From https://github.com/arakelian/java-jq/issues/22 and https://github.com/arakelian/java-jq/issues/21#issuecomment-1613340351, I gather that the process of publishing a new version to `maven` is currently done manually by yourself @arakelian. Also, `*.so` files, (supposedly) compiled from source, are vendored in https://github.com/arakelian/java-jq/tree/main/src/main/resources/lib. As a consequence, one has to trust maintainers and contributors not to distribute malware.

Leveraging GitHub Actions, it would be possible to: 1) build `*.so` files from source; 2) publish to `maven`. This would remove the need to trust maintainers and contributors; only the build steps and the GH Actions environment would need to be trusted. Also, this could simplify the maintenance burden.
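To make the proposal concrete, here is a sketch of what such a workflow could look like. This is an added example, not a workflow from the java-jq project: it assumes the project builds with Gradle and exposes a `publish` task wired to Maven Central, that the vendored libraries live directly under `src/main/resources/lib/`, and that the secret names (`OSSRH_USERNAME`, `OSSRH_PASSWORD`, `SIGNING_KEY`) and the pinned jq tag are placeholders to adapt. The jq build steps follow the jq project's documented `autoreconf`/`configure`/`make` sequence; the checksum and provenance attestation steps are what make the "trust only the build steps and the CI environment" argument checkable by consumers.

```yaml
# Added example workflow (not java-jq's own). Assumptions: Gradle build with a
# `publish` task, native libs under src/main/resources/lib/, placeholder secret
# names, jq pinned to a tag that the maintainer chooses.
name: build-native-and-publish

on:
  push:
    tags: ['v*']          # release only on version tags, never on plain pushes

permissions:
  contents: read
  id-token: write         # required by actions/attest-build-provenance
  attestations: write

jobs:
  build-native:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install jq build toolchain
        run: |
          sudo apt-get update
          sudo apt-get install -y autoconf automake libtool build-essential

      - name: Build libjq.so from a pinned jq source tag (no pre-built binaries involved)
        run: |
          git clone --depth 1 --branch jq-1.7.1 --recurse-submodules \
            https://github.com/jqlang/jq jq-src
          cd jq-src
          autoreconf -i
          ./configure --with-oniguruma=builtin   # statically bundle onig into libjq
          make -j"$(nproc)"
          mkdir -p "$GITHUB_WORKSPACE/native"
          cp .libs/libjq.so "$GITHUB_WORKSPACE/native/"

      - name: Record checksum so the published jar can be compared against this build
        run: sha256sum native/libjq.so | tee native/SHA256SUMS

      # Signed provenance tying the .so to this workflow run and commit, so a
      # consumer can verify the binary came from CI rather than a developer laptop.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: native/libjq.so

      - uses: actions/upload-artifact@v4
        with:
          name: native-libs
          path: native/

  publish:
    needs: build-native
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Overwrite the vendored copy with the CI-built one before packaging.
      - uses: actions/download-artifact@v4
        with:
          name: native-libs
          path: src/main/resources/lib/

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Publish with Gradle (hypothetical task and secret names)
        env:
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
        run: ./gradlew publish --no-daemon
```

Two caveats a reviewer would raise: the workflow only moves trust, it does not eliminate it. Anyone who can push a `v*` tag or edit the workflow file can still ship whatever they like, so the tag-protection and branch-protection rules matter as much as the YAML; and the `apt-get` toolchain and the third-party actions are themselves unpinned inputs, which is why pinning action SHAs and the jq tag, and publishing the checksum and attestation alongside the artifact, is what actually lets a downstream user verify the `.so` in the jar is the one this job built.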