fix(ci): build the Maven extension jar outside the Socket Firewall shims #1390

Merged
Jeppe Fredsgaard Blaabjerg (jfblaa) merged 3 commits into v1.x from jfblaa/build-maven-extension-outside-sfw
Jul 1, 2026

@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) commented Jul 1, 2026

Summary

The release build failed at the Maven-extension jar step. Root cause: pnpm run build:maven-extension runs the whole build subtree (pnpm → bash → mvnw → wget) under Socket Firewall, which intercepts by shimming the package managers it wraps (npm/yarn/pnpm/pip/uv/cargo). sfw then proxies the Maven wrapper's download of Maven from Maven Central and fails on that non-package fetch.

The fix is a one-line change: invoke build-jar.sh directly rather than through pnpm run. bash/mvnw/wget aren't shimmed, so the Maven download runs outside the sfw-wrapped process tree and succeeds. The jar stays uncommitted and is still bundled into dist/manifest-scripts at build time.

Relationship to #1387

This is the lighter-touch alternative to #1387 (which commits the prebuilt jar). Preference is to land this if it builds green in the release, and keep #1387 as the fallback if the direct invocation still trips the firewall.


Note

Low Risk
Single workflow-step change with no runtime or auth impact; only affects how the release job builds an uncommitted jar.

Overview
Fixes release CI failures when building the Maven manifest extension jar by invoking build-jar.sh with bash instead of pnpm run build:maven-extension.

In the publish workflow, Socket Firewall shims pnpm, so the previous path nested mvnw/Maven Central downloads under sfw and broke on non-package fetches. Direct bash keeps that download outside the shimmed package-manager tree; JDK selection via JAVA_HOME_17_X64 is unchanged, and the jar still bundles into dist/manifest-scripts for publish.

Reviewed by Cursor Bugbot for commit 59f7e2a.

The release build failed because `pnpm run build:maven-extension` runs the whole
build subtree (pnpm -> bash -> mvnw -> wget) under Socket Firewall, which shims
the package managers it wraps. sfw then intercepts the Maven wrapper's download
of Maven from Maven Central and fails on that non-package fetch.

Invoke build-jar.sh directly instead. bash/mvnw/wget aren't shimmed, so the
Maven download runs outside the sfw-wrapped process tree and succeeds.

The standalone PR-time jar-build workflow doesn't run behind Socket Firewall, so
it never exercised the environment the release actually uses (and gave false
confidence). The jar is built in the release workflow and the version-compat
matrix runs locally via run-compat.sh, so drop it.
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) merged commit 48c4d3f into v1.x Jul 1, 2026
13 checks passed
@jfblaa Jeppe Fredsgaard Blaabjerg (jfblaa) deleted the jfblaa/build-maven-extension-outside-sfw branch July 1, 2026 08:36
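
The process-tree behaviour described in the PR summary and commit message, as an added shell example that is not part of the PR or of Socket Firewall: a constructed `pnpm` shim exports a hypothetical `DEMO_PROXY` marker, so a script started through it inherits the marker while the same script started with `bash` does not. How sfw actually routes traffic is an assumption here; only the shim-on-PATH shape comes from the page.

```shell
#!/usr/bin/env bash
# Constructed model of PATH-shim interception; not Socket Firewall's code.
# DEMO_PROXY and every file created here are hypothetical stand-ins.
set -eu
unset DEMO_PROXY

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir "$DEMO_DIR/shims" "$DEMO_DIR/real"

# Stand-in for the real pnpm: "run <script>" spawns bash on the script.
cat > "$DEMO_DIR/real/pnpm" <<'EOF'
#!/bin/sh
[ "$1" = run ] && shift
exec bash "$@"
EOF

# Shim that shadows pnpm on PATH: mark the environment as proxied, then hand
# off to the real tool. Every descendant process inherits the mark.
cat > "$DEMO_DIR/shims/pnpm" <<EOF
#!/bin/sh
export DEMO_PROXY=http://127.0.0.1:9999
exec "$DEMO_DIR/real/pnpm" "\$@"
EOF

# Stand-in for build-jar.sh -> mvnw -> wget: a grandchild process reports
# which route its download would take.
cat > "$DEMO_DIR/build-jar.sh" <<'EOF'
#!/bin/bash
sh -c 'echo "${DEMO_PROXY:-direct}"'
EOF
chmod +x "$DEMO_DIR/shims/pnpm" "$DEMO_DIR/real/pnpm" "$DEMO_DIR/build-jar.sh"

# The CI job's PATH once the shims are installed: they come first.
export PATH="$DEMO_DIR/shims:$PATH"

via_package_manager() { pnpm run "$DEMO_DIR/build-jar.sh"; }  # old step
direct_invocation()   { bash "$DEMO_DIR/build-jar.sh"; }      # new step

echo "pnpm run -> $(via_package_manager)"
echo "bash     -> $(direct_invocation)"
```

In the model, as on the page, the direct path never passes through the shim, so whatever that step downloads is outside the wrapper's view.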