Add dispatchable Plugin Portal publish workflow to main by kirich1409 · Pull Request #232 · androidbroadcast/Featured

kirich1409 · 2026-06-01T08:42:04Z

Adds .github/workflows/publish-plugin-portal.yml to main so that workflow_dispatch becomes available (GitHub only exposes manual dispatch for workflows present on the default branch).

This unblocks publishing the already-cut v1.0.0 plugin to the Gradle Plugin Portal via:

gh workflow run publish-plugin-portal.yml --ref main -f ref=v1.0.0 -f version=1.0.0

The workflow checks out the supplied ref (the v1.0.0 tag), so it publishes the exact tagged plugin code as 1.0.0 — main's version state is not modified by this PR (single new file, no other changes).

Scope note: main's existing publish.yml still contains the broken inline Portal step; it is harmless until the next tag push and is fixed on develop by #228. That fix reaches main through the normal release back-merge — it is intentionally not pulled in here to keep this PR a single-file, version-neutral change. Companion PR for develop: #231.

🤖 Generated with Claude Code

Isolates Portal publication so a re-run never re-triggers the Maven Central step. Adds workflow_dispatch with required ref/version inputs so the v1.0.0 tag can be published retroactively. Root cause fixed: the missing GPG signing env (ORG_GRADLE_PROJECT_signingInMemoryKey*) is now present alongside Portal creds, resolving the signatory error on marker publications.

qodo-code-review · 2026-06-01T08:42:17Z

Review Summary by Qodo

Add dispatchable Plugin Portal publish workflow to main

✨ Enhancement

Walkthroughs

Description

• Add dedicated Gradle Plugin Portal publish workflow with manual dispatch support
• Enable retroactive v1.0.0 plugin publication via workflow_dispatch inputs
• Include GPG signing environment variables for plugin marker publication
• Support both tag-triggered and manual ref-based workflow execution

Diagram

flowchart LR
  A["Tag Push or<br/>Manual Dispatch"] -->|"ref + version inputs"| B["Checkout Git Ref"]
  B --> C["Setup Build Environment"]
  C --> D["Determine Version"]
  D -->|"Strip v prefix or<br/>use input version"| E["Publish to Portal"]
  E -->|"GPG + Portal Creds"| F["Plugin Published"]

File Changes

1. .github/workflows/publish-plugin-portal.yml ✨ Enhancement +66/-0

Dedicated Portal publish workflow with dispatch support

• New workflow file for isolated Gradle Plugin Portal publication
• Triggers on version tags (v1.0.0 format) or manual workflow_dispatch
• Accepts ref and version inputs for retroactive tag publishing
• Includes GPG signing credentials alongside Portal authentication
• Determines version from tag name or explicit input parameter

.github/workflows/publish-plugin-portal.yml

qodo-code-review · 2026-06-01T08:42:18Z

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

1. Ref/version mismatch publish 🐞 Bug ≡ Correctness

Description

On workflow_dispatch, the workflow checks out inputs.ref but publishes using the separately
supplied inputs.version without verifying they correspond, so it can publish the wrong code under
the wrong version to the Gradle Plugin Portal. This contradicts the repo’s documented release
convention that tag name and VERSION_NAME must match (minus the leading v).

Code

.github/workflows/publish-plugin-portal.yml[R37-52]

Evidence

The workflow explicitly checks out inputs.ref for manual dispatch, but separately selects the
published version from inputs.version with no cross-check; the repo docs require that the tag
version and VERSION_NAME match (with v stripped), so publishing with inconsistent inputs
violates the documented release contract.

.github/workflows/publish-plugin-portal.yml[9-16]
.github/workflows/publish-plugin-portal.yml[37-52]
CONTRIBUTING.md[125-130]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`workflow_dispatch` accepts `ref` and `version` as independent required inputs, but the workflow does not validate that the checked-out ref corresponds to the version being published. This can lead to publishing code from one tag/commit under a different version number.

### Issue Context
The repository’s release process documentation states that the tag name must match `VERSION_NAME` in `gradle.properties` (with the `v` prefix stripped). The workflow currently relies on operator correctness but provides no guardrails.

### Fix Focus Areas
- .github/workflows/publish-plugin-portal.yml[9-16]
- .github/workflows/publish-plugin-portal.yml[37-66]

### Suggested fix
Add a validation step for `workflow_dispatch` runs before publishing. For example:
- Ensure `inputs.ref` is a tag-like value (e.g., starts with `v`).
- Compute `TAG_VERSION="${REF#v}"` and fail if `inputs.version != TAG_VERSION`.
- Optionally, make `version` optional and derive it from `ref` by default to eliminate mismatch risk.

