From 1fdfa2cc8a01235247e335e406b209f71074a4de Mon Sep 17 00:00:00 2001
From: Jeff Jensen
Date: Sun, 28 Jun 2026 13:07:26 -0500
Subject: [PATCH] ci: Guard release tag against project version mismatch

The deploy publishes the POM version while the GitHub Release title came from the tag suffix, so a mistyped tag could publish one version and announce another. Resolve the version from the POM, fail unless the tag encodes exactly that version, and title the GitHub Release from the resolved version.

Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_0133BgD2ro4ZJh1TaXHrZSff
---
 .github/workflows/release.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 78e1abd..1317f42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     environment: release
+    outputs:
+      version: ${{ steps.resolve.outputs.version }}
     steps:
       - uses: actions/checkout@v7
         with:
@@ -33,6 +35,22 @@ jobs:
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
+      # Guard against a mistyped tag releasing the wrong version: the POM is the
+      # source of truth for what gets deployed, so the tag must encode exactly that
+      # version. The resolved version also titles the GitHub Release below.
+      - name: Verify tag matches project version
+        id: resolve
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          version="$(${{ env.MAVEN_COMMAND }} help:evaluate -Dexpression=project.version -q -DforceStdout)"
+          expected="v${version}"
+          if [ "$TAG" != "$expected" ]; then
+            echo "::error::Tag '$TAG' does not match project version (expected '$expected'). Refusing to release."
+            exit 1
+          fi
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+
       # Tests already ran during release:prepare; skip surefire and the archetype
       # integration tests (archetype.test.skip — -DskipTests does not cover them).
       - name: Deploy release to Maven Central
@@ -57,9 +75,10 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           TAG: ${{ github.ref_name }}  # via env to avoid script injection
+          VERSION: ${{ needs.release.outputs.version }}
         run: |
           gh release create "$TAG" \
             --repo "${{ github.repository }}" \
-            --title "${TAG#v}" \
+            --title "$VERSION" \
             --generate-notes \
             --verify-tag
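Review bot: The guard in the `Verify tag matches project version` step checks that the tag encodes the POM version but not that the POM version is a release version, so a `-SNAPSHOT` POM together with a matching `v…-SNAPSHOT` tag still reaches the deploy step. Adding `case "$version" in *-SNAPSHOT) echo "::error::Refusing to release SNAPSHOT version '$version'."; exit 1;; esac` before the `$GITHUB_OUTPUT` write closes that gap. The comparison also assumes `actions/checkout` fetched the tagged commit; if the checkout `with:` block (outside this hunk) pins a branch `ref`, the POM will already carry the next development version and the guard will always fail, which deserves a comment on the step. As a style point, the commit's own `TAG: … # via env to avoid script injection` pattern suggests invoking `"$MAVEN_COMMAND" help:evaluate …` rather than interpolating `${{ env.MAVEN_COMMAND }}` into the script, assuming `MAVEN_COMMAND` is declared under a workflow or job `env:` and is therefore already exported to the shell.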
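Review bot: `--title "$VERSION"` has no guard for an empty value; `needs.release.outputs.version` is the empty string whenever the `resolve` step did not write its output (for instance if this job's `needs`/`if` conditions, which lie outside the hunk, allow it to run after a skipped or failed release job), and the release would then be created with an empty or defaulted title. Add `: "${VERSION:?release job did not resolve a project version}"` as the first line of the `run:` script so the job fails loudly instead of publishing a mislabelled release.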