From 4d2f70f60fc9e190e8cf57763f68af4e572ca0d9 Mon Sep 17 00:00:00 2001
From: John McCall
Date: Tue, 9 Jun 2026 16:48:48 -0400
Subject: [PATCH 1/2] [CHORE](ci) Move setup-codeartifact off Node 20 runtimes
Bump aws-actions/configure-aws-credentials v4.3.1 -> v6.2.0 (Node 20 -> Node 24) and replace the archived Node 20 whelk-io/maven-settings-xml-action with an inline bash settings.xml writer. Removes a third-party + archived dependency and clears the forced 2026-06-16 Node 20 runtime cutover. The generated settings.xml is equivalent in the fields Maven uses (server id/username/password + single repository), so it stays interface-compatible for consumers. Updates the self-reference ignore justification in publish-maven-to-codeartifact and refreshes the README. Part of OvertureMaps/ops-team#384
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall
---
 .../publish-maven-to-codeartifact/action.yml | 2 +-
 .github/actions/setup-codeartifact/README.md | 10 +++-
 .github/actions/setup-codeartifact/action.yml | 49 +++++++++++++------
 3 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/.github/actions/publish-maven-to-codeartifact/action.yml b/.github/actions/publish-maven-to-codeartifact/action.yml
index 8b951ef..9a24fe6 100644
--- a/.github/actions/publish-maven-to-codeartifact/action.yml
+++ b/.github/actions/publish-maven-to-codeartifact/action.yml
@@ -57,7 +57,7 @@ runs:
 cache-dependency-path: "${{ inputs.working-directory }}/pom.xml"
 - name: Authenticate with CodeArtifact
- uses: OvertureMaps/workflows/.github/actions/setup-codeartifact@main # zizmor: ignore[unpinned-uses] -- self-referential; SHA updated in follow-up commit
+ uses: OvertureMaps/workflows/.github/actions/setup-codeartifact@main # zizmor: ignore[unpinned-uses] -- trusted same-repo self-reference; pinned to the branch-protected default branch by design
 with:
 aws-role-arn: ${{ inputs.aws-role-arn }}
 aws-region: ${{ inputs.aws-region }}
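Review bot: The new justification on the changed `uses:` line calls the `@main` self-reference "pinned", but it still floats: a `uses:` ref inside a composite action is resolved by the runner at run time, so a consumer that SHA-pins publish-maven-to-codeartifact still receives whatever setup-codeartifact is on `main` at that moment, and the caller's pin does not carry through. The branch-protection argument is a fair reason to accept that, but the comment should state it as floating rather than pinned, e.g. `# zizmor: ignore[unpinned-uses] -- same-repo self-reference; resolves to main at run time (not transitively pinned by the caller's SHA); accepted because main is branch-protected`. The `steps` list this line sits in begins and ends outside the hunk.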
diff --git a/.github/actions/setup-codeartifact/README.md b/.github/actions/setup-codeartifact/README.md
index 4649f36..cf05f5b 100644
--- a/.github/actions/setup-codeartifact/README.md
+++ b/.github/actions/setup-codeartifact/README.md
@@ -104,7 +104,15 @@ step in the same job resolve or deploy artifacts without bespoke setup.
 The authorization token is masked in logs and passed from the token step to the settings step via a step output (not `$GITHUB_ENV`), then embedded into the
-generated `~/.m2/settings.xml`. Keeping it out of `$GITHUB_ENV` means it is not
+`~/.m2/settings.xml` written by an inline bash step (a `cat <> "$GITHUB_OUTPUT"
 - name: Configure Maven Settings for CodeArtifact
- uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22 # zizmor: ignore[archived-uses] -- upstream archived but SHA-pinned; canonical settings.xml writer with no maintained drop-in replacement
- with:
- repositories: >
- [{
- "id": "${{ inputs.codeartifact-domain }}",
- "url": "https://${{ inputs.codeartifact-domain }}-${{ inputs.codeartifact-domain-owner }}.d.codeartifact.${{ inputs.aws-region }}.amazonaws.com/maven/${{ inputs.codeartifact-repository }}/"
- }]
- servers: >
- [{
- "id": "${{ inputs.codeartifact-domain }}",
- "username": "aws",
- "password": "${{ steps.token.outputs.token }}"
- }]
+ shell: bash
+ env:
+ CODEARTIFACT_DOMAIN: ${{ inputs.codeartifact-domain }}
+ CODEARTIFACT_REPO_URL: "https://${{ inputs.codeartifact-domain }}-${{ inputs.codeartifact-domain-owner }}.d.codeartifact.${{ inputs.aws-region }}.amazonaws.com/maven/${{ inputs.codeartifact-repository }}/"
+ CODEARTIFACT_TOKEN: ${{ steps.token.outputs.token }}
+ run: |
+ mkdir -p ~/.m2
+ cat > ~/.m2/settings.xml < + + + ${CODEARTIFACT_DOMAIN} + aws + ${CODEARTIFACT_TOKEN} + + + + + codeartifact + + + ${CODEARTIFACT_DOMAIN} + ${CODEARTIFACT_REPO_URL} + + + + + + codeartifact + + + EOF
From 659da6fe288f41457c5da863c4188b55e3c0a0ce Mon Sep 17 00:00:00 2001
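Review bot: The `cat > ~/.m2/settings.xml` write in the new `run:` block of the setup-codeartifact hunk creates the credentials file under the process's default umask, so on a self-hosted or otherwise shared runner the CodeArtifact token can land in a file readable by other local users; the removed whelk-io step likely had the same exposure, but the write is now in-repo and cheap to tighten. Prefer owner-only permissions, e.g. `umask 077` as the first line of the script (ahead of `mkdir -p ~/.m2`), or `chmod 600 ~/.m2/settings.xml` after the heredoc. In the same block, `CODEARTIFACT_DOMAIN` and `CODEARTIFACT_REPO_URL` are expanded into XML without escaping, so an input containing `&` would yield an unparseable settings.xml; a one-line comment stating that the inputs are expected to be plain domain and repository names would make that assumption explicit. The hunk's header and the start of the heredoc are not visible here, so the exact position of the write within the step is inferred.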
From: John McCall
Date: Tue, 9 Jun 2026 17:03:08 -0400
Subject: [PATCH 2/2] Document why settings.xml is written inline (not setup-java)
CodeArtifact needs both a server (creds) and a repository (resolve URL) in settings.xml, and the token must stay out of the environment. actions/setup-java emits only env-placeholder servers, so it is a partial fit; record the rationale in-step for reviewers.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall
---
 .github/actions/setup-codeartifact/action.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/actions/setup-codeartifact/action.yml b/.github/actions/setup-codeartifact/action.yml
index adfa047..d98c3e5 100644
--- a/.github/actions/setup-codeartifact/action.yml
+++ b/.github/actions/setup-codeartifact/action.yml
@@ -70,6 +70,12 @@ runs:
 echo "::add-mask::$TOKEN"
 echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
+ # settings.xml is written inline rather than via actions/setup-java's
+ # generator. CodeArtifact needs both a (credentials) and a
+ # (resolve URL) in settings.xml; setup-java emits only
+ # with ${env.*} credential placeholders, which would drop the
+ # resolve repository and force the token into the environment at mvn time.
+ # An inline writer also keeps this auth action JDK-agnostic.
 - name: Configure Maven Settings for CodeArtifact
 shell: bash
 env: