[FEATURE](ci) Add reusable CodeArtifact publish composite actions#25
Extract three composite actions from overture-matchers for org-wide reuse:

- setup-codeartifact: OIDC role assumption, token acquisition, Maven settings.xml generation. Token passed via masked step output instead of GITHUB_ENV to avoid exposing it to unrelated steps.
- deploy-maven-to-codeartifact: builds and publishes a Maven project; adds a version input for dev-publish (dev/release) support. References setup-codeartifact by full repo path (self-referential @main) since composite ./ paths resolve against the caller's checkout.
- mirror-maven-jar: idempotently mirrors a public JAR into CodeArtifact.

All run blocks use env-var indirection to satisfy zizmor template-injection; first-party actions SHA-pinned to match repo convention.

Part of OvertureMaps/ops-team#384

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>
Overture PRojection Review

Centralizes three composite GitHub Actions for Maven/Scala artifact publishing to AWS CodeArtifact, with clear documentation and static validation. ✅ Checks Passed
If the non-reviewed files contain new code logic or workflows, ensure tests and error handling are present, and that AWS credentials are not hardcoded. For future PRs, splitting composite actions and their docs into separate PRs will streamline review and integration.
…smatch

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>
…rectory input

- Align the action's folder name with the org's 'publish' key verb (the display name already read 'Publish'; mvn deploy stays as the plugin name).
- Add an optional working-directory input (default '.') so the action can publish a Maven project that lives in a subdirectory, not just repo root. Threaded through setup-java's java-version-file/cache-dependency-path and the mvn run steps.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>
Pull request overview
This PR introduces three reusable composite GitHub Actions under .github/actions/ to standardize authentication to AWS CodeArtifact and publishing/mirroring Maven artifacts across OvertureMaps repositories.
Changes:
- Adds `setup-codeartifact` composite action to assume an AWS role via OIDC, fetch a CodeArtifact token, and write Maven `settings.xml`.
- Adds `deploy-maven-to-codeartifact` composite action to build and deploy a Maven project (with optional version override for dev publishing).
- Adds `mirror-maven-jar` composite action to idempotently mirror a single public JAR into CodeArtifact.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/actions/setup-codeartifact/README.md | Documents the setup-codeartifact action usage/inputs and security model. |
| .github/actions/setup-codeartifact/action.yml | Implements CodeArtifact auth + Maven settings generation. |
| .github/actions/mirror-maven-jar/README.md | Documents the JAR mirroring action, inputs, and idempotency behavior. |
| .github/actions/mirror-maven-jar/action.yml | Implements existence check + optional download + deploy-file publishing. |
| .github/actions/deploy-maven-to-codeartifact/README.md | Documents the Maven build+publish action and version override behavior. |
| .github/actions/deploy-maven-to-codeartifact/action.yml | Implements Java setup, internal CodeArtifact auth, deploy, and manifest printing. |
Echo domain, domain-owner, repository, region, and a fully-composed repository-url so downstream steps (mirror, publish, or a raw mvn) can pipe from a single source of truth instead of re-specifying CodeArtifact metadata. The authorization token is deliberately not output; it stays in settings.xml.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>

- setup-codeartifact: correct the README 'token boundary' section and the step comment — token is passed via masked step output (not GITHUB_ENV) and embedded in settings.xml; the runner must still be trusted.
- setup-codeartifact / publish-maven-to-codeartifact: aws-region has a default, so mark it required: false to match this repo's convention and the docs.
- mirror-maven-jar: enforce jar-url/jar-path mutual exclusivity with a validation step (fails fast instead of a confusing Maven error); document the JDK + Maven runner prerequisite.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>

On pull_request, github.sha is the merge-ref SHA, which diverges from the commit a caller actually checked out (e.g. pull_request.head.sha). Default build.commit to git rev-parse HEAD so the JAR manifest matches the built tree, with an optional commit input to override for non-git build trees. Reported by overture-matchers#287 review.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>

…testing

Pre-merge testing on overture-matchers#287 cannot resolve the nested setup-codeartifact@main reference because #25 is not on main yet. Temporarily point the internal self-reference at the branch ref so the full deploy + dev-publish path can be validated. MUST be reverted to @main before #25 merges (then SHA-pinned in the post-merge follow-up).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>

Pre-merge dev-publish testing on overture-matchers#287 is fully green against the temporary branch self-ref. Revert the internal setup-codeartifact reference to @main; it will be SHA-pinned in the post-merge follow-up.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>
Summary

Centralizes three composite GitHub Actions under `.github/actions/` so any OvertureMaps repo publishing Maven/Scala artifacts to AWS CodeArtifact can reuse them. This is Phase 1 of generalizing the publish pipeline — extracted from `overture-matchers`, which will be repointed at these central actions in a parallel PR (overture-matchers#287). Closes #26.

Part of OvertureMaps/ops-team#384 (reference, not `Closes` — multiple PRs span this issue).

Actions added

- `setup-codeartifact` … `settings.xml`. Echoes CodeArtifact metadata (domain/owner/repo/region + composed `repository-url`) as outputs for clean piping. Generic name kept (a pip/Python split may come later).
- `publish-maven-to-codeartifact` … `working-directory`.
- `mirror-maven-jar`

Notable details

- `setup-codeartifact` outputs — emits `codeartifact-domain`, `codeartifact-domain-owner`, `codeartifact-repository`, `aws-region`, and a fully-composed `repository-url`, so downstream steps pipe from one source of truth instead of re-specifying CA metadata. The auth token is deliberately not output — it stays in `settings.xml`.
- `working-directory` input — `publish-maven-to-codeartifact` can publish a project in a subdirectory (default `.`); threaded through setup-java paths and the `mvn` steps.
- `version` input / dev-publish support — when set, the pom version is overridden via `mvn versions:set` and the build runs with `-Denv=dev`; when empty, the release version is published unchanged (`-Denv=release`). Folded in from overture-matchers.
- `maven` qualifier (`publish-maven-to-codeartifact`, `mirror-maven-jar`); `publish` is the org's key verb for this pipeline (`mvn deploy` remains internally as the plugin name).
- `@main` — inside a composite action `uses: ./...` resolves against the caller's checkout, so `publish-maven-to-codeartifact` references `OvertureMaps/workflows/.github/actions/setup-codeartifact@main` by full path (with a `zizmor: ignore[unpinned-uses]` comment). This `@main` will be tightened to a commit SHA in a follow-up once merged.
- `configure-aws-credentials` → `7474bc4...` (v4.3.1) and `setup-java` → `c1e3236...` (v4.8.0). `whelk-io/maven-settings-xml-action` was already SHA-pinned upstream (`# v22`).

Validation

- `action.yml` files parse as valid YAML.
- `zizmor --persona=pedantic` (and `auditor`) report no findings (2 justified inline ignores: the self-referential `@main`, and the archived-but-SHA-pinned `whelk-io` action).
- `run:` blocks use env-var indirection (template-injection-safe), and the CodeArtifact token is passed via a masked step output rather than `$GITHUB_ENV`.

Review feedback addressed

- `setup-codeartifact` "token boundary" docs/comment (masked step output → `settings.xml`, not `$GITHUB_ENV`).
- `aws-region` marked `required: false` (it has a default) to match repo convention.
- `mirror-maven-jar` now enforces `jar-url`/`jar-path` mutual exclusivity with a fail-fast validation step, and documents the JDK + Maven runner prerequisite.

Each action folder includes a README documenting purpose, inputs/outputs, and usage in the repo's existing Diátaxis style.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
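The PR description leans on three patterns that are easy to get wrong in a composite action: passing `${{ }}` expressions into `run:` only through `env` (the template-injection point zizmor checks), handing the CodeArtifact token to later steps as a masked step output rather than through `$GITHUB_ENV`, and failing fast when mutually exclusive inputs are both set. The sketch below is an added example written for this review, not the `action.yml` files in `OvertureMaps/workflows`; every input, step id and output name in it is an assumption, and the region default is a placeholder. It folds the `setup-codeartifact` token step and the `mirror-maven-jar` validation step into one action purely so the patterns sit side by side.

```yaml
# Added example (not the OvertureMaps/workflows action.yml). Input, step and
# output names are assumptions; the aws-region default is a placeholder.
name: Example CodeArtifact token step
description: Env-var indirection, masked step output, and fail-fast input validation.

inputs:
  role-to-assume:
    description: IAM role ARN assumed via OIDC (assumed input name)
    required: true
  codeartifact-domain:
    description: CodeArtifact domain (assumed input name)
    required: true
  codeartifact-domain-owner:
    description: AWS account id that owns the domain (assumed input name)
    required: true
  aws-region:
    description: AWS region
    required: false
    default: us-west-2   # placeholder default; the real action's default is not shown here
  jar-url:
    description: Public URL of a JAR to mirror (mutually exclusive with jar-path)
    required: false
    default: ""
  jar-path:
    description: Local path to a JAR to mirror (mutually exclusive with jar-url)
    required: false
    default: ""

outputs:
  codeartifact-token:
    description: Authorization token, registered as masked before it is emitted
    value: ${{ steps.token.outputs.token }}

runs:
  using: composite
  steps:
    # Weak pattern (what zizmor's template-injection audit flags):
    #   run: aws codeartifact get-authorization-token --domain ${{ inputs.codeartifact-domain }} ...
    # The expression is substituted into the script text before bash parses it, so
    # a crafted input value is interpreted as shell syntax. Passing every expression
    # through `env` and reading it as a quoted shell variable keeps it as data.
    - name: Validate mutually exclusive inputs
      shell: bash
      env:
        JAR_URL: ${{ inputs.jar-url }}
        JAR_PATH: ${{ inputs.jar-path }}
      run: |
        if [ -n "$JAR_URL" ] && [ -n "$JAR_PATH" ]; then
          echo "::error::jar-url and jar-path are mutually exclusive; set exactly one"
          exit 1
        fi
        if [ -z "$JAR_URL" ] && [ -z "$JAR_PATH" ]; then
          echo "::error::one of jar-url or jar-path is required"
          exit 1
        fi

    - name: Assume role via OIDC
      # Repo convention is to pin first-party actions to a full commit SHA; the
      # version tag is used here only for readability.
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ inputs.role-to-assume }}
        aws-region: ${{ inputs.aws-region }}

    - name: Fetch CodeArtifact token
      id: token
      shell: bash
      env:
        CA_DOMAIN: ${{ inputs.codeartifact-domain }}
        CA_DOMAIN_OWNER: ${{ inputs.codeartifact-domain-owner }}
        AWS_REGION: ${{ inputs.aws-region }}
      run: |
        set -euo pipefail
        token="$(aws codeartifact get-authorization-token \
          --domain "$CA_DOMAIN" --domain-owner "$CA_DOMAIN_OWNER" \
          --region "$AWS_REGION" --query authorizationToken --output text)"
        # Register the value as a secret so the runner redacts it from logs, then
        # hand it to later steps as a step output. Appending it to GITHUB_ENV
        # would export it to every subsequent step in the job, including ones
        # that have no business seeing it.
        echo "::add-mask::$token"
        echo "token=$token" >> "$GITHUB_OUTPUT"
```

Two points worth checking when reviewing an action like this: the mask must be registered before the value is written anywhere that gets echoed, and a masked step output is still readable by any step that names `steps.token.outputs.token`, so the runner itself remains inside the trust boundary, as the PR's "token boundary" note says.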