Migrate to a CI build with SLSA provenance (#896)

pnacht · web-flow · commit b3c6899aea4a · 2023-02-13T20:57:06.000-08:00
Signed-off-by: Pedro Kaj Kjellerup Nacht &lt;pnacht@google.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,71 @@
+# This workflow publishes a new release to Maven central.
+#
+# The release MUST be initiated by running the release.sh script. That script will run
+# ./mvnw release:prepare and make the necessary changes for this workflow to then take
+# over and perform the actual release.
+
+name: Publish new release
+on:
+  push:
+    tags:
+      - "*"
+      - "!*.pr*"
+      - "!*b"
+
+jobs:
+  release:
+    runs-on: "ubuntu-20.04"
+    env:
+      JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
+      TAG: ${{ github.ref_name }}
+    outputs:
+      hash: ${{ steps.hash.outputs.hash }}
+      artifact_name: ${{ steps.hash.outputs.artifact_name }}
+    steps:
+      - name: Validate version name
+        run: |
+          [[ "$TAG" =~ jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)? ]] || exit 1
+      - uses: actions/checkout@v3
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          distribution: "temurin"
+          java-version: "8"
+          cache: "maven"
+          server-id: sonatype-nexus-staging
+          server-username: CI_DEPLOY_USERNAME
+          server-password: CI_DEPLOY_PASSWORD
+          # See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven
+          # gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+          # gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
+      - name: Perform release
+        # The following command will only succeed if the preparation was done via the
+        # release.sh script.
+        run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true
+      - name: Generate hash
+        id: hash
+        run: |
+          ARTIFACT_NAME="$( \
+            ./mvnw help:evaluate \
+              -Dexpression=project.artifactId -q -DforceStdout)-$( \
+            ./mvnw help:evaluate \
+              -Dexpression=project.version -q -DforceStdout)"
+          echo "artifact_name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT"
+
+          cd ./target
+          echo "hash=$( \
+            sha256sum $ARTIFACT_NAME*.jar | \
+            base64 -w0 \
+          )" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: [release]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hash }}"
+      provenance-name: "${{ needs.release.outputs.artifact_name }}.jar.intoto.jsonl"
+      upload-assets: true # Optional: Upload to a new release
diff --git a/release.sh b/release.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# This script simulates the Maven Release Plugin, but only performs
+# release:clean and release:prepare. The release:perform step is handled by the
+# CI when the tag is pushed.
+#
+# However, release:perform on Git requires the release.properties file. We must
+# therefore modify the first commit created by release:prepare to include this
+# file, and then delete the file in the second commit.
+#
+# This will ensure that release.properties is available to release:perform in
+# the CI, while keeping with the expectation that this file does not get
+# commited (long-term) to the repository.
+
+set -euo pipefail
+
+# Prepare but don't push, we'll need to modify the commits
+./mvnw release:clean release:prepare -DpushChanges=false
+
+# Step back to the first commit (from SNAPSHOT to release)
+git reset HEAD~1
+
+# delete tag created by release:prepare
+tag_name="$(git tag --points-at)"
+git tag -d "$tag_name"
+
+# Add release.properties to that commit
+git add release.properties
+git commit --amend --no-edit
+
+# recreate tag
+git tag "$tag_name" -m "[maven-release-plugin] copy for tag $tag_name"
+
+# Recreate second commit (from release to SNAPSHOT), removing
+# release.properties from the repository
+git rm release.properties
+git add pom.xml
+git commit -m "[maven-release-plugin] prepare for next development iteration"
+
+# push everything
+git push
+git push origin "$tag_name"
+
+# clean up
+rm pom.xml.releaseBackup
