Checkmarx · cx-alon-rosenhek · Jun 25, 2026 · Jun 25, 2026
diff --git a/.github/workflows/delete-dev-releases.yml b/.github/workflows/delete-dev-releases.yml
@@ -25,10 +25,25 @@ jobs:
 
       - name: Delete releases and tags
         continue-on-error: true
-        uses: dev-drprasad/delete-older-releases@653dc03d96473ac9e585c68c8bf5aaccb0dadb61 # 0.2.1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          keep_latest: 0
-          delete_tag_pattern: "-${{inputs.tag}}"
-          delete_tags: true
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          TAG: ${{ inputs.tag }}
+        run: |
+          set -euo pipefail
+
+          # Find every release whose tag name contains "-<input tag>"
+          tags=$(gh release list --limit 1000 --json tagName \
+            --jq ".[] | select(.tagName | contains(\"-${TAG}\")) | .tagName")
+
+          if [ -z "$tags" ]; then
+            echo "No releases matching pattern '-${TAG}' found."
+            exit 0
+          fi
+
+          while IFS= read -r tag; do
+            [ -z "$tag" ] && continue
+            echo "Deleting release and tag: $tag"
+            # --cleanup-tag also deletes the underlying git tag
+            gh release delete "$tag" --yes --cleanup-tag
+          done <<< "$tags"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -30,6 +30,11 @@ on:
         required: true
         type: string
 
+permissions:
+  id-token: write
+  contents: write
+  packages: write
+
 jobs:
   deleteDevReleases:
     uses: Checkmarx/ast-eclipse-plugin/.github/workflows/delete-dev-releases.yml@main
@@ -38,15 +43,18 @@ jobs:
     secrets: inherit
     if: inputs.rbranch
   release:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: cx-public-ubuntu-x64
     outputs:
       TAG_NAME: ${{ steps.generate_tag_name.outputs.TAG_NAME }}
       CLI_VERSION: ${{ steps.set_outputs.outputs.CLI_VERSION }}
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           lfs: true
 
       - name: Checkout LFS objects
@@ -75,18 +83,23 @@ jobs:
           echo "TAG_NAME=$GH_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT
 
       - name: Set up JDK 17
-        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Cache local Maven repository
-        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
+
+      - name: Configure echo mirror for dependency resolution
+        run: |
+          sed -i 's|</settings>|<mirrors><mirror><id>echo</id><mirrorOf>central</mirrorOf><url>https://maven.echohq.com</url></mirror></mirrors></settings>|' ~/.m2/settings.xml
+
 
       - name: Update the POM version.
         run: mvn -B org.eclipse.tycho:tycho-versions-plugin:set-version -DnewVersion='${{ inputs.tag }}' --file pom.xml
@@ -106,115 +119,115 @@ jobs:
           echo "::set-output name=CLI_VERSION::${{ env.CLI_VERSION }}"
 
       - name: Release
-        uses: step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0
+        uses: step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0
         with:
           tag_name: ${{ env.GH_RELEASE_TAG_NAME }}
           generate_release_notes: true
           files: ./com.checkmarx.eclipse.site/target/com.checkmarx.eclipse.site-*.zip
           prerelease: ${{ inputs.rbranch != '' && inputs.rbranch != null }}
 
