[CHORE](ci) Move setup-codeartifact off Node 20 runtimes #27

Merged
John McCall (lowlydba) merged 2 commits into main from lowlydba/harden-codeartifact-actions-node24 on Jun 9, 2026

Conversation

@lowlydba John McCall (lowlydba), Contributor, commented Jun 9, 2026

What

Hardens the setup-codeartifact composite action (added in #25) to clear the GitHub-forced Node.js 20 runtime cutover on 2026-06-16:

  • Bump aws-actions/configure-aws-credentials v4.3.1 → v6.2.0 (Node 20 → Node 24). Only role-to-assume and aws-region inputs are used and both are stable across v4→v6, so no with: changes.
  • Replace the archived, Node 20-only whelk-io/maven-settings-xml-action with an inline bash settings.xml writer (a cat <<EOF heredoc). The upstream action is archived with no Node 24 release, so there is no SHA to bump to — removing it drops a third-party and archived dependency entirely.

Interface compatibility

The generated ~/.m2/settings.xml is byte-for-byte equivalent in the fields Maven actually uses: server id (= domain), username aws, the masked CodeArtifact token as password, and a single <repository> (id = domain, url = CodeArtifact Maven URL). The token remains masked via the existing ::add-mask:: in the prior token step. So this is interface-compatible for downstream resolve/deploy.

Alternatives considered

  • actions/setup-java's built-in settings.xml generator (the prevailing pattern for GitHub Packages) — rejected for this action. Verified against setup-java's src/auth.ts: its generator emits only <servers> with ${env.*} credential placeholders. That would (1) drop the <repository> resolve URL this action provides (consumer-critical), (2) force the token into the environment at mvn time, reversing this action's documented "token never in $GITHUB_ENV" property, and (3) couple a JDK install into a deliberately JDK-agnostic auth action. A rationale comment is recorded in-step.
  • A generic third-party XML-editor action — rejected: re-introduces the exact third-party + Node-runtime dependency class this PR removes, typically with a weaker maintenance posture, for a file we generate statically from known inputs.

Ranking for this specific need: inline heredoc > setup-java > generic XML-editor action. The heredoc is the lowest-dependency, runtime-proof option.

Other

  • Updates the same-repo self-reference comment in publish-maven-to-codeartifact/action.yml to a permanent justification (# zizmor: ignore[unpinned-uses] -- trusted same-repo self-reference; pinned to the branch-protected default branch by design). @main is intentional for a same-repo self-reference — SHA-pinning it would force a SHA bump on every action edit.
  • The whelk-io ignore[archived-uses] justification is gone with the step — one fewer ignore.
  • README refreshed to describe the inline writer and the Node 24 runtime.
  • mirror-maven-jar/action.yml untouched.

Validation (static only — actions need AWS OIDC to run live)

  • ✅ YAML parses for all three actions (yaml.safe_load).
  • ✅ Extracted the exact run: script as GitHub Actions parses it from the YAML block scalar; confirmed indent-stripping lands <settings> and the closing EOF at column 0 (heredoc terminates correctly), then rendered it through bash with a CodeArtifact-style token containing + / = → well-formed XML with correct server.id/username/password/repository.id/url, and server.id == repository.id (the id -DaltDeploymentRepository deploy auth resolves against).
  • zizmor --persona auditor (superset of pedantic): No findings to report. (1 ignored) — the single remaining ignore is the same-repo self-reference unpinned-uses in publish-maven-to-codeartifact.
  • ℹ️ actionlint targets .github/workflows/, not composite action.yml files, so it does not apply here.

Consumer note

The consumer overture-matchers (#287) should re-run its dev-publish validation (resolve + deploy) against branch harden-codeartifact-actions-node24 before this merges, since the settings.xml writer changed.

Part of OvertureMaps/ops-team#384

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Bump aws-actions/configure-aws-credentials v4.3.1 -> v6.2.0 (Node 20 ->
Node 24) and replace the archived Node 20 whelk-io/maven-settings-xml-action
with an inline bash settings.xml writer. Removes a third-party + archived
dependency and clears the forced 2026-06-16 Node 20 runtime cutover.

The generated settings.xml is equivalent in the fields Maven uses (server
id/username/password + single repository), so it stays interface-compatible
for consumers. Updates the self-reference ignore justification in
publish-maven-to-codeartifact and refreshes the README.

Part of OvertureMaps/ops-team#384

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: John McCall <john@overturemaps.org>
Copilot AI review requested due to automatic review settings June 9, 2026 20:49
@lowlydba John McCall (lowlydba) requested a review from a team as a code owner June 9, 2026 20:49
@overture-projection overture-projection Bot commented Jun 9, 2026

Overture PRojection Review

This PR updates the setup-codeartifact composite action to remove Node.js 20 runtime dependencies, replacing a third-party Maven settings writer with an inline bash implementation, and bumps AWS credentials action to Node 24. No new tests are included.

✅ Checks Passed

  • The inline bash writer for settings.xml produces Maven-compatible output with correct fields (server id, username, password, repository id, url).
  • aws-actions/configure-aws-credentials is bumped to v6.2.0 (Node 24), and only stable inputs are used.
  • README accurately reflects the changes and runtime update.
  • The self-reference comment in publish-maven-to-codeartifact/action.yml is clarified and justified.
  • Linked issue is present (#29), following org process.

🚩 Flags

  • .github/actions/setup-codeartifact/action.yml: No tests are included (Tests: ❌) despite a change in code behavior (inline bash replaces third-party action). While static validation is described, consider adding a minimal integration test or validation workflow to confirm live behavior, especially for the new settings writer.
  • .github/actions/setup-codeartifact/action.yml: The inline bash step directly interpolates environment variables into XML. While the values are controlled and masked, review for any edge cases where unexpected input could break XML structure or introduce injection risk (e.g., domain names with special characters). If possible, sanitize or validate these inputs before writing.
  • .github/actions/setup-codeartifact/action.yml: The Maven settings file is written with a heredoc. If future changes introduce multiline or special characters in any fields, ensure the heredoc remains robust (currently safe for the expected values).

❓ Open Questions

  • .github/actions/setup-codeartifact/action.yml: Was the removal of the third-party action tested against all Maven consumers, or only overture-matchers? Are there any consumers with custom Maven settings requirements that could be affected?
  • .github/actions/setup-codeartifact/action.yml: Is there a plan to add a workflow test for this action, or will validation remain manual/consumer-driven?

No security issues, hardcoded secrets, or AWS credential exposures are present. The PR follows org conventions (no pip install, correct action pinning, Node 24 runtime). LICENSE is unchanged and correct.

Summary: The PR is well-justified and improves maintainability by removing archived dependencies and updating runtimes. However, the lack of automated tests for the new inline settings writer is a process gap—consider addressing this in a follow-up. Otherwise, changes are interface-compatible and safe for merge after consumer validation.
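The PR description's inline heredoc writer, with the two things the review above flags as open risks (values interpolated straight into XML, and a heredoc that only stays well-formed for the expected inputs) handled explicitly. This is an added example, not the action's own step or the repository's code: the functions write_settings_xml, xml_escape, validate_domain and settings_password are hypothetical names, the domain allow-list (lowercase letters, digits and hyphens) is an assumption made for the example, and the account ID, region and token used in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the repository's action.yml. Function names are
# hypothetical; the domain rule below is an assumption for this example.

# Escape the five XML special characters so no value can close or open an
# element. '&' is rewritten first so the entities added later are not doubled.
xml_escape() {
  printf '%s' "$1" | sed \
    -e 's/&/\&amp;/g' \
    -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' \
    -e "s/'/\&apos;/g"
}

# Allow-list check for the CodeArtifact domain name, which becomes both the
# <server> id and the <repository> id. Assumed rule: lowercase letters,
# digits and hyphens only, never empty.
validate_domain() {
  case "$1" in
    ""|*[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# write_settings_xml DOMAIN TOKEN REPO_URL OUTPUT_PATH
# The token reaches the document only through an escaped shell variable
# (never $GITHUB_ENV), and the file is created owner-readable only.
write_settings_xml() {
  domain=$1
  token=$2
  repo_url=$3
  out=$4
  validate_domain "$domain" || { echo "refusing invalid domain name" >&2; return 1; }
  [ -n "$token" ] || { echo "refusing empty token" >&2; return 1; }
  esc_domain=$(xml_escape "$domain")
  esc_token=$(xml_escape "$token")
  esc_url=$(xml_escape "$repo_url")
  mkdir -p "$(dirname "$out")"
  # Unquoted heredoc: the ${esc_*} variables expand once, and their contents
  # are not re-expanded, so a token containing $ or \ is written literally.
  # The closing EOF must sit at column 0.
  (umask 077 && cat >"$out" <<EOF
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>${esc_domain}</id>
      <username>aws</username>
      <password>${esc_token}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>codeartifact</id>
      <repositories>
        <repository>
          <id>${esc_domain}</id>
          <url>${esc_url}</url>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>codeartifact</activeProfile>
  </activeProfiles>
</settings>
EOF
  )
}

# Extract the text of the <password> element, for callers that want to
# confirm the escaped token landed intact and nothing else leaked into it.
settings_password() {
  sed -n 's|.*<password>\(.*\)</password>.*|\1|p' "$1"
}
```

In a composite action the three values would be handed to this script through the step's env: block (from the masked token step's output and the action inputs) rather than pasted into run: with ${{ }} expressions, so the shell only ever sees them as variables; the allow-list check then rejects a domain that could not be a real CodeArtifact domain before it is used as a Maven id, and the escaping keeps a token with + / = or any XML metacharacter from altering the document structure.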

Copilot AI left a comment


Pull request overview

Updates the repo’s reusable CodeArtifact composite actions to avoid the GitHub Actions Node.js 20 runtime cutoff by removing a Node-20-only dependency and bumping the AWS credentials action to a Node 24-capable release.

Changes:

  • Bumped aws-actions/configure-aws-credentials pin in setup-codeartifact from v4.3.1 to v6.2.0.
  • Replaced the archived whelk-io/maven-settings-xml-action with an inline bash heredoc that writes ~/.m2/settings.xml.
  • Updated the publish-maven-to-codeartifact self-reference zizmor ignore justification comment and refreshed setup-codeartifact documentation to reflect the new runtime and settings writer.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • .github/actions/setup-codeartifact/README.md: Documents the inline settings.xml writer and the Node.js 24 runtime dependency.
  • .github/actions/setup-codeartifact/action.yml: Updates AWS credentials action pin and replaces third-party settings writer with an inline bash heredoc.
  • .github/actions/publish-maven-to-codeartifact/action.yml: Adjusts the zizmor ignore comment for the same-repo self-reference to setup-codeartifact@main.


Comment thread on .github/actions/setup-codeartifact/action.yml
CodeArtifact needs both a server (creds) and a repository (resolve URL) in settings.xml, and the token must stay out of the environment. actions/setup-java emits only env-placeholder servers, so it is a partial fit; record the rationale in-step for reviewers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: John McCall <john@overturemaps.org>
@lowlydba John McCall (lowlydba) merged commit edba400 into main Jun 9, 2026
10 checks passed
@lowlydba John McCall (lowlydba) deleted the lowlydba/harden-codeartifact-actions-node24 branch June 9, 2026 21:04
@lowlydba John McCall (lowlydba) linked an issue Jun 9, 2026 that may be closed by this pull request
Development

Successfully merging this pull request may close these issues.

Move off Node 20