|
| 1 | +# Copyright © 2025 Cask Data, Inc. |
| 2 | +# Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| 3 | +# use this file except in compliance with the License. You may obtain a copy of |
| 4 | +# the License at |
| 5 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 6 | +# Unless required by applicable law or agreed to in writing, software |
| 7 | +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 8 | +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 9 | +# License for the specific language governing permissions and limitations under |
| 10 | +# the License. |
| 11 | + |
| 12 | +steps: |
| 13 | + # Step 1: Build Artifacts and Generate SBOM |
| 14 | + - name: 'maven:3.8-jdk-8' |
| 15 | + id: build-and-sbom |
| 16 | + entrypoint: 'mvn' |
| 17 | + env: |
| 18 | + - 'MAVEN_OPTS=-Xmx3200m' |
| 19 | + args: |
| 20 | + - -B |
| 21 | + - -V |
| 22 | + - -DskipTests |
| 23 | + - clean |
| 24 | + - package # Build and package |
| 25 | + - -P release |
| 26 | + - org.cyclonedx:cyclonedx-maven-plugin:2.7.10:makeAggregateBom # Generate SBOM |
| 27 | + |
| 28 | + # Step 2: Prepare and Stage Artifacts for Secure Publishing |
| 29 | + - name: 'gcr.io/cloud-builders/gsutil' |
| 30 | + id: stage-for-secure-publishing |
| 31 | + entrypoint: 'bash' |
| 32 | + args: |
| 33 | + - -c |
| 34 | + - | |
| 35 | + set -ex |
| 36 | +
|
| 37 | + # Check if substitutions are provided |
| 38 | + if [[ -z "${_SECURE_PUBLISH_BUCKET_NAME}" || "${_SECURE_PUBLISH_BUCKET_NAME}" == "YOUR_SECURE_PUBLISH_BUCKET_NAME" ]]; then |
| 39 | + echo "ERROR: _SECURE_PUBLISH_BUCKET_NAME substitution is missing or not set." |
| 40 | + exit 1 |
| 41 | + fi |
| 42 | + if [[ -z "${_APP_VERSION}" ]]; then |
| 43 | + echo "ERROR: _APP_VERSION substitution is missing." |
| 44 | + exit 1 |
| 45 | + fi |
| 46 | +
|
| 47 | + SECURE_GCS_PATH="gs://${_SECURE_PUBLISH_BUCKET_NAME}" |
| 48 | + STAGING_DIR="/workspace/secure-staging" |
| 49 | + mkdir -p "$${STAGING_DIR}" |
| 50 | +
|
| 51 | + echo "Gathering Maven artifacts for Secure Publishing..." |
| 52 | + # Find all relevant artifacts from the build in the root target directory |
| 53 | + find /workspace/target -maxdepth 1 -type f \( -name "*.pom" -o -name "*.jar" \) ! -name "original-*.jar" ! -name "*-tests.jar" -exec cp {} "$${STAGING_DIR}/" \; |
| 54 | +
|
| 55 | + # Add the aggregate SBOM if it's at the root target |
| 56 | + if [ -f /workspace/target/bom.json ]; then |
| 57 | + cp /workspace/target/bom.json "$${STAGING_DIR}/bom.json" |
| 58 | + else |
| 59 | + echo "WARNING: bom.json not found in /workspace/target" |
| 60 | + fi |
| 61 | +
|
| 62 | + echo "Uploading artifacts to Secure Publishing bucket: $${SECURE_GCS_PATH}" |
| 63 | + # Check if there are files to upload |
| 64 | + if [ -n "$(ls -A "$${STAGING_DIR}")" ]; then |
| 65 | + gsutil -m cp -r "$${STAGING_DIR}/." "$${SECURE_GCS_PATH}/" |
| 66 | + else |
| 67 | + echo "No artifacts found in $${STAGING_DIR} to upload." |
| 68 | + exit 1 |
| 69 | + fi |
| 70 | +
|
| 71 | + echo "Generating manifest.json" |
| 72 | + cd "$${STAGING_DIR}" |
| 73 | + printf '{\n "artifacts": [\n' > /workspace/manifest.json |
| 74 | + # escape double quotes in file names |
| 75 | + find . -type f -exec printf ' "%s",\n' {} \; | sed 's/"/\\"/g; s/^ "\\"/ "/' | sed '$ s/,$//' >> /workspace/manifest.json |
| 76 | + printf ' ]\n}\n' >> /workspace/manifest.json |
| 77 | + cd /workspace |
| 78 | + gsutil cp /workspace/manifest.json "$${SECURE_GCS_PATH}/manifest.json" |
| 79 | + echo "Secure Publishing staging complete." |
| 80 | +
|
| 81 | +options: |
| 82 | + requestedVerifyOption: VERIFIED |
| 83 | + logging: CLOUD_LOGGING_ONLY |
| 84 | + machineType: 'E2_HIGHCPU_32' |
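Review bot: `_APP_VERSION` is required by the check on file line 42 but is never used afterwards, so every run copies the jars and `manifest.json` to the bucket root on lines 65 and 78 and silently overwrites whatever the previous build published there; a versioned prefix, `SECURE_GCS_PATH="gs://${_SECURE_PUBLISH_BUCKET_NAME}/${_APP_VERSION}"`, keeps earlier releases intact and makes each manifest unambiguous. The manifest itself records only file names, so a consumer can verify nothing about the bytes it downloads; the rewrite below emits one object per artifact with a sha256 (this changes the entry shape from a string to an object, so any manifest consumer must be updated in the same change, and it assumes `sha256sum` is available in the gsutil builder image). As written the quote-escaping on line 75 also appears to leave the wrapping quotes escaped (`\"./x.jar\",`), which would make the manifest invalid JSON — worth confirming against the output of one run. Separately, `maven:3.8-jdk-8` and `gcr.io/cloud-builders/gsutil` are referenced by tag only; pinning both by `@sha256:` digest, and adding `set -o pipefail` so a failing `find | sed` pipeline cannot produce a truncated manifest, would tighten the build further.
```yaml
          # … unchanged: substitution checks, staging copy, artifact upload …
          echo "Generating manifest.json"
          cd "$${STAGING_DIR}"
          # One object per file, each carrying a sha256 so consumers can verify the bytes they fetch.
          printf '{\n  "artifacts": [\n' > /workspace/manifest.json
          first=1
          while IFS= read -r f; do
            sum="$(sha256sum "$$f" | cut -d' ' -f1)"
            # escape backslashes and double quotes in the path for JSON
            esc=$${f//\\/\\\\}
            esc=$${esc//\"/\\\"}
            [ "$$first" -eq 1 ] || printf ',\n' >> /workspace/manifest.json
            printf '    {"path": "%s", "sha256": "%s"}' "$$esc" "$$sum" >> /workspace/manifest.json
            first=0
          done < <(find . -type f | LC_ALL=C sort)
          printf '\n  ]\n}\n' >> /workspace/manifest.json
          cd /workspace
          # … unchanged: manifest upload …
```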