Hey! Thanks for bringing this up. From a quick look-through, it seems there are a few different issues here that it would be good to separate:
- Some builds fail because GitHub Actions is using Maven 3.8.1, but all the repository URLs are HTTP URLs. For these cases, we should just change the URLs in the POM to HTTPS. (But see below for a caveat).
- Some modules (including openmrs-module-referenceapplication) rely on a version of Sass downloaded from a RubyGem repository that Maven can speak to. The repo that we are using for that is unmaintained and not available via HTTPS and there don’t seem to be any alternatives providing that service (I tried to setup our Artifactory instance, but while it can serve as a Gem repo, it doesn’t do the Gem → Maven conversion; JRuby, which is the whole reason that Maven repo for Gems existed long ago migrated to using the same code to fetch Gems as Mats Ruby) . For those modules, we’ll need to pin the build to use Maven 3.6.3, e.g., by leveraging this. The long-term solution here is probably to migrate to using the libsass-maven-plugin since the ruby-sass gem is EOL’d.
- I have no idea what’s going on with the HFE failures, but I don’t think it’s Maven 3.8.1 related (or, at the very least, the same module and PR builds successfully on my machine using Java 8 and Maven 3.8.1). We can try pinning the Maven version there, but I’m not convinced that will solve things.
AFAICT, there’s no way to tell GitHub Actions “use this version of Maven for my projects”, apart from using a self-hosted runner, but that negates one of the main advantages of GitHub Actions, namely, we don’t have to maintain the build machines.