Example (bash):
```bash
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
 REF="${{ inputs.ref }}"
 TAG_VERSION="${REF#v}"
 if [[ "${REF}" == "${TAG_VERSION}" ]]; then
   echo "ref must start with 'v' (e.g. v1.0.0)"; exit 1
 fi
 if [[ "${{ inputs.version }}" != "${TAG_VERSION}" ]]; then
   echo "version input (${{ inputs.version }}) must match ref ($TAG_VERSION)"; exit 1
 fi
fi
```

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Copilot

Pull request overview

Adds a dedicated GitHub Actions workflow on main to publish the Gradle plugin to the Gradle Plugin Portal via tag push or manual workflow_dispatch, enabling (re-)publishing an already-cut release tag (e.g. v1.0.0) without modifying main.

Changes:

Introduces .github/workflows/publish-plugin-portal.yml with workflow_dispatch inputs (ref, version) to publish a specific tag.
Adds logic to derive VERSION_NAME from either the dispatch input or the tag name.
Runs :featured-gradle-plugin:publishPlugins with Portal + GPG signing secrets configured.

+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-*"


+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false


cubic-dev-ai

2 issues found across 1 file

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/publish-plugin-portal.yml">

<violation number="1" location=".github/workflows/publish-plugin-portal.yml:22">
P2: The concurrency group uses `github.ref`, which for `workflow_dispatch` events resolves to the branch ref (e.g. `refs/heads/main`) rather than the tag being published. This means all manual dispatch runs will share the same concurrency group and serialize against each other, even when publishing different tags. Consider incorporating `inputs.ref` into the group key for dispatch runs, e.g.:
```yaml
group: ${{ github.workflow }}-${{ inputs.ref || github.ref }}
```</violation>

<violation number="2" location=".github/workflows/publish-plugin-portal.yml:37">
P1: `workflow_dispatch` accepts `ref` and `version` independently without enforcing they match, so a manual run can publish a release version from non-tag code.</violation>
</file>

_{Reply with feedback, questions, or to request a fix.

Re-trigger cubic}

cubic-dev-ai · 2026-06-01T08:46:12Z

+          # On tag push: check out the triggering tag.
+          # On workflow_dispatch: check out the explicit ref input so develop-HEAD
+          # (1.1.0-SNAPSHOT) is never published in place of the release tag.
+          ref: ${{ inputs.ref || github.ref }}


P1: workflow_dispatch accepts ref and version independently without enforcing they match, so a manual run can publish a release version from non-tag code.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish-plugin-portal.yml, line 37: <comment>`workflow_dispatch` accepts `ref` and `version` independently without enforcing they match, so a manual run can publish a release version from non-tag code.</comment> <file context> @@ -0,0 +1,66 @@ + # On tag push: check out the triggering tag. + # On workflow_dispatch: check out the explicit ref input so develop-HEAD + # (1.1.0-SNAPSHOT) is never published in place of the release tag. + ref: ${{ inputs.ref || github.ref }} + + - uses: ./.github/actions/setup-build-env </file context>

cubic-dev-ai · 2026-06-01T08:46:12Z

+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}


P2: The concurrency group uses github.ref, which for workflow_dispatch events resolves to the branch ref (e.g. refs/heads/main) rather than the tag being published. This means all manual dispatch runs will share the same concurrency group and serialize against each other, even when publishing different tags. Consider incorporating inputs.ref into the group key for dispatch runs, e.g.:

group: ${{ github.workflow }}-${{ inputs.ref || github.ref }}

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish-plugin-portal.yml, line 22: <comment>The concurrency group uses `github.ref`, which for `workflow_dispatch` events resolves to the branch ref (e.g. `refs/heads/main`) rather than the tag being published. This means all manual dispatch runs will share the same concurrency group and serialize against each other, even when publishing different tags. Consider incorporating `inputs.ref` into the group key for dispatch runs, e.g.: ```yaml group: ${{ github.workflow }}-${{ inputs.ref || github.ref }} ```</comment> <file context> @@ -0,0 +1,66 @@ + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false + </file context>

