diff --git a/.github/workflows/builder_maven_slsa3.yml b/.github/workflows/builder_maven_slsa3.yml index 76deca85dd..561ff8819d 100644 --- a/.github/workflows/builder_maven_slsa3.yml +++ b/.github/workflows/builder_maven_slsa3.yml @@ -22,21 +22,35 @@ on: required: false type: boolean default: false - artifact-list: - description: "Comma-separated list of paths to artifacts to be released. Use PROJECT_VERSION for the release version, for example: 'artifact-PROJECT_VERSION-sources.jar'" - type: string - required: true jdk-version: description: "The JDK version" required: false default: 17 type: number + + outputs: + provenance-name: + description: "The file name of the attestation upload artifact." + # NOTE: This is an "untrusted" value returned from the build. + value: "${{ fromJSON(jobs.slsa-run.outputs.build-artifacts-outputs).attestation-name }}" + + provenance-download-name: + description: "The name of the provenance attestation uploaded to the workflow run." + value: "${{ jobs.slsa-run.outputs.attestations-download-name }}" + + provenance-download-sha256: + description: "The sha256 of the provenance attestation uploaded to the workflow run." + value: "${{ jobs.slsa-run.outputs.attestations-download-sha256 }}" + + target-download-sha256: + description: "The sha256 of the target uploaded to the workflow run." + value: "${{ fromJSON(jobs.slsa-run.outputs.build-artifacts-outputs).target-download-sha256 }}" jobs: slsa-setup: permissions: id-token: write # For token creation. outputs: - slsa-token: ${{ steps.generate.outputs.slsa-token }} + slsa-token: "${{ steps.generate.outputs.slsa-token }}" runs-on: ubuntu-latest steps: - name: Generate the token 
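Review bot: The new `target-download-sha256` output is read from the same `build-artifacts-outputs` JSON as `provenance-name`, yet only the latter carries the `# NOTE: This is an "untrusted" value returned from the build.` comment; the build job runs the project's own Maven build before that digest is produced, so the same caveat applies and the comment should be repeated on `target-download-sha256` (or placed once above the whole `outputs:` block). Its description should also say what the digest does and does not cover, e.g. `description: "The sha256 of the target folder uploaded to the workflow run. Detects tampering between upload and download only; it does not vouch for the build itself -- verify the provenance for that."`. Separately, dropping the required `artifact-list` input is a breaking change for existing callers of this reusable workflow, which will presumably be rejected by input validation until they stop passing it; a line in the workflow header pointing at the new `target`-directory flow would save them a confusing failure.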
@@ -44,13 +58,13 @@ jobs: uses: slsa-framework/slsa-github-generator/actions/delegator/setup-generic@main with: slsa-workflow-recipient: "delegator_lowperms-generic_slsa3.yml" - slsa-rekor-log-public: ${{ inputs.rekor-log-public }} + slsa-rekor-log-public: "${{ inputs.rekor-log-public }}" slsa-runner-label: "ubuntu-latest" slsa-build-action-path: "./internal/builders/maven" - slsa-workflow-inputs: ${{ toJson(inputs) }} + slsa-workflow-inputs: "${{ toJson(inputs) }}" slsa-run: - needs: [slsa-setup] + needs: slsa-setup permissions: id-token: write # For signing. contents: read # For asset uploads. @@ -58,6 +72,6 @@ jobs: packages: write # To publish to GitHub packages. uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@main with: - slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} + slsa-token: "${{ needs.slsa-setup.outputs.slsa-token }}" # TODO(#2154): need to add support for uploading provenance and artifact to registry diff --git a/.github/workflows/publish_maven.yml b/.github/workflows/publish_maven.yml new file mode 100644 index 0000000000..102937b86b --- /dev/null +++ b/.github/workflows/publish_maven.yml 
@@ -0,0 +1,127 @@ +# Copyright 2023 SLSA Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +on: + workflow_call: + inputs: + provenance-download-name: + description: "The artifact name for the package provenance." + required: true + type: string + provenance-download-sha256: + description: "The sha256 of the package provenance artifact." + required: false + type: string + target-download-sha256: + description: "The sha256 of the target directory." + required: true + type: string + secrets: + maven-username: + description: "Maven username" + required: false + maven-password: + description: "Maven password" + required: false + gpg-key-pass: + description: "gpg-key-pass" + required: false + gpg-private-key: + description: "gpg-key-pass" + required: false + +jobs: + setup-java: + runs-on: ubuntu-latest + steps: + - name: Checkout the project repository + uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main + - name: Set up Java for publishing to Maven Central Repository + uses: actions/setup-java@v3 + env: + MAVEN_USERNAME: ${{ secrets.maven-username }} + MAVEN_PASSWORD: ${{ secrets.maven-password }} + GPG_KEY_PASS: ${{ secrets.gpg-key-pass }} + with: + java-version: '11' + distribution: 'temurin' + server-id: ossrh + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + gpg-private-key: ${{ secrets.gpg-private-key }} + gpg-passphrase: GPG_KEY_PASS + + - name: Download the slsa attestation + uses: 
slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main + with: + name: "${{ inputs.provenance-download-name }}" + path: slsa-attestations + sha256: "${{ inputs.provenance-download-sha256 }}" + + - name: Download the target dir + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main + with: + name: target + path: ./ + sha256: "${{ inputs.target-download-sha256 }}" + + - name: Publish to the Maven Central Repository + shell: bash + env: + MAVEN_USERNAME: "${{ secrets.maven-username }}" + MAVEN_PASSWORD: "${{ secrets.maven-password }}" + GPG_KEY_PASS: "${{ secrets.gpg-key-pass }}" + SLSA_DIR: "${{ inputs.provenance-download-name }}" + PROVENANCE_FILES: "${{ inputs.provenance-download-name }}" + run: | + # Build and run custom plugin + cd plugin && mvn clean install && cd .. + # Re-indexing the secondary jar files for deploy + mvn javadoc:jar source:jar + echo "find javadoc" + find . -name "*javadoc*" + echo "end find javadoc" + # Retrieve project version + VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) + ARTIFACTID=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout) + # Reset the environment variables add in the base provenance + FILES="slsa-attestations/${PROVENANCE_FILES}/${ARTIFACTID}-${VERSION}.jar.intoto.build.slsa" + TYPES=slsa + CLASSIFIERS=jar.intoto.build + # Find all necessary built jar files and attach them to the environment variable deploy + # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars + for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar") + do + # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. 
+ TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) + FILES=$FILES,$name + TYPES=$TYPES,${TARGET##*.} + CLASSIFIERS=$CLASSIFIERS,${TARGET%.*} + echo "FILESSS: ${FILES}" + done + echo "find ./ -name {ARTIFACTID}-{VERSION}-*.jar" + find ./ -name "${ARTIFACTID}-${VERSION}-*.jar" + + # Find all generated provenance files and attach them the the environment variable for deploy + # shellcheck disable=SC2044 # We don't spawn a new sub shell since we are appending to global env vars + for name in $(find ./ -name "$ARTIFACTID-$VERSION-*.jar.intoto.build.slsa") + do + # shellcheck disable=SC1001 # shellcheck complains over \- but the line does what it should. + TARGET=$(echo "${name}" | rev | cut -d\- -f1 | rev) + FILES=$FILES,$name + TYPES=$TYPES",slsa" + CLASSIFIERS=$CLASSIFIERS,${TARGET::-9} + done + # Sign and deploy the files to the ossrh remote repository + mvn validate jar:jar -Dfile=target/"${ARTIFACTID}"-"${VERSION}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${FILES}" -Dtypes="${TYPES}" -Dclassifiers="${CLASSIFIERS}" -DpomFile=pom.xml gpg:sign-and-deploy-file diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 9a212ce59c..95a00ae9c0 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -39,6 +39,13 @@ inputs: slsa-workflow-secret13: {} slsa-workflow-secret14: {} slsa-workflow-secret15: {} +outputs: + target-download-sha256: + description: > + The sha256 digest of the "target" directory. + + Users should verify the download against this digest to prevent tampering. + value: ${{ steps.upload-target.outputs.sha256 }} on: workflow_call: 
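Review bot: `provenance-download-sha256` is declared `required: false` but is fed straight into the `secure-download-folder` step's `sha256:` input for the attestation; if a caller omits it the attestation is fetched with an empty digest, and whether that action then fails or silently skips verification is not visible here, so the check should be made unavoidable with `required: true`, matching `target-download-sha256`. `actions/setup-java@v3` is pinned by a floating tag while the repository's own convention (see the `actions/upload-artifact@0b7f8abb… # v3.1.2` reference elsewhere in this change) is a commit SHA with a version comment; this step is handed the Maven credentials and the GPG private key, so it deserves the same pin. The `gpg-private-key` secret is described as `"gpg-key-pass"`, a copy-paste of the previous entry; `description: "GPG private key imported by setup-java and used to sign the deployed files"` matches what it is used for. Finally, `${TARGET::-9}` in the second loop strips nine characters from a name ending in `.jar.intoto.build.slsa`, which does not produce the `<classifier>.jar.intoto.build` form the explicit first `FILES` entry uses (that would need `${TARGET%.slsa}`); unless the attestation naming differs from that first entry, the extra provenance files will be deployed under a truncated classifier.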
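Review bot: The `target-download-sha256` description promises that verifying against this digest prevents tampering, but the digest is computed by the `upload-target` step after the project's own `mvn package` has run in the same job, so it covers the artifact only between upload and download and says nothing about the build itself; the calling workflow in this same change already labels the build's outputs as untrusted. Suggest the description read `The sha256 digest of the "target" directory as uploaded by the build job. Verify the download against it to detect tampering in transit; it does not attest to the build -- use the provenance for that.`. Also, `value: ${{ steps.upload-target.outputs.sha256 }}` is left unquoted while the workflow files in this change quote every expression; `value: "${{ steps.upload-target.outputs.sha256 }}"` keeps the files consistent.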
@@ -52,21 +59,13 @@ runs: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} - name: Run mvn package - shell: bash - run: mvn package - - name: Put release artifacts in one directory shell: bash env: SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} - ARTIFACT_LIST: ${{ fromJson(inputs.slsa-workflow-inputs).artifact-list }} - run: ./../__TOOL_ACTION_DIR__/collect_release_artifacts.sh - - name: Upload built artifacts - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + run: cd plugin && mvn clean install && cd .. && mvn package + - name: Upload target + id: upload-target + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main with: - path: ./release-files-for-slsa/* - - name: Make outputs - id: make-outputs - shell: bash - env: - SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }} - run: ./../__TOOL_CHECKOUT_DIR__/internal/builders/gradle/create_attestation.sh + name: target + path: target diff --git a/internal/builders/maven/collect_release_artifacts.sh b/internal/builders/maven/collect_release_artifacts.sh deleted file mode 100755 index 639721e995..0000000000 --- a/internal/builders/maven/collect_release_artifacts.sh +++ /dev/null 
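Review bot: The `Run mvn package` step keeps `SLSA_OUTPUTS_ARTIFACTS_FILE` in its `env:` although its command is now only `cd plugin && mvn clean install && cd .. && mvn package`, and the `Make outputs` step that previously wrote the layout file is removed; if the plugin installed from `plugin/` is what now reads that variable, a comment should say so, e.g. `# The plugin installed from plugin/ reads SLSA_OUTPUTS_ARTIFACTS_FILE to write the layout file -- TODO confirm`, otherwise the variable is dead. The `cd ..` dance can be avoided with `run: mvn -f plugin/pom.xml clean install && mvn package`, which should be equivalent unless `plugin/` relies on its own `.mvn/` directory, and keeps the working directory unambiguous for the following `Upload target` step. It is also not visible whether `plugin/` comes from the builder checkout or from the project checkout; since this job runs project-controlled code before the digest is taken, a one-line comment stating which is worth adding. The `runs:` block starts outside the hunk.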
@@ -1,44 +0,0 @@ -#!/bin/bash -eu -# -# Copyright 2023 SLSA Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -mkdir release-files-for-slsa -project_version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \ - -Dexpression=project.version -q -DforceStdout -f "pom.xml") - -ls -# Move artifacts from the user-supplied artifact list -IFS=',' read -ra artifact_array <<< "$ARTIFACT_LIST" -for i in "${artifact_array[@]}" -do - i="${i#"${i%%[![:space:]]*}"}" # trim leading whitespace - i="${i%"${i##*[![:space:]]}"}" # trim trailing whitespace - # shellcheck disable=SC2001 - i=$(echo "$i" | sed 's/\"//') - # Check if $i is empty - if [ -z "$i" ] - then - continue - fi - - # Replace 'PROJECT_VERSION' with $project_version - path_with_version="${i//PROJECT_VERSION/"$project_version"}" - - # Move the file - bn=$(basename -- "$path_with_version") - mv "$path_with_version" release-files-for-slsa/"$bn" -done