Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate to a CI build with SLSA provenance #896

Merged
merged 8 commits into from
Feb 14, 2023
Merged

Migrate to a CI build with SLSA provenance #896

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
3a92ad9
Set pom url to my fork
pnacht Jan 3, 2023
5077716
Add release.sh and release.yml
pnacht Jan 9, 2023
46dce9c
Add localCheckout to release:perform
pnacht Jan 13, 2023
a75a5bd
Rename jackson-release.sh to release.sh, document release.yml
pnacht Jan 13, 2023
dc4f2ca
Add provenance
pnacht Jan 13, 2023
3549c72
Revert "Set pom url to my fork"
pnacht Jan 20, 2023
07b35e1
Remove unnecessary output
pnacht Jan 23, 2023
d08eddb
Fix server-id, validate version
pnacht Feb 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
# This workflow publishes a new release to Maven central.
#
# The release MUST be initiated by running the release.sh script. That script will run
# ./mvnw release:prepare and make the necessary changes for this workflow to then take
# over and perform the actual release.

name: Publish new release
on:
push:
tags:
- "*"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As per my note, should perhaps verify that the tag ends in something like "2.15.3"; although if Release Candidates were to use this workflow too (should they?) would need to accommodate those too.

- "!*.pr*"
- "!*b"

jobs:
release:
runs-on: "ubuntu-20.04"
env:
JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
TAG: ${{ github.ref_name }}
outputs:
hash: ${{ steps.hash.outputs.hash }}
artifact_name: ${{ steps.hash.outputs.artifact_name }}
steps:
- name: Validate version name
run: |
[[ "$TAG" =~ jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)? ]] || exit 1
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
distribution: "temurin"
java-version: "8"
cache: "maven"
server-id: sonatype-nexus-staging
server-username: CI_DEPLOY_USERNAME
server-password: CI_DEPLOY_PASSWORD
# See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven
# gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
# gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
- name: Perform release
# The following command will only succeed if the preparation was done via the
# release.sh script.
run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true
- name: Generate hash
id: hash
run: |
ARTIFACT_NAME="$( \
./mvnw help:evaluate \
-Dexpression=project.artifactId -q -DforceStdout)-$( \
./mvnw help:evaluate \
-Dexpression=project.version -q -DforceStdout)"
echo "artifact_name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT"

cd ./target
echo "hash=$( \
sha256sum $ARTIFACT_NAME*.jar | \
base64 -w0 \
)" >> "$GITHUB_OUTPUT"

provenance:
needs: [release]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.release.outputs.hash }}"
provenance-name: "${{ needs.release.outputs.artifact_name }}.jar.intoto.jsonl"
upload-assets: true # Optional: Upload to a new release
45 changes: 45 additions & 0 deletions release.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
#!/bin/bash

# This script simulates the Maven Release Plugin, but only performs
# release:clean and release:prepare. The release:perform step is handled by the
# CI when the tag is pushed.
#
# However, release:perform on Git requires the release.properties file. We must
# therefore modify the first commit created by release:prepare to include this
# file, and then delete the file in the second commit.
#
# This will ensure that release.properties is available to release:perform in
# the CI, while keeping with the expectation that this file does not get
# commited (long-term) to the repository.

set -euo pipefail

# Prepare but don't push, we'll need to modify the commits
./mvnw release:clean release:prepare -DpushChanges=false

# Step back to the first commit (from SNAPSHOT to release)
git reset HEAD~1

# delete tag created by release:prepare
tag_name="$(git tag --points-at)"
git tag -d "$tag_name"

# Add release.properties to that commit
git add release.properties
git commit --amend --no-edit

# recreate tag
git tag "$tag_name" -m "[maven-release-plugin] copy for tag $tag_name"

# Recreate second commit (from release to SNAPSHOT), removing
# release.properties from the repository
git rm release.properties
git add pom.xml
git commit -m "[maven-release-plugin] prepare for next development iteration"

# push everything
git push
git push origin "$tag_name"

# clean up
rm pom.xml.releaseBackup