From 25227e864899c9db82500788bfc040da790f7fd2 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:12:55 +0100
Subject: [PATCH 01/15] Create JarfileHashMojo.java
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
.../slsa-framework/JarfileHashMojo.java | 81 +++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java
diff --git a/actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java
new file mode 100644
index 0000000000..ce216603c5
--- /dev/null
+++ b/actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java
@@ -0,0 +1,81 @@
+package io.github.slsa_framework;
+
+import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.Parameter;
+import org.apache.maven.project.MavenProject;
+
+import org.json.JSONObject;
+
+import java.io.File;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.file.Files;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.List;
+import java.util.LinkedList;
+
+@Mojo(name = "hash-jarfile", defaultPhase = LifecyclePhase.PACKAGE)
+public class JarfileHashMojo extends AbstractMojo {
+ private final String jsonBase = "{\"version\": 1, \"attestations\":[%ATTESTATIONS%]}";
+ private final String attestationTemplate = "{\"name\": \"%NAME%.intoto\",\"subjects\":[{\"name\": \"%NAME%\",\"digest\":{\"sha256\":\"%HASH%\"}}]}";
+
+ @Parameter(defaultValue = "${project}", required = true, readonly = true)
+ private MavenProject project;
+
+ @Parameter(property = "hash-jarfile.outputJsonPath", defaultValue = "")
+ private String outputJsonPath;
+
+ public void execute() throws MojoExecutionException, MojoFailureException {
+ try {
+ StringBuilder attestations = new StringBuilder();
+
+ File targetDir = new File(project.getBasedir(), "target");
+ File outputJson = this.getOutputJsonFile(targetDir.getAbsolutePath());
+ for (File file : targetDir.listFiles()) {
+ String filePath = file.getAbsolutePath();
+ if (!filePath.endsWith("original") && (filePath.endsWith(".pom") || filePath.endsWith(".jar"))) {
+ byte[] data = Files.readAllBytes(file.toPath());
+ byte[] hash = MessageDigest.getInstance("SHA-256").digest(data);
+ String checksum = new BigInteger(1, hash).toString(16);
+
+ String attestation = attestationTemplate.replaceAll("%NAME%", file.getName());
+ attestation = attestation.replaceAll("%HASH%", checksum);
+ if (attestations.length() > 0) {
+ attestations.append(",");
+ }
+ attestations.append(attestation);
+ }
+ }
+ String json = jsonBase.replaceAll("%ATTESTATIONS%", attestations.toString());
+
+ Files.write(outputJson.toPath(), new JSONObject(json).toString(4).getBytes());
+ } catch (IOException | NoSuchAlgorithmException e) {
+ throw new MojoFailureException("Fail to generate hash for the jar files", e);
+ }
+
+ }
+
+ private File getOutputJsonFile(String targetDir) {
+ try {
+ if (this.outputJsonPath != null && this.outputJsonPath.length() > 0) {
+ File outputJson = new File(outputJsonPath);
+ if (!outputJson.exists() || !outputJson.isFile()) {
+ outputJson.getParentFile().mkdirs();
+ Files.createFile(outputJson.toPath());
+ }
+
+ if (Files.isWritable(outputJson.toPath())) {
+ return outputJson;
+ }
+ }
+ return new File(targetDir, "hash.json");
+ } catch (IOException e) {
+ return new File(targetDir, "hash.json");
+ }
+ }
+}
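Review bot: The digest hex on `String checksum = new BigInteger(1, hash).toString(16);` drops leading zero nibbles, so roughly one artifact in 256 gets a digest shorter than 64 characters that will never match at verification time; use `String checksum = String.format("%064x", new BigInteger(1, hash));`. The attestation JSON is also produced with `replaceAll`, which interprets the file name as a regex replacement string (a `$` or `\` in a name corrupts the output or throws) and is then re-parsed by `JSONObject`, so it is safer to build the structure with `JSONObject`/`JSONArray` directly. `getOutputJsonFile` silently falls back to `target/hash.json` whenever the configured path is not writable, which lets the downstream provenance step pick up a stale or wrong file, and `outputJson.getParentFile()` is null for a bare file name and throws an NPE outside the `IOException` catch — I would fail the build on both rather than fall back. `targetDir.listFiles()` returns null when `target` is missing, the unused `List`/`LinkedList` imports should go, and the file lives under a `slsa-framework` directory while declaring package `io.github.slsa_framework`, which Maven tolerates but IDE tooling does not. The rewritten loop below needs imports for `org.json.JSONArray` and `java.nio.charset.StandardCharsets`.
```java
// … unchanged: field declarations, targetDir and outputJson setup …
JSONArray attestations = new JSONArray();
File[] entries = targetDir.listFiles();
if (entries == null) {
    throw new MojoFailureException("target directory does not exist: " + targetDir);
}
for (File file : entries) {
    String filePath = file.getAbsolutePath();
    if (!filePath.endsWith("original") && (filePath.endsWith(".pom") || filePath.endsWith(".jar"))) {
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file.toPath()));
        // Fixed width so a digest with leading zero bytes is still 64 hex chars.
        String checksum = String.format("%064x", new BigInteger(1, hash));
        JSONObject subject = new JSONObject()
            .put("name", file.getName())
            .put("digest", new JSONObject().put("sha256", checksum));
        attestations.put(new JSONObject()
            .put("name", file.getName() + ".intoto")
            .put("subjects", new JSONArray().put(subject)));
    }
}
JSONObject json = new JSONObject().put("version", 1).put("attestations", attestations);
// Explicit charset: the no-arg getBytes() uses the platform default.
Files.write(outputJson.toPath(), json.toString(4).getBytes(StandardCharsets.UTF_8));
// … unchanged: catch block and getOutputJsonFile …
```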
From 7cb572d1f26833ff45652ffc96564567aec6077a Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:13:18 +0100
Subject: [PATCH 02/15] Create pom.xml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/plugin/pom.xml | 42 ++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 actions/maven/publish/plugin/pom.xml
diff --git a/actions/maven/publish/plugin/pom.xml b/actions/maven/publish/plugin/pom.xml
new file mode 100644
index 0000000000..43de8977ae
--- /dev/null
+++ b/actions/maven/publish/plugin/pom.xml
@@ -0,0 +1,42 @@
+
+
+ 4.0.0
+ io.github.adamkorcz
+ hash-maven-plugin
+ maven-plugin
+ 0.0.1
+
+ Jarfile Hashing Maven Mojo
+ http://maven.apache.org
+
+
+ 1.8
+ 1.8
+
+
+
+
+ org.apache.maven
+ maven-plugin-api
+ 3.6.3
+
+
+ org.apache.maven.plugin-tools
+ maven-plugin-annotations
+ 3.6.0
+ provided
+
+
+ org.apache.maven
+ maven-project
+ 2.2.1
+
+
+ org.json
+ json
+ 20230227
+
+
+
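Review bot: The plugin is declared under a personal namespace, `io.github.adamkorcz:hash-maven-plugin:0.0.1`, while the README added later in this series tells consumers to depend on `io.github.adamkorcz:slsa-hashing-plugin:0.0.1`; the two must agree, and since this plugin feeds the subjects of the SLSA attestation, its coordinates should live under the project's own namespace so users can tell which artifact the publisher trusts and pin it. `maven-project:2.2.1` is a Maven 2-era artifact; with `maven-plugin-api:3.6.3`, `MavenProject` is normally supplied by `maven-core` at `provided` scope, so the old dependency can probably be dropped — worth confirming against the build. The XML element names are not visible in this rendering, so I could not check the element structure itself.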
From c4500847d8c80b0797590707d200e1a2635165a3 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:16:50 +0100
Subject: [PATCH 03/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index ccfdb96186..df071fb8b1 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -41,8 +41,8 @@ inputs:
runs:
using: "composite"
steps:
- - name: Checkout the project repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
+ #- name: Checkout the project repository
+ # uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
- name: Set up Java for publishing to Maven Central Repository
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
env:
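Review bot: Commenting out the `secure-project-checkout` step leaves the later `mvn javadoc:jar source:jar` and deploy steps running against whatever happens to be in the workspace instead of the verified project checkout, which removes the integrity guarantee the publisher is meant to provide. Patch 06 in this series restores the step, so the two should be squashed so that no intermediate revision of the action ships without the checkout. If the goal was to inspect the working directory, a temporary `pwd`/`ls` step is a safer debugging aid than disabling the checkout.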
@@ -82,7 +82,8 @@ runs:
PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
run: |
# Build and run custom plugin
- cd plugin && mvn clean install && cd ..
+ cd ./../__TOOL_ACTION_DIR__/plugin && ls && mvn clean install && cd -
+ #cd plugin && mvn clean install && cd ..
# Re-indexing the secondary jar files for deploy
mvn javadoc:jar source:jar
# Retrieve project version
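Review bot: `__TOOL_ACTION_DIR__` on the new `cd ./../__TOOL_ACTION_DIR__/plugin` line reads as a placeholder meant to be substituted at release time; if it is not, the `cd` fails and the chained `mvn clean install` never runs, and because the path is relative to the caller's workspace the action now depends on the caller's directory layout. The `ls` in the chain is debug output and the commented-out previous command should be deleted rather than kept (patch 07 of this series removes the whole block again). The `run:` script continues outside the hunk.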
From a2332071f8ee62a8a4cc3d3286bb0d05c3f60974 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Thu, 27 Jul 2023 14:22:21 +0100
Subject: [PATCH 04/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index df071fb8b1..006dd90bd6 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -82,6 +82,9 @@ runs:
PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
run: |
# Build and run custom plugin
+ echo "ls .."
+ ls ..
+ echo "end ls .."
cd ./../__TOOL_ACTION_DIR__/plugin && ls && mvn clean install && cd -
#cd plugin && mvn clean install && cd ..
# Re-indexing the secondary jar files for deploy
From 5c1ba45775884ff0862b61fa478b35dea981df54 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Thu, 27 Jul 2023 16:22:49 +0100
Subject: [PATCH 05/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index 006dd90bd6..f67e2ae396 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -82,10 +82,10 @@ runs:
PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
run: |
# Build and run custom plugin
- echo "ls .."
- ls ..
- echo "end ls .."
- cd ./../__TOOL_ACTION_DIR__/plugin && ls && mvn clean install && cd -
+ #echo "ls .."
+ #ls ..
+ #echo "end ls .."
+ #cd ./../__TOOL_ACTION_DIR__/plugin && ls && mvn clean install && cd -
#cd plugin && mvn clean install && cd ..
# Re-indexing the secondary jar files for deploy
mvn javadoc:jar source:jar
From a9fc1202421a90f3845ed5998b8554ef7a194f6d Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Thu, 27 Jul 2023 16:28:08 +0100
Subject: [PATCH 06/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index f67e2ae396..50cbcdcd09 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -41,8 +41,8 @@ inputs:
runs:
using: "composite"
steps:
- #- name: Checkout the project repository
- # uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
+ - name: Checkout the project repository
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
- name: Set up Java for publishing to Maven Central Repository
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
env:
From cab3abf958671ebae228de3fe9730eff08da2bf9 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:15:07 +0100
Subject: [PATCH 07/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 7 -------
1 file changed, 7 deletions(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index 50cbcdcd09..f32c2d4ffb 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -81,13 +81,6 @@ runs:
SLSA_DIR: "${{ inputs.provenance-download-name }}"
PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
run: |
- # Build and run custom plugin
- #echo "ls .."
- #ls ..
- #echo "end ls .."
- #cd ./../__TOOL_ACTION_DIR__/plugin && ls && mvn clean install && cd -
- #cd plugin && mvn clean install && cd ..
- # Re-indexing the secondary jar files for deploy
mvn javadoc:jar source:jar
# Retrieve project version
version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
From e9d1a8a945ec2acb7acb9bb02ec6153651d8a6e0 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:15:31 +0100
Subject: [PATCH 08/15] Delete JarfileHashMojo.java
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
.../slsa-framework/JarfileHashMojo.java | 81 -------------------
1 file changed, 81 deletions(-)
delete mode 100644 actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java
diff --git a/actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java
deleted file mode 100644
index ce216603c5..0000000000
--- a/actions/maven/publish/plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java
+++ /dev/null
@@ -1,81 +0,0 @@
-package io.github.slsa_framework;
-
-import org.apache.maven.plugin.AbstractMojo;
-import org.apache.maven.plugin.MojoExecutionException;
-import org.apache.maven.plugin.MojoFailureException;
-import org.apache.maven.plugins.annotations.LifecyclePhase;
-import org.apache.maven.plugins.annotations.Mojo;
-import org.apache.maven.plugins.annotations.Parameter;
-import org.apache.maven.project.MavenProject;
-
-import org.json.JSONObject;
-
-import java.io.File;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.nio.file.Files;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.List;
-import java.util.LinkedList;
-
-@Mojo(name = "hash-jarfile", defaultPhase = LifecyclePhase.PACKAGE)
-public class JarfileHashMojo extends AbstractMojo {
- private final String jsonBase = "{\"version\": 1, \"attestations\":[%ATTESTATIONS%]}";
- private final String attestationTemplate = "{\"name\": \"%NAME%.intoto\",\"subjects\":[{\"name\": \"%NAME%\",\"digest\":{\"sha256\":\"%HASH%\"}}]}";
-
- @Parameter(defaultValue = "${project}", required = true, readonly = true)
- private MavenProject project;
-
- @Parameter(property = "hash-jarfile.outputJsonPath", defaultValue = "")
- private String outputJsonPath;
-
- public void execute() throws MojoExecutionException, MojoFailureException {
- try {
- StringBuilder attestations = new StringBuilder();
-
- File targetDir = new File(project.getBasedir(), "target");
- File outputJson = this.getOutputJsonFile(targetDir.getAbsolutePath());
- for (File file : targetDir.listFiles()) {
- String filePath = file.getAbsolutePath();
- if (!filePath.endsWith("original") && (filePath.endsWith(".pom") || filePath.endsWith(".jar"))) {
- byte[] data = Files.readAllBytes(file.toPath());
- byte[] hash = MessageDigest.getInstance("SHA-256").digest(data);
- String checksum = new BigInteger(1, hash).toString(16);
-
- String attestation = attestationTemplate.replaceAll("%NAME%", file.getName());
- attestation = attestation.replaceAll("%HASH%", checksum);
- if (attestations.length() > 0) {
- attestations.append(",");
- }
- attestations.append(attestation);
- }
- }
- String json = jsonBase.replaceAll("%ATTESTATIONS%", attestations.toString());
-
- Files.write(outputJson.toPath(), new JSONObject(json).toString(4).getBytes());
- } catch (IOException | NoSuchAlgorithmException e) {
- throw new MojoFailureException("Fail to generate hash for the jar files", e);
- }
-
- }
-
- private File getOutputJsonFile(String targetDir) {
- try {
- if (this.outputJsonPath != null && this.outputJsonPath.length() > 0) {
- File outputJson = new File(outputJsonPath);
- if (!outputJson.exists() || !outputJson.isFile()) {
- outputJson.getParentFile().mkdirs();
- Files.createFile(outputJson.toPath());
- }
-
- if (Files.isWritable(outputJson.toPath())) {
- return outputJson;
- }
- }
- return new File(targetDir, "hash.json");
- } catch (IOException e) {
- return new File(targetDir, "hash.json");
- }
- }
-}
From 5c514dddd9a1d98def81c39e87155892dc1d46fc Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:15:40 +0100
Subject: [PATCH 09/15] Delete pom.xml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/plugin/pom.xml | 42 ----------------------------
1 file changed, 42 deletions(-)
delete mode 100644 actions/maven/publish/plugin/pom.xml
diff --git a/actions/maven/publish/plugin/pom.xml b/actions/maven/publish/plugin/pom.xml
deleted file mode 100644
index 43de8977ae..0000000000
--- a/actions/maven/publish/plugin/pom.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-
-
- 4.0.0
- io.github.adamkorcz
- hash-maven-plugin
- maven-plugin
- 0.0.1
-
- Jarfile Hashing Maven Mojo
- http://maven.apache.org
-
-
- 1.8
- 1.8
-
-
-
-
- org.apache.maven
- maven-plugin-api
- 3.6.3
-
-
- org.apache.maven.plugin-tools
- maven-plugin-annotations
- 3.6.0
- provided
-
-
- org.apache.maven
- maven-project
- 2.2.1
-
-
- org.json
- json
- 20230227
-
-
-
From 3ddb21b3db8f0f048d5a439d29b51082ac2c7681 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:22:09 +0100
Subject: [PATCH 10/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index f32c2d4ffb..b88b15b310 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -94,7 +94,7 @@ runs:
for name in $(find ./ -name "$artifactid-$version-*.jar")
do
# shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
- target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+ target=$(echo "${name}" | rev | cut -d- -f1 | rev)
files=$files,$name
types=$types,${target##*.}
classifiers=$classifiers,${target%.*}
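Review bot: The `# shellcheck disable=SC1001` directive on the line above now suppresses a warning for the `\-` escape that the new `cut -d- -f1` no longer contains, so the directive and its explanatory comment are dead and should be removed with this change. Adjacent but unchanged: `for name in $(find ./ -name "$artifactid-$version-*.jar")` word-splits its output, so a path containing whitespace would be mangled before reaching this line; a `find … -print0 | while IFS= read -r -d '' name` loop is the robust form. The loop body continues past the hunk.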
From f406a790188b585649b4e7b903d1955d8bb482bd Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:23:04 +0100
Subject: [PATCH 11/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index b88b15b310..fe65a2de93 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -105,7 +105,7 @@ runs:
for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa")
do
# shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
- target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
+ target=$(echo "${name}" | rev | cut -d- -f1 | rev)
files=$files,$name
types=$types",slsa"
classifiers=$classifiers,${target::-9}
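Review bot: As with the previous hunk, the `# shellcheck disable=SC1001` directive above the changed line now refers to an escape that is gone from `cut -d- -f1`, so it should be dropped here too. The classifier on the last line is taken as `${target::-9}`, yet the matched names end in `.jar.intoto.build.slsa` (22 characters), so I could not confirm from this hunk that nine characters is the intended amount to strip — a test with a real provenance filename would settle it. The loop body continues outside the hunk.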
From 6da1c7481e4397260ba9bf4d7482624283dd58bd Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:35:12 +0100
Subject: [PATCH 12/15] Update README.md
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
internal/builders/maven/README.md | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md
index 3eb9415f79..9abda3d764 100644
--- a/internal/builders/maven/README.md
+++ b/internal/builders/maven/README.md
@@ -86,6 +86,7 @@ jobs:
Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them.
+### Releasing directly to Maven Central
You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow:
```yaml
@@ -107,6 +108,27 @@ Now your workflow will build your artifacts and publish them to a staging reposi
In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job.
+#### Publisher requirements
+Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`:
+```java
+
+
+ io.github.adamkorcz
+ slsa-hashing-plugin
+ 0.0.1
+
+
+
+ hash-jarfile
+
+
+
+
+ ${SLSA_OUTPUTS_ARTIFACTS_FILE}
+
+
+```
+
### Private Repositories
The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder:
From 04d6af926baebd51593ba465f00ac56aa71e2f63 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:39:28 +0100
Subject: [PATCH 13/15] Update action.yml
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
actions/maven/publish/action.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml
index fe65a2de93..d8e857a795 100644
--- a/actions/maven/publish/action.yml
+++ b/actions/maven/publish/action.yml
@@ -20,7 +20,7 @@ inputs:
type: string
provenance-download-sha256:
description: "The sha256 of the package provenance artifact."
- required: false
+ required: true
type: string
target-download-sha256:
description: "The sha256 of the target directory."
@@ -28,21 +28,21 @@ inputs:
type: string
maven-username:
description: "Maven username"
- required: false
+ required: true
maven-password:
description: "Maven password"
- required: false
+ required: true
gpg-key-pass:
description: "gpg-key-pass"
- required: false
+ required: true
gpg-private-key:
description: "gpg-key-pass"
- required: false
+ required: true
runs:
using: "composite"
steps:
- name: Checkout the project repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
- name: Set up Java for publishing to Maven Central Repository
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
env:
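Review bot: Making `maven-password`, `gpg-private-key` and the other inputs `required: true` states the right intent, but as far as I know GitHub Actions does not fail a run when a required input to a composite action is omitted, so an explicit guard step that passes the inputs through `env:` and runs `[ -n "$MAVEN_PASSWORD" ] || { echo 'maven-password is required' >&2; exit 1; }` for each is needed for the requirement to actually hold. The `gpg-private-key` description on the context line still reads `"gpg-key-pass"`, a copy of the previous input's text; it should read something like `"GPG private key used to sign the published artifacts (pass from secrets)"`, and `maven-password` and `gpg-key-pass` should likewise be documented as secrets. The checkout step's `uses:` still points at `@main` rather than a pinned revision; if that is the repository's deliberate convention for same-repo actions, the new trailing comment is a good place to say so.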
From ab8ed1d28688b6ff372f0d080eb5372432f71283 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:46:34 +0100
Subject: [PATCH 14/15] Update README.md
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
internal/builders/maven/README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md
index 9abda3d764..b732d5b7a3 100644
--- a/internal/builders/maven/README.md
+++ b/internal/builders/maven/README.md
@@ -109,9 +109,10 @@ Now your workflow will build your artifacts and publish them to a staging reposi
In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job.
#### Publisher requirements
+
Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`:
-```java
+```java
io.github.adamkorcz
slsa-hashing-plugin
From 54946cefd73dd6be60730b6155e4a4fdd7c0f407 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 28 Jul 2023 20:50:20 +0100
Subject: [PATCH 15/15] Update README.md
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
---
internal/builders/maven/README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md
index b732d5b7a3..84c5128fb7 100644
--- a/internal/builders/maven/README.md
+++ b/internal/builders/maven/README.md
@@ -87,6 +87,7 @@ jobs:
Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them.
### Releasing directly to Maven Central
+
You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow:
```yaml