fix: Update maven helper plugin build (#3746)

# Summary

Attempt to fix
#3663 (comment)

Update the build definition for the maven slsa-hashing-plugin. It seems
to be pretty old and slightly misconfigured. @ianlewis @ramonpetgrave64
This might fix the testing issue? I'm not exactly sure how to trigger
the original failure though.

If after merging the fix doesn't work, then we will revert.

## Testing Process

We were able to partially test the fix locally, but we can't be 100%
sure until after merging.
We have an new pre-submit e2e test workflow that we can invoke from
within this repo to test the changes, though a more full test should
still be invoked from example-package.

## Checklist

- [x] Review the contributing
[guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md)
- [x] Add a reference to related issues in the PR description.
- [x] Update documentation if applicable.
- [x] Add unit tests if applicable.
- [ ] Add changes to the
[CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
if applicable.

Signed-off-by: Appu Goundan <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>

Author: loosebazooka

.github/workflows/pre-submit.e2e.maven.yml

@@ -0,0 +1,57 @@
+# Copyright 2023 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: pre-submit e2e maven
+
+on:
+  # builder_maven_slsa3.yml relies on .github/actions/verify-token, which does not support merge_group and pull_request events.
+  push:
+  workflow_dispatch:
+
+permissions: read-all
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  build:
+    permissions:
+      id-token: write # For signing.
+      contents: read # For repo checkout of private repos.
+      actions: read # For getting workflow run on private repos.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main
+    with:
+      directory: ./e2e/maven/workflow_dispatch
+
+  verify:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-attestations@main
+        with:
+          name: "${{ needs.build.outputs.provenance-download-name }}"
+          sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
+          path: ./
+      - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-target@main
+        with:
+          name: "${{ needs.build.outputs.target-download-name }}"
+          sha256: "${{ needs.build.outputs.target-download-sha256 }}"
+          path: ./
+      - uses: slsa-framework/slsa-verifier/actions/[email protected]
+      - name: Verify artifact
+        env:
+          PROVENANCE_PATH: ${{ needs.build.outputs.provenance-download-name }}
+          TARGET_PATH: ${{ needs.build.outputs.target-download-name }}
+        run: slsa-verifier verify-artifact "$TARGET_PATH" --provenance-path "$PROVENANCE_PATH"

.gitignore

@@ -18,6 +18,9 @@
 vendor/
 node_modules/
 
+# maven
+target/
+
 # Go workspace file
 go.work
 go.work.sum

actions/maven/publish/slsa-hashing-plugin/pom.xml

@@ -10,6 +10,7 @@
 
     <name>Jarfile Hashing Maven Mojo</name>
     <url>http://maven.apache.org</url>
+    <description>A slsa maven helper plugin</description>
 
     <properties>
         <maven.compiler.target>1.8</maven.compiler.target>
@@ -21,6 +22,7 @@
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-plugin-api</artifactId>
             <version>3.9.8</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.maven.plugin-tools</groupId>
@@ -30,13 +32,39 @@
         </dependency>
         <dependency>
             <groupId>org.apache.maven</groupId>
-            <artifactId>maven-project</artifactId>
-            <version>2.2.1</version>
+            <artifactId>maven-core</artifactId>
+            <version>3.9.8</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
             <version>20231013</version>
         </dependency>
     </dependencies>
+
+    <build>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-plugin-plugin</artifactId>
+            <version>3.6.0</version>
+            <configuration>
+              <skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
+            </configuration>
+            <executions>
+              <execution>
+                <id>default-descriptor</id>
+                <phase>process-classes</phase>
+              </execution>
+              <execution>
+                <id>help-goal</id>
+                <goals>
+                  <goal>helpmojo</goal>
+                </goals>
+              </execution>
+            </executions>
+         </plugin>
+      </plugins>
+    </build>
 </project>

e2e/README.md

@@ -0,0 +1,3 @@
+# E2E Tests
+
+This folder contains test data for some end-to-end (E2E) tests.

