1+ name : Publish Binaries
2+
3+ on :
4+ workflow_dispatch :
5+ inputs :
6+ build-run-id :
7+ description : " Workflow run id that produced signed artifacts (from go.yml build job)"
8+ required : true
9+ type : number
10+
11+ permissions :
12+ contents : read
13+ actions : read
14+ attestations : read
15+ packages : write
16+
17+ jobs :
18+
19+ publish :
20+ name : 🚚 Publish
21+ runs-on : ubuntu-latest
22+ env :
23+ # docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context
24+ GROUP_GITHUB : ${{ format('com.github.{0}', github.repository_owner) }}
25+ GROUP_OSSRH : com.celzero
26+ # project artifactId; see: pom.xml
27+ ARTIFACT : firestack
28+ REPO_GITHUB : github
29+ # central.sonatype.org/pages/ossrh-eol
30+ # or "central"
31+ REPO_OSSRH : ossrh
32+ # artefact type
33+ PACK : aar
34+ # final out from make-aar
35+ FOUT : firestack.aar
36+ FOUTDBG : firestack-debug.aar
37+ # artifact classifier; full unused
38+ CLASSFULL : full
39+ CLASSDBG : debug
40+ # artifact bytecode sources
41+ SOURCES : build/intra/tun2socks-sources.jar
42+ # POM for Maven Central
43+ POM_OSSRH : ossrhpom.xml
44+ DIST_DIR : dist
45+ steps :
46+ - name : 🥏 Checkout
47+ uses : actions/checkout@v6
48+ with :
49+ persist-credentials : false
50+
51+ - name : ℹ️ Source run metadata
52+ id : runmeta
53+ env :
54+ RUN_ID : ${{ inputs.build-run-id }}
55+ GH_TOKEN : ${{ github.token }}
56+ run : |
57+ set -euo pipefail
58+ info=$(gh run view "$RUN_ID" --json headSha,headBranch,event,displayTitle)
59+ echo "$info" | jq
60+ sha=$(echo "$info" | jq -r '.headSha')
61+ if [ -z "$sha" ] || [ "$sha" = "null" ]; then
62+ echo "::error::unable to resolve head sha for run $RUN_ID" >&2
63+ exit 11
64+ fi
65+ # git version (short commit sha)
66+ printf 'sha=%s\n' "$sha" >> "$GITHUB_OUTPUT"
67+ printf 'vcsver=%s\n' "${sha:0:10}" >> "$GITHUB_OUTPUT"
68+
69+ - name : ⬇️ Download artifacts
70+ uses : actions/download-artifact@v4
71+ with :
72+ pattern : firestack-aar-*
73+ run-id : ${{ inputs.build-run-id }}
74+ github-token : ${{ github.token }}
75+ path : ${{ env.DIST_DIR }}
76+
77+ - name : ⬇️ Download SBOM artifact
78+ uses : actions/download-artifact@v4
79+ with :
80+ pattern : firestack-sbom-*
81+ run-id : ${{ inputs.build-run-id }}
82+ github-token : ${{ github.token }}
83+ path : sbom
84+
85+ - name : 🔐 Verify artifact attestations
86+ env :
87+ REPO : ${{ github.repository }}
88+ ART_DIR : ${{ env.DIST_DIR }}
89+ GH_TOKEN : ${{ github.token }}
90+ run : |
91+ set -euo pipefail
92+ for file in "$ART_DIR/${FOUT}" "$ART_DIR/${FOUTDBG}"; do
93+ if [ ! -f "$file" ]; then
94+ echo "::error::missing artifact $file" >&2
95+ exit 12
96+ fi
97+ gh attestation verify "$file" -R "$REPO"
98+ done
99+
100+ - name : 🔐 Verify SBOM attestation
101+ env :
102+ REPO : ${{ github.repository }}
103+ GH_TOKEN : ${{ github.token }}
104+ run : |
105+ set -euo pipefail
106+ sbom_file=$(find sbom -name manifest.spdx.json -print -quit)
107+ if [ -z "$sbom_file" ]; then
108+ echo "::error::SBOM file not found in sbom/" >&2
109+ exit 13
110+ fi
111+ gh attestation verify "$sbom_file" -R "$REPO" --predicate-type "https://spdx.dev/Document/v2.2"
112+
113+ - name : 🏷️ Setup for GitHub Packages
114+ uses : actions/setup-java@v4
115+ with :
116+ java-version : ' 17'
117+ distribution : ' temurin'
118+
119+ - name : 😺 Publish to GitHub Packages
120+ shell : bash
121+ env :
122+ REPOSITORY : ${{ github.repository }}
123+ GITHUB_ACTOR : ${{ github.actor }}
124+ GITHUB_TOKEN : ${{ github.token }}
125+ VCSVER : ${{ steps.runmeta.outputs.vcsver }}
126+ run : |
127+ mvn deploy:deploy-file \
128+ -DgroupId="${GROUP_GITHUB}" \
129+ -DartifactId="${ARTIFACT}" \
130+ -Dversion="$VCSVER" \
131+ -Dpackaging="${PACK}" \
132+ -Dfile="${DIST_DIR}/${FOUT}" \
133+ -Dfiles="${DIST_DIR}/${FOUTDBG}" \
134+ -Dtypes="${PACK}" \
135+ -Dclassifiers=${CLASSDBG} \
136+ -DrepositoryId="${REPO_GITHUB}" \
137+ -Dsources="${DIST_DIR}/${SOURCES}" \
138+ -Durl="https://maven.pkg.github.com/${REPOSITORY}"
139+
140+ - name : 🏛️ Setup for Maven Central
141+ uses : actions/setup-java@v4
142+ with :
143+ java-version : ' 17'
144+ distribution : ' temurin'
145+ server-id : ossrh
146+ server-username : MAVEN_USERNAME
147+ server-password : MAVEN_PASSWORD
148+ gpg-private-key : ${{ secrets.OSSRH_CELZERO_GPG_PRIVATE_KEY }}
149+ gpg-passphrase : ${{ secrets.OSSRH_CELZERO_GPG_PASSPHRASE }}
150+
151+ - name : 📦 Publish to Maven Central
152+ shell : bash
153+ env :
154+ MAVEN_USERNAME : ${{ secrets.OSSRH_USERNAME }}
155+ MAVEN_PASSWORD : ${{ secrets.OSSRH_TOKEN }}
156+ MAVEN_NS : ${{ secrets.OSSRH_CELZERO_NAMESPACE }}
157+ MAVEN_GPG_PASSPHRASE : ${{ secrets.OSSRH_CELZERO_GPG_PASSPHRASE }}
158+ VCSVER : ${{ steps.runmeta.outputs.vcsver }}
159+ run : |
160+ mvn -f ${POM_OSSRH} versions:set -DnewVersion=${VCSVER} -DgenerateBackupPoms=false
161+
162+ mvn gpg:sign-and-deploy-file \
163+ -DgroupId="${GROUP_OSSRH}" \
164+ -DartifactId="${ARTIFACT}" \
165+ -Dversion="$VCSVER" \
166+ -Dpackaging="${PACK}" \
167+ -Dfile="${DIST_DIR}/${FOUT}" \
168+ -DrepositoryId="${REPO_OSSRH}" \
169+ -DpomFile=${POM_OSSRH} \
170+ -Dgpg.keyname=C3F3F4A160BB2CFFB5528699F19CE6642C40085C \
171+ -Dsources="${DIST_DIR}/${SOURCES}" \
172+ -Durl="https://ossrh-staging-api.central.sonatype.com/service/local/staging/deploy/maven2/"
173+
174+ mvn gpg:sign-and-deploy-file \
175+ -DgroupId="${GROUP_OSSRH}" \
176+ -DartifactId="${ARTIFACT}" \
177+ -Dversion="$VCSVER" \
178+ -Dpackaging="${PACK}" \
179+ -Dfile="${DIST_DIR}/${FOUTDBG}" \
180+ -Dclassifier=${CLASSDBG} \
181+ -DrepositoryId="${REPO_OSSRH}" \
182+ -DgeneratePom=false \
183+ -Dgpg.keyname=C3F3F4A160BB2CFFB5528699F19CE6642C40085C \
184+ -Durl="https://ossrh-staging-api.central.sonatype.com/service/local/staging/deploy/maven2/"
185+
186+ tok=$(printf "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" | base64)
187+ curl -D - -X POST -H "Authorization: Bearer ${tok}" \
188+ "https://ossrh-staging-api.central.sonatype.com/manual/upload/defaultRepository/${GROUP_OSSRH}?publishing_type=automatic"
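Review bot: The Maven Central upload on lines 186-188 builds the credential token with `printf "${MAVEN_USERNAME}:${MAVEN_PASSWORD}"`, so a `%` in either secret is treated as a format directive, and GNU `base64` wraps at 76 columns, which would put a newline into the Authorization header for a long user:token pair; `curl` is also run without `--fail`, so an HTTP 4xx/5xx from the publishing API leaves the step green. Suggested: `tok=$(printf '%s:%s' "$MAVEN_USERNAME" "$MAVEN_PASSWORD" | base64 -w0)` and `curl -sS --fail -D - -X POST -H "Authorization: Bearer ${tok}" \`. Separately, the runmeta step (lines 58-64) fetches `headBranch`, `event` and `displayTitle` but only prints them; since `build-run-id` is a free-form dispatch input, it would be worth also requesting `conclusion` and exiting unless it is `success` (and, if releases are only cut from a known branch or event, checking those fields too) before any artifact is downloaded. The attestation checks on lines 97 and 111 pin only the repository; if the go.yml build job is the only legitimate signer, adding `--signer-workflow` to both `gh attestation verify` calls would also pin the producing workflow.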