Add SNAPSHOT-version guard to publish.yaml workflows

[amavashev]

Issue

The `publish.yaml` workflows across Cycles Java repos run `mvn -B -Prelease clean deploy` on `release` events without a build-time check that the pom version is not a SNAPSHOT. Example: `cycles-spring-boot-starter/.github/workflows/publish.yaml` and the matching workflow on `cycles-spring-ai-starter`.

If someone cuts a GitHub release while the pom version is still `x.y.z-SNAPSHOT`, the workflow runs and `mvn deploy` attempts to publish. Sonatype Central rejects SNAPSHOT versions server-side, so the actual harm is "noisy publish failure" rather than "published a snapshot to Central." But a fast-fail before the deploy phase would surface the operator error more clearly.

Proposed fix

Add a step in `publish.yaml` right after JDK setup:

```yaml

• name: Verify version is not SNAPSHOT
  working-directory: ${{ matrix.module-dir }}
  run: |
  VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
  if [[ "$VERSION" == SNAPSHOT ]]; then
  echo "::error::Cannot publish SNAPSHOT version: $VERSION. Drop -SNAPSHOT before tagging."
  exit 1
  fi
  echo "Publishing version: $VERSION"
  ```

Affected repos

Every Cycles repo that has a publish.yaml workflow targeting Maven Central:

• cycles-spring-boot-starter
• cycles-spring-ai-starter
• (and Python/TS equivalents if they have similar issues with PyPI / npm)

Surface

Original review finding from PR #1 on cycles-spring-ai-starter (2026-05-12). Tracking org-wide because the same pattern exists across publish workflows.

[amavashev]

Status (2026-05-12)

Python-side: done. `runcycles/cycles-client-python` PR #60 added a `Verify pyproject version matches tag` step to `.github/workflows/python-publish.yml` — runs on `refs/tags/v*`, uses `tomllib` to read `pyproject.toml`'s `project.version`, fails fast before build if the value doesn't match the tag (e.g. tag `v0.5.0` against `pyproject.toml` still on `0.4.1` or a `dev0` pre-release). PyPI rejects duplicates server-side, but this surfaces operator error earlier.

Java/TypeScript-side: pending. This issue's body proposed the snippet for Maven `publish.yaml` workflows. There's no canonical `publish-java.yml` in this repo (each Java repo carries its own), so the fix is either:

1. Per-repo PR adding the `Verify version is not SNAPSHOT` step from the original write-up. Smaller blast radius per PR, easier to review.
2. Promote to canonical: add `.github/workflows/publish-java.yml` here as a reusable workflow with the guard built-in, migrate Java repos to consume it. Larger one-time investment but matches the `ci-.yml` pattern.

Affected repos still needing the fix:

• `cycles-spring-boot-starter`
• `cycles-spring-ai-starter`
• `cycles-client-typescript` (npm publish equivalent — version-vs-tag rather than SNAPSHOT)
• `cycles-server` (if it publishes to Central)
• `cycles-server-admin` (if it publishes to Central)

Leaving open until Java/TS publish workflows have the guard. Out of scope for the current batch per scoping decision in `cycles-client-python` PR #60 ("source-side + this repo only").