|
| 1 | +name: Release sigstore gradle plugins to Gradle Plugin Portal |
| 2 | +on: |
| 3 | + workflow_dispatch: |
| 4 | + |
| 5 | +jobs: |
| 6 | + process-tag: |
| 7 | + runs-on: ubuntu-latest |
| 8 | + outputs: |
| 9 | + version: ${{ steps.version.outputs.version }} |
| 10 | + steps: |
| 11 | + - name: checkout tag |
| 12 | + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
| 13 | + - name: process tag |
| 14 | + id: version |
| 15 | + run: | |
| 16 | + TAG=${{ github.ref_name }} |
| 17 | + echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT |
| 18 | + - name: verify tag matches gradle version |
| 19 | + run: | |
| 20 | + set -Eeo pipefail |
| 21 | + version=$(grep "^version=" gradle.properties | cut -d'=' -f2) |
| 22 | + if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then |
| 23 | + echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version" |
| 24 | + exit 1 |
| 25 | + fi |
| 26 | +
|
| 27 | + ci: |
| 28 | + needs: [process-tag] |
| 29 | + permissions: |
| 30 | + id-token: write # To run github oidc tests |
| 31 | + uses: ./.github/workflows/ci.yaml |
| 32 | + |
| 33 | + build: |
| 34 | + permissions: |
| 35 | + id-token: write # To sign the artifacts |
| 36 | + runs-on: ubuntu-latest |
| 37 | + needs: [ci, process-tag] |
| 38 | + outputs: |
| 39 | + hashes: ${{ steps.hash.outputs.hashes }} |
| 40 | + steps: |
| 41 | + - name: checkout tag |
| 42 | + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
| 43 | + |
| 44 | + - name: Set up JDK 11 |
| 45 | + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 |
| 46 | + with: |
| 47 | + java-version: 11 |
| 48 | + distribution: 'temurin' |
| 49 | + |
| 50 | + - name: Build, Sign and Release to Gradle Plugin Portal |
| 51 | + run: | |
| 52 | + ./gradlew publishPlugins -Prelease assemble -x publishPlugins |
| 53 | +# ./gradlew publishPlugins -Prelease -Pgradle.publish.key=$GRADLE_PUBLISH_KEY -Pgradle.publish.secret=$GRADLE_PUBLISH_SECRET |
| 54 | + env: |
| 55 | + ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }} |
| 56 | + ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }} |
| 57 | +# GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }} |
| 58 | +# GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }} |
| 59 | + |
| 60 | + - name: SLSA -- Hash Artifacts |
| 61 | + id: hash |
| 62 | + run: | |
| 63 | + mkdir slsa-files |
| 64 | + cp sigstore-gradle/sigstore-gradle-sign-plugin/build/libs/*.jar slsa-files |
| 65 | + cp sigstore-gradle/sigstore-gradle-sign-plugin/build/publications/pluginMaven/pom-default.xml slsa-files/sigstore-gradle-sign-plugin-${{ needs.process-tag.outputs.version }}.pom |
| 66 | + cp sigstore-gradle/sigstore-gradle-sign-plugin/build/publications/pluginMaven/module.json slsa-files/sigstore-gradle-sign-plugin-${{ needs.process-tag.outputs.version }}.module |
| 67 | + cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/libs/*.jar slsa-files |
| 68 | + cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/publications/pluginMaven/pom-default.xml slsa-files/sigstore-gradle-sign-base-plugin-${{ needs.process-tag.outputs.version }}.pom |
| 69 | + cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/publications/pluginMaven/module.json slsa-files/sigstore-gradle-sign-base-plugin-${{ needs.process-tag.outputs.version }}.module |
| 70 | + cd slsa-files |
| 71 | + echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT |
| 72 | +
|
| 73 | + - name: Upload build artifacts |
| 74 | + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 |
| 75 | + with: |
| 76 | + name: project-release-artifacts |
| 77 | + path: ./slsa-files |
| 78 | + if-no-files-found: error |
| 79 | + |
| 80 | + provenance: |
| 81 | + needs: [build, process-tag] |
| 82 | + permissions: |
| 83 | + actions: read # To read the workflow path. |
| 84 | + id-token: write # To sign the provenance. |
| 85 | + contents: write # To add assets to a release. |
| 86 | + # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators |
| 87 | + # remember to update "Download Attestations" when SLSA updates to actions/download-artifact@v4 |
| 88 | + uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] |
| 89 | + with: |
| 90 | + provenance-name: "sigstore-gradle-sign-plugin-${{ needs.process-tag.outputs.version }}.attestation.intoto.jsonl" |
| 91 | + base64-subjects: "${{ needs.build.outputs.hashes }}" |
| 92 | + |
| 93 | + create-release-on-github: |
| 94 | + runs-on: ubuntu-latest |
| 95 | + needs: [provenance, build, process-tag] |
| 96 | + permissions: |
| 97 | + contents: write |
| 98 | + steps: |
| 99 | + - name: Download attestation |
| 100 | + # keep at v3.x since slsa generator uses 3.x (update this when slsa-framework updates) |
| 101 | + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 |
| 102 | + with: |
| 103 | + name: "${{ needs.provenance.outputs.attestation-name }}" |
| 104 | + path: ./release/ |
| 105 | + - name: Copy attestation for base plugin |
| 106 | + run: | |
| 107 | + cp "./release/${{ needs.provenance.outputs.attestation-name }}" "./release/sigstore-gradle-sign-base-plugin-${{ needs.process-tag.outputs.version }}.attestation.intoto.jsonl" |
| 108 | + - name: Download gradle release artifacts |
| 109 | + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 |
| 110 | + with: |
| 111 | + name: project-release-artifacts |
| 112 | + path: ./release/ |
| 113 | + - name: Create release |
| 114 | + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15 |
| 115 | + with: |
| 116 | + tag_name: v${{ needs.process-tag.outputs.version }} |
| 117 | + name: v${{ needs.process-tag.outputs.version }}-gradle |
| 118 | + body: "See [CHANGELOG.md](https://github.com/${{ vars.GITHUB_REPOSITORY }}/blob/main/CHANGELOG.md) for more details." |
| 119 | + files: ./release/* |
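Review bot: `${{ github.ref_name }}` and `${{ steps.version.outputs.version }}` are interpolated straight into shell in the `process tag` and `verify tag matches gradle version` steps (gutter 16, 22–23), so a ref name containing shell metacharacters is executed as code in the runner rather than compared as data; the trigger is `workflow_dispatch` only, which narrows who can pick the ref, but the same value then flows into `cp` paths and release file names in later jobs, so it should be passed through `env:` and validated against the expected tag shape before use (regex below is an assumption about the project's version scheme — adjust it). Separately, `vars.GITHUB_REPOSITORY` at gutter 118 refers to a repository configuration variable, which does not appear to be defined anywhere here and would render an empty link; `github.repository` is the context value that carries `owner/repo`, so `https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md` is likely what was intended.
```yaml
      - name: process tag
        id: version
        env:
          TAG: ${{ github.ref_name }}
        run: |
          set -Eeo pipefail
          [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.]+)?$ ]] || { echo "ref '$TAG' is not a release tag"; exit 1; }
          echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
      - name: verify tag matches gradle version
        env:
          EXPECTED: ${{ steps.version.outputs.version }}
        run: |
          set -Eeo pipefail
          version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
          if [[ "$version" != "$EXPECTED" ]]; then
            echo "tagged version (as $EXPECTED) does not match gradle.properties $version"
            exit 1
          fi
# … unchanged: ci, build, provenance and create-release-on-github jobs …
```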