Suggested change

group: ${{ github.workflow }}-${{ github.ref }}

group: ${{ github.workflow }}-${{ inputs.ref || github.ref }}

qodo-code-review · 2026-06-01T08:47:38Z

+          ref: ${{ inputs.ref || github.ref }}
+
+      - uses: ./.github/actions/setup-build-env
+
+      - name: Determine version
+        id: version
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
+        run: |
+          if [[ -n "${INPUT_VERSION}" ]]; then
+            # Manual dispatch: use the explicitly supplied version.
+            VERSION="${INPUT_VERSION}"
+          else
+            # Tag push: strip the leading "v" from the tag (e.g. v1.0.0 -> 1.0.0).
+            VERSION="${GITHUB_REF_NAME#v}"
+          fi


1. Ref/version mismatch publish 🐞 Bug ≡ Correctness

On workflow_dispatch, the workflow checks out inputs.ref but publishes using the separately supplied inputs.version without verifying they correspond, so it can publish the wrong code under the wrong version to the Gradle Plugin Portal. This contradicts the repo’s documented release convention that tag name and VERSION_NAME must match (minus the leading v).

Agent Prompt

### Issue description `workflow_dispatch` accepts `ref` and `version` as independent required inputs, but the workflow does not validate that the checked-out ref corresponds to the version being published. This can lead to publishing code from one tag/commit under a different version number. ### Issue Context The repository’s release process documentation states that the tag name must match `VERSION_NAME` in `gradle.properties` (with the `v` prefix stripped). The workflow currently relies on operator correctness but provides no guardrails. ### Fix Focus Areas - .github/workflows/publish-plugin-portal.yml[9-16] - .github/workflows/publish-plugin-portal.yml[37-66] ### Suggested fix Add a validation step for `workflow_dispatch` runs before publishing. For example: - Ensure `inputs.ref` is a tag-like value (e.g., starts with `v`). - Compute `TAG_VERSION="${REF#v}"` and fail if `inputs.version != TAG_VERSION`. - Optionally, make `version` optional and derive it from `ref` by default to eliminate mismatch risk. Example (bash): ```bash if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then REF="${{ inputs.ref }}" TAG_VERSION="${REF#v}" if [[ "${REF}" == "${TAG_VERSION}" ]]; then echo "ref must start with 'v' (e.g. v1.0.0)"; exit 1 fi if [[ "${{ inputs.version }}" != "${TAG_VERSION}" ]]; then echo "version input (${{ inputs.version }}) must match ref ($TAG_VERSION)"; exit 1 fi fi ```

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Copilot AI review requested due to automatic review settings June 1, 2026 08:42

Copilot started reviewing on behalf of kirich1409 June 1, 2026 08:42 View session

Copilot AI reviewed Jun 1, 2026

View reviewed changes

cubic-dev-ai Bot reviewed Jun 1, 2026

View reviewed changes

kirich1409 merged commit a9ba3d9 into main Jun 1, 2026
8 checks passed

qodo-code-review Bot reviewed Jun 1, 2026

View reviewed changes

kirich1409 mentioned this pull request Jun 1, 2026

Wire Gradle Plugin Portal publishing before next release (publishPlugins + creds) #229

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add dispatchable Plugin Portal publish workflow to main#232

Add dispatchable Plugin Portal publish workflow to main#232
kirich1409 merged 1 commit into
mainfrom
chore/portal-workflow-on-main

kirich1409 commented Jun 1, 2026

Uh oh!

qodo-code-review Bot commented Jun 1, 2026

Uh oh!

qodo-code-review Bot commented Jun 1, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

cubic-dev-ai Bot left a comment

Uh oh!

cubic-dev-ai Bot Jun 1, 2026

Uh oh!

cubic-dev-ai Bot Jun 1, 2026

Uh oh!

Uh oh!

qodo-code-review Bot Jun 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

	group: ${{ github.workflow }}-${{ github.ref }}
	group: ${{ github.workflow }}-${{ inputs.ref \|\| github.ref }}

Conversation

kirich1409 commented Jun 1, 2026

Uh oh!

qodo-code-review Bot commented Jun 1, 2026

Review Summary by Qodo

Walkthroughs

File Changes

Uh oh!

qodo-code-review Bot commented Jun 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review by Qodo

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

cubic-dev-ai Bot Jun 1, 2026

Choose a reason for hiding this comment

Uh oh!

cubic-dev-ai Bot Jun 1, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

qodo-code-review Bot Jun 1, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

qodo-code-review Bot commented Jun 1, 2026 •

edited

Loading