From 614721da7a3c4e72aa887c899cabe2000c1e0e28 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Wed, 26 Jul 2023 21:02:30 +0100 Subject: [PATCH 01/46] chore: Make maven publisher an action Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/publish_maven.yml | 124 ---------------------------- actions/maven/publish/action.yml | 117 ++++++++++++++++++++++++++ internal/builders/maven/README.md | 26 +++--- 3 files changed, 131 insertions(+), 136 deletions(-) delete mode 100644 .github/workflows/publish_maven.yml create mode 100644 actions/maven/publish/action.yml diff --git a/.github/workflows/publish_maven.yml b/.github/workflows/publish_maven.yml deleted file mode 100644 index cac8f2f10c..0000000000 --- a/.github/workflows/publish_maven.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -# Copyright 2023 SLSA Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -permissions: - contents: read - -on: - workflow_call: - inputs: - provenance-download-name: - description: "The artifact name for the package provenance." - required: true - type: string - provenance-download-sha256: - description: "The sha256 of the package provenance artifact." - required: false - type: string - target-download-sha256: - description: "The sha256 of the target directory." - required: true - type: string - secrets: - maven-username: - description: "Maven username" - required: false - maven-password: - description: "Maven password" - required: false - gpg-key-pass: - description: "gpg-key-pass" - required: false - gpg-private-key: - description: "gpg-key-pass" - required: false - -jobs: - setup-java: - runs-on: ubuntu-latest - steps: - - name: Checkout the project repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main - - name: Set up Java for publishing to Maven Central Repository - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 - env: - MAVEN_USERNAME: ${{ secrets.maven-username }} - MAVEN_PASSWORD: ${{ secrets.maven-password }} - GPG_KEY_PASS: ${{ secrets.gpg-key-pass }} - with: - java-version: '11' - distribution: 'temurin' - server-id: ossrh - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD - gpg-private-key: ${{ secrets.gpg-private-key }} - gpg-passphrase: 
GPG_KEY_PASS - - - name: Download the slsa attestation - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main - with: - name: "${{ inputs.provenance-download-name }}" - path: slsa-attestations - sha256: "${{ inputs.provenance-download-sha256 }}" - - - name: Download the target dir - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main - with: - name: target - path: ./ - sha256: "${{ inputs.target-download-sha256 }}" - - - name: Publish to the Maven Central Repository - shell: bash - env: - MAVEN_USERNAME: "${{ secrets.maven-username }}" - MAVEN_PASSWORD: "${{ secrets.maven-password }}" - GPG_KEY_PASS: "${{ secrets.gpg-key-pass }}" - SLSA_DIR: "${{ inputs.provenance-download-name }}" - PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" - run: | - # Build and run custom plugin - cd plugin && mvn clean install && cd .. - # Re-indexing the secondary jar files for deploy - mvn javadoc:jar source:jar - # Retrieve project version - VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) - ARTIFACTID=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) - # Reset the environment variables add in the base provenance - FILES="slsa-attestations/${PROVENANCE_FILES}/${ARTIFACTID}-${VERSION}.jar.intoto.build.slsa" - TYPES=slsa - CLASSIFIERS=jar.intoto.build - # Find all necessary built jar files and attach them to the environment variable deploy - # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar") - do - # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. 
- TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) - FILES=$FILES,$name - TYPES=$TYPES,${TARGET##*.} - CLASSIFIERS=$CLASSIFIERS,${TARGET%.*} - done - - # Find all generated provenance files and attach them the the environment variable for deploy - # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar.intoto.build.slsa") - do - # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. - TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) - FILES=$FILES,$name - TYPES=$TYPES",slsa" - CLASSIFIERS=$CLASSIFIERS,${TARGET::-9} - done - # Sign and deploy the files to the ossrh remote repository - mvn validate jar:jar -Dfile=target/"${ARTIFACTID}"-"${VERSION}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${FILES}" -Dtypes="${TYPES}" -Dclassifiers="${CLASSIFIERS}" -DpomFile=pom.xml gpg:sign-and-deploy-file diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml new file mode 100644 index 0000000000..39513982e2 --- /dev/null +++ b/actions/maven/publish/action.yml 
@@ -0,0 +1,117 @@ +# Copyright 2023 SLSA Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +inputs: + provenance-download-name: + description: "The artifact name for the package provenance." + required: true + type: string + provenance-download-sha256: + description: "The sha256 of the package provenance artifact." + required: false + type: string + target-download-sha256: + description: "The sha256 of the target directory." + required: true + type: string + maven-username: + description: "Maven username" + required: false + maven-password: + description: "Maven password" + required: false + gpg-key-pass: + description: "gpg-key-pass" + required: false + gpg-private-key: + description: "gpg-key-pass" + required: false +runs: + using: "composite" + steps: + - name: Checkout the project repository + uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.8.0-rc.1 + - name: Set up Java for publishing to Maven Central Repository + uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3 + env: + MAVEN_USERNAME: ${{ inputs.maven-username }} + MAVEN_PASSWORD: ${{ inputs.maven-password }} + GPG_KEY_PASS: ${{ inputs.gpg-key-pass }} + with: + java-version: '11' + distribution: 'temurin' + server-id: ossrh + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + gpg-private-key: ${{ inputs.gpg-private-key }} + gpg-passphrase: GPG_KEY_PASS + + - name: Download the slsa attestation + uses: 
slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.1 + with: + name: "${{ inputs.provenance-download-name }}" + path: slsa-attestations + sha256: "${{ inputs.provenance-download-sha256 }}" + + - name: Download the target dir + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.1 + with: + name: target + path: ./ + sha256: "${{ inputs.target-download-sha256 }}" + + - name: Publish to the Maven Central Repository + shell: bash + env: + MAVEN_USERNAME: "${{ inputs.maven-username }}" + MAVEN_PASSWORD: "${{ inputs.maven-password }}" + GPG_KEY_PASS: "${{ inputs.gpg-key-pass }}" + SLSA_DIR: "${{ inputs.provenance-download-name }}" + PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" + run: | + # Build and run custom plugin + cd plugin && mvn clean install && cd .. + # Re-indexing the secondary jar files for deploy + mvn javadoc:jar source:jar + # Retrieve project version + VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) + ARTIFACTID=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) + # Reset the environment variables add in the base provenance + FILES="slsa-attestations/${PROVENANCE_FILES}/${ARTIFACTID}-${VERSION}.jar.intoto.build.slsa" + TYPES=slsa + CLASSIFIERS=jar.intoto.build + # Find all necessary built jar files and attach them to the environment variable deploy + # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars + for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar") + do + # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. 
+ TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) + FILES=$FILES,$name + TYPES=$TYPES,${TARGET##*.} + CLASSIFIERS=$CLASSIFIERS,${TARGET%.*} + done + + # Find all generated provenance files and attach them the the environment variable for deploy + # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars + for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar.intoto.build.slsa") + do + # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. + TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) + FILES=$FILES,$name + TYPES=$TYPES",slsa" + CLASSIFIERS=$CLASSIFIERS,${TARGET::-9} + done + # Sign and deploy the files to the ossrh remote repository + mvn validate jar:jar -Dfile=target/"${ARTIFACTID}"-"${VERSION}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${FILES}" -Dtypes="${TYPES}" -Dclassifiers="${CLASSIFIERS}" -DpomFile=pom.xml gpg:sign-and-deploy-file diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index d6606194a9..60339bd1ee 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md 
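Review bot: The `inputs` block at the top of the new `actions/maven/publish/action.yml` keeps `type: string` on three inputs, but `type` is a key of `workflow_call` inputs, not of action metadata inputs, and the runner's manifest validation is strict about unknown keys, so it should be dropped rather than carried over from the deleted workflow. The file also has no top-level `name:` or `description:`, which the action metadata syntax lists as required; something like `name: "SLSA Maven publish"` and `description: "Publish the built Maven artifacts and their SLSA provenance to the ossrh staging repository."` would do. Separately, `for name in $(find ./ -name ...)` in the `run:` script word-splits file names; a `while IFS= read -r name; do …; done < <(find …)` loop keeps the `files`/`types`/`classifiers` appends in the current shell (the reason SC2044 is silenced) without that splitting.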
@@ -86,25 +86,27 @@ jobs: Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them. -You can also release artifacts to Maven Central by adding the following step to your workflow: +You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow: ```yaml publish: - needs: build - uses: slsa-framework/slsa-github-generator/.github/workflows/publish_maven.yml@v1.7.0 - with: - provenance-download-name: "${{ needs.build.outputs.provenance-download-name }}" - provenance-download-sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - target-download-sha256: "${{ needs.build.outputs.target-download-sha256 }}" - secrets: - maven-username: ${{ secrets.OSSRH_USERNAME }} - maven-password: ${{ secrets.OSSRH_PASSWORD }} - gpg-key-pass: ${{ secrets.GPG_PASSPHRASE }} - gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} + - name: publish + id: publish + uses: slsa-framework/slsa-github-generator/actions/maven/publish@main + with: + provenance-download-name: "${{ needs.usetrw.outputs.provenance-download-name }}" + provenance-download-sha256: "${{ needs.usetrw.outputs.provenance-download-sha256 }}" + target-download-sha256: "${{ needs.usetrw.outputs.target-download-sha256 }}" + maven-username: ${{ secrets.OSSRH_USERNAME }} + maven-password: ${{ secrets.OSSRH_PASSWORD }} + gpg-key-pass: ${{ secrets.GPG_PASSPHRASE }} + gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} ``` Now your workflow will build your artifacts and publish them to a staging repository in Maven Central. +In the above example of the publisher, the job that invokes the Maven builder is called `usetrw`. The publisher uses output from that job. 
+ ### Private Repositories The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder: From a7778a88478ab273034eca35bc8828216f21acaa Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 26 Jul 2023 23:19:24 +0100 Subject: [PATCH 02/46] fix nits Signed-off-by: AdamKorcz --- actions/maven/publish/action.yml | 10 +++++----- internal/builders/maven/README.md | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 39513982e2..5a6720ec14 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
@@ -86,15 +86,15 @@ runs: # Re-indexing the secondary jar files for deploy mvn javadoc:jar source:jar # Retrieve project version - VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) + version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) ARTIFACTID=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) # Reset the environment variables add in the base provenance - FILES="slsa-attestations/${PROVENANCE_FILES}/${ARTIFACTID}-${VERSION}.jar.intoto.build.slsa" + FILES="slsa-attestations/${PROVENANCE_FILES}/${ARTIFACTID}-${version}.jar.intoto.build.slsa" TYPES=slsa CLASSIFIERS=jar.intoto.build # Find all necessary built jar files and attach them to the environment variable deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar") + for name in $(find ./ -name "$ARTIFACTID-$version-*.jar") do # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) @@ -105,7 +105,7 @@ runs: # Find all generated provenance files and attach them the the environment variable for deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar.intoto.build.slsa") + for name in $(find ./ -name "$ARTIFACTID-$version-*.jar.intoto.build.slsa") do # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) 
@@ -114,4 +114,4 @@ runs: CLASSIFIERS=$CLASSIFIERS,${TARGET::-9} done # Sign and deploy the files to the ossrh remote repository - mvn validate jar:jar -Dfile=target/"${ARTIFACTID}"-"${VERSION}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${FILES}" -Dtypes="${TYPES}" -Dclassifiers="${CLASSIFIERS}" -DpomFile=pom.xml gpg:sign-and-deploy-file + mvn validate jar:jar -Dfile=target/"${ARTIFACTID}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${FILES}" -Dtypes="${TYPES}" -Dclassifiers="${CLASSIFIERS}" -DpomFile=pom.xml gpg:sign-and-deploy-file diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index 60339bd1ee..aecaa69be1 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md @@ -92,11 +92,11 @@ You can also release artifacts to Maven Central with [the slsa-github-generator publish: - name: publish id: publish - uses: slsa-framework/slsa-github-generator/actions/maven/publish@main + uses: slsa-framework/slsa-github-generator/actions/maven/publish@@v1.7.0 with: - provenance-download-name: "${{ needs.usetrw.outputs.provenance-download-name }}" - provenance-download-sha256: "${{ needs.usetrw.outputs.provenance-download-sha256 }}" - target-download-sha256: "${{ needs.usetrw.outputs.target-download-sha256 }}" + provenance-download-name: "${{ needs.build.outputs.provenance-download-name }}" + provenance-download-sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" + target-download-sha256: "${{ needs.build.outputs.target-download-sha256 }}" maven-username: ${{ secrets.OSSRH_USERNAME }} maven-password: ${{ secrets.OSSRH_PASSWORD }} gpg-key-pass: ${{ secrets.GPG_PASSPHRASE }} 
@@ -105,7 +105,7 @@ You can also release artifacts to Maven Central with [the slsa-github-generator Now your workflow will build your artifacts and publish them to a staging repository in Maven Central. -In the above example of the publisher, the job that invokes the Maven builder is called `usetrw`. The publisher uses output from that job. +In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job. ### Private Repositories From eb64e502a8399256ee4f748bd8da057ddc5aea6c Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 26 Jul 2023 23:22:34 +0100 Subject: [PATCH 03/46] lowercase more variables Signed-off-by: AdamKorcz --- actions/maven/publish/action.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 5a6720ec14..571b8cca52 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
@@ -87,31 +87,31 @@ runs: mvn javadoc:jar source:jar # Retrieve project version version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) - ARTIFACTID=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) + artifactid=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) # Reset the environment variables add in the base provenance - FILES="slsa-attestations/${PROVENANCE_FILES}/${ARTIFACTID}-${version}.jar.intoto.build.slsa" - TYPES=slsa - CLASSIFIERS=jar.intoto.build + files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.intoto.build.slsa" + types=slsa + classifiers=jar.intoto.build # Find all necessary built jar files and attach them to the environment variable deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$ARTIFACTID-$version-*.jar") + for name in $(find ./ -name "$artifactid-$version-*.jar") do # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. - TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) - FILES=$FILES,$name - TYPES=$TYPES,${TARGET##*.} - CLASSIFIERS=$CLASSIFIERS,${TARGET%.*} + target=$(echo "${name}" | rev | cut -d\- -f1 | rev) + files=$files,$name + types=$types,${target##*.} + classifiers=$classifiers,${target%.*} done # Find all generated provenance files and attach them the the environment variable for deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$ARTIFACTID-$version-*.jar.intoto.build.slsa") + for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa") do # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. 
- TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) - FILES=$FILES,$name - TYPES=$TYPES",slsa" - CLASSIFIERS=$CLASSIFIERS,${TARGET::-9} + target=$(echo "${name}" | rev | cut -d\- -f1 | rev) + files=$files,$name + types=$types",slsa" + classifiers=$classifiers,${target::-9} done # Sign and deploy the files to the ossrh remote repository - mvn validate jar:jar -Dfile=target/"${ARTIFACTID}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${FILES}" -Dtypes="${TYPES}" -Dclassifiers="${CLASSIFIERS}" -DpomFile=pom.xml gpg:sign-and-deploy-file + mvn validate jar:jar -Dfile=target/"${artifactid}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${files}" -Dtypes="${types}" -Dclassifiers="${classifiers}" -DpomFile=pom.xml gpg:sign-and-deploy-file From 3e04e306919d23cde6d3ef9549f571b2058b3f3a Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 26 Jul 2023 23:33:56 +0100 Subject: [PATCH 04/46] remove '@' Signed-off-by: AdamKorcz --- internal/builders/maven/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index aecaa69be1..3eb9415f79 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md @@ -92,7 +92,7 @@ You can also release artifacts to Maven Central with [the slsa-github-generator publish: - name: publish id: publish - uses: slsa-framework/slsa-github-generator/actions/maven/publish@@v1.7.0 + uses: slsa-framework/slsa-github-generator/actions/maven/publish@v1.7.0 with: provenance-download-name: "${{ needs.build.outputs.provenance-download-name }}" provenance-download-sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" From d2cacb8e1616cf2c1efb8cc6451fa0b8337ce15f Mon Sep 17 00:00:00 2001 
From: AdamKorcz Date: Wed, 26 Jul 2023 23:36:41 +0100 Subject: [PATCH 05/46] use secure-project-checkout at main Signed-off-by: AdamKorcz --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 571b8cca52..ccfdb96186 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -42,7 +42,7 @@ runs: using: "composite" steps: - name: Checkout the project repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.8.0-rc.1 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main - name: Set up Java for publishing to Maven Central Repository uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3 env: From 2d1b88a31356b0c1e613b9286d38bf208483a0d4 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 28 Jul 2023 20:51:26 +0100 Subject: [PATCH 06/46] Nnnnnnnnn (#1) * Create JarfileHashMojo.java Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Create pom.xml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Delete JarfileHashMojo.java Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Delete pom.xml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml 
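Review bot: Moving `secure-project-checkout` from the `v1.8.0-rc.1` tag to `@main` means a consumer who pins `actions/maven/publish` to a release tag (as the README example does with `@v1.7.0`) still runs whatever `main` holds at run time for the checkout step, so the consumer's pin no longer covers the whole code path. If the repository's release tooling rewrites `@main` references to the release tag when tagging, that closes the gap and a comment saying so on the `uses:` line would help the next reader; otherwise pin it to the same ref as the rest of the action. The two `secure-download-folder@v1.8.0-rc.1` steps in the same file keep the tag, so after this change the file mixes the two schemes. The `ref: main` passed to `secure-builder-checkout` in the `@@ -72,6 +72,13` hunk of patch 15 has the same property.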
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update README.md Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update README.md Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * Update README.md Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --------- Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 19 ++++++++----------- internal/builders/maven/README.md | 24 ++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 11 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index ccfdb96186..d8e857a795 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -20,7 +20,7 @@ inputs: type: string provenance-download-sha256: description: "The sha256 of the package provenance artifact." - required: false + required: true type: string target-download-sha256: description: "The sha256 of the target directory." @@ -28,21 +28,21 @@ inputs: type: string maven-username: description: "Maven username" - required: false + required: true maven-password: description: "Maven password" - required: false + required: true gpg-key-pass: description: "gpg-key-pass" - required: false + required: true gpg-private-key: description: "gpg-key-pass" - required: false + required: true runs: using: "composite" steps: - name: Checkout the project repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main + uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources. - name: Set up Java for publishing to Maven Central Repository uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3 env: 
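Review bot: The description of `gpg-private-key` in the `@@ -28,21 +28,21` hunk still reads `"gpg-key-pass"`, copied from the input above it, at the same time as the hunk makes the input required; set it to `description: "GPG private key used by gpg:sign-and-deploy-file to sign the deployed files"`. While these four credential inputs are being tightened, a one-line comment above them noting that callers are expected to pass `secrets.*` values (as the README example does) rather than literals would document the intended handling. The trailing `# needed because we run javadoc and sources.` on the checkout `uses:` line is easier to find as a comment on its own line above the step.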
@@ -81,9 +81,6 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | - # Build and run custom plugin - cd plugin && mvn clean install && cd .. - # Re-indexing the secondary jar files for deploy mvn javadoc:jar source:jar # Retrieve project version version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) @@ -97,7 +94,7 @@ runs: for name in $(find ./ -name "$artifactid-$version-*.jar") do # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. - target=$(echo "${name}" | rev | cut -d\- -f1 | rev) + target=$(echo "${name}" | rev | cut -d- -f1 | rev) files=$files,$name types=$types,${target##*.} classifiers=$classifiers,${target%.*} @@ -108,7 +105,7 @@ runs: for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa") do # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. - target=$(echo "${name}" | rev | cut -d\- -f1 | rev) + target=$(echo "${name}" | rev | cut -d- -f1 | rev) files=$files,$name types=$types",slsa" classifiers=$classifiers,${target::-9} diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index 3eb9415f79..84c5128fb7 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md @@ -86,6 +86,8 @@ jobs: Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them. +### Releasing directly to Maven Central + You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow: ```yaml 
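Review bot: `classifiers=$classifiers,${target::-9}` on the last context line of the `@@ -108,7 +105,7` hunk strips a fixed nine characters from a name such as `sources.jar.intoto.build.slsa`, and by my count neither `.slsa` (5 characters) nor `.build.slsa` (11) is nine characters long, so the provenance classifiers handed to `-Dclassifiers` appear to be cut mid-word; stripping by pattern, `classifiers=$classifiers,${target%.slsa}`, would pair with the `types=$types",slsa"` line just above it. If a nine-character suffix is intentional, a comment naming that suffix next to the line would save the next reader the count. The loop and the `run:` step it belongs to continue outside the hunk.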
@@ -107,6 +109,28 @@ Now your workflow will build your artifacts and publish them to a staging reposi In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job. +#### Publisher requirements + +Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`: + +```java + + io.github.adamkorcz + slsa-hashing-plugin + 0.0.1 + + + + hash-jarfile + + + + + ${SLSA_OUTPUTS_ARTIFACTS_FILE} + + +``` + ### Private Repositories The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder: From 0bf054b05c3d1346d0d1b539b708196e8147a339 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 28 Jul 2023 20:54:47 +0100 Subject: [PATCH 07/46] Update README.md Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- internal/builders/maven/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index 84c5128fb7..16c2c2fb72 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md @@ -19,6 +19,7 @@ workflow the "Maven builder" from now on. - [Limitations](#limitations) - [Generating Provenance](#generating-provenance) - [Getting Started](#getting-started) + - [Releasing directly to Maven Central](#releasing-directly-to-maven-central) - [Private Repositories](#private-repositories) - [Verification](#verification) From e8023f3a6e5aa00b4e6809981627e04d2157c82f Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 28 Jul 2023 20:57:27 +0100 Subject: [PATCH 08/46] Update README.md 
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- internal/builders/maven/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index 16c2c2fb72..0dfc29ff49 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md @@ -20,6 +20,7 @@ workflow the "Maven builder" from now on. - [Generating Provenance](#generating-provenance) - [Getting Started](#getting-started) - [Releasing directly to Maven Central](#releasing-directly-to-maven-central) + - [Publisher requirements](#publisher-requirements) - [Private Repositories](#private-repositories) - [Verification](#verification) From 2581ef96c50bb9c46a999cf2a68ae77e432d00f8 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Sat, 29 Jul 2023 18:10:56 +0100 Subject: [PATCH 09/46] remove .intoto Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index d8e857a795..39d9e6f06a 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -86,7 +86,7 @@ runs: version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) artifactid=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) # Reset the environment variables add in the base provenance - files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.intoto.build.slsa" + files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.build.slsa" types=slsa classifiers=jar.intoto.build # Find all necessary built jar files and attach them to the environment variable deploy From 9b2cae961ae82e3fffd0371f0a2d3abd35f63f45 Mon Sep 17 00:00:00 2001 
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Sat, 29 Jul 2023 18:11:29 +0100 Subject: [PATCH 10/46] remove two more cases of .intoto Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 39d9e6f06a..9458b59db5 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -88,7 +88,7 @@ runs: # Reset the environment variables add in the base provenance files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.build.slsa" types=slsa - classifiers=jar.intoto.build + classifiers=jar.build # Find all necessary built jar files and attach them to the environment variable deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars for name in $(find ./ -name "$artifactid-$version-*.jar") @@ -102,7 +102,7 @@ runs: # Find all generated provenance files and attach them the the environment variable for deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$artifactid-$version-*.jar.intoto.build.slsa") + for name in $(find ./ -name "$artifactid-$version-*.jar.build.slsa") do # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. target=$(echo "${name}" | rev | cut -d- -f1 | rev) From e23e88e52b2d18341f04ee0ec30d587116765df1 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Sat, 29 Jul 2023 18:12:42 +0100 Subject: [PATCH 11/46] Update README.md Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- internal/builders/maven/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index 0dfc29ff49..bb5c972da2 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md @@ -19,7 +19,7 @@ workflow the "Maven builder" from now on. - [Limitations](#limitations) - [Generating Provenance](#generating-provenance) - [Getting Started](#getting-started) - - [Releasing directly to Maven Central](#releasing-directly-to-maven-central) + - [Releasing to Maven Central](#releasing-directly-to-maven-central) - [Publisher requirements](#publisher-requirements) - [Private Repositories](#private-repositories) - [Verification](#verification) @@ -88,9 +88,9 @@ jobs: Now, when you invoke this workflow, the Maven builder will build both your artifacts and the provenance files for them. -### Releasing directly to Maven Central +### Releasing to Maven Central -You can also release artifacts to Maven Central with [the slsa-github-generator Maven publisher](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow: +You can also release artifacts to Maven Central with [the slsa-github-generator Maven publish action](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow: ```yaml publish: From 45afa7818ba2cca41322ded960b512ec811aae19 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Sat, 29 Jul 2023 18:13:17 +0100 Subject: [PATCH 12/46] Update README.md Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- internal/builders/maven/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index bb5c972da2..4297f1256e 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md 
@@ -111,7 +111,7 @@ Now your workflow will build your artifacts and publish them to a staging reposi In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job. -#### Publisher requirements +#### Action requirements Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`: From 8cb0d9971dfca2e49602ab17c7b737e2d41bd410 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 31 Jul 2023 19:07:24 +0100 Subject: [PATCH 13/46] Update actions/maven/publish/action.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 9458b59db5..e0e20cd4f6 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -104,7 +104,6 @@ runs: # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars for name in $(find ./ -name "$artifactid-$version-*.jar.build.slsa") do - # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. target=$(echo "${name}" | rev | cut -d- -f1 | rev) files=$files,$name types=$types",slsa" From aa0ab4759d49f920c1a51da2fcc762ed0b03e6bb Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 31 Jul 2023 19:07:31 +0100 Subject: [PATCH 14/46] Update actions/maven/publish/action.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index e0e20cd4f6..09e8483c6d 100644 --- a/actions/maven/publish/action.yml 
+++ b/actions/maven/publish/action.yml @@ -93,7 +93,6 @@ runs: # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars for name in $(find ./ -name "$artifactid-$version-*.jar") do - # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. target=$(echo "${name}" | rev | cut -d- -f1 | rev) files=$files,$name types=$types,${target##*.} From b12e9f33779e7cedee929398d81b2b084b878a13 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 31 Jul 2023 23:43:11 +0100 Subject: [PATCH 15/46] Install hashing plugin from tool dir (#2) Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 9 +++ .../maven/publish/slsa-hashing-plugin/pom.xml | 42 ++++++++++ .../slsa-framework/JarfileHashMojo.java | 81 +++++++++++++++++++ internal/builders/maven/action.yml | 12 ++- 4 files changed, 143 insertions(+), 1 deletion(-) create mode 100644 actions/maven/publish/slsa-hashing-plugin/pom.xml create mode 100644 actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 09e8483c6d..23110caad3 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -72,6 +72,13 @@ runs: path: ./ sha256: "${{ inputs.target-download-sha256 }}" + - name: Checkout the tool repository + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main + with: + repository: slsa-framework/slsa-github-generator + ref: main + path: __TOOL_CHECKOUT_DIR__ + - name: Publish to the Maven Central Repository shell: bash env: 
@@ -81,6 +88,8 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | + mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ + cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - mvn javadoc:jar source:jar # Retrieve project version version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) diff --git a/actions/maven/publish/slsa-hashing-plugin/pom.xml b/actions/maven/publish/slsa-hashing-plugin/pom.xml new file mode 100644 index 0000000000..6ca83aecb4 --- /dev/null +++ b/actions/maven/publish/slsa-hashing-plugin/pom.xml @@ -0,0 +1,42 @@ + + + 4.0.0 + dev.slsa.slsaframework + hash-maven-plugin + maven-plugin + 0.0.1 + + Jarfile Hashing Maven Mojo + http://maven.apache.org + + + 1.8 + 1.8 + + + + + org.apache.maven + maven-plugin-api + 3.6.3 + + + org.apache.maven.plugin-tools + maven-plugin-annotations + 3.6.0 + provided + + + org.apache.maven + maven-project + 2.2.1 + + + org.json + json + 20230227 + + + diff --git a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java new file mode 100644 index 0000000000..c252a07174 --- /dev/null +++ b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java 
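Review bot: `cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install` compiles and installs a Maven plugin into the publisher's local repository from a checkout that the preceding hunk takes at `ref: main`, so the plugin code present during `gpg:sign-and-deploy-file` is whatever that branch holds at run time rather than a reviewed release; unless the repository's release tooling rewrites `ref: main` to the tag, pin it to the same tag or SHA the action itself is invoked at. Separately, `mvn javadoc:jar source:jar` produces jars inside the publisher that the builder's provenance never covered, and as far as this file shows they are later collected by the `find` loops and deployed next to the attested artifacts; that deserves a comment in the step, e.g. `# javadoc/sources jars are rebuilt here and are NOT covered by the SLSA provenance`. The run step continues past this hunk.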
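Review bot: `org.apache.maven:maven-project:2.2.1` is the Maven 2-era project API, while the rest of the plugin targets Maven 3 (`maven-plugin-api 3.6.3`); it drags an old, unmaintained transitive tree onto the plugin classpath. For a 3.x Mojo, `MavenProject` is provided by `org.apache.maven:maven-core` at the same version as `maven-plugin-api`, and both belong in `provided` scope like `maven-plugin-annotations` already is, because the running Maven supplies them. The project URL is plain `http://maven.apache.org`; it is only metadata, but an `https://` link (or the project's own URL) avoids publishing a cleartext reference in the POM. The XML markup was stripped in this rendering, so element names are inferred from the values.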
@@ -0,0 +1,81 @@ +package dev.slsa.slsaframework; + +import org.apache.maven.plugin.AbstractMojo; +import org.apache.maven.plugin.MojoExecutionException; +import org.apache.maven.plugin.MojoFailureException; +import org.apache.maven.plugins.annotations.LifecyclePhase; +import org.apache.maven.plugins.annotations.Mojo; +import org.apache.maven.plugins.annotations.Parameter; +import org.apache.maven.project.MavenProject; + +import org.json.JSONObject; + +import java.io.File; +import java.io.IOException; +import java.math.BigInteger; +import java.nio.file.Files; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.List; +import java.util.LinkedList; + +@Mojo(name = "hash-jarfile", defaultPhase = LifecyclePhase.PACKAGE) +public class JarfileHashMojo extends AbstractMojo { + private final String jsonBase = "{\"version\": 1, \"attestations\":[%ATTESTATIONS%]}"; + private final String attestationTemplate = "{\"name\": \"%NAME%\",\"subjects\":[{\"name\": \"%NAME%\",\"digest\":{\"sha256\":\"%HASH%\"}}]}"; + + @Parameter(defaultValue = "${project}", required = true, readonly = true) + private MavenProject project; + + @Parameter(property = "hash-jarfile.outputJsonPath", defaultValue = "") + private String outputJsonPath; + + public void execute() throws MojoExecutionException, MojoFailureException { + try { + StringBuilder attestations = new StringBuilder(); + + File targetDir = new File(project.getBasedir(), "target"); + File outputJson = this.getOutputJsonFile(targetDir.getAbsolutePath()); + for (File file : targetDir.listFiles()) { + String filePath = file.getAbsolutePath(); + if (!filePath.endsWith("original") && (filePath.endsWith(".pom") || filePath.endsWith(".jar"))) { + byte[] data = Files.readAllBytes(file.toPath()); + byte[] hash = MessageDigest.getInstance("SHA-256").digest(data); + String checksum = new BigInteger(1, hash).toString(16); + + String attestation = attestationTemplate.replaceAll("%NAME%", 
file.getName()); + attestation = attestation.replaceAll("%HASH%", checksum); + if (attestations.length() > 0) { + attestations.append(","); + } + attestations.append(attestation); + } + } + String json = jsonBase.replaceAll("%ATTESTATIONS%", attestations.toString()); + + Files.write(outputJson.toPath(), new JSONObject(json).toString(4).getBytes()); + } catch (IOException | NoSuchAlgorithmException e) { + throw new MojoFailureException("Fail to generate hash for the jar files", e); + } + + } + + private File getOutputJsonFile(String targetDir) { + try { + if (this.outputJsonPath != null && this.outputJsonPath.length() > 0) { + File outputJson = new File(outputJsonPath); + if (!outputJson.exists() || !outputJson.isFile()) { + outputJson.getParentFile().mkdirs(); + Files.createFile(outputJson.toPath()); + } + + if (Files.isWritable(outputJson.toPath())) { + return outputJson; + } + } + return new File(targetDir, "hash.json"); + } catch (IOException e) { + return new File(targetDir, "hash.json"); + } + } +} diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 0341de7353..2db8c77be8 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml 
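Review bot: `new BigInteger(1, hash).toString(16)` drops leading zero nibbles, so roughly one artifact in 256 gets a 63-character (or shorter) `sha256` value in the generated JSON, which will not match `sha256sum` output or a verifier expecting 64 hex digits; use `String checksum = String.format("%064x", new BigInteger(1, hash));` instead. The file name is also spliced into the JSON via `replaceAll`, where `file.getName()` is treated as a regex replacement (`$` and `\` are special) and a `"` in the name corrupts the document before `new JSONObject(json)` parses it; building the structure with `JSONObject.put` removes both problems. `targetDir.listFiles()` returns `null` when `target` does not exist, which surfaces as a `NullPointerException` rather than the `MojoFailureException` the `catch` intends, so check for `null` before the loop.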
@@ -58,11 +58,21 @@ runs: with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} + - name: Checkout the tool repository + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main + with: + repository: slsa-framework/slsa-github-generator + ref: main + path: __TOOL_CHECKOUT_DIR__ - name: Run mvn package shell: bash env: SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} - run: cd plugin && mvn clean install && cd .. && mvn package + run: | + mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ + cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - && mvn package + ls + pwd - name: Upload target id: upload-target uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main From cfd45ea2055dc4a9df501b11c17b473b8c8fe5b0 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Mon, 31 Jul 2023 23:59:35 +0100 Subject: [PATCH 16/46] Add README for Maven publisher Signed-off-by: AdamKorcz --- actions/maven/publish/README.md | 70 +++++++++++++++++++++++++++++++ internal/builders/maven/README.md | 31 +++----------- 2 files changed, 76 insertions(+), 25 deletions(-) create mode 100644 actions/maven/publish/README.md diff --git a/actions/maven/publish/README.md b/actions/maven/publish/README.md new file mode 100644 index 0000000000..6f5ab4d32f --- /dev/null +++ b/actions/maven/publish/README.md 
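Review bot: The `ls` and `pwd` lines after the `mvn package` chain are debugging output and should not ship in the builder. More importantly, the plugin that produces the JSON of `subjects`/digests (presumably what feeds the provenance via `SLSA_OUTPUTS_ARTIFACTS_FILE`) is now compiled at build time from a checkout at `ref: main` of the tool repository, so the digests the builder attests depend on whatever that branch holds when the build runs; unless the release process rewrites this `ref` to the builder's own tag, pin it to the ref the builder itself was checked out from. `cd -` also echoes the restored directory to stdout, which the chain does not need; a subshell `( cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install ) && mvn package` avoids the round trip.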
@@ -0,0 +1,70 @@ +# Publishing SLSA3+ provenance to Maven Central + +This document explains how to publish SLSA3+ artifacts and provenance to Maven central. + +The publish Action is in its early stages and is likely to develop over time. Future breaking changes may occur. + +To get started with publishing artifacts to Maven Central Repository, see [this guide](https://maven.apache.org/repository/guide-central-repository-upload.html). + +Before you use this publish Action, you will need to configure your Github project with the correct secrets. See [this guide](https://docs.github.com/en/actions/publishing-packages/publishing-java-packages-with-maven) for more. + +## Using the Maven Publish action + +To use the Maven action you need to add the step in your release workflow that invokes it. + +Before using the Maven publish action, you should have a workflow that invokes the [Maven builder](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/maven/README.md). 
It will look something like this: + +```yaml +name: Release Maven project +on: + - workflow_dispatch + +permissions: read-all + +jobs: + build: + permissions: + id-token: write + contents: read + actions: read + packages: read + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@v1.7.0 + with: + rekor-log-public: true +``` + +To use the Publish action, you need to add another job: + +```yaml +publish: + runs-on: ubuntu-latest + needs: build + permissions: + id-token: write + contents: read + actions: read + steps: + - name: publish + id: publish + uses: slsa-framework/slsa-github-generator/actions/maven/publish@v1.7.0 + with: + provenance-download-name: "${{ needs.build.outputs.provenance-download-name }}" + provenance-download-sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" + target-download-sha256: "${{ needs.build.outputs.target-download-sha256 }}" + maven-username: ${{ secrets.OSSRH_USERNAME }} + maven-password: ${{ secrets.OSSRH_PASSWORD }} + gpg-key-pass: ${{ secrets.GPG_PASSPHRASE }} + gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} +``` + +Set the values of "maven-username", "maven-password", "gpg-key-pass" and " gpg-private-key" for your account. The parameters to `provenance-download-name`, `provenance-download-sha256` and `target-download-sha256` should not be changed. + +Once you trigger this workflow, your artifacts and provenance files will be added to a staging repository in Maven Central. You need to close the staging repository and then release: + +Closing the staging repository: + +![closing the staging repository](/actions/gradle/publish/images/gradle-publisher-staging-repository.png) + +Releasing: + +![releasing the Gradle artefacts](/actions/gradle/publish/images/gradle-publisher-release-closed-repository.png) diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index 4297f1256e..dd67f84212 100644 --- a/internal/builders/maven/README.md 
+++ b/internal/builders/maven/README.md @@ -19,8 +19,8 @@ workflow the "Maven builder" from now on. - [Limitations](#limitations) - [Generating Provenance](#generating-provenance) - [Getting Started](#getting-started) - - [Releasing to Maven Central](#releasing-directly-to-maven-central) - - [Publisher requirements](#publisher-requirements) + - [Releasing to Maven Central](#releasing-to-maven-central) + - [Action requirements](#action-requirements) - [Private Repositories](#private-repositories) - [Verification](#verification) 
@@ -90,35 +90,16 @@ Now, when you invoke this workflow, the Maven builder will build both your artif ### Releasing to Maven Central -You can also release artifacts to Maven Central with [the slsa-github-generator Maven publish action](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/action.yml) by adding the following step to your workflow: - -```yaml - publish: - - name: publish - id: publish - uses: slsa-framework/slsa-github-generator/actions/maven/publish@v1.7.0 - with: - provenance-download-name: "${{ needs.build.outputs.provenance-download-name }}" - provenance-download-sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" - target-download-sha256: "${{ needs.build.outputs.target-download-sha256 }}" - maven-username: ${{ secrets.OSSRH_USERNAME }} - maven-password: ${{ secrets.OSSRH_PASSWORD }} - gpg-key-pass: ${{ secrets.GPG_PASSPHRASE }} - gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} -``` - -Now your workflow will build your artifacts and publish them to a staging repository in Maven Central. - -In the above example of the publish Action, the job that invokes the Maven builder is called `build`. The publish Action uses output from that job. +You can also release artifacts to Maven Central with [the slsa-github-generator Maven publish action](https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/maven/publish/README.md). #### Action requirements Besides adding the above workflow to your CI pipeline, you also need to add the following plugin to your `pom.xml`: -```java +```xml - io.github.adamkorcz - slsa-hashing-plugin + dev.slsa.slsaframework + hash-maven-plugin 0.0.1 From effc1d6a478e0578479b09e63017385038a73f35 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:31:12 +0100 Subject: [PATCH 17/46] Update actions/maven/publish/action.yml Co-authored-by: Ian Lewis 
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 23110caad3..983e3ac968 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -59,7 +59,7 @@ runs: gpg-passphrase: GPG_KEY_PASS - name: Download the slsa attestation - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.1 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main with: name: "${{ inputs.provenance-download-name }}" path: slsa-attestations From 16bafbd24b374a473d85daa5261fdd3c01a03a14 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:31:23 +0100 Subject: [PATCH 18/46] Update actions/maven/publish/action.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 983e3ac968..49715ec314 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -66,7 +66,7 @@ runs: sha256: "${{ inputs.provenance-download-sha256 }}" - name: Download the target dir - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.1 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main with: name: target path: ./ From 9637b4a2383fded2a04309e473a98448701e43ba Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:32:15 +0100 Subject: [PATCH 19/46] Update internal/builders/maven/action.yml Co-authored-by: Ian Lewis 
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- internal/builders/maven/action.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 2db8c77be8..2158e4fca5 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -69,8 +69,11 @@ runs: env: SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} run: | - mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ - cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - && mvn package + mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ \ + && cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin \ + && mvn clean install \ + && cd - \ + && mvn package ls pwd - name: Upload target From 06281272457a5ac3bd0d2439d426a52e8ab1b55e Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 12:11:36 +0100 Subject: [PATCH 20/46] Add flag for maven plugin Signed-off-by: AdamKorcz --- .../io/github/slsa-framework/JarfileHashMojo.java | 11 +++++++++++ internal/builders/maven/action.yml | 4 +--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java index c252a07174..1db5b220e6 100644 --- a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java +++ b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java 
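Review bot: `cd -` in the `&&` chain prints the restored directory to stdout and relies on `OLDPWD` being the project root; a subshell expresses the same thing more directly: `( cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install ) && mvn package`. The `mv` to `../` also places the tool checkout outside `GITHUB_WORKSPACE`; a one-line comment on why it has to live there (presumably to keep it out of the project tree that `mvn package` and the later upload see) would save the next reader a guess. The `ls` and `pwd` lines that follow are context here and look like leftover debugging.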
@@ -30,7 +30,18 @@ public class JarfileHashMojo extends AbstractMojo { @Parameter(property = "hash-jarfile.outputJsonPath", defaultValue = "") private String outputJsonPath; + @Parameter(property = "run.hash.jarfile", defaultValue = "false") + private Boolean runHashJarfile; + + public void execute() throws MojoExecutionException, MojoFailureException { + if (!runHashJarfile) { + getLog().info("SLSA Hash Jarfile plugin is skipped."); + return; + } + + getLog().info("Start running SLSA Hash Jarfile plugin."); + try { StringBuilder attestations = new StringBuilder(); diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 2158e4fca5..627b34721b 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -73,9 +73,7 @@ runs: && cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin \ && mvn clean install \ && cd - \ - && mvn package - ls - pwd + && mvn package -Drun.hash.jarfile=true - name: Upload target id: upload-target uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main From 819ced329c5adcd5fa12766937f83fd4c1f79514 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 12:13:11 +0100 Subject: [PATCH 21/46] add license header to Mojo Signed-off-by: AdamKorcz --- .../io/github/slsa-framework/JarfileHashMojo.java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java index 1db5b220e6..312912c0f8 100644 --- a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java +++ b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java 
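Review bot: `private Boolean runHashJarfile` is a boxed type checked with `!runHashJarfile`; Maven injects the `defaultValue` so it is non-null in practice, but a primitive `private boolean runHashJarfile;` makes the null case impossible and reads as the on/off switch it is. The source file lives under `src/main/java/io/github/slsa-framework/` while the declared package is `dev.slsa.slsaframework`; `javac` tolerates the mismatch, but `slsa-framework` is not a legal package segment and most tooling expects the directory to mirror the package, so the file should move to `src/main/java/dev/slsa/slsaframework/`. The rest of `execute()` continues outside this hunk.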
@@ -1,3 +1,17 @@ +// Copyright 2023 SLSA Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package dev.slsa.slsaframework; import org.apache.maven.plugin.AbstractMojo; From 8c63c0c99f7cb00b5aa6722e3991cfef0e3a2aba Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 12:18:58 +0100 Subject: [PATCH 22/46] Log error if Mojo cannot create json output file Signed-off-by: AdamKorcz --- .../src/main/java/io/github/slsa-framework/JarfileHashMojo.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java index 312912c0f8..61598f64c2 100644 --- a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java +++ b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java @@ -98,8 +98,10 @@ private File getOutputJsonFile(String targetDir) { return outputJson; } } + getLog().error("Could not generate the output json file."); return new File(targetDir, "hash.json"); } catch (IOException e) { + getLog().error("Could not generate the output json file."); return new File(targetDir, "hash.json"); } } From b4204f3935cf920bffe923f98debdb6de5442c1e Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 12:31:55 +0100 Subject: [PATCH 23/46] testing latest changes 
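Review bot: Both added `getLog().error("Could not generate the output json file.")` calls discard the reason; the second has `e` in scope and should pass it, `getLog().error("Could not generate the output json file.", e)`, and the first should name the rejected path, e.g. include `this.outputJsonPath`. After logging, the method still silently falls back to `target/hash.json`, so a caller that asked for a specific `outputJsonPath` gets a successful build and a file somewhere else; for output consumed by later steps, throwing a `MojoFailureException` here would be safer than a quiet redirect. The method `getOutputJsonFile` starts outside this hunk.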
Signed-off-by: AdamKorcz --- actions/maven/publish/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 49715ec314..f0fef2ee03 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -75,8 +75,8 @@ runs: - name: Checkout the tool repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: - repository: slsa-framework/slsa-github-generator - ref: main + repository: AdamKorcz/slsa-github-generator + ref: maven-publisher-to-action #main path: __TOOL_CHECKOUT_DIR__ - name: Publish to the Maven Central Repository From 32e30536db63ed0680111098d8bfdfa909c7a33f Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:52:34 +0100 Subject: [PATCH 24/46] Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index f0fef2ee03..02ce155eea 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -90,6 +90,10 @@ runs: run: | mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - + echo "ls" + ls + find . -name *.build.slsa + .build.slsa mvn javadoc:jar source:jar # Retrieve project version version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) 
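Review bot: `repository: AdamKorcz/slsa-github-generator` with `ref: maven-publisher-to-action #main` makes every run of this action fetch and compile the hashing plugin from a personal fork branch; that is acceptable for an iteration commit, but it must be reverted to `slsa-framework/slsa-github-generator` and ideally an immutable ref before this lands. The `#main` suffix is a literal YAML comment and easy to overlook in review; a `# TODO(revert before merge)` marker would be clearer.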
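Review bot: The bare `.build.slsa` line added after `find . -name *.build.slsa` is executed as a command, and because `shell: bash` steps run with `-e` the step aborts there before `mvn javadoc:jar source:jar` runs. The `find` pattern `*.build.slsa` is also unquoted, so if the working directory already holds a matching file the shell expands the glob before `find` sees it; quote it as `find . -name '*.build.slsa'`. These read as debugging lines and should not be present when the action is merged.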
@@ -108,6 +112,9 @@ runs: classifiers=$classifiers,${target%.*} done + echo "files now: " + echo "${files}" + # Find all generated provenance files and attach them the the environment variable for deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars for name in $(find ./ -name "$artifactid-$version-*.jar.build.slsa") @@ -117,5 +124,8 @@ runs: types=$types",slsa" classifiers=$classifiers,${target::-9} done + + echo "files now: " + echo "${files}" # Sign and deploy the files to the ossrh remote repository mvn validate jar:jar -Dfile=target/"${artifactid}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${files}" -Dtypes="${types}" -Dclassifiers="${classifiers}" -DpomFile=pom.xml gpg:sign-and-deploy-file From b66be392072b77583c4ba4a1bd144c1ed8dc8e2c Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:56:50 +0100 Subject: [PATCH 25/46] Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 02ce155eea..5d7430fcbd 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -92,8 +92,8 @@ runs: cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - echo "ls" ls + echo "find.........." find . -name *.build.slsa - .build.slsa mvn javadoc:jar source:jar # Retrieve project version version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) From 0067b58f9bb649d8dbf545c4d9e0da1de10615fd Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 13:03:54 +0100 Subject: [PATCH 26/46] Update action.yml 
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 5d7430fcbd..ddde02f23d 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -90,10 +90,6 @@ runs: run: | mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - - echo "ls" - ls - echo "find.........." - find . -name *.build.slsa mvn javadoc:jar source:jar # Retrieve project version version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) @@ -111,10 +107,6 @@ runs: types=$types,${target##*.} classifiers=$classifiers,${target%.*} done - - echo "files now: " - echo "${files}" - # Find all generated provenance files and attach them the the environment variable for deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars for name in $(find ./ -name "$artifactid-$version-*.jar.build.slsa") @@ -124,8 +116,5 @@ runs: types=$types",slsa" classifiers=$classifiers,${target::-9} done - - echo "files now: " - echo "${files}" # Sign and deploy the files to the ossrh remote repository mvn validate jar:jar -Dfile=target/"${artifactid}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${files}" -Dtypes="${types}" -Dclassifiers="${classifiers}" -DpomFile=pom.xml gpg:sign-and-deploy-file From 36b7d85cb6a9181b764c8520769d3b638c72bf4b Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 13:07:48 +0100 Subject: [PATCH 27/46] Update action.yml 
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index ddde02f23d..c15ee0b788 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -75,8 +75,8 @@ runs: - name: Checkout the tool repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: - repository: AdamKorcz/slsa-github-generator - ref: maven-publisher-to-action #main + repository: slsa-framework/slsa-github-generator + ref: main path: __TOOL_CHECKOUT_DIR__ - name: Publish to the Maven Central Repository From a2303e9666979cdd3f23ac1543b44f3214ff696e Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:11:36 +0100 Subject: [PATCH 28/46] Update actions/maven/publish/action.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index c15ee0b788..dccf001df9 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
@@ -99,14 +99,12 @@ runs: types=slsa classifiers=jar.build # Find all necessary built jar files and attach them to the environment variable deploy - # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$artifactid-$version-*.jar") - do + while read -r name; do target=$(echo "${name}" | rev | cut -d- -f1 | rev) files=$files,$name types=$types,${target##*.} classifiers=$classifiers,${target%.*} - done + done <<<"$(find ./ -name "$artifactid-$version-*.jar")" # Find all generated provenance files and attach them the the environment variable for deploy # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars for name in $(find ./ -name "$artifactid-$version-*.jar.build.slsa") From 89d60b13a40f888caaf25159f8acb03238fab303 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:11:46 +0100 Subject: [PATCH 29/46] Update actions/maven/publish/action.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index dccf001df9..ee070b2246 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
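Review bot: `while read -r name; do … done <<<"$(find …)"` iterates once with an empty `name` when `find` matches nothing, because the here-string always supplies a trailing newline; that appends a bare `,` to `files`, `types` and `classifiers` and reaches `gpg:sign-and-deploy-file` as an empty entry, whereas the replaced `for` loop ran zero times. Add `[ -n "$name" ] || continue` as the first statement of the body, or feed the loop from process substitution, `done < <(find ./ -name "$artifactid-$version-*.jar")`, which yields no iterations on empty output. The deploy command that consumes these variables is outside this hunk.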
@@ -106,13 +106,11 @@ runs: classifiers=$classifiers,${target%.*} done <<<"$(find ./ -name "$artifactid-$version-*.jar")" # Find all generated provenance files and attach them the the environment variable for deploy - # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars - for name in $(find ./ -name "$artifactid-$version-*.jar.build.slsa") - do + while read -r name; do target=$(echo "${name}" | rev | cut -d- -f1 | rev) files=$files,$name types=$types",slsa" classifiers=$classifiers,${target::-9} - done + done <<<"$(find ./ -name "$artifactid-$version-*.jar.build.slsa")" # Sign and deploy the files to the ossrh remote repository mvn validate jar:jar -Dfile=target/"${artifactid}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${files}" -Dtypes="${types}" -Dclassifiers="${classifiers}" -DpomFile=pom.xml gpg:sign-and-deploy-file From 640cc3eb5a8985365f6e504f3735876b749d9811 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:12:59 +0100 Subject: [PATCH 30/46] export variables Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index ee070b2246..5f5c1ddce7 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
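Review bot: `classifiers=$classifiers,${target::-9}` strips a fixed nine characters from a name that ends in the five-character `.slsa` suffix, so unless I am misreading the naming scheme, `sources.jar.build.slsa` becomes the classifier `sources.jar.b` rather than `sources.jar.build`; `${target%.slsa}` states the intent and survives future suffix changes. The here-string form also runs the body once with an empty `name` when `find` matches nothing, appending a bare `,` to each list; guard with `[ -n "$name" ] || continue` or use `done < <(find …)`. The `mvn … gpg:sign-and-deploy-file` line that consumes `classifiers` is context here, not changed.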
@@ -92,12 +92,12 @@ runs: cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - mvn javadoc:jar source:jar # Retrieve project version - version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) - artifactid=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) + export version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) + export artifactid=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) # Reset the environment variables add in the base provenance - files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.build.slsa" - types=slsa - classifiers=jar.build + export files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.build.slsa" + export types=slsa + export classifiers=jar.build # Find all necessary built jar files and attach them to the environment variable deploy while read -r name; do target=$(echo "${name}" | rev | cut -d- -f1 | rev) From d9f366ee3e2d47607741da7d152d625c65c0accc Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:18:14 +0100 Subject: [PATCH 31/46] testing exported variables Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 5f5c1ddce7..33d4682de4 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
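Review bot: `export version=$(mvn ...)` and `export artifactid=$(mvn ...)` mask the exit status of the `mvn` evaluate calls (ShellCheck SC2155), so under the step's `-e` a failing evaluation goes unnoticed and every later path and `find` pattern built from `${artifactid}-${version}` is silently wrong. Assign first and export afterwards, e.g. `version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)` followed by `export version artifactid files types classifiers`. As far as the hunk shows the variables are only consumed within this same script, so the `export` may not be needed at all; worth confirming against whatever prompted the change. The enclosing `run:` script starts and ends outside the hunk.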
@@ -75,8 +75,8 @@ runs: - name: Checkout the tool repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: - repository: slsa-framework/slsa-github-generator - ref: main + repository: AdamKorcz/slsa-github-generator + ref: maven-publisher-to-action #main path: __TOOL_CHECKOUT_DIR__ - name: Publish to the Maven Central Repository From 9bee2f41b9f39693736699ce7a7e8859b1621e13 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:24:14 +0100 Subject: [PATCH 32/46] rename __TOOL_CHECKOUT_DIR__ to __BUILDER_CHECKOUT_DIR__ Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 33d4682de4..0d6de605bb 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -41,6 +41,13 @@ inputs: runs: using: "composite" steps: + - name: Checkout the tool repository + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main + with: + repository: AdamKorcz/slsa-github-generator + ref: maven-publisher-to-action #main + path: __BUILDER_CHECKOUT_DIR__ + - name: Checkout the project repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources. - name: Set up Java for publishing to Maven Central Repository @@ -72,13 +79,6 @@ runs: path: ./ sha256: "${{ inputs.target-download-sha256 }}" - - name: Checkout the tool repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main - with: - repository: AdamKorcz/slsa-github-generator - ref: maven-publisher-to-action #main - path: __TOOL_CHECKOUT_DIR__ - - name: Publish to the Maven Central Repository shell: bash env: 
@@ -88,8 +88,7 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | - mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ - cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - + cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - mvn javadoc:jar source:jar # Retrieve project version export version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) From 20fa4a74978d51da596eb6965de53ffe7cb2202e Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:30:26 +0100 Subject: [PATCH 33/46] debug Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 0d6de605bb..ce47b4464f 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -88,6 +88,13 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | + echo "ls" + ls + echo "ls .." + ls .. + echo "ls ../__BUILDER_CHECKOUT_DIR__" + ls ../__BUILDER_CHECKOUT_DIR__" + cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - mvn javadoc:jar source:jar # Retrieve project version From 6dae01659faf6319bba260e47ea85066575ea543 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:35:48 +0100 Subject: [PATCH 34/46] Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index ce47b4464f..f00ac64c65 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -88,6 +88,7 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | + mv __BUILDER_CHECKOUT_DIR__ ../ echo "ls" ls echo "ls .." From 4c021a1c53e2479e1b1c1d15a4012e6805cc5e2b Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:42:53 +0100 Subject: [PATCH 35/46] Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index f00ac64c65..11fd14df16 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -88,7 +88,7 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | - mv __BUILDER_CHECKOUT_DIR__ ../ + find ../.. -name "*.java" echo "ls" ls echo "ls .." From 7081556bbd17a4c5d149b2c721aa2d7731e20e6e Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:50:40 +0100 Subject: [PATCH 36/46] Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 11fd14df16..64cd0a4519 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
@@ -41,13 +41,6 @@ inputs: runs: using: "composite" steps: - - name: Checkout the tool repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main - with: - repository: AdamKorcz/slsa-github-generator - ref: maven-publisher-to-action #main - path: __BUILDER_CHECKOUT_DIR__ - - name: Checkout the project repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources. - name: Set up Java for publishing to Maven Central Repository @@ -79,6 +72,13 @@ runs: path: ./ sha256: "${{ inputs.target-download-sha256 }}" + - name: Checkout the tool repository + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main + with: + repository: AdamKorcz/slsa-github-generator + ref: maven-publisher-to-action #main + path: __BUILDER_CHECKOUT_DIR__ + - name: Publish to the Maven Central Repository shell: bash env: @@ -88,6 +88,7 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | + mv __BUILDER_CHECKOUT_DIR__ ../ find ../.. -name "*.java" echo "ls" ls From 46897c8e306a4efa50b3c0526299fa57d2c0f444 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:54:07 +0100 Subject: [PATCH 37/46] Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 64cd0a4519..0b6058e0ec 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml 
@@ -95,7 +95,7 @@ runs: echo "ls .." ls .. echo "ls ../__BUILDER_CHECKOUT_DIR__" - ls ../__BUILDER_CHECKOUT_DIR__" + ls ../__BUILDER_CHECKOUT_DIR__ cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - mvn javadoc:jar source:jar From fcb67a533f34319caf144c473210788d46927201 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 1 Aug 2023 21:15:58 +0100 Subject: [PATCH 38/46] Update action.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- actions/maven/publish/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 0b6058e0ec..932d617f16 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -88,16 +88,16 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | - mv __BUILDER_CHECKOUT_DIR__ ../ + #mv __BUILDER_CHECKOUT_DIR__ ../ find ../.. -name "*.java" echo "ls" ls echo "ls .." ls .. - echo "ls ../__BUILDER_CHECKOUT_DIR__" - ls ../__BUILDER_CHECKOUT_DIR__ + echo "ls __BUILDER_CHECKOUT_DIR__" + ls __BUILDER_CHECKOUT_DIR__ - cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - + cd __BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - mvn javadoc:jar source:jar # Retrieve project version export version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) From 5838ba596adf05dcb9efab1c98d5e3f81f83f8c4 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 21:28:41 +0100 Subject: [PATCH 39/46] rename Mojo 
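Review bot: `cd __BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd -` changes the script's working directory and relies on `cd -` (which also echoes the directory) to come back; a subshell, `(cd __BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install)`, builds the plugin without ever leaving the project directory and reads more clearly. Note too that the framework checkout now sits inside the project tree, so the later `find ./ -name "$artifactid-$version-*.jar"` walks into it; that only matters if a file under `__BUILDER_CHECKOUT_DIR__` happens to match the pattern, which looks unlikely but is worth a `-not -path './__BUILDER_CHECKOUT_DIR__/*'` exclusion or a comment. The enclosing `run:` script continues past the end of the hunk.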
Signed-off-by: AdamKorcz --- actions/maven/publish/slsa-hashing-plugin/pom.xml | 2 +- .../src/main/java/io/github/slsa-framework/JarfileHashMojo.java | 2 +- internal/builders/maven/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/actions/maven/publish/slsa-hashing-plugin/pom.xml b/actions/maven/publish/slsa-hashing-plugin/pom.xml index 6ca83aecb4..dcf8b39851 100644 --- a/actions/maven/publish/slsa-hashing-plugin/pom.xml +++ b/actions/maven/publish/slsa-hashing-plugin/pom.xml @@ -3,7 +3,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> 4.0.0 - dev.slsa.slsaframework + io.github.slsa-framework.slsa-github-generator hash-maven-plugin maven-plugin 0.0.1 diff --git a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java index 61598f64c2..2128324155 100644 --- a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java +++ b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package dev.slsa.slsaframework; +package io.github.slsa-framework.slsa-github-generator; import org.apache.maven.plugin.AbstractMojo; import org.apache.maven.plugin.MojoExecutionException; diff --git a/internal/builders/maven/README.md b/internal/builders/maven/README.md index dd67f84212..6c92522f60 100644 --- a/internal/builders/maven/README.md +++ b/internal/builders/maven/README.md @@ -98,7 +98,7 @@ Besides adding the above workflow to your CI pipeline, you also need to add the ```xml - dev.slsa.slsaframework + io.github.slsa-framework.slsa-github-generator hash-maven-plugin 0.0.1 From 459f39f98593e383b6b0f78c0b1c2cfb8d1a5efb Mon Sep 17 00:00:00 2001 
From: AdamKorcz Date: Tue, 1 Aug 2023 21:30:20 +0100 Subject: [PATCH 40/46] rename tool dir to builder dir in maven builder Signed-off-by: AdamKorcz --- internal/builders/maven/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 627b34721b..70b814ebc4 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -63,14 +63,14 @@ runs: with: repository: slsa-framework/slsa-github-generator ref: main - path: __TOOL_CHECKOUT_DIR__ + path: __BUILDER_CHECKOUT_DIR__ - name: Run mvn package shell: bash env: SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} run: | - mv ./__TOOL_CHECKOUT_DIR__ ../__TOOL_CHECKOUT_DIR__ \ - && cd ../__TOOL_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin \ + mv ./__BUILDER_CHECKOUT_DIR__ ../__BUILDER_CHECKOUT_DIR__ \ + && cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin \ && mvn clean install \ && cd - \ && mvn package -Drun.hash.jarfile=true From f141f5651cf833c47d6cb1ea28441ae743556f1e Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 21:33:25 +0100 Subject: [PATCH 41/46] remove packages: read Signed-off-by: AdamKorcz --- actions/maven/publish/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/actions/maven/publish/README.md b/actions/maven/publish/README.md index 6f5ab4d32f..42a35a23b7 100644 --- a/actions/maven/publish/README.md +++ b/actions/maven/publish/README.md @@ -27,7 +27,6 @@ jobs: id-token: write contents: read actions: read - packages: read uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@v1.7.0 with: rekor-log-public: true From 0ca0fa32501740bcadf07cd431e8433f1d30fe85 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 21:35:43 +0100 Subject: [PATCH 42/46] test Signed-off-by: AdamKorcz --- internal/builders/maven/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 70b814ebc4..115e042b52 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -61,8 +61,8 @@ runs: - name: Checkout the tool repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: - repository: slsa-framework/slsa-github-generator - ref: main + repository: AdamKorcz/slsa-github-generator + ref: maven-publisher-to-action #main path: __BUILDER_CHECKOUT_DIR__ - name: Run mvn package shell: bash From d08ce2b75236fc166d9ac69cc2bec94a90073603 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 21:38:56 +0100 Subject: [PATCH 43/46] remove hyphen in java package name Signed-off-by: AdamKorcz --- .../src/main/java/io/github/slsa-framework/JarfileHashMojo.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java index 2128324155..036004a849 100644 --- a/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java +++ b/actions/maven/publish/slsa-hashing-plugin/src/main/java/io/github/slsa-framework/JarfileHashMojo.java @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package io.github.slsa-framework.slsa-github-generator; +package io.github.slsaframework; import org.apache.maven.plugin.AbstractMojo; import org.apache.maven.plugin.MojoExecutionException; From 72c56179081fcdb966976ad73b42d4b0b6ddc4b1 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 1 Aug 2023 21:52:09 +0100 Subject: [PATCH 44/46] revert debugging helpers 
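Review bot: The package is now `io.github.slsaframework` but the source still lives under `src/main/java/io/github/slsa-framework/`, so the directory layout no longer matches the package declaration; Maven will compile it regardless, but IDEs and tools that resolve classes through the sourcepath layout may not find it. Move the file to `src/main/java/io/github/slsaframework/JarfileHashMojo.java` in the same change. The pom groupId `io.github.slsa-framework.slsa-github-generator` set in an earlier commit is unaffected, since Maven coordinates allow hyphens.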
Signed-off-by: AdamKorcz --- actions/maven/publish/action.yml | 13 ++----------- internal/builders/maven/action.yml | 4 ++-- 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 932d617f16..c9476213b0 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -75,8 +75,8 @@ runs: - name: Checkout the tool repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: - repository: AdamKorcz/slsa-github-generator - ref: maven-publisher-to-action #main + repository: slsa-framework/slsa-github-generator + ref: main path: __BUILDER_CHECKOUT_DIR__ - name: Publish to the Maven Central Repository @@ -88,15 +88,6 @@ runs: SLSA_DIR: "${{ inputs.provenance-download-name }}" PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" run: | - #mv __BUILDER_CHECKOUT_DIR__ ../ - find ../.. -name "*.java" - echo "ls" - ls - echo "ls .." - ls .. - echo "ls __BUILDER_CHECKOUT_DIR__" - ls __BUILDER_CHECKOUT_DIR__ - cd __BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd - mvn javadoc:jar source:jar # Retrieve project version diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 115e042b52..70b814ebc4 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -61,8 +61,8 @@ runs: - name: Checkout the tool repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: - repository: AdamKorcz/slsa-github-generator - ref: maven-publisher-to-action #main + repository: slsa-framework/slsa-github-generator + ref: main path: __BUILDER_CHECKOUT_DIR__ - name: Run mvn package shell: bash From f7fa441497cd8194f293973027df37a423c1dfa5 Mon Sep 17 00:00:00 2001 
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 1 Aug 2023 14:53:08 -0700 Subject: [PATCH 45/46] Update action.yml Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index c9476213b0..f4b071cd7b 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -72,7 +72,7 @@ runs: path: ./ sha256: "${{ inputs.target-download-sha256 }}" - - name: Checkout the tool repository + - name: Checkout the framework repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: repository: slsa-framework/slsa-github-generator From 78a5806e304964b9b6fb29c3e9afff99afacea0c Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 1 Aug 2023 14:55:20 -0700 Subject: [PATCH 46/46] Use v1.8.0 as ref Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- actions/maven/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index f4b071cd7b..529be1bad3 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -76,7 +76,7 @@ runs: uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: repository: slsa-framework/slsa-github-generator - ref: main + ref: v1.8.0 path: __BUILDER_CHECKOUT_DIR__ - name: Publish to the Maven Central Repository
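Review bot: `ref: v1.8.0` pins the framework checkout to a tag, and a tag is a mutable reference: whoever can move it changes which `slsa-hashing-plugin` source gets built with `mvn clean install` and run inside the publisher. If `secure-builder-checkout` resolves the tag to a commit and verifies it, that covers the concern; otherwise a commit SHA with the tag in a trailing comment is the stronger pin. Separately, the ref is hard-coded rather than derived from the ref the caller used for this action, so the action version and the checked-out framework version can drift apart across releases. This is presumably meant to be bumped on every release and deserves a comment saying so, e.g. `# Keep in sync with the release tag of this action.`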