Nnnnnnnnn #1

Merged
merged 15 commits into from
Jul 28, 2023
19 changes: 8 additions & 11 deletions actions/maven/publish/action.yml
@@ -20,29 +20,29 @@ inputs:
type: string
provenance-download-sha256:
description: "The sha256 of the package provenance artifact."
required: false
required: true
type: string
target-download-sha256:
description: "The sha256 of the target directory."
required: true
type: string
maven-username:
description: "Maven username"
required: false
required: true
maven-password:
description: "Maven password"
required: false
required: true
gpg-key-pass:
description: "gpg-key-pass"
required: false
required: true
gpg-private-key:
description: "gpg-key-pass"
required: false
required: true
runs:
using: "composite"
steps:
- name: Checkout the project repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main
uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
- name: Set up Java for publishing to Maven Central Repository
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
env:
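Review bot: `gpg-private-key` still carries the description `"gpg-key-pass"`, copied from the input above it; since this hunk already touches that input's `required` line, fix the description in the same change (for example `description: "GPG private key used to sign the published artifacts"`). Flipping `provenance-download-sha256`, the Maven credentials and the GPG inputs to `required: true` is the right call: a missing secret then fails at input validation instead of partway through the publish step, and the sha256 is no longer optional for the download verification it gates.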
@@ -81,9 +81,6 @@ runs:
SLSA_DIR: "${{ inputs.provenance-download-name }}"
PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
run: |
# Build and run custom plugin
cd plugin && mvn clean install && cd ..
# Re-indexing the secondary jar files for deploy
mvn javadoc:jar source:jar
# Retrieve project version
version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
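Review bot: removing `cd plugin && mvn clean install && cd ..` means the action no longer builds the hashing plugin itself and instead relies on the consuming project having declared `io.github.adamkorcz:slsa-hashing-plugin:0.0.1` in its `pom.xml` (as the README hunk in this PR documents). Consider failing fast with a clear message if the file named by `SLSA_OUTPUTS_ARTIFACTS_FILE` does not exist after `mvn javadoc:jar source:jar` runs, otherwise a project that skipped the README step only sees an opaque error later in the publish step.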
@@ -97,7 +94,7 @@ runs:
for name in $(find ./ -name "$artifactid-$version-*.jar")
do
# shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
target=$(echo "${name}" | rev | cut -d- -f1 | rev)
files=$files,$name
types=$types,${target##*.}
classifiers=$classifiers,${target%.*}
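Review bot: with `cut -d\-` changed to `cut -d-`, the `# shellcheck disable=SC1001` directive on the line above refers to a `\-` that no longer exists; drop the stale comment so the disable does not silently mask a real SC1001 finding later. Behaviour is unchanged, since `-` is not special to the shell and the backslash was only noise.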
@@ -108,7 +105,7 @@ runs:
for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa")
do
# shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should.
target=$(echo "${name}" | rev | cut -d\- -f1 | rev)
target=$(echo "${name}" | rev | cut -d- -f1 | rev)
files=$files,$name
types=$types",slsa"
classifiers=$classifiers,${target::-9}
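Review bot: same stale `# shellcheck disable=SC1001` comment as in the previous loop; remove it here too. While you are in this block, please confirm the unchanged `${target::-9}` on the last line: it keeps all but the final nine characters, yet the suffix matched by the `find` pattern, `.build.slsa`, is eleven characters long, so a name such as `sources.jar.intoto.build.slsa` would yield the classifier `sources.jar.intoto.b`.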
24 changes: 24 additions & 0 deletions internal/builders/maven/README.md
@@ -86,6 +86,8 @@ jobs:

Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them.

### Releasing directly to Maven Central

You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow:

```yaml
@@ -107,6 +109,28 @@ Now your workflow will build your artifacts and publish them to a staging reposi

In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job.

#### Publisher requirements

Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`:

```java
<plugin>
<groupId>io.github.adamkorcz</groupId>
<artifactId>slsa-hashing-plugin</artifactId>
<version>0.0.1</version>
<executions>
<execution>
<goals>
<goal>hash-jarfile</goal>
</goals>
</execution>
</executions>
<configuration>
<outputJsonPath>${SLSA_OUTPUTS_ARTIFACTS_FILE}</outputJsonPath>
</configuration>
</plugin>
```

### Private Repositories

The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder:
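Review bot: the fenced block under "Publisher requirements" is tagged ```java but contains a `pom.xml` fragment; tag it ```xml so it renders correctly. Also confirm that `${SLSA_OUTPUTS_ARTIFACTS_FILE}` resolves as written: Maven exposes environment variables to POM interpolation as `${env.NAME}`, so a bare `${SLSA_OUTPUTS_ARTIFACTS_FILE}` only resolves if a Maven or system property of that name is set, otherwise the plugin receives the literal string. Finally, a sentence saying what `hash-jarfile` writes to that path and that the publish Action reads it would make the contract between the plugin and the action explicit for readers who are adding the plugin only because this section tells them to.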