neoforged / GradleUtils

Gradle buildscript utility library for NeoForged projects
GNU Lesser General Public License v2.1

Add PR publishing workflow generation #17

Closed Matyrobbrt closed 7 months ago

Matyrobbrt commented 7 months ago

Generate the workflow for publishing PRs to GitHub Packages.
More information on the system can be found on the action repository.

Let's address some common questions

The PRs are published to GitHub Packages, which unfortunately requires auth. To bypass that we use an ephemeral pass-through hidden repository on reposilite (which prmaven.neoforged.net redirects to) that will serve as an auth bridge.

Can that bridge be used for artifacts not published under the NeoForged org?

No. It only allows artifacts published under the NeoForged org as the org is already in the mirror URL.

Security?

The action is composed of two steps, which you can find on the README. Basically, the first step will run with no secrets and publish the artifacts to a local repository that will then be zipped up and published as a workflow run artifact. The second step with secret access will unzip and publish that artifact.

Can you publish something that's not under net.neoforged.<projectname>?

No. Even though it's not strictly needed, a filter will make sure that artifacts only under the specific project's group and name will be published.

What if a PR is malicious?

To publish, all PRs made from outside contributors will have a checkbox that must be ticked in order to publish the PR. Even if a malicious artifact somehow slips through, any maintainer can delete versions of the package or the package itself and disable further publishing of the PR.

What about "stale" artifacts?

Currently, by design, stale artifacts are not deleted, not even after a PR is closed. The reasoning for this is in case the PR "broke" something, one can easily test the different commits of the PR to see when and how it did so. That way we also don't instantly break userdev environments using the published PR.

And the amount of packages?!

This is not a problem as, for public repositories, GH Packages space is unlimited. If it ever becomes a problem we can address it by introducing some automatic deletion code after 30 days or so.

PR is closed/merged, can it still publish artifacts?

No, only open PRs can publish artifacts.

But PRs will show up on the project's package list, or here

This is a valid concern, but at the same time it isn't necessarily.
PR artifacts will have pr<number>. as a package prefix which is already an indication that it's not a simple package. We also do not use Packages as our distribution model, and all of our official artifacts only come from the maven. We only use Packages as the distribution model of our Docker artifacts, which are usually meant for internal use, and even if they aren't, they'd be linked accordingly and are also differentiated from Maven artifacts.
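As an added illustration (not code from GradleUtils or the publishing action), this is the kind of check the trusted second step can run over the zipped local repository produced by the secret-less first step before anything is published: it rejects entries that would escape the extraction directory and anything outside the expected group and artifact. The group and artifact names are constructed assumptions that follow the net.neoforged.<projectname> convention described above.

```python
import re
from pathlib import PurePosixPath

# Constructed assumptions: the only coordinates this PR workflow may publish.
EXPECTED_GROUP = "net.neoforged.gradleutils"
EXPECTED_ARTIFACT = "gradleutils"

# Maven local-repository layout: <group dirs>/<artifactId>/<version>/<file>
_VERSION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+_-]*$")


def check_entry(entry: str, group: str = EXPECTED_GROUP,
                artifact: str = EXPECTED_ARTIFACT) -> tuple:
    """Decide whether one entry of the untrusted repository zip may be published.

    Returns (allowed, reason). The zip comes from the step that ran without
    secrets, so it is treated as attacker-controlled input.
    """
    if entry.endswith("/"):
        return False, "directory entry, nothing to publish"
    path = PurePosixPath(entry)
    parts = path.parts
    # Zip-slip guard: no absolute paths and no '..' segments.
    if path.is_absolute() or any(p == ".." for p in parts):
        return False, "path escapes extraction directory"
    group_parts = tuple(group.split("."))
    n = len(group_parts)
    if len(parts) < n + 2:
        return False, "not a maven artifact path"
    if parts[:n] != group_parts:
        return False, "group %s is not %s" % (".".join(parts[:n]), group)
    if parts[n] != artifact:
        return False, "artifact %s is not %s" % (parts[n], artifact)
    if len(parts) == n + 2:
        # Only artifact-level maven-metadata.xml may sit directly under the artifactId.
        if parts[n + 1].startswith("maven-metadata"):
            return True, "artifact-level metadata"
        return False, "unexpected file at artifact level"
    if not _VERSION_RE.match(parts[n + 1]):
        return False, "malformed version directory"
    return True, "ok"


def filter_zip_entries(entries):
    """Split zip entry names into (publishable, rejected) lists of (entry, reason)."""
    allowed, rejected = [], []
    for e in entries:
        ok, reason = check_entry(e)
        (allowed if ok else rejected).append((e, reason))
    return allowed, rejected
```

Publishing should abort, not just skip, when the rejected list is non-empty, since a well-formed PR build never produces such entries.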