e2e/maven/workflow_dispatch/pom.xml

@@ -0,0 +1,163 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+   <modelVersion>4.0.0</modelVersion>
+   <groupId>io.github.adamkorcz</groupId>
+   <artifactId>test-java-project</artifactId>
+   <version>1.21.97</version>
+   <packaging>jar</packaging>
+   <name>Adams test java project</name>
+   <description>A test java project.</description>
+   <url>https://github.com/AdamKorcz/test-java-project</url>
+   <properties>
+      <maven.compiler.source>1.8</maven.compiler.source>
+      <maven.compiler.target>1.8</maven.compiler.target>
+   </properties>
+   <distributionManagement>
+      <snapshotRepository>
+         <id>ossrh</id>
+         <url>https://s01.oss.sonatype.org/content/repositories/snapshots</url>
+      </snapshotRepository>
+      <repository>
+         <id>ossrh</id>
+         <url>https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+      </repository>
+   </distributionManagement>
+   <licenses>
+      <license>
+         <name>MIT License</name>
+         <url>http://www.opensource.org/licenses/mit-license.php</url>
+      </license>
+   </licenses>
+   <developers>
+      <developer>
+         <name>Adam K</name>
+         <email>[email protected]</email>
+         <organization>Ada Logics</organization>
+         <organizationUrl>http://www.adalogics.com</organizationUrl>
+      </developer>
+   </developers>
+   <scm>
+      <connection>scm:git:git://github.com/adamkorcz/test-java-project.git</connection>
+      <developerConnection>scm:git:ssh://github.com:simpligility/test-java-project.git</developerConnection>
+      <url>http://github.com/adamkorcz/test-java-project/tree/main</url>
+   </scm>
+   <build>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-source-plugin</artifactId>
+            <version>3.3.1</version>
+            <executions>
+               <execution>
+                  <id>attach-sources</id>
+                  <phase>package</phase>
+                  <goals>
+                     <goal>jar-no-fork</goal>
+                  </goals>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-javadoc-plugin</artifactId>
+            <version>3.6.3</version>
+            <configuration>
+               <javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
+            </configuration>
+            <executions>
+               <execution>
+                  <id>attach-javadocs</id>
+                  <goals>
+                     <goal>jar</goal>
+                  </goals>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-shade-plugin</artifactId>
+            <version>3.5.1</version>
+            <executions>
+               <execution>
+                  <phase>package</phase>
+                  <goals>
+                     <goal>shade</goal>
+                  </goals>
+                  <configuration>
+                     <transformers>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                           <mainClass>hello.HelloWorld</mainClass>
+                        </transformer>
+                     </transformers>
+                  </configuration>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <groupId>org.sonatype.plugins</groupId>
+            <artifactId>nexus-staging-maven-plugin</artifactId>
+            <version>1.6.13</version>
+            <extensions>true</extensions>
+            <configuration>
+               <serverId>ossrh</serverId>
+               <nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
+               <autoReleaseAfterClose>false</autoReleaseAfterClose>
+            </configuration>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-gpg-plugin</artifactId>
+            <version>3.1.0</version>
+            <executions>
+               <execution>
+                  <id>sign-artifacts</id>
+                  <phase>verify</phase>
+                  <goals>
+                     <goal>sign</goal>
+                  </goals>
+               </execution>
+            </executions>
+            <configuration>
+               <gpgArguments>
+                  <argument>--pinentry-mode</argument>
+                  <argument>loopback</argument>
+               </gpgArguments>
+            </configuration>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-deploy-plugin</artifactId>
+            <version>3.1.2</version>
+            <executions>
+              <execution>
+                  <id>deploy-file</id>
+                  <phase>deploy</phase>
+                  <goals>
+                      <goal>deploy-file</goal>
+                  </goals>
+                  <configuration>
+                      <file>textfile.txt</file>
+                      <url>https://s01.oss.sonatype.org/</url>
+                      <repositoryId>io.github.adamkorcz</repositoryId>
+                  </configuration>
+              </execution>
+          </executions>
+         </plugin>         
+         <plugin>
+             <groupId>io.github.slsa-framework.slsa-github-generator</groupId>
+             <artifactId>hash-maven-plugin</artifactId>
+             <version>0.0.1</version>
+             <executions>
+                 <execution>
+                     <goals>
+                         <goal>hash-jarfile</goal>
+                     </goals>
+                 </execution>
+             </executions>
+             <configuration>
+                 <outputJsonPath>${SLSA_OUTPUTS_ARTIFACTS_FILE}</outputJsonPath>
+             </configuration>
+         </plugin>
+      </plugins>
+   </build>
+</project>

e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java

@@ -0,0 +1,7 @@
+package hello;
+
+public class Greeter {
+  public String sayHello() {
+    return "Hello world!";
+  }
+}

e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java

@@ -0,0 +1,8 @@
+package hello;
+
+public class HelloWorld {
+  public static void main(String[] args) {
+    Greeter greeter = new Greeter();
+    System.out.println(greeter.sayHello());
+  }
+}