-
-
Notifications
You must be signed in to change notification settings - Fork 796
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Migrate to a CI build with SLSA provenance (#896)
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- Loading branch information
Showing
2 changed files
with
116 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| # This workflow publishes a new release to Maven central. | ||
| # | ||
| # The release MUST be initiated by running the release.sh script. That script will run | ||
| # ./mvnw release:prepare and make the necessary changes for this workflow to then take | ||
| # over and perform the actual release. | ||
|
|
||
| name: Publish new release | ||
| on: | ||
| push: | ||
| tags: | ||
| - "*" | ||
| - "!*.pr*" | ||
| - "!*b" | ||
|
|
||
| jobs: | ||
| release: | ||
| runs-on: "ubuntu-20.04" | ||
| env: | ||
| JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1" | ||
| TAG: ${{ github.ref_name }} | ||
| outputs: | ||
| hash: ${{ steps.hash.outputs.hash }} | ||
| artifact_name: ${{ steps.hash.outputs.artifact_name }} | ||
| steps: | ||
| - name: Validate version name | ||
| run: | | ||
| [[ "$TAG" =~ jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)? ]] || exit 1 | ||
| - uses: actions/checkout@v3 | ||
| - name: Set up JDK | ||
| uses: actions/setup-java@v3 | ||
| with: | ||
| distribution: "temurin" | ||
| java-version: "8" | ||
| cache: "maven" | ||
| server-id: sonatype-nexus-staging | ||
| server-username: CI_DEPLOY_USERNAME | ||
| server-password: CI_DEPLOY_PASSWORD | ||
| # See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven | ||
| # gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import | ||
| # gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase | ||
| - name: Perform release | ||
| # The following command will only succeed if the preparation was done via the | ||
| # release.sh script. | ||
| run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true | ||
| - name: Generate hash | ||
| id: hash | ||
| run: | | ||
| ARTIFACT_NAME="$( \ | ||
| ./mvnw help:evaluate \ | ||
| -Dexpression=project.artifactId -q -DforceStdout)-$( \ | ||
| ./mvnw help:evaluate \ | ||
| -Dexpression=project.version -q -DforceStdout)" | ||
| echo "artifact_name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT" | ||
| cd ./target | ||
| echo "hash=$( \ | ||
| sha256sum $ARTIFACT_NAME*.jar | \ | ||
| base64 -w0 \ | ||
| )" >> "$GITHUB_OUTPUT" | ||
| provenance: | ||
| needs: [release] | ||
| permissions: | ||
| actions: read # To read the workflow path. | ||
| id-token: write # To sign the provenance. | ||
| contents: write # To add assets to a release. | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
| with: | ||
| base64-subjects: "${{ needs.release.outputs.hash }}" | ||
| provenance-name: "${{ needs.release.outputs.artifact_name }}.jar.intoto.jsonl" | ||
| upload-assets: true # Optional: Upload to a new release |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #!/bin/bash | ||
|
|
||
| # This script simulates the Maven Release Plugin, but only performs | ||
| # release:clean and release:prepare. The release:perform step is handled by the | ||
| # CI when the tag is pushed. | ||
| # | ||
| # However, release:perform on Git requires the release.properties file. We must | ||
| # therefore modify the first commit created by release:prepare to include this | ||
| # file, and then delete the file in the second commit. | ||
| # | ||
| # This will ensure that release.properties is available to release:perform in | ||
| # the CI, while keeping with the expectation that this file does not get | ||
| # commited (long-term) to the repository. | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| # Prepare but don't push, we'll need to modify the commits | ||
| ./mvnw release:clean release:prepare -DpushChanges=false | ||
|
|
||
| # Step back to the first commit (from SNAPSHOT to release) | ||
| git reset HEAD~1 | ||
|
|
||
| # delete tag created by release:prepare | ||
| tag_name="$(git tag --points-at)" | ||
| git tag -d "$tag_name" | ||
|
|
||
| # Add release.properties to that commit | ||
| git add release.properties | ||
| git commit --amend --no-edit | ||
|
|
||
| # recreate tag | ||
| git tag "$tag_name" -m "[maven-release-plugin] copy for tag $tag_name" | ||
|
|
||
| # Recreate second commit (from release to SNAPSHOT), removing | ||
| # release.properties from the repository | ||
| git rm release.properties | ||
| git add pom.xml | ||
| git commit -m "[maven-release-plugin] prepare for next development iteration" | ||
|
|
||
| # push everything | ||
| git push | ||
| git push origin "$tag_name" | ||
|
|
||
| # clean up | ||
| rm pom.xml.releaseBackup |