Skip to content

Release stoic-plugin via workflow#191

Merged
zach-klippenstein merged 1 commit intomainfrom
tomm/release-stoic-via-workflow
Feb 25, 2026
Merged

Release stoic-plugin via workflow#191
zach-klippenstein merged 1 commit intomainfrom
tomm/release-stoic-via-workflow

Conversation

@tcmulcahy
Copy link
Collaborator

Instead of uploading a locally built version of stoic-plugin, this does the release fully within a Github Action, providing safety against supply-chain attacks.

Comment on lines +30 to +31
- name: Build Stoic Plugin Distribution
run: ./gradlew :stoic-plugin:dist
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need any new secrets access for this? And if the maven publish step fails after this, do we end up in a weird state?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see why it would require any secrets. If ./gradlew assemble above works, then this should too. But I don't know a good way to test other than landing this and trying it out.

If Maven publish fails, then that's fine - everything is local up to that point. The somewhat weird state is if Maven publish succeeds, but then Github release fails.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait, so does that mean anyone can just check out this repo, make changes, and publish the stoic plugin?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I see what you're saying. You're asking if gh release requires secrets. Yes, it does - that's the GH_TOKEN, and that's why I had to add the

permissions:
  # Required so GH_TOKEN can create the GitHub Release and upload the artifact.
  contents: write

./gradlew :stoic-plugin:dist does not publish anything - it just builds stoic-plugin locally.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, so that's just a verification step?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

./gradlew :stoic-plugin:dist builds stoic-plugin/build/distributions/radiography-stoic-plugin-*.tar.gz, which then gets used by gh release

@tcmulcahy tcmulcahy force-pushed the tomm/release-stoic-via-workflow branch from f677014 to 880b943 Compare February 25, 2026 22:03
@zach-klippenstein zach-klippenstein merged commit 8a2df9c into main Feb 25, 2026
8 checks passed
@zach-klippenstein zach-klippenstein deleted the tomm/release-stoic-via-workflow branch February 25, 2026 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants