diff --git a/.github/workflows/maven-extension-jar.yml b/.github/workflows/maven-extension-jar.yml deleted file mode 100644 index 258dc331c..000000000 --- a/.github/workflows/maven-extension-jar.yml +++ /dev/null @@ -1,46 +0,0 @@ -name: Maven extension jar - -# Builds (and smoke-tests) the Maven manifest extension jar in CI, separately -# from release. Uses only allowlisted actions — notably NOT actions/setup-java -# (the org allowlist forbids it), so it relies on a JDK pre-installed on the -# runner via JAVA_HOME_17_X64, the same approach provenance.yml uses to build -# the jar at release. Runs on changes to the extension and on demand. - -on: - pull_request: - paths: - - 'src/commands/manifest/scripts/maven-extension/**' - - 'src/commands/manifest/scripts/test/maven-compat/**' - - '.github/workflows/maven-extension-jar.yml' - workflow_dispatch: - -permissions: - contents: read - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - name: Build the Maven extension jar (pre-installed JDK; no setup-java) - run: | - if [ -n "${JAVA_HOME_17_X64:-}" ]; then - export JAVA_HOME="$JAVA_HOME_17_X64" - fi - java -version - bash src/commands/manifest/scripts/maven-extension/build-jar.sh - - name: Verify the jar was produced - run: test -f src/commands/manifest/scripts/maven-extension/coana-maven-extension.jar - - name: Smoke-test the extension on Maven 3.9.9 - run: | - if [ -n "${JAVA_HOME_17_X64:-}" ]; then - export JAVA_HOME="$JAVA_HOME_17_X64" - fi - ver=3.9.9 - curl -fsSL "https://archive.apache.org/dist/maven/maven-3/$ver/binaries/apache-maven-$ver-bin.zip" -o maven.zip - unzip -q maven.zip - bash src/commands/manifest/scripts/test/maven-compat/smoke-test.sh \ - "$PWD/apache-maven-$ver/bin/mvn" \ - "$PWD/src/commands/manifest/scripts/maven-extension/coana-maven-extension.jar" diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml index 3cc35b6de..358a7b2d5 100644 --- a/.github/workflows/provenance.yml +++ b/.github/workflows/provenance.yml @@ -206,15 +206,19 @@ jobs: # Compile the Maven manifest extension jar so the dist build bundles it # into dist/manifest-scripts (the jar is never committed; it ships only in - # the published package). The org action allowlist forbids actions/setup-java, - # so use a JDK pre-installed on the runner image (JAVA_HOME_17_X64), falling - # back to the runner's default `java`. build-jar.sh uses the Maven wrapper. + # the published package). Invoke build-jar.sh directly, NOT via `pnpm run`: + # Socket Firewall wraps the package managers (npm/pnpm/...) it shims, so a + # `pnpm run` would route the Maven wrapper's download through sfw, which + # fails on the non-package fetch. Running bash directly keeps the Maven + # download outside the shimmed process tree. The org action allowlist forbids + # actions/setup-java, so use a JDK pre-installed on the runner image + # (JAVA_HOME_17_X64), falling back to the runner's default `java`. - name: Build Maven manifest extension jar run: | if [ -n "${JAVA_HOME_17_X64:-}" ]; then export JAVA_HOME="$JAVA_HOME_17_X64" fi - pnpm run build:maven-extension + bash src/commands/manifest/scripts/maven-extension/build-jar.sh - run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build:dist - name: Publish socket diff --git a/CHANGELOG.md b/CHANGELOG.md index ce273d8df..55b3e728e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ### Changed - More reliable reachability for Gradle, sbt, and Maven projects with dynamic versions (git versions, CI build numbers, timestamps): the build is resolved once and its artifact paths reused, avoiding spurious "failed to install" errors. - `socket manifest` and `--auto-manifest` now prefer your project's build-tool wrapper (`./gradlew`, `./mvnw`) when present, falling back to `gradle`/`mvn` on PATH. -- Updated the Coana CLI to v `15.6.3`. +- Updated the Coana CLI to v `15.6.6`. ## [1.1.131](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.131) - 2026-06-29 diff --git a/package.json b/package.json index c0467e3a0..eb07a3472 100644 --- a/package.json +++ b/package.json @@ -97,7 +97,7 @@ "@babel/preset-typescript": "7.27.1", "@babel/runtime": "7.28.4", "@biomejs/biome": "2.2.4", - "@coana-tech/cli": "15.6.3", + "@coana-tech/cli": "15.6.6", "@cyclonedx/cdxgen": "12.1.2", "@dotenvx/dotenvx": "1.49.0", "@eslint/compat": "1.3.2", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7d6adcf9b..fd3b8c5f5 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -128,8 +128,8 @@ importers: specifier: 2.2.4 version: 2.2.4 '@coana-tech/cli': - specifier: 15.6.3 - version: 15.6.3 + specifier: 15.6.6 + version: 15.6.6 '@cyclonedx/cdxgen': specifier: 12.1.2 version: 12.1.2 @@ -749,8 +749,8 @@ packages: resolution: {integrity: sha512-hAs5PPKPCQ3/Nha+1fo4A4/gL85fIfxZwHPehsjCJ+BhQH2/yw6/xReuaPA/RfNQr6iz1PcD7BZcE3ctyyl3EA==} cpu: [x64] - '@coana-tech/cli@15.6.3': - resolution: {integrity: sha512-Z2gfuZURKd7fmYuyBgy/WsxGUKbSjCcI5nNU4Hjrk5/DjP1ihxHJK3sJp4/zcU/TwdCaqU4J13ZhuaXO4nkYPw==} + '@coana-tech/cli@15.6.6': + resolution: {integrity: sha512-UQLVEk73PExNBtc3skTt7dhiW9JrPkzCgXFNfOkVHx823v2721ZPTv6wWXM/JFMwbAQaij06mtESqm17IwxgQw==} hasBin: true '@colors/colors@1.5.0': @@ -5388,7 +5388,7 @@ snapshots: '@cdxgen/cdxgen-plugins-bin@2.0.2': optional: true - '@coana-tech/cli@15.6.3': {} + '@coana-tech/cli@15.6.6': {} '@colors/colors@1.5.0': optional: true