Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add provenance instruction for maven and gradle #573

Merged
merged 1 commit into from
Jul 18, 2022
Merged

Add provenance instruction for maven and gradle #573

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
155 changes: 155 additions & 0 deletions internal/builders/generic/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ project simply generates provenance as a separate step in an existing workflow.
- [Integration With Other Build Systems](#integration-with-other-build-systems)
- [Provenance for GoReleaser](#provenance-for-goreleaser)
- [Provenance for Bazel](#provenance-for-bazel)
- [Provenance for Java](#provenance-for-java)

---

Expand Down Expand Up @@ -424,3 +425,157 @@ jobs:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true # upload to a new release
```

### Provenance for Java

If you develop with Java and use [Maven](#maven) or [Gradle](#gradle), you can
easily generate SLSA3 provenance by updating your existing workflow with the
steps indicated in the workflow below:

#### Maven
```
jobs:
build:
# ==================================================
#
# Step 1: Declare an `outputs` for the artifacts generated by
# the build and their hashes.
#
# ==================================================
outputs:
artifacts: ${{ steps.build.outputs.artifacts }}
hashes: ${{ steps.hash.outputs.hashes }}

[...]

steps:
[...]
- name: Build using maven
# =================================================
#
# Step 2: Add an `id: build` field
# to your maven build step.
#
# =================================================
id: build
run: |
# Your normal build workflow targets here
mvn clean package

# ======================================================
#
# Step 3: Save the location of the maven output files
# for easier reference
#
# =====================================================
ARTIFACT_PATTERN=./target/$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)*.jar
echo "::set-output name=artifact_pattern::$ARTIFACT_PATTERN"

# ========================================================
#
# Step 4: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
#
# ========================================================
- name: Generate subject
id: hash
run: |
echo "::set-output name=hashes::$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)"

- name: Upload build artifacts
Copy link
Collaborator

@laurentsimon laurentsimon Jul 18, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an optional step correct? Only needed if we want to later upload to the results for the release.
Fine for this PR, just want to be sure.

uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
name: maven-build-outputs
path: ${{ steps.build.outputs.artifact_pattern }}
if-no-files-found: error

# =========================================================
#
# Step 5: Call the generic workflow to generate provenance
# by declaring the job below.
#
# =========================================================
provenance:
needs: [build]
permissions:
actions: read
id-token: write
contents: read
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
# TODO: uncomment when ready
# upload-assets: true # upload to a new release
```

#### Gradle
```
jobs:
build:
# ==================================================
#
# Step 1: Declare an `outputs` for the artifacts generated by
# the build and their hashes.
#
# ==================================================
outputs:
hashes: ${{ steps.hash.outputs.hashes }}

[...]

steps:
[...]
- name: Build using gradle
# =================================================
#
# Step 2: Add an `id: build` field
# to your gradle build step.
#
# =================================================
id: build
run: |
# Your normal build workflow targets here
./gradlew clean build

# ========================================================
#
# Step 4: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
# This build assumes build artifacts are saved
# in ./build/libs
#
# ========================================================
- name: Generate subject
id: hash
run: |
echo "::set-output name=hashes::$(sha256sum ./build/libs/* | base64 -w0)"

- name: Upload build artifacts
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
name: gradle-build-outputs
path: ./build/libs/
if-no-files-found: error

# =========================================================
#
# Step 5: Call the generic workflow to generate provenance
# by declaring the job below.
#
# =========================================================
provenance:
needs: [build]
permissions:
actions: read
id-token: write
contents: read
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
# TODO: uncomment when ready
# upload-assets: true # upload to a new release
```