-      - name: Git configuration 
-        run: |
-          git config --global safe.directory "/tmp/**/*/"
-          git config --global http.postBuffer 2097152000
-          git config --global https.postBuffer 2097152000
-
-      - name: Ensure Git LFS is enabled
-        run: |
-          git lfs install
-          git lfs track "plugins/*.jar" # Ensure large JARs are tracked
-          git add .gitattributes
-          git commit -m "Ensure LFS tracking for large JAR files" || echo "No changes to commit"
-
-      - name: Clone target repository and push changes via PR
-        env:
-          GH_TOKEN: ${{ secrets.ECLIPSE_SITE_TOKEN }}
-        run: |
-          # Clone the repository
-          git clone https://x-access-token:${{ secrets.ECLIPSE_SITE_TOKEN }}@github.com/CheckmarxDev/ast-eclipse-plugin-update-site.git update-site
-          cd update-site
-
-          # Ensure Git LFS is installed
-          git lfs install
-
-          # Configure Git user to prevent commit errors
-          git config --global user.email "cylon-bot@checkmarx.com"
-          git config --global user.name "cylon-bot"
-
-          # Fetch all branches
-          git fetch --all
-
-          # Ensure the branch exists and check it out
-          if git show-ref --verify --quiet refs/remotes/origin/${{ env.GH_BRANCH_NAME }}; then
-            echo "Branch ${{ env.GH_BRANCH_NAME }} exists remotely."
-            git checkout -B ${{ env.GH_BRANCH_NAME }} origin/${{ env.GH_BRANCH_NAME }}
-          else
-            echo "Branch ${{ env.GH_BRANCH_NAME }} does not exist remotely."
-            exit 1
-          fi
-
-          # Create a feature branch
-          FEATURE_BRANCH="update-site/${{ env.GH_RELEASE_TAG_NAME }}"
-          git checkout -b "$FEATURE_BRANCH"
-
-          echo "===== Files BEFORE COPY ====="
-          ls -lh ../com.checkmarx.eclipse.site/target/repository/
-
-          # Copy new files without deleting .git directory
-          rsync -av --delete --exclude='.git' ../com.checkmarx.eclipse.site/target/repository/ ./
-
-          # Debugging: List files in repository after copying
-          echo "===== Files AFTER COPY ====="
-          ls -lh .
-
-          # Dynamically track all .jar files in the plugins/ and features/ directories
-          find plugins -name "*.jar" -exec git lfs track {} +
-          find features -name "*.jar" -exec git lfs track {} +
-
-          # Ensure .gitattributes is added
-          git add .gitattributes
-          git add .
-
-          # Debugging: Show LFS-tracked files
-          echo "===== Git LFS-tracked files ====="
-          git lfs ls-files
-
-          git commit -m "Update Eclipse update site for ${{ env.GH_RELEASE_TAG_NAME }} (${{ inputs.jira_ticket }})" || echo "No changes to commit"
-
-          # Ensure the correct remote URL
-          git remote set-url origin https://x-access-token:${{ secrets.ECLIPSE_SITE_TOKEN }}@github.com/CheckmarxDev/ast-eclipse-plugin-update-site.git
-
-          # Push the feature branch
-          git push origin "$FEATURE_BRANCH"
-
-          # Create PR with Jira ID at the end of the title
-          gh pr create \
-            --repo CheckmarxDev/ast-eclipse-plugin-update-site \
-            --base "${{ env.GH_BRANCH_NAME }}" \
-            --head "$FEATURE_BRANCH" \
-            --title "Update Eclipse update site for ${{ env.GH_RELEASE_TAG_NAME }} (${{ inputs.jira_ticket }})" \
-            --body "Automated update of Eclipse update site for release ${{ env.GH_RELEASE_TAG_NAME }}."
-
-          # Squash and merge the PR, then delete the branch
-          gh pr merge \
-            --repo CheckmarxDev/ast-eclipse-plugin-update-site \
-            --squash \
-            --auto \
-            --delete-branch
+      # - name: Git configuration 
+      #   run: |
+      #     git config --global safe.directory "/tmp/**/*/"
+      #     git config --global http.postBuffer 2097152000
+      #     git config --global https.postBuffer 2097152000
+
+      # - name: Ensure Git LFS is enabled
+      #   run: |
+      #     git lfs install
+      #     git lfs track "plugins/*.jar" # Ensure large JARs are tracked
+      #     git add .gitattributes
+      #     git commit -m "Ensure LFS tracking for large JAR files" || echo "No changes to commit"
+
+      # - name: Clone target repository and push changes via PR
