Add provenance instruction for maven and gradle (#573)

Signed-off-by: Appu <[email protected]>
slsa-framework · Jul 18, 2022 · ed26cf9 · ed26cf9
1 parent 46e8d32
commit ed26cf9
Showing 1 changed file with 155 additions and 0 deletions.
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
@@ -27,6 +27,7 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Integration With Other Build Systems](#integration-with-other-build-systems)
   - [Provenance for GoReleaser](#provenance-for-goreleaser)
   - [Provenance for Bazel](#provenance-for-bazel)
+  - [Provenance for Java](#provenance-for-java)
 
 ---
 
@@ -424,3 +425,157 @@ jobs:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       upload-assets: true # upload to a new release
 ```
+
+### Provenance for Java
+
+If you develop with Java and use [Maven](#maven) or [Gradle](#gradle), you can
+easily generate SLSA3 provenance by updating your existing workflow with the
+steps indicated in the workflow below:
+
+#### Maven
+```
+jobs:
+  build:
+    # ==================================================
+    #
+    # Step 1: Declare an `outputs` for the artifacts generated by
+    # the build and their hashes.
+    #
+    # ==================================================
+    outputs:
+      artifacts: ${{ steps.build.outputs.artifacts }}
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+    [...]
+
+    steps:
+      [...]
+      - name: Build using maven
+        # =================================================
+        #
+        # Step 2: Add an `id: build` field
+        #         to your maven build step.
+        #
+        # =================================================
+        id: build
+        run: |
+          # Your normal build workflow targets here
+          mvn clean package
+          
+          # ======================================================
+          #
+          # Step 3: Save the location of the maven output files
+          #         for easier reference
+          #
+          # =====================================================
+          ARTIFACT_PATTERN=./target/$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)*.jar
+          echo "::set-output name=artifact_pattern::$ARTIFACT_PATTERN"
+
+      # ========================================================
+      #
+      # Step 4: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #
+      # ========================================================
+      - name: Generate subject
+        id: hash
+        run: |
+          echo "::set-output name=hashes::$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)"
+      
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
+        with:
+          name: maven-build-outputs
+          path: ${{ steps.build.outputs.artifact_pattern }}
+          if-no-files-found: error
+
+  # =========================================================
+  #
+  # Step 5: Call the generic workflow to generate provenance
+  #         by declaring the job below.
+  #
+  # =========================================================
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+#      TODO: uncomment when ready
+#      upload-assets: true # upload to a new release
+```
+
+#### Gradle
+```
+jobs:
+  build:
+    # ==================================================
+    #
+    # Step 1: Declare an `outputs` for the artifacts generated by
+    # the build and their hashes.
+    #
+    # ==================================================
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+    [...]
+
+    steps:
+      [...]
+      - name: Build using gradle
+        # =================================================
+        #
+        # Step 2: Add an `id: build` field
+        #         to your gradle build step.
+        #
+        # =================================================
+        id: build
+        run: |
+          # Your normal build workflow targets here
+          ./gradlew clean build
+
+      # ========================================================
+      #
+      # Step 4: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #         This build assumes build artifacts are saved
+      #         in ./build/libs
+      #
+      # ========================================================
+      - name: Generate subject
+        id: hash
+        run: |
+          echo "::set-output name=hashes::$(sha256sum ./build/libs/* | base64 -w0)"
+      
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
+        with:
+          name: gradle-build-outputs
+          path: ./build/libs/
+          if-no-files-found: error
+
+  # =========================================================
+  #
+  # Step 5: Call the generic workflow to generate provenance
+  #         by declaring the job below.
+  #
+  # =========================================================
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+#      TODO: uncomment when ready
+#      upload-assets: true # upload to a new release
+```