diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index ccfdb96186..d8e857a795 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -20,7 +20,7 @@ inputs:
 type: string
 provenance-download-sha256:
 description: "The sha256 of the package provenance artifact."
- required: false
+ required: true
 type: string
 target-download-sha256:
 description: "The sha256 of the target directory."
@@ -28,21 +28,21 @@ inputs:
 type: string
 maven-username:
 description: "Maven username"
- required: false
+ required: true
 maven-password:
 description: "Maven password"
- required: false
+ required: true
 gpg-key-pass:
 description: "gpg-key-pass"
- required: false
+ required: true
 gpg-private-key:
 description: "gpg-key-pass"
- required: false
+ required: true
 runs:
 using: "composite"
 steps:
 - name: Checkout the project repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
 - name: Set up Java for publishing to Maven Central Repository
 uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
 env:
@@ -81,9 +81,6 @@ runs:
 SLSA_DIR: "${{ inputs.provenance-download-name }}"
 PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
 run: |
- # Build and run custom plugin
- cd plugin && mvn clean install && cd ..
- # Re-indexing the secondary jar files for deploy
 mvn javadoc:jar source:jar
 # Retrieve project version
 version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
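Review bot: Switching provenance-download-sha256 to `required: true` (and maven-username, maven-password, gpg-key-pass and gpg-private-key in the following hunk) does not, as far as I know, make the runner refuse a call that omits the input — for actions the `required` flag is advisory and a missing input arrives as an empty string. An empty sha256 or an empty key reaching the later steps is presumably exactly what this change wants to rule out, so the flag should be backed by an explicit guard as the first step under `runs`, with the inputs passed through `env:` the way SLSA_DIR and PROVENANCE_FILES already are rather than interpolated into the script. One line per input along the lines of `if [ -z "${PROVENANCE_SHA256}" ]; then echo "provenance-download-sha256 is required" >&2; exit 1; fi` would do, repeated for the other four. The `inputs` mapping starts before this hunk, so I cannot see whether such a guard already exists elsewhere in the file.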
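Review bot: The `description` of gpg-private-key, directly above the `required` line this hunk changes, still reads `"gpg-key-pass"`, a copy of the previous input's description, so consumers of the action metadata see the wrong meaning for the input that now becomes mandatory; at minimum it should read `description: "gpg-private-key"`, or better a sentence naming the key's role (presumably the signing key for the published artifacts — confirm against the step that consumes it). In the same hunk the new trailing comment on `secure-project-checkout@main` explains why the checkout is needed but not why a mutable `@main` ref is acceptable, while the `actions/setup-java` step two lines below is pinned to a commit SHA. If the floating ref is deliberate because the action lives in the same repository, say so in the comment, e.g. `# needed because we run javadoc and sources; @main is intentional because this action ships with the repository`; otherwise pin it like setup-java.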
@@ -97,7 +94,7 @@ runs:
 for name in $(find ./ -name "$artifactid-$version-*.jar")
 do
 # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
- target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+ target=$(echo "${name}" | rev | cut -d- -f1 | rev)
 files=$files,$name
 types=$types,${target##*.}
 classifiers=$classifiers,${target%.*}
@@ -108,7 +105,7 @@ runs:
 for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa")
 do
 # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
- target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+ target=$(echo "${name}" | rev | cut -d- -f1 | rev)
 files=$files,$name
 types=$types",slsa"
 classifiers=$classifiers,${target::-9}
diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md
index 3eb9415f79..84c5128fb7 100644
--- a/internal/builders/maven/README.md
+++ b/internal/builders/maven/README.md
@@ -86,6 +86,8 @@ jobs:
 Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them.
+### Releasing directly to Maven Central
+
 You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow:
 ```yaml
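Review bot: The `# shellcheck disable=SC1001 # shellcheck complains over \- ...` directive on the line above the changed `target=` assignment is now stale: the `\-` escape it suppresses is exactly what this hunk removes, so the directive no longer matches the code and its explanatory comment is wrong; drop that line here and in the identical hunk at `@@ -108,7 +105,7 @@`. Unrelated to the fix but worth a second look while touching these loops: `for name in $(find ./ -name ...)` word-splits the find output (shellcheck SC2044), so a jar or provenance file whose path contains whitespace would be split into several `name` values and the comma-joined `files`/`types`/`classifiers` lists would go out of step. The enclosing `run:` block starts and ends outside both hunks.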
@@ -107,6 +109,28 @@ Now your workflow will build your artifacts and publish them to a staging reposi
 In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job.
+#### Publisher requirements
+
+Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`:
+
+```java
+
+ io.github.adamkorcz
+ slsa-hashing-plugin
+ 0.0.1
+
+
+
+ hash-jarfile
+
+
+
+
+ ${SLSA_OUTPUTS_ARTIFACTS_FILE}
+
+
+```
+
 ### Private Repositories
 The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder: