How to release from master only


Hello Team,

I want to open source a library (Java/Maven) and release it to Central. The problem is that I want to have full control over the release process.

I want an automatic release if a commit is on master and has been tagged. Additionally, I want to run a build (build only, not release) on master if there are no tags, and again build only if on a branch, ignoring tags (if any).

In other words - I want to prevent releases to Central from branches being tagged.

I have already tried probably all possible combinations of workflow filters, and tried to write sophisticated shell commands and use the git CLI to check whether master and tags come together.

Apart from annoying builds from tags which have no branch ($CIRCLE_BRANCH), what is a proper way to defend against releases from a branch by editing config.yml on that branch? E.g. what kind of guard should I apply to forbid users from changing config.yml and maliciously releasing from a branch?


Anyone who can merge such a change into master (or can push to master directly) should have release rights. So, you need to stop unauthorised users from being able to merge to master.
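
The "tag and master together" check from the question can be written as a reachability test, shown here as an added example that is not part of the original thread. The function name `release_decision` and the default ref `origin/master` are assumptions; `CIRCLE_SHA1` and `CIRCLE_TAG` are CircleCI's built-in variables.

```shell
#!/bin/sh
# Added example (constructed): decide whether the commit being built may be
# released. Assumes the release branch is "master" and that the job has
# fetched it, so the ref passed as <master-ref> exists locally.
#
# Usage in a CI step (hypothetical wiring):
#   if [ "$(release_decision "$CIRCLE_SHA1" "$CIRCLE_TAG")" = release ]; then ...

# release_decision <commit> <tag-or-empty> [<master-ref>]
# Prints "release" only when the tag points at <commit> and that commit is
# reachable from master; prints "build" in every other case (fail closed).
release_decision() {
    commit=$1
    tag=$2
    master_ref=${3:-origin/master}

    # No tag: an ordinary master or branch build, never a release.
    if [ -z "$tag" ]; then
        echo build
        return 0
    fi

    # Resolve both sides to full commit ids; ^{commit} peels annotated tags.
    tag_commit=$(git rev-parse --verify --quiet "refs/tags/$tag^{commit}") || {
        echo build; return 0; }
    full_commit=$(git rev-parse --verify --quiet "$commit^{commit}") || {
        echo build; return 0; }

    # The tag must name exactly the commit this job checked out.
    if [ "$tag_commit" != "$full_commit" ]; then
        echo build
        return 0
    fi

    # A tag on a feature branch fails here: its commit is not yet part of
    # master's history. A missing master ref also fails, so no release.
    if git merge-base --is-ancestor "$full_commit" "$master_ref" 2>/dev/null; then
        echo release
    else
        echo build
    fi
    return 0
}
```

This script is read from the repository like config.yml itself, so it guards against accidental releases from tagged branches; it does not replace restricting who can merge or push to master, as the answer describes.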