f2f6c0 and c0856f5.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Walkthrough

This pull request consolidates and restructures the GitHub Actions CI/CD pipeline by integrating two separate publishing workflows into the main build workflow. The .github/workflows/build.yml file is enhanced with three new top-level jobs (deploy-central, deploy-github, and release) to handle Maven Central deployment, GitHub Packages deployment, and GitHub Release creation respectively. The build job is augmented with SHA256 checksum calculation and attestation step updates. Job-level permissions are refined to enforce least-privilege access (contents: read for build, id-token: write and attestations: write for attestations). The separate .github/workflows/publish-central.yml and .github/workflows/publish-github.yml files are deleted as their functionality is now integrated into the main workflow. Release notes are expanded to include changelog sections, Maven coordinates, and computed artifact checksums.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description check | ✅ Passed | The description 'align repository CI with other repos like cryptolib' is related to the changeset and explains the motivation for merging the workflows to match the CI setup in cryptolib. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title accurately summarizes the main change: merging build and publish workflows into a single unified workflow. |



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

91-99: Consider extracting deploy prechecks to a shared unit.

Both deploy jobs duplicate the same tagged-version and -SNAPSHOT validation logic. A reusable workflow/composite step would reduce drift and maintenance cost.

Also applies to: 124-131

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 91 - 99, Extract the duplicated
precheck steps ("Enforce to use tagged version" and "Verify project version is
-SNAPSHOT") into a shared unit (either a reusable workflow or a composite
action) and replace the inline blocks in both deploy jobs with a single call to
that unit; move the logic that runs ./mvnw versions:set
-DnewVersion="${GITHUB_REF##*/}" and the PROJECT_VERSION check (./mvnw
help:evaluate and the test on "-SNAPSHOT") into the shared file, expose any
needed inputs (e.g., GITHUB_REF) and outputs, and update both places that
currently contain those steps to call the new reusable workflow/composite step
(using uses: ./.github/workflows/<name>.yml or uses: ./github/actions/<name>) so
the check is maintained in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 15-17: The permissions block for the GitHub Actions workflow is
missing the required "artifact-metadata: write" permission for
actions/attest@v4; update the permissions list in the workflow's permissions
block (the same block that contains "contents: read", "id-token: write", and
"attestations: write") to include "artifact-metadata: write" so the attestations
step can create the artifact storage record and succeed on tag builds.

---

Nitpick comments:
In @.github/workflows/build.yml:
- Around line 91-99: Extract the duplicated precheck steps ("Enforce to use
tagged version" and "Verify project version is -SNAPSHOT") into a shared unit
(either a reusable workflow or a composite action) and replace the inline blocks
in both deploy jobs with a single call to that unit; move the logic that runs
./mvnw versions:set -DnewVersion="${GITHUB_REF##*/}" and the PROJECT_VERSION
check (./mvnw help:evaluate and the test on "-SNAPSHOT") into the shared file,
expose any needed inputs (e.g., GITHUB_REF) and outputs, and update both places
that currently contain those steps to call the new reusable workflow/composite
step (using uses: ./.github/workflows/<name>.yml or uses:
./github/actions/<name>) so the check is maintained in one place.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e5a45de1-f984-4d0a-ae8f-3b152b88cd44

📥 Commits

Reviewing files that changed from the base of the PR and between e48461c and 6f2f6c0.

📒 Files selected for processing (3)
  • .github/workflows/build.yml
  • .github/workflows/publish-central.yml
  • .github/workflows/publish-github.yml
💤 Files with no reviewable changes (2)
  • .github/workflows/publish-central.yml
  • .github/workflows/publish-github.yml
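
One way the duplicated deploy precheck from the nitpick above could be kept in a single place, as an added example that is not the project's workflow code. The function name `deploy_version`, the rule that tag builds publish the tag name while every other ref must carry a `-SNAPSHOT` version, and the sample refs in the comments are assumptions; the page only names the two steps and the commands they run.

```shell
#!/bin/sh
# Shared deploy precheck (added example, not code from the repository).
# Assumed policy: a tag ref publishes the tag name as the release version;
# any other ref may only publish a project version ending in -SNAPSHOT.
#
# Assumed use in a workflow step (both deploy jobs would call the same script):
#   PROJECT_VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
#   VERSION=$(deploy_version "$GITHUB_REF" "$PROJECT_VERSION") || exit 1
#   ./mvnw versions:set -DnewVersion="$VERSION"

# deploy_version REF PROJECT_VERSION
# Prints the version to publish; returns non-zero if the precheck fails.
deploy_version() {
  case "$1" in
    refs/tags/*)
      # Same expansion as the workflow: drop everything up to the last '/'.
      # Note that refs/tags/release/2.10.0 therefore yields 2.10.0.
      tag="${1##*/}"
      # An empty tag name must never reach versions:set.
      [ -n "$tag" ] || return 1
      # A tag named like a snapshot would publish a snapshot as a release.
      case "$tag" in
        *-SNAPSHOT) return 1 ;;
      esac
      printf '%s\n' "$tag"
      ;;
    *)
      # Non-tag builds: refuse anything that is not a snapshot version.
      case "$2" in
        *-SNAPSHOT) printf '%s\n' "$2" ;;
        *) return 1 ;;
      esac
      ;;
  esac
}
```

Because `${GITHUB_REF##*/}` keeps only the last path segment, a tag namespace containing slashes is silently flattened; a stricter precheck would reject such refs instead.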

@infeo infeo changed the title merge build and publish workflows merge workflows "build" and "publishX" Mar 5, 2026
@infeo infeo merged commit bb74d13 into develop Mar 5, 2026
11 checks passed
@infeo infeo deleted the feature/refactor-ci branch March 5, 2026 15:49