Test slsa builder.
netomi committed Dec 8, 2023
1 parent ea7e013 commit da78a64
Showing 2 changed files with 87 additions and 65 deletions.
138 changes: 74 additions & 64 deletions .github/workflows/release.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
permissions:
contents: write
# don't run this workflow in forks
if: github.repository == 'eclipse-cbi/macos-notarization-service'
# if: github.repository == 'eclipse-cbi/macos-notarization-service'
outputs:
version: ${{ steps.set-version.outputs.VERSION }}
steps:
Expand Down Expand Up @@ -70,70 +70,80 @@ jobs:
needs: ['precheck']
permissions:
contents: write
outputs:
hashes: ${{ steps.slsa.outputs.HASHES }}
tagname: ${{ steps.slsa.outputs.TAGNAME }}
steps:
- name: Setup Git User
run: |
git config --global user.name '${{ env.BOT_USER_NAME }}'
git config --global user.email '${{ env.BOT_EMAIL }}'
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ github.ref }}
fetch-depth: 0

- name: Setup Java
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
with:
java-version: ${{ env.JAVA_VERSION }}
distribution: ${{ env.JAVA_DISTRO }}
cache: maven

- name: Build and Test Package
run: |
./mvnw -ntp -B -Pdist -Prelease -Psbom clean package
- name: Release with JReleaser
uses: jreleaser/release-action@v2
with:
version: '1.9.0'
arguments: full-release
env:
JRELEASER_PROJECT_VERSION: ${{ needs.precheck.outputs.version }}
JRELEASER_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: JReleaser release output
if: always()
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: jreleaser-release
path: |
out/jreleaser/trace.log
out/jreleaser/output.properties
- name: Generate Hashes for SLSA provenance
shell: bash
id: slsa
run: |
echo "HASHES=$(cat out/jreleaser/checksums/checksums_sha256.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
echo "TAGNAME=$(grep tagName out/jreleaser/output.properties | awk -F'=' '{print $2}')" >> "$GITHUB_OUTPUT"
provenance:
name: Provenance
needs: ['precheck', 'release']
permissions:
actions: read
id-token: write
contents: write
# Can't pin with hash due to how this workflow works.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
# outputs:
# hashes: ${{ steps.slsa.outputs.HASHES }}
# tagname: ${{ steps.slsa.outputs.TAGNAME }}
# steps:
# - name: Setup Git User
# run: |
# git config --global user.name '${{ env.BOT_USER_NAME }}'
# git config --global user.email '${{ env.BOT_EMAIL }}'

# - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# with:
# ref: ${{ github.ref }}
# fetch-depth: 0

# - name: Setup Java
# uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
# with:
# java-version: ${{ env.JAVA_VERSION }}
# distribution: ${{ env.JAVA_DISTRO }}
# cache: maven
#
# - name: Build and Test Package
# run: |
# ./mvnw -ntp -B -Pdist -Prelease -Psbom clean package

uses: jreleaser/release-action/.github/workflows/[email protected]
with:
base64-subjects: ${{ needs.release.outputs.hashes }}
upload-assets: true
upload-tag-name: ${{ needs.release.outputs.tagname }}
provenance-name: macos-notarization-service-${{ needs.precheck.outputs.version }}.zip.intoto.jsonl
project-version: ${{ needs.precheck.outputs.version }}
jreleaser-version: '1.9.0'
java-version: ${{ env.JAVA_VERSION }}
java-distribution: ${{ env.JAVA_DISTRO }}
rekor-log-public: true
secrets:
github-token: ${{ secrets.GITHUB_TOKEN }}

# - name: Release with JReleaser
# uses: jreleaser/release-action@v2
# with:
# version: '1.9.0'
# arguments: full-release
# env:
# JRELEASER_PROJECT_VERSION: ${{ needs.precheck.outputs.version }}
# JRELEASER_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# - name: JReleaser release output
# if: always()
# uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
# with:
# name: jreleaser-release
# path: |
# out/jreleaser/trace.log
# out/jreleaser/output.properties
#
# - name: Generate Hashes for SLSA provenance
# shell: bash
# id: slsa
# run: |
# echo "HASHES=$(cat out/jreleaser/checksums/checksums_sha256.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
# echo "TAGNAME=$(grep tagName out/jreleaser/output.properties | awk -F'=' '{print $2}')" >> "$GITHUB_OUTPUT"

# provenance:
# name: Provenance
# needs: ['precheck', 'release']
# permissions:
# actions: read
# id-token: write
# contents: write
# # Can't pin with hash due to how this workflow works.
# uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
# with:
# base64-subjects: ${{ needs.release.outputs.hashes }}
# upload-assets: true
# upload-tag-name: ${{ needs.release.outputs.tagname }}
# provenance-name: macos-notarization-service-${{ needs.precheck.outputs.version }}.zip.intoto.jsonl

prepare-for-next-development-cycle:
runs-on: ubuntu-latest
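Review bot: `base64-subjects: ${{ needs.release.outputs.hashes }}` and `upload-tag-name: ${{ needs.release.outputs.tagname }}` now read outputs that nothing produces: the `hashes`/`tagname` outputs and the `slsa` step that set them are commented out on the new side, and this job's own `needs:` is `['precheck']`, so `needs.release` is not in scope and both inputs expand to empty strings (or fail validation if the called workflow does not declare them). These inputs appear carried over from the slsa-framework generator call retained in the commented block; drop them here or keep a job that publishes the hashes. The reusable workflow on the `uses:` line appears to be referenced by a version tag (the ref is redacted in this rendering) while the rest of the job pins actions by commit SHA; since the caller hands it `secrets.GITHUB_TOKEN` with `contents: write`, pin to a full SHA with the version in a trailing comment where the workflow supports it, or document why not as the old `# Can't pin with hash` comment did for the slsa-framework generator. `java-version: ${{ env.JAVA_VERSION }}` and `java-distribution: ${{ env.JAVA_DISTRO }}` are likely empty as well, because the `env` context is not available in `jobs.<id>.with` for reusable-workflow calls — pass literals or `vars` instead. Finally, the job's `permissions:` grant only `contents: write`; if the called workflow signs provenance with OIDC it also needs `id-token: write` (and `actions: read`, as the removed `provenance` job had) from this caller.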
14 changes: 13 additions & 1 deletion jreleaser.yml
Expand Up @@ -93,9 +93,21 @@ catalog:
sbom:
cyclonedx:
active: ALWAYS
slsa:
active: ALWAYS
attestationName: {{projectName}}-{{projectVersion}}.zip.intoto.jsonl

hooks:
script:
before:
- run: './mvnw -ntp -B -Pdist -Prelease -Psbom clean verify package'
condition: '"{{ Env.CI }}" == true'
verbose: true
filter:
includes: ['assemble']

distributions:
app:
type: BINARY
type: JAVA_BINARY
artifacts:
- path: target/distributions/{{projectName}}-{{projectVersion}}.zip
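Review bot: `attestationName: {{projectName}}-{{projectVersion}}.zip.intoto.jsonl` is a plain scalar starting with `{`, which a YAML parser reads as the opening of a flow mapping, so the file fails to parse (or yields a mapping instead of a name) before JReleaser ever expands the template; the `path:` entry below only escapes this because it does not start with a brace. Quote it: `attestationName: '{{projectName}}-{{projectVersion}}.zip.intoto.jsonl'`. The same name is spelled out literally as `provenance-name:` in the workflow; a one-line comment here noting that the two must stay in sync would save the next editor from a silent mismatch.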
