fix(ci): ship the prebuilt Maven extension jar instead of building it at release #1387

Closed
Jeppe Fredsgaard Blaabjerg (jfblaa) wants to merge 1 commit into v1.x from jfblaa/commit-maven-extension-jar

Jeppe Fredsgaard Blaabjerg (jfblaa), Contributor, commented Jun 30, 2026

Summary

The release (provenance.yml) failed at the Maven-extension jar build step. The release runs behind Socket Firewall, which intercepts the Maven wrapper's download of Maven itself (and the extension's plugin dependencies) and fails the request — so the jar cannot be compiled during the publish workflow. Pre-installing a JDK doesn't help, because the plugin dependencies still need to be fetched through the firewall.

This commits the prebuilt shaded jar so the published package ships it with no build-time network fetch:

  • Track coana-maven-extension.jar (built locally via build-jar.sh, Java 8 bytecode, self-contained shade jar).
  • Drop the build:maven-extension step from provenance.yml.
  • The dist build still copies the jar into dist/manifest-scripts and fails closed if it is ever missing from a published build.

Rebuild and recommit the jar with pnpm run build:maven-extension after changing the extension source.

Note

The fail-closed ordering worked as intended: the jar-build step failed before publish, so no jarless package shipped.


Note

Medium Risk
Shipping a committed binary shifts trust to manual rebuilds when Java sources change; release behavior is safer (no silent empty Maven SBOM) but stale jars are possible if contributors forget build-jar.sh.

Overview
Release publish was failing because Socket Firewall blocks the Maven wrapper and plugin dependency downloads during build:maven-extension, so the shaded jar cannot be built inside provenance.yml.

This PR vendors the prebuilt coana-maven-extension.jar in the repo (stop ignoring it in maven-extension/.gitignore) and removes the release workflow’s jar build step. The dist rollup step still copies the jar into dist/manifest-scripts and errors on published builds if it is missing; docs in build-jar.sh and rollup comments now say to refresh the committed jar locally after extension source changes.

Reviewed by Cursor Bugbot for commit ba2d3ed.

…at release

The release runs behind Socket Firewall, which intercepts the Maven wrapper's
download of Maven (and the extension's plugin dependencies) and fails the build,
so the jar cannot be compiled during the publish workflow. Commit the shaded jar
and drop the build:maven-extension step from provenance.yml. Rebuild the jar
locally with build-jar.sh after changing the extension source; the dist build
copies the committed jar and still fails closed if it is missing.
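
A committed binary like the jar described in this PR can be checked before publish. The following is an added example, not code from this pull request or the project: a stand-alone Python check that fails closed when a jar is missing, is not a valid archive, or contains classes newer than Java 8 bytecode (class-file major version 52). The names `check_jar` and `make_sample_jar`, and the decision to skip multi-release overlays and module descriptors, are assumptions of this example.

```python
import struct
import sys
import tempfile
import zipfile
from pathlib import Path

JAVA8_MAJOR = 52  # class-file major version produced by a Java 8 target


def check_jar(path, max_major=JAVA8_MAJOR):
    """Return a list of problems; an empty list means the jar may ship."""
    path = Path(path)
    if not path.is_file():
        return [f"{path.name}: missing"]
    if not zipfile.is_zipfile(path):
        return [f"{path.name}: not a zip archive"]
    problems, classes = [], 0
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            # Assumption: Java 8 ignores multi-release overlays and module descriptors.
            if (not name.endswith(".class") or name.startswith("META-INF/versions/")
                    or name.endswith("module-info.class")):
                continue
            classes += 1
            header = jar.read(name)[:8]  # magic(4) + minor(2) + major(2)
            if len(header) < 8 or header[:4] != b"\xca\xfe\xba\xbe":
                problems.append(f"{name}: not a class file")
                continue
            major = struct.unpack(">H", header[6:8])[0]
            if major > max_major:
                problems.append(f"{name}: major version {major} > {max_major}")
    if classes == 0:
        problems.append(f"{path.name}: contains no classes")
    return problems


def make_sample_jar(path, entries):
    """Write a constructed jar; entries maps entry name -> class major version."""
    with zipfile.ZipFile(path, "w") as jar:
        for name, major in entries.items():
            jar.writestr(name, b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # default input: constructed sample
        sample = Path(tmp) / "sample.jar"
        make_sample_jar(sample, {"com/example/Ext.class": 52})
        found = check_jar(sys.argv[1] if len(sys.argv) > 1 else sample)
    sys.exit("\n".join(found) if found else 0)  # non-zero exit blocks the publish
```

Run with a jar path as the only argument; a non-zero exit lists each problem on stderr. This check does not detect a jar that is stale relative to the extension source.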