fix: align CI

Author: Raphael Vullriede

.github/workflows/build-on-push.yml

@@ -2,20 +2,23 @@ name: build-on-push
 
 on:
   push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
+    branches-ignore:
+      - main
 
 jobs:
-  build:
+  build-on-push:
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v4
+      - name: checkout
+        uses: actions/checkout@v4
+
       - name: setup-jdk
         uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: 'temurin'
           cache: maven
-      - name: maven-build
-        run: mvn --batch-mode --update-snapshots package
+
+      - name: maven-build-verify
+        run: mvn --batch-mode --update-snapshots verify

.github/workflows/build-release-on-main-push.yml

@@ -0,0 +1,66 @@
+name: build-release-on-main-push
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-release-on-main-push:
+    if: ${{ !contains(github.event.head_commit.message, '[release]') }} # prevent recursive releases
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      packages: write
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: setup-jdk
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: 'temurin'
+          cache: maven
+          server-id: ossrh
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+          gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
+          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+      - name: maven-build-verify
+        run: mvn --batch-mode verify
+
+      - name: configure-git-user
+        uses: qoomon/actions--setup-git@v1
+        with:
+          user: bot
+
+      - name: publish-on-maven-central
+        run: mvn --batch-mode -P osslabz-release clean release:clean release:prepare release:perform
+        env:
+          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+
+      - name: 'get-latest-tag'
+        id: 'get-latest-tag'
+        uses: "WyriHaximus/github-action-get-previous-tag@v1"
+
+      - name: create-release-notes
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          tag_name: ${{ steps.get-latest-tag.outputs.tag }}
+
+      - name: merge-main-to-dev
+        run: |
+          git fetch --unshallow
+          git checkout dev
+          git pull
+          git merge --no-ff main -m "[release] auto-merge released main back to dev"
+          git push

.github/workflows/dependabot-auto-approve.yml renamed to .github/workflows/dependabot-pr-auto-merge.yml

@@ -1,27 +1,26 @@
 name: dependabot-pr-auto-merge
+
 on: pull_request
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
-  dependabot:
+  dependabot-pr-auto-merge:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      repository-projects: write
+
     if: github.actor == 'dependabot[bot]'
     steps:
       - name: dependabot-pr-fetch-metadata
-        id: metadata
         uses: dependabot/fetch-metadata@v2
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
       - name: dependabot-pr-approve
         run: gh pr review --approve "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
       - name: dependabot-pr-auto-merge
         run: gh pr merge --auto --merge "$PR_URL"
         env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          PR_URL: ${{github.event.pull_request.html_url}}