Add workflow to publish GitHub release to Modrinth #70
Important: Review skipped. Auto reviews are disabled on base/target branches other than the default branch.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-modrinth.yml:
- Line 13: The checkout action usage "uses: actions/checkout@v4" is leaving a
writable token in git config; update that step to include the input
"persist-credentials: false" so the action does not persist credentials into the
repository git config (i.e., add persist-credentials: false under the
actions/checkout@v4 step).
- Line 13: The workflow uses mutable action tags like actions/checkout@v4,
actions/setup-java@v4, and cloudnode-pro/modrinth-publish@v2; replace each
mutable tag with the provided commit SHAs: change actions/checkout@v4 to
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5, actions/setup-java@v4
to actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9, and
cloudnode-pro/modrinth-publish@v2 to
cloudnode-pro/modrinth-publish@8dc596b20b94959bf244180235d90729d05a674f so the
workflow pins exact commits instead of floating tags.
- Around line 8-35: Add a minimal permissions block to the publish job to
enforce least-privilege: inside the "publish" job (job name "publish") add a
permissions map with only the rights needed to read repo contents and the
release metadata, e.g. permissions: { contents: read, releases: read }, so the
workflow can checkout and read github.event.release.tag_name/body but nothing
else; place this block at the top of the job definition above "runs-on".
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: a485004c-7fb1-4830-8d09-d7703184db40
📒 Files selected for processing (1)
.github/workflows/publish-modrinth.yml
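As an added example (not part of the PR or of CodeRabbit's output), the three findings in this review can be checked mechanically before merge. The sample workflow is constructed from the steps the review names, and `audit_workflow` is a hypothetical helper that scans lines rather than parsing YAML.

```python
import re

# Constructed sample modelled on the workflow under review; not the PR's actual file.
SAMPLE_WORKFLOW = """\
name: Publish to Modrinth
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
      - run: ./gradlew build
      - uses: cloudnode-pro/modrinth-publish@v2
        with:
          files: build/libs/*.jar
"""

USES = re.compile(r"^(\s*(?:-\s+)?)uses:\s*([^\s#@]+)@([^\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_number, finding) pairs; line 0 means a file-level finding."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"\s*permissions:", l) for l in lines):
        findings.append((0, "no permissions block, token scope is the repository default"))
    for i, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m:
            continue
        prefix, action, ref = m.groups()
        if not FULL_SHA.fullmatch(ref):
            findings.append((i, f"{action}@{ref} is a mutable ref, pin a 40-hex commit SHA"))
        if action == "actions/checkout":
            # Inputs of this step are the following lines indented at least as far as `uses:`.
            step = []
            for nxt in lines[i:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < len(prefix):
                    break
                step.append(nxt)
            if not any(re.match(r"\s*persist-credentials:\s*false\b", s) for s in step):
                findings.append((i, "checkout persists its token, set persist-credentials: false"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}")
```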
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/publish-modrinth.yml (1)
40-40: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Tighten the Modrinth glob (`build/libs/*.jar`) to avoid uploading unintended jars
`build/libs/*.jar` uploads all jars in that folder, but `build.gradle.kts` configures `tasks.shadowJar { archiveClassifier.set("") }`, which should make Shadow use the standard jar filename and greatly reduce the chance of extra “-all/-original” artifacts. Still, it’s safest to ensure Gradle doesn’t leave any additional jar outputs in `build/libs` (or narrow the workflow glob to the exact expected artifact).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-modrinth.yml at line 40, The workflow currently uploads every JAR in build/libs via the glob "files: build/libs/*.jar" which can accidentally include classifier artifacts; update the upload glob to only include the intended Shadow/Gradle artifact produced by tasks.shadowJar (noted as tasks.shadowJar { archiveClassifier.set("") }) — either specify the exact artifact filename pattern matching your project’s archiveBaseName/archiveVersion (the single jar created by shadowJar) or narrow the glob by excluding classifier outputs (for example add negative patterns like !build/libs/*-all.jar and !build/libs/*-original.jar) so only the expected jar is uploaded.
♻️ Duplicate comments (1)
.github/workflows/publish-modrinth.yml (1)
16-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Still riding floating tags — let's pin these to SHAs.
Lines 16, 21, and 30 still use mutable tags (`@v4`, `@v4`, `@v2`). Pinning to commit SHAs keeps an upstream tag move from quietly changing what runs in your publish pipeline. zizmor's still grumbling about line 16 too.
🔧 Suggested pins
- - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false- uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4- uses: cloudnode-pro/modrinth-publish@v2 + uses: cloudnode-pro/modrinth-publish@8dc596b20b94959bf244180235d90729d05a674f # v2Heads up: please re-verify those SHAs still map to the intended tags before committing.
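Review bot: The trailing comments on the three pinned `uses:` lines record only the major tags (`# v4`, `# v2`), which are themselves mutable, so the file does not say which release each SHA was taken from. Put the exact release version in each comment so a later reader can check the SHA against the upstream tag, which is the re-verification this suggestion asks for before committing.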
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-modrinth.yml at line 16, Replace mutable action tags with immutable commit SHAs: locate each "uses:" entry that currently references floating tags such as "actions/checkout@v4" (and the other occurrences of "`@v4`" and "`@v2`" in the workflow) and replace the tag with the corresponding full commit SHA of the upstream action repository, then verify each SHA resolves to the intended tag before committing; ensure you update "uses: actions/checkout@v4" by substituting the exact commit SHA and do the same for the other two "uses" entries so the publish pipeline no longer depends on mutable tags.
🧹 Nitpick comments (1)
.github/workflows/publish-modrinth.yml (1)
26-27: Optional: cache Gradle to speed up the build.
Every release build re-resolves dependencies from scratch. Tossing in a Gradle cache (via `setup-java`'s `cache: gradle` or `gradle/actions/setup-gradle`) would shave time off each publish run. Not a blocker, just a quality-of-life win.
🚀 One-line option via setup-java
uses: actions/setup-java@v4 with: java-version: '21' distribution: 'temurin' + cache: 'gradle'🤖 Prompt for AI Agents
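Review bot: The added `cache: 'gradle'` line on the setup-java step makes the job that builds the published jar restore dependencies from a cache written by earlier runs. For a release-only publish workflow, building without the cache keeps the uploaded artifact independent of cache contents. If the cache is kept, the context line still shows `actions/setup-java@v4`, which should carry the SHA pin requested elsewhere in this review.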
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-modrinth.yml around lines 26 - 27, The workflow currently always runs the "Build with Gradle" step with ./gradlew build and doesn't cache Gradle artifacts; update the job to enable Gradle caching by either adding cache: gradle to the actions/setup-java step (actions/setup-java@v3 with cache: 'gradle') or by adding the official Gradle cache action (gradle/actions/setup-gradle) before the "Build with Gradle" step so dependencies and wrapper caches are restored and saved between runs; make sure the cache action is placed prior to running ./gradlew build and uses the same Gradle version/paths as the build step.
No description provided.