
feat(ci): remove redundant dependency:go-offline (DAT-22570) #516

Draft
jandroav wants to merge 1 commit into main from DAT-22570/optimize-rc-release-orchestrator


@jandroav jandroav commented Mar 26, 2026

Summary

Removes the dependency:go-offline Maven goal from build commands in reusable extension workflows. With stickydisk and actions/cache providing warm Maven repository caches, the pre-fetch step is redundant overhead (~1-2 min per build per OS).

Changes

  • pro-extension-build-for-liquibase.yml: Removed dependency:go-offline from the "Build and Package" step (used by RC Release Orchestrator)
  • pro-extension-test.yml: Removed dependency:go-offline from 3 build steps (nightly build, regular build with/without extra Maven args)

Companion PR

  • liquibase/liquibase-pro — same branch (DAT-22570/optimize-rc-release-orchestrator): main pipeline optimization changes (Maven cache on Win/macOS, Docker parallelization, combined version commands)

Test plan

  • Verify extension builds still pass without dependency:go-offline
  • Verify Maven downloads dependencies on-demand during build phase
  • Run a test RC pipeline using branch reference to validate end-to-end

🔗 DAT-22570

…AT-22570)

Remove dependency:go-offline goal from build commands in
pro-extension-build-for-liquibase and pro-extension-test workflows.
With stickydisk/actions-cache providing warm Maven caches, the
pre-fetch step is redundant and adds unnecessary overhead.

coderabbitai bot commented Mar 26, 2026

Walkthrough

This PR removes the dependency:go-offline Maven goal from build commands in two GitHub Actions workflow files for Liquibase extensions, simplifying the Maven invocations while preserving all other build flags and parameterization.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflows: .github/workflows/pro-extension-build-for-liquibase.yml, .github/workflows/pro-extension-test.yml | Removed dependency:go-offline goal from Maven build commands. Both workflows now execute mvn -B clean package -DskipTests=true ... instead of mvn -B dependency:go-offline clean package -DskipTests=true .... Conditional handling of extra Maven arguments remains unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

claude-code-assisted

Suggested reviewers

  • abrackx
  • jnewton03
  • filipelautert
Pre-merge checks: ✅ 3 passed

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely describes the main change: removing the redundant Maven dependency:go-offline goal from CI workflows, with the ticket reference.
Description check | ✅ Passed | The description provides clear context about why the change is being made, which files are affected, and includes a comprehensive test plan related to the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


run: |
if [ -n "${{ inputs.extraMavenArgs }}" ]; then
mvn -B dependency:go-offline clean package -DskipTests=true "${{ inputs.extraMavenArgs }}"
mvn -B clean package -DskipTests=true "${{ inputs.extraMavenArgs }}"
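
Review bot: Both lines of this run: body, the [ -n "${{ inputs.extraMavenArgs }}" ] test and the rewritten mvn line, still paste the input into the script text before bash parses it, so the surrounding double quotes give no protection. Since this PR already edits the mvn line, move the value into the step's env: block and reference it as a shell variable in the same change rather than leaving it for a follow-up.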

Check warning

Code scanning / CodeQL

Code injection Medium

Potential code injection in ${ inputs.extraMavenArgs }, which may be controlled by an external user.

Copilot Autofix

AI 5 days ago

General fix: Avoid using ${{ ... }} expressions directly in run: command bodies for untrusted inputs. Instead, assign the input to an environment variable via the env: section, and reference it using shell variable syntax (e.g., $EXTRA_MAVEN_ARGS) so that the shell receives the value as data, not parsed script.

Best concrete fix here, without changing behavior:

  • Add an environment variable (e.g., EXTRA_MAVEN_ARGS) in the “Build and Package” step and set it to ${{ inputs.extraMavenArgs }}.
  • In the run: block, replace ${{ inputs.extraMavenArgs }} with $EXTRA_MAVEN_ARGS and keep the conditional if [ -n "$EXTRA_MAVEN_ARGS" ]; then ... check using standard bash syntax.
  • Do not alter any other steps or logic.

Concretely in .github/workflows/pro-extension-test.yml around lines 246–260:

  • Under env:, add EXTRA_MAVEN_ARGS: ${{ inputs.extraMavenArgs }}.
  • In the bash script, change the condition to test "$EXTRA_MAVEN_ARGS" and pass "$EXTRA_MAVEN_ARGS" to mvn instead of "${{ inputs.extraMavenArgs }}".

No additional methods or external libraries are needed; this is pure YAML + shell variable usage.


Suggested changeset 1
.github/workflows/pro-extension-test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pro-extension-test.yml b/.github/workflows/pro-extension-test.yml
--- a/.github/workflows/pro-extension-test.yml
+++ b/.github/workflows/pro-extension-test.yml
@@ -252,9 +252,10 @@
           AZURE_CLIENT_SECRET: ${{ env.AZURE_CLIENT_SECRET }}
           AZURE_CLIENT_ID: ${{ env.AZURE_CLIENT_ID }}
           LIQUIBASE_AZURE_STORAGE_ACCOUNT: ${{ env.LIQUIBASE_AZURE_STORAGE_ACCOUNT }}
+          EXTRA_MAVEN_ARGS: ${{ inputs.extraMavenArgs }}
         run: |
-          if [ -n "${{ inputs.extraMavenArgs }}" ]; then
-            mvn -B clean package -DskipTests=true "${{ inputs.extraMavenArgs }}"
+          if [ -n "$EXTRA_MAVEN_ARGS" ]; then
+            mvn -B clean package -DskipTests=true "$EXTRA_MAVEN_ARGS"
           else
             mvn -B clean package -DskipTests=true
           fi
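
Review bot: "$EXTRA_MAVEN_ARGS" on the added mvn line is passed as one argument, so a value carrying several space-separated Maven flags reaches mvn as a single word. That matches the removed "${{ inputs.extraMavenArgs }}" line, but the input name suggests more than one argument; state in the workflow input description whether one argument or a list is expected, and if a list is intended, split it deliberately in the script (for example into a bash array) rather than leaving it implicit.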
EOF
@jandroav jandroav marked this pull request as draft March 26, 2026 12:48

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/pro-extension-test.yml (1)

246-260: ⚠️ Potential issue | 🟠 Major

Security: Potential command injection via direct input interpolation.

The CodeQL analysis flagged line 257. Using ${{ inputs.extraMavenArgs }} directly in the shell command is vulnerable to command injection if the input can be controlled by an external user (e.g., via workflow_dispatch or a malicious PR triggering a workflow_call).

Compare with pro-extension-build-for-liquibase.yml (line 219-221), which safely passes the input through an environment variable first:

env:
  EXTRA_MAVEN_ARGS: ${{ inputs.extraMavenArgs }}
run: |
  mvn -B clean package -DskipTests=true ${EXTRA_MAVEN_ARGS}
🛡️ Proposed fix: Use environment variable instead of direct interpolation
       - name: Build and Package
         if: ${{ !inputs.nightly }}
         shell: bash
         env:
           LIQUIBASE_PRO_LICENSE_KEY: ${{ env.PRO_LICENSE_KEY }}
           AZURE_TENANT_ID: ${{ env.AZURE_TENANT_ID }}
           AZURE_CLIENT_SECRET: ${{ env.AZURE_CLIENT_SECRET }}
           AZURE_CLIENT_ID: ${{ env.AZURE_CLIENT_ID }}
           LIQUIBASE_AZURE_STORAGE_ACCOUNT: ${{ env.LIQUIBASE_AZURE_STORAGE_ACCOUNT }}
+          EXTRA_MAVEN_ARGS: ${{ inputs.extraMavenArgs }}
         run: |
-          if [ -n "${{ inputs.extraMavenArgs }}" ]; then
-            mvn -B clean package -DskipTests=true "${{ inputs.extraMavenArgs }}"
+          if [ -n "${EXTRA_MAVEN_ARGS}" ]; then
+            mvn -B clean package -DskipTests=true ${EXTRA_MAVEN_ARGS}
           else
             mvn -B clean package -DskipTests=true
           fi
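
Review bot: The added mvn -B clean package -DskipTests=true ${EXTRA_MAVEN_ARGS} line drops the double quotes the removed line had, so the value now undergoes word splitting and pathname expansion; that is a behaviour change on top of the injection fix, and it disagrees with the quoted "$EXTRA_MAVEN_ARGS" in the Copilot Autofix patch for the same step. Pick one form for both workflows and, if splitting is wanted, disable globbing or use an array so a * in the value is not expanded against the workspace.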
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pro-extension-test.yml around lines 246 - 260, The
workflow step "Build and Package" currently interpolates inputs.extraMavenArgs
directly into the shell run command (risk of command injection); change it to
set an environment variable (e.g., EXTRA_MAVEN_ARGS: ${{ inputs.extraMavenArgs
}}) in the step env block and reference that env var inside the run script (use
${EXTRA_MAVEN_ARGS}) instead of ${ { inputs.extraMavenArgs } }; keep the
existing conditional logic that checks for a non-empty value but perform the
check against ${EXTRA_MAVEN_ARGS} so the input is never directly injected into
the shell command.

📥 Commits

Reviewing files that changed from the base of the PR and between 6147dd2 and 57cc8e9.

📒 Files selected for processing (2)
  • .github/workflows/pro-extension-build-for-liquibase.yml
  • .github/workflows/pro-extension-test.yml
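
Added example, not code from this PR or from either workflow: a runnable sketch of why both review comments ask for the env: indirection, and how the quoted and unquoted forms of the two proposed patches differ. The names fake_mvn, run_interpolated and run_env and the sample values are constructed stand-ins; eval models the runner handing the rendered script text to the shell.

```bash
# Constructed stand-in for mvn: reports the argument count and the last argument.
fake_mvn() {
  for last in "$@"; do :; done
  printf 'argc=%d last=%s\n' "$#" "$last"
}

# Pre-fix pattern: the runner pastes the input into the script text where
# "${{ inputs.extraMavenArgs }}" stood, and only then does the shell parse it.
# eval models that second step.
run_interpolated() {
  ( eval "fake_mvn -B clean package \"$1\"" )
}

# Post-fix pattern: the script text ($1) is fixed; the value ($2) arrives in
# the environment and is only ever expanded as data.
run_env() {
  ( EXTRA_MAVEN_ARGS=$2; export EXTRA_MAVEN_ARGS; eval "$1" )
}

QUOTED='fake_mvn -B clean package "$EXTRA_MAVEN_ARGS"'    # Autofix patch form
UNQUOTED='fake_mvn -B clean package ${EXTRA_MAVEN_ARGS}'  # CodeRabbit form

# Constructed sample inputs.
FLAGS='-Pci -Drevision=1.0'   # two Maven flags in one input value
MARKER='$(echo MARKER)'       # harmless shell syntax, to see who evaluates it

run_interpolated "$FLAGS"     # one argument
run_interpolated "$MARKER"    # the substitution is executed by the shell
run_env "$QUOTED" "$MARKER"   # stays literal text
run_env "$QUOTED" "$FLAGS"    # still one argument
run_env "$UNQUOTED" "$FLAGS"  # split into two arguments
```

The env: form closes the injection path in both quoted and unquoted variants; the quoting choice only decides how many arguments Maven receives.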
