PREQ-5981 Skip release/sign Maven profiles when deploy is false#269
Pull request overview
This PR updates the Maven build workflow logic so that -Prelease,sign (default/maintenance) and -Prelease (dogfood) are only enabled when should_deploy() is true, preventing signing steps from running in deploy: false scenarios (e.g., unit-test-only jobs).
Changes:
- Gate Maven release/sign profiles on should_deploy() instead of RUN_SHADOW_SCANS.
- Extend ShellSpec coverage to validate profiles are excluded when DEPLOY=false.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| build-maven/build.sh | Adjusts when -Prelease,sign / -Prelease profiles are appended to the Maven command. |
| spec/build-maven_spec.sh | Updates and adds tests for the new deploy-gated profile behavior. |
Comments suppressed due to low confidence (1)
build-maven/build.sh:174
- Same as above: avoid calling should_deploy a second time (it can emit warnings on shadow scans). Use the already-selected Maven goal (deploy vs install) to decide whether to add -Prelease.

    if should_deploy; then
      maven_command_args+=("-Prelease")
    fi
Gate -Prelease,sign and -Prelease on should_deploy() so install-only builds (e.g. sonar-security Unit Tests with deploy: false) match the shadow-scan behaviour and do not run PGP or jsign signing.
Gitar code review: Approved (1 resolved / 1 findings). Fixes the Unit Tests job in sonar-security by gating Maven release/sign profiles on the deploy flag, ensuring
Resolved: Bug: Dogfood test asserts -Pcoverage but dogfood never gets it
Context
sonar-security uses PGP signing (-Psign) plus the gh-action_azure-artifact-signing setup for jsign-maven-plugin. The Unit Tests job uses deploy: false but previously still received -Prelease,sign, causing unnecessary signing and jsign failures without Azure env vars.
Summary
- Gate -Prelease,sign (default/maintenance) and -Prelease (dogfood) on should_deploy() in build-maven/build.sh
- With deploy: false, Maven runs install with -Pcoverage only — same behaviour as shadow scans (no signing)
- Fixes sonar-security Unit Tests and Sonar Analysis failing after BUILD-11035 Azure signing migration (failed run)
Test plan
- shellspec spec/build-maven_spec.sh (33 examples)
- sonar-security Unit Tests job on master passes with existing deploy: false
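The gating rule from the description and the reviewer's point about deciding from the already-selected goal, as an added stand-alone illustration (not build-maven/build.sh itself; the DEPLOY and BUILD_KIND inputs and the function names are assumptions made for this example):

```shell
#!/usr/bin/env bash
# Illustrative stand-in for the profile gating this PR describes; not the
# project's build.sh. Assumed inputs (constructed for this example):
#   DEPLOY      "true" or "false" (the deploy: flag from the workflow)
#   BUILD_KIND  "default", "maintenance" or "dogfood"

# Stand-in for build.sh's should_deploy(): deploy only when DEPLOY=true.
should_deploy() {
  [ "${DEPLOY:-false}" = "true" ]
}

# Pick the Maven goal exactly once. Everything downstream keys off the goal,
# so should_deploy is not called a second time (the reviewer's concern:
# repeated calls can emit warnings on shadow scans).
select_maven_goal() {
  if should_deploy; then echo deploy; else echo install; fi
}

# Build the Maven argument string for a goal and build kind.
# install-only builds (deploy: false, shadow scans) get -Pcoverage and nothing
# that would pull in the release/sign profiles, so no PGP or jsign signing runs.
maven_args_for() {
  local goal="$1" kind="$2"
  case "$goal" in
    install)
      echo "install -Pcoverage"
      ;;
    deploy)
      case "$kind" in
        default|maintenance) echo "deploy -Prelease,sign" ;;
        dogfood)             echo "deploy -Prelease" ;;
        *) echo "unknown build kind: $kind" >&2; return 1 ;;
      esac
      ;;
    *) echo "unknown goal: $goal" >&2; return 1 ;;
  esac
}

# Wrapper tying the two steps together the way a build script would.
maven_args() {
  maven_args_for "$(select_maven_goal)" "${BUILD_KIND:-default}"
}
```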