From 851005212c312a0bf9515b06e791cc6dfdb4bc74 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:51:26 +0100
Subject: [PATCH] Nnnnnnnnn (#1)

* Create JarfileHashMojo.java

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Create pom.xml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Delete JarfileHashMojo.java

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Delete pom.xml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update README.md

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update action.yml

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update README.md

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update README.md

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

---------

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
 actions/maven/publish/action.yml  | 19 ++++++++-----------
 internal/builders/maven/README.md | 24 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index ccfdb96186..d8e857a795 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -20,7 +20,7 @@ inputs:
     type: string
   provenance-download-sha256:
     description: "The sha256 of the package provenance artifact."
-    required: false
+    required: true
     type: string
   target-download-sha256:
     description: "The sha256 of the target directory."
@@ -28,21 +28,21 @@ inputs:
     type: string
   maven-username:
     description: "Maven username"
-    required: false
+    required: true
   maven-password:
     description: "Maven password"
-    required: false
+    required: true
   gpg-key-pass:
     description: "gpg-key-pass"
-    required: false
+    required: true
   gpg-private-key:
     description: "gpg-key-pass"
-    required: false
+    required: true
 runs:
   using: "composite"
   steps:
     - name: Checkout the project repository
-      uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
     - name: Set up Java for publishing to Maven Central Repository
       uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
       env:
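Review bot: The `gpg-private-key` input still carries `description: "gpg-key-pass"`, copied from the input above it, so a now-required field is documented as if it were the passphrase; change it to `description: "GPG private key"` so the two inputs are distinguishable in the action's usage docs. The explanatory comment appended to the `secure-project-checkout@main` line makes that line long and is easy to miss; moving it to its own `# ...` line above `- name: Checkout the project repository` keeps the rationale next to the step it justifies. The `steps:` sequence continues outside this hunk.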
@@ -81,9 +81,6 @@ runs:
         SLSA_DIR: "${{ inputs.provenance-download-name }}"
         PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
       run: |
-        # Build and run custom plugin
-        cd plugin && mvn clean install && cd ..
-        # Re-indexing the secondary jar files for deploy
         mvn javadoc:jar source:jar
         # Retrieve project version
         version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
@@ -97,7 +94,7 @@ runs:
         for name in $(find ./ -name "$artifactid-$version-*.jar")
         do
           # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
-          target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+          target=$(echo "${name}" | rev | cut -d- -f1 | rev)
           files=$files,$name
           types=$types,${target##*.}
           classifiers=$classifiers,${target%.*}
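Review bot: The `# shellcheck disable=SC1001` line directly above the changed `cut -d- -f1` is now stale: the `\-` it suppresses and explains no longer exists, so the directive silences nothing and its rationale misdescribes the code; drop that comment line. The same stale directive is left in the following hunk (`@@ -108,7 +105,7 @@`) for the `.jar.intoto.build.slsa` loop. The enclosing `run: |` script starts and ends outside this hunk.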
@@ -108,7 +105,7 @@ runs:
         for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa")
         do
           # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
-          target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+          target=$(echo "${name}" | rev | cut -d- -f1 | rev)
           files=$files,$name
           types=$types",slsa"
           classifiers=$classifiers,${target::-9}
diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md
index 3eb9415f79..84c5128fb7 100644
--- a/internal/builders/maven/README.md
+++ b/internal/builders/maven/README.md
@@ -86,6 +86,8 @@ jobs:
 
 Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them.
 
+### Releasing directly to Maven Central
+
 You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow:
 
 ```yaml
@@ -107,6 +109,28 @@ Now your workflow will build your artifacts and publish them to a staging reposi
 
 In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job.
 
+#### Publisher requirements
+
+Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`:
+
+```java
+<plugin>
+    <groupId>io.github.adamkorcz</groupId>
+    <artifactId>slsa-hashing-plugin</artifactId>
+    <version>0.0.1</version>
+    <executions>
+        <execution>
+            <goals>
+                <goal>hash-jarfile</goal>
+            </goals>
+        </execution>
+    </executions>
+    <configuration>
+        <outputJsonPath>${SLSA_OUTPUTS_ARTIFACTS_FILE}</outputJsonPath>
+    </configuration>
+</plugin>
+```
+
 ### Private Repositories
 
 The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder: