The reusable-release.yml workflow puts the stages of publishing your library to Maven Central into separate workflow jobs.
The individual workflow jobs differ in their level of trust, that is, in what code they execute:
- 🎊 Library build/test code: the potentially dangerous code coming from the library's transitive dependencies is represented by the shiny and unknown wonders falling out of the confetti ball
- 🔒 Fixed code dictated by gha-scala-library-release-workflow, trusted with the release credentials and with write access on the repository
This means your library's code, with its tests and dependencies, does NOT have access to your release credentials:
- Sonatype OSSRH username & password
- PGP signing key
So while the library's code is being compiled, its tests are run and its artifacts are created, there is no way for malicious code to exfiltrate those secrets.
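The job split described above, shown as an added illustration rather than the workflow's own YAML: the untrusted build job never references the `secrets` context, so the credentials are never injected into its runner, while only the fixed sign-and-release job receives them. Secret names, the build command, the artifact path and the `sign-and-publish.sh` script are hypothetical.

```yaml
# Added illustration (not reusable-release.yml itself). Secret names, the
# build command, the artifact path and the publish script are hypothetical.
name: release
on:
  workflow_dispatch:

jobs:
  build:
    # Untrusted stage: compiles the library and runs its tests, so code from
    # the library's transitive dependencies executes here. No release
    # credentials are referenced, so none reach this runner.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: sbt +publishLocal            # hypothetical: compile, test, package
      - uses: actions/upload-artifact@v4
        with:
          name: unsigned-artifacts
          path: ~/.ivy2/local/            # hypothetical location of the artifacts

  sign-and-release:
    # Trusted stage: runs only fixed code and consumes the artifacts produced
    # above. This is the only job whose environment carries the secrets.
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: unsigned-artifacts
      - run: ./sign-and-publish.sh        # hypothetical fixed script: sign and publish
        env:
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
          PGP_SECRET_KEY: ${{ secrets.PGP_SECRET_KEY }}
```

Because the `build` job's steps contain no `${{ secrets.* }}` expressions, a compromised dependency running inside it has nothing to read; the secrets only exist in the `sign-and-release` job's environment.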