feat(ci): add slsa provenance for release artifacts #263
Conversation
|
|
.github/workflows/release.yml
Outdated
| ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository | ||
| # Publish both locally and to Sonatype. | ||
| # The artifacts stored locally will be used to generate the SLSA provenance. | ||
| ./gradlew publishToMavenLocal publishToSonatype closeAndReleaseSonatypeStagingRepository |
There was a problem hiding this comment.
Instead of publishing to maven local, which may (will) be polluted by many unrelated artifacts, you can use publishToBuildRepository. This will create a Maven-like repository in $ROOT/build/repo which will contain all the artifacts you want (plus the metadata files, pom, Gradle .module, version catalog, etc.).
There was a problem hiding this comment.
Instead of publishing to maven local, which may (will) be polluted by many unrelated artifacts, you can use
publishToBuildRepository.
Thanks @melix. When I use publishToBuildRepository locally, it tries to authenticate with ge.micronaut.io:
A build scan was not published as you have not authenticated with server 'ge.micronaut.io'.
* What went wrong:
For more information, please see https://gradle.com/help/gradle-authenticating-with-gradle-enterprise.
Task 'publishToBuildRepository' not found in root project 'micronaut'.
Is there a way to use it locally for testing without authenticating?
There was a problem hiding this comment.
Ah sorry, this error is unrelated. It says that it won't publish a build scan on ge.micronaut.io, but this isn't the cause of the problem, it's because I used the wrong task name, it's publishAllPublicationsToBuildRepository (you can also use pAPTBR).
| # The artifacts stored locally will be used to generate the SLSA provenance. | ||
| ./gradlew publishToMavenLocal publishToSonatype closeAndReleaseSonatypeStagingRepository | ||
| # Read the current version from gradle.properties. | ||
| VERSION=$(./gradlew properties | grep 'version:' | awk '{print $2}') |
There was a problem hiding this comment.
I may be wrong, but I think that if you use the publishToBuildRepository task, then you don't need to search for the group or version anymore, and you can use the build/repo directory as the upload source for GH.
There was a problem hiding this comment.
I still need to read the group because I need to resolve the path to the artifacts for uploading them as artifacts. The path can be different in different repositories that use this template.
I read the version just to make sure the artifacts are collected from the right path, but that is just to be extra cautious.
behnazh-w
force-pushed
the
add-slsa-provenance
branch
from
83a0a49 to
bf15270
Compare
|
The final release artifacts would look something like this on micronaut-core for example: It adds the provenance as @sdelamo @melix please let me know if it looks good or you have any questions. |
|
IMO that would clutter the release assets section. Is it possible to package all the ZIPs into a single archive? |
.github/workflows/release.yml
Outdated
| # the provenance will attest to the artifact files and not the aggregated zip file. | ||
| run: | | ||
| ARTIFACTS="" | ||
| for dir in dist/* ; do |
There was a problem hiding this comment.
I seems a bit strange to look for the artifacts in build/repo, but then use those in dist for uploading. I think we should use build/repo for both. Also I agree with @alvarosanchez that it would be nice if we had a single zip, with possibly nested zips in it.
If it helps we could even have a Gradle task to do it.
There was a problem hiding this comment.
I think we should use build/repo for both.
Sure, I'll change that.
I can definitely wrap all ZIP files in a single archive. But I thought having separate archives immediately shows to the end user that for example |
I don't think users really care. In practice, you don't select each artifact separately, you'll likely depend on |
behnazh-w
force-pushed
the
add-slsa-provenance
branch
from
bf15270 to
8938a2b
Compare
@melix @alvarosanchez I've packaged all the artifacts into a single ZIP file. See commit 8938a2b. |
Due to an [ongoing issue](https://github.com/orgs/community/discussions/37942), Provenance regularly fails when we are publishing a release. We will remove it for now. Revert "feat(ci): add slsa provenance for release artifacts (#263)" This reverts commit 608ba93.
The Open Source Security Foundation has been developing a standard for supply chain security called SLSA to allow users of open source projects to verify the artifacts and their build pipelines. To make that possible, the release pipelines should generate a provenance that provides verifiable information about how the software artifacts are built.
This PR adds a reusable GitHub Actions workflow to generate the provenance and publish that together with the artifacts as GitHub release artifacts. This would help users verify that the release artifacts are built from the
release.ymlworkflow and not somewhere else. You can read more about this provenance generator here.Looking forward to the feedback and discussions.