+      #   env:
+      #     GH_TOKEN: ${{ secrets.ECLIPSE_SITE_TOKEN }}
+      #   run: |
+      #     # Clone the repository
+      #     git clone https://x-access-token:${{ secrets.ECLIPSE_SITE_TOKEN }}@github.com/Checkmarx/ast-eclipse-plugin-update-site.git update-site
+      #     cd update-site
+
+      #     # Ensure Git LFS is installed
+      #     git lfs install
+
+      #     # # Configure Git user to prevent commit errors
+      #     # git config --global user.email ""
+      #     # git config --global user.name ""
+
+      #     # Fetch all branches
+      #     git fetch --all
+
+      #     # Ensure the branch exists and check it out
+      #     if git show-ref --verify --quiet refs/remotes/origin/${{ env.GH_BRANCH_NAME }}; then
+      #       echo "Branch ${{ env.GH_BRANCH_NAME }} exists remotely."
+      #       git checkout -B ${{ env.GH_BRANCH_NAME }} origin/${{ env.GH_BRANCH_NAME }}
+      #     else
+      #       echo "Branch ${{ env.GH_BRANCH_NAME }} does not exist remotely."
+      #       exit 1
+      #     fi
+
+      #     # Create a feature branch
+      #     FEATURE_BRANCH="update-site/${{ env.GH_RELEASE_TAG_NAME }}"
+      #     git checkout -b "$FEATURE_BRANCH"
+
+      #     echo "===== Files BEFORE COPY ====="
+      #     ls -lh ../com.checkmarx.eclipse.site/target/repository/
+
+      #     # Copy new files without deleting .git directory
+      #     rsync -av --delete --exclude='.git' ../com.checkmarx.eclipse.site/target/repository/ ./
+
+      #     # Debugging: List files in repository after copying
+      #     echo "===== Files AFTER COPY ====="
+      #     ls -lh .
+
+      #     # Dynamically track all .jar files in the plugins/ and features/ directories
+      #     find plugins -name "*.jar" -exec git lfs track {} +
+      #     find features -name "*.jar" -exec git lfs track {} +
+
+      #     # Ensure .gitattributes is added
+      #     git add .gitattributes
+      #     git add .
+
+      #     # Debugging: Show LFS-tracked files
+      #     echo "===== Git LFS-tracked files ====="
+      #     git lfs ls-files
+
+      #     git commit -m "Update Eclipse update site for ${{ env.GH_RELEASE_TAG_NAME }} (${{ inputs.jira_ticket }})" || echo "No changes to commit"
+
+      #     # Ensure the correct remote URL
+      #     git remote set-url origin https://x-access-token:${{ secrets.ECLIPSE_SITE_TOKEN }}@github.com/CheckmarxDev/ast-eclipse-plugin-update-site.git
+
+      #     # Push the feature branch
+      #     git push origin "$FEATURE_BRANCH"
+
+      #     # Create PR with Jira ID at the end of the title
+      #     gh pr create \
+      #       --repo CheckmarxDev/ast-eclipse-plugin-update-site \
+      #       --base "${{ env.GH_BRANCH_NAME }}" \
+      #       --head "$FEATURE_BRANCH" \
+      #       --title "Update Eclipse update site for ${{ env.GH_RELEASE_TAG_NAME }} (${{ inputs.jira_ticket }})" \
+      #       --body "Automated update of Eclipse update site for release ${{ env.GH_RELEASE_TAG_NAME }}."
+
+      #     # Squash and merge the PR, then delete the branch
+      #     gh pr merge \
+      #       --repo CheckmarxDev/ast-eclipse-plugin-update-site \
+      #       --squash \
+      #       --auto \
+      #       --delete-branch
 
 
 
 
-  notify:
-    if: ${{ inputs.rbranch == '' || inputs.rbranch == null }}
-    needs: release
-    uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
-    with:
-      product_name: Eclipse
-      release_version: ${{ needs.release.outputs.TAG_NAME }}
-      cli_release_version: ${{ needs.release.outputs.CLI_VERSION }}
-      release_author: "Phoenix Team"
-      release_url: https://github.com/Checkmarx/ast-eclipse-plugin/releases/tag/${{ needs.release.outputs.TAG_NAME }}
-      jira_product_name: ECLIPSE
-    secrets: inherit
+  # notify:
+  #   if: ${{ inputs.rbranch == '' || inputs.rbranch == null }}
+  #   needs: release
+  #   uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
+  #   with:
+  #     product_name: Eclipse
+  #     release_version: ${{ needs.release.outputs.TAG_NAME }}
+  #     cli_release_version: ${{ needs.release.outputs.CLI_VERSION }}
+  #     release_author: "Phoenix Team"
+  #     release_url: https://github.com/Checkmarx/ast-eclipse-plugin/releases/tag/${{ needs.release.outputs.TAG_NAME }}
+  #     jira_product_name: ECLIPSE
+  #   secrets: inherit