mirror of
https://github.com/lancedb/lancedb.git
synced 2026-05-13 18:10:41 +00:00
ba6c44abc9
Adds `permissions: contents: read` to the 10 workflows that had no top-level permissions block. Workflows that already declared permissions, or individual jobs that need elevated permissions (`issues: write`, `pull-requests: write`, `contents: write`), are left unchanged. Affected workflows: `dev.yml`, `java-publish.yml`, `java.yml`, `license-header-check.yml`, `nodejs.yml`, `pypi-publish.yml`, `python.yml`, `rust.yml`, `update_package_lock_run.yml`, `update_package_lock_run_nodejs.yml`
80 lines
2.5 KiB
YAML
80 lines
2.5 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
name: Build and publish Java packages
|
|
on:
|
|
push:
|
|
tags:
|
|
- "v*"
|
|
pull_request:
|
|
paths:
|
|
- .github/workflows/java-publish.yml
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
publish:
|
|
name: Build and Publish
|
|
runs-on: ubuntu-24.04
|
|
timeout-minutes: 30
|
|
defaults:
|
|
run:
|
|
working-directory: ./java
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
- name: Set up Java 8
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: temurin
|
|
java-version: 8
|
|
cache: "maven"
|
|
server-id: ossrh
|
|
server-username: SONATYPE_USER
|
|
server-password: SONATYPE_TOKEN
|
|
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
|
|
gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
|
|
- name: Set git config
|
|
run: |
|
|
git config --global user.email "dev+gha@lancedb.com"
|
|
git config --global user.name "LanceDB Github Runner"
|
|
- name: Dry run
|
|
if: github.event_name == 'pull_request'
|
|
run: |
|
|
./mvnw --batch-mode -DskipTests package -pl lancedb-core -am
|
|
- name: Publish
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
run: |
|
|
echo "use-agent" >> ~/.gnupg/gpg.conf
|
|
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
|
|
export GPG_TTY=$(tty)
|
|
./mvnw --batch-mode -DskipTests -DpushChanges=false -Dgpg.passphrase=${{ secrets.GPG_PASSPHRASE }} deploy -pl lancedb-core -am -P deploy-to-ossrh
|
|
env:
|
|
SONATYPE_USER: ${{ secrets.SONATYPE_USER }}
|
|
SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
|
|
|
|
report-failure:
|
|
name: Report Workflow Failure
|
|
runs-on: ubuntu-latest
|
|
needs: [publish]
|
|
if: always() && failure() && startsWith(github.ref, 'refs/tags/v')
|
|
permissions:
|
|
contents: read
|
|
issues: write
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/create-failure-issue
|
|
with:
|
|
job-results: ${{ toJSON(needs) }}
|
|
workflow-name: ${{ github.workflow }}
|