slsa-framework · laurentsimon · Aug 1, 2023 · Jul 26, 2023 · Jul 26, 2023 · Jul 26, 2023
@@ -0,0 +1,70 @@
+# Publishing SLSA3+ provenance to Maven Central
+
+This document explains how to publish SLSA3+ artifacts and provenance to Maven central.
+
+The publish Action is in its early stages and is likely to develop over time. Future breaking changes may occur.
+
+To get started with publishing artifacts to Maven Central Repository, see [this guide](https://maven.apache.org/repository/guide-central-repository-upload.html).
+
+Before you use this publish Action, you will need to configure your Github project with the correct secrets. See [this guide](https://docs.github.com/en/actions/publishing-packages/publishing-java-packages-with-maven) for more.
+
+## Using the Maven Publish action
+
+To use the Maven action you need to add the step in your release workflow that invokes it.
+
+Before using the Maven publish action, you should have a workflow that invokes the [Maven builder](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/maven/README.md). It will look something like this:
+
+```yaml
+name: Release Maven project
+on:
+  - workflow_dispatch
+
+permissions: read-all
+
+jobs:
+  build:
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+      packages: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      rekor-log-public: true
+```
+
+To use the Publish action, you need to add another job:
+
+```yaml
+publish:
+  runs-on: ubuntu-latest
+  needs: build
+  permissions:
+    id-token: write
+    contents: read
+    actions: read
+  steps:
+    - name: publish
+      id: publish
+      uses: slsa-framework/slsa-github-generator/actions/maven/[email protected]
+      with:
+        provenance-download-name: "${{ needs.build.outputs.provenance-download-name }}"
+        provenance-download-sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
+        target-download-sha256: "${{ needs.build.outputs.target-download-sha256 }}"
+        maven-username: ${{ secrets.OSSRH_USERNAME }}
+        maven-password: ${{ secrets.OSSRH_PASSWORD }}
+        gpg-key-pass: ${{ secrets.GPG_PASSPHRASE }}
+        gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+```
+
+Set the values of "maven-username", "maven-password", "gpg-key-pass" and " gpg-private-key" for your account. The parameters to `provenance-download-name`, `provenance-download-sha256` and `target-download-sha256` should not be changed.
+
+Once you trigger this workflow, your artifacts and provenance files will be added to a staging repository in Maven Central. You need to close the staging repository and then release:
+
+Closing the staging repository:
+
+![closing the staging repository](/actions/gradle/publish/images/gradle-publisher-staging-repository.png)
+
+Releasing:
+
+![releasing the Gradle artefacts](/actions/gradle/publish/images/gradle-publisher-release-closed-repository.png)
@@ -0,0 +1,124 @@
+# Copyright 2023 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+inputs:
+  provenance-download-name:
+    description: "The artifact name for the package provenance."
+    required: true
+    type: string
+  provenance-download-sha256:
+    description: "The sha256 of the package provenance artifact."
+    required: true
+    type: string
+  target-download-sha256:
+    description: "The sha256 of the target directory."
+    required: true
+    type: string
+  maven-username:
+    description: "Maven username"
+    required: true
+  maven-password:
+    description: "Maven password"
+    required: true
+  gpg-key-pass:
+    description: "gpg-key-pass"
+    required: true
+  gpg-private-key:
+    description: "gpg-key-pass"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout the project repository
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
+    - name: Set up Java for publishing to Maven Central Repository
+      uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
+      env:
+        MAVEN_USERNAME: ${{ inputs.maven-username }}
+        MAVEN_PASSWORD: ${{ inputs.maven-password }}
+        GPG_KEY_PASS: ${{ inputs.gpg-key-pass }}
+      with:
+        java-version: '11'
+        distribution: 'temurin'
+        server-id: ossrh
+        server-username: MAVEN_USERNAME
+        server-password: MAVEN_PASSWORD
+        gpg-private-key: ${{ inputs.gpg-private-key }}
+        gpg-passphrase: GPG_KEY_PASS
+
+    - name: Download the slsa attestation
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main
+      with:
+        name: "${{ inputs.provenance-download-name }}"
+        path: slsa-attestations
+        sha256: "${{ inputs.provenance-download-sha256 }}"
+
+    - name: Download the target dir
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main
+      with:
+        name: target
+        path: ./
+        sha256: "${{ inputs.target-download-sha256 }}"
+
+    - name: Checkout the tool repository
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
+      with:
+        repository: AdamKorcz/slsa-github-generator
+        ref: maven-publisher-to-action #main
+        path: __BUILDER_CHECKOUT_DIR__
+
+    - name: Publish to the Maven Central Repository
+      shell: bash
+      env:
+        MAVEN_USERNAME: "${{ inputs.maven-username }}"
+        MAVEN_PASSWORD: "${{ inputs.maven-password }}"
+        GPG_KEY_PASS: "${{ inputs.gpg-key-pass }}"
+        SLSA_DIR: "${{ inputs.provenance-download-name }}"
+        PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
+      run: |
+        #mv __BUILDER_CHECKOUT_DIR__ ../
+        find ../.. -name "*.java"
+        echo "ls"
+        ls
+        echo "ls .."
+        ls ..
+        echo "ls __BUILDER_CHECKOUT_DIR__"
+        ls __BUILDER_CHECKOUT_DIR__
+
+        cd __BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd -
+        mvn javadoc:jar source:jar
+        