
Commit 48c4d3f

fix(ci): build the Maven extension jar outside the Socket Firewall shims (#1390)
* fix(ci): build the Maven extension jar outside the Socket Firewall shims

  The release build failed because `pnpm run build:maven-extension` runs the whole build subtree (pnpm -> bash -> mvnw -> wget) under Socket Firewall, which shims the package managers it wraps. sfw then intercepts the Maven wrapper's download of Maven from Maven Central and fails on that non-package fetch.

  Invoke build-jar.sh directly instead. bash/mvnw/wget aren't shimmed, so the Maven download runs outside the sfw-wrapped process tree and succeeds.

* chore(ci): remove the unused maven-extension-jar workflow

  The standalone PR-time jar-build workflow doesn't run behind Socket Firewall, so it never exercised the environment the release actually uses (and gave false confidence). The jar is built in the release workflow and the version-compat matrix runs locally via run-compat.sh, so drop it.

* bump coana cli version
1 parent 68d109f commit 48c4d3f

5 files changed

Lines changed: 15 additions & 57 deletions

File tree

.github/workflows/maven-extension-jar.yml

Lines changed: 0 additions & 46 deletions
This file was deleted.
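Review bot: deleting the PR-time jar-build workflow removes the pre-merge signal that the Maven extension still compiles; the commit message accepts this because the release workflow builds the jar, but it means a compile break in the extension is first detected during a release run rather than on the pull request. If that trade-off is intended, consider saying so in a comment next to the release build step, or adding a compile-only check that runs behind the same Socket Firewall setup as the release so it exercises the real environment instead of the one this workflow tested.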

.github/workflows/provenance.yml

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -206,15 +206,19 @@ jobs:
206206

207207
# Compile the Maven manifest extension jar so the dist build bundles it
208208
# into dist/manifest-scripts (the jar is never committed; it ships only in
209-
# the published package). The org action allowlist forbids actions/setup-java,
210-
# so use a JDK pre-installed on the runner image (JAVA_HOME_17_X64), falling
211-
# back to the runner's default `java`. build-jar.sh uses the Maven wrapper.
209+
# the published package). Invoke build-jar.sh directly, NOT via `pnpm run`:
210+
# Socket Firewall wraps the package managers (npm/pnpm/...) it shims, so a
211+
# `pnpm run` would route the Maven wrapper's download through sfw, which
212+
# fails on the non-package fetch. Running bash directly keeps the Maven
213+
# download outside the shimmed process tree. The org action allowlist forbids
214+
# actions/setup-java, so use a JDK pre-installed on the runner image
215+
# (JAVA_HOME_17_X64), falling back to the runner's default `java`.
212216
- name: Build Maven manifest extension jar
213217
run: |
214218
if [ -n "${JAVA_HOME_17_X64:-}" ]; then
215219
export JAVA_HOME="$JAVA_HOME_17_X64"
216220
fi
217-
pnpm run build:maven-extension
221+
bash src/commands/manifest/scripts/maven-extension/build-jar.sh
218222
219223
- run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build:dist
220224
- name: Publish socket
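Review bot: the fix at line 221+ rests on an undocumented assumption about Socket Firewall's shim list, namely that `bash`, `mvnw` and `wget` are not wrapped; if sfw later shims wget (or the wrapper switches to curl and that is shimmed), this step fails again with the same symptom and the comment gives no hint of what to check. Consider stating the assumption explicitly in the comment block at lines 209+ to 213+, e.g. "relies on sfw not shimming bash/wget; if it does, the Maven distribution download will fail here". Also, running the download outside the sfw-wrapped process tree means it is no longer observed by the firewall at all, so it is worth confirming that the Maven wrapper configuration pins the distribution by checksum (`distributionSha256Sum` in `.mvn/wrapper/maven-wrapper.properties`) so the release still fetches a verified artifact.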

CHANGELOG.md

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
99
### Changed
1010
- More reliable reachability for Gradle, sbt, and Maven projects with dynamic versions (git versions, CI build numbers, timestamps): the build is resolved once and its artifact paths reused, avoiding spurious "failed to install" errors.
1111
- `socket manifest` and `--auto-manifest` now prefer your project's build-tool wrapper (`./gradlew`, `./mvnw`) when present, falling back to `gradle`/`mvn` on PATH.
12-
- Updated the Coana CLI to v `15.6.3`.
12+
- Updated the Coana CLI to v `15.6.6`.
1313

1414
## [1.1.131](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.131) - 2026-06-29
1515
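Review bot: the version token on line 12+ (`v` followed by a space and then the backticked `15.6.6`) splits the prefix from the number and renders as "v 15.6.6"; either `v15.6.6` or just the bare backticked `15.6.6` reads cleaner and matches the form used in package.json. Otherwise the entry agrees with the dependency bump.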

package.json

Lines changed: 1 addition & 1 deletion
@@ -97,7 +97,7 @@
9797
"@babel/preset-typescript": "7.27.1",
9898
"@babel/runtime": "7.28.4",
9999
"@biomejs/biome": "2.2.4",
100-
"@coana-tech/cli": "15.6.3",
100+
"@coana-tech/cli": "15.6.6",
101101
"@cyclonedx/cdxgen": "12.1.2",
102102
"@dotenvx/dotenvx": "1.49.0",
103103
"@eslint/compat": "1.3.2",
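Review bot: the exact-pinned bump from `15.6.3` to `15.6.6` on line 100+ matches the CHANGELOG entry, but the accompanying pnpm-lock.yaml change is not rendered on this page; confirm the lock entry for `@coana-tech/cli` (including its integrity hash) was regenerated by the package manager rather than edited by hand, so the lockfile and manifest stay consistent for the release build.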

pnpm-lock.yaml

Lines changed: 5 additions & 5 deletions
