From 851005212c312a0bf9515b06e791cc6dfdb4bc74 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:51:26 +0100
Subject: [PATCH] Nnnnnnnnn (#1)
* Create JarfileHashMojo.java
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Create pom.xml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Delete JarfileHashMojo.java
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Delete pom.xml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update README.md
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update README.md
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* Update README.md
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---------
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
 actions/maven/publish/action.yml | 19 ++++++++-----------
 internal/builders/maven/README.md | 24 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index ccfdb96186..d8e857a795 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -20,7 +20,7 @@ inputs:
 type: string
 provenance-download-sha256:
 description: "The sha256 of the package provenance artifact."
- required: false
+ required: true
 type: string
 target-download-sha256:
 description: "The sha256 of the target directory."
@@ -28,21 +28,21 @@ inputs:
 type: string
 maven-username:
 description: "Maven username"
- required: false
+ required: true
 maven-password:
 description: "Maven password"
- required: false
+ required: true
 gpg-key-pass:
 description: "gpg-key-pass"
- required: false
+ required: true
 gpg-private-key:
 description: "gpg-key-pass"
- required: false
+ required: true
 runs:
 using: "composite"
 steps:
 - name: Checkout the project repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
 - name: Set up Java for publishing to Maven Central Repository
 uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
 env:
@@ -81,9 +81,6 @@ runs:
 SLSA_DIR: "${{ inputs.provenance-download-name }}"
 PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
 run: |
- # Build and run custom plugin
- cd plugin && mvn clean install && cd ..
- # Re-indexing the secondary jar files for deploy
 mvn javadoc:jar source:jar
 # Retrieve project version
 version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
@@ -97,7 +94,7 @@ runs:
 for name in $(find ./ -name "$artifactid-$version-*.jar")
 do
 # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
- target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+ target=$(echo "${name}" | rev | cut -d- -f1 | rev)
 files=$files,$name
 types=$types,${target##*.}
 classifiers=$classifiers,${target%.*}
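Review bot: The explanatory comment added to the secure-project-checkout step is appended to the end of an already long `uses:` line, where it is easy to miss; put it on its own line above the step, e.g. `# Full checkout is needed because the javadoc and sources jars are built from the project tree below.` The same hunk shows `gpg-private-key` described as `"gpg-key-pass"`, a copy of the previous input's description; since its `required:` line is being touched, the description could be corrected to `"gpg private key"` in the same change. The checkout action is referenced at `@main` rather than a pinned commit, unlike the setup-java step just below it; if that is the repository's convention for actions living in the same repo, a short comment saying so would save reviewers the question.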
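Review bot: With the `cd plugin && mvn clean install` step gone, the `run:` script no longer says where the hash plugin that produces the SLSA output now comes from; the README hunk in this same patch tells users to declare `io.github.adamkorcz:slsa-hashing-plugin:0.0.1` in their own `pom.xml`, so the action now relies on the caller's project resolving that plugin at build time instead of on sources built here. A comment at the top of the script, `# The SLSA hashing plugin is no longer built here; the project's pom.xml must declare it (see internal/builders/maven/README.md).`, would make that dependency explicit. The hunk counts suggest the `# Re-indexing the secondary jar files for deploy` comment is removed along with the plugin build, which leaves the retained `mvn javadoc:jar source:jar` invocation without its explanation; if that removal is unintended, keep the comment. The `run:` script continues beyond this hunk.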
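Review bot: After changing `cut -d\- -f1` to `cut -d- -f1`, the preceding `# shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.` directive no longer applies and should be deleted, otherwise it documents a workaround that is gone. The same stale directive remains in the next hunk (`@@ -108,7 +105,7 @@`), which makes the identical `cut` change for the `.jar.intoto.build.slsa` loop. Both loops sit inside the `run:` script whose start and end lie outside these hunks.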
@@ -108,7 +105,7 @@ runs:
 for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa")
 do
 # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
- target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+ target=$(echo "${name}" | rev | cut -d- -f1 | rev)
 files=$files,$name
 types=$types",slsa"
 classifiers=$classifiers,${target::-9}
diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md
index 3eb9415f79..84c5128fb7 100644
--- a/internal/builders/maven/README.md
+++ b/internal/builders/maven/README.md
@@ -86,6 +86,8 @@ jobs:
 Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them.
+### Releasing directly to Maven Central
+
 You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow:
 ```yaml
@@ -107,6 +109,28 @@ Now your workflow will build your artifacts and publish them to a staging reposi
 In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job.
+#### Publisher requirements
+
+Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`:
+
+```java
+<plugin>
+ <groupId>io.github.adamkorcz</groupId>
+ <artifactId>slsa-hashing-plugin</artifactId>
+ <version>0.0.1</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>hash-jarfile</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <outputJsonPath>${SLSA_OUTPUTS_ARTIFACTS_FILE}</outputJsonPath>
+ </configuration>
+</plugin>
+```
+
 ### Private Repositories
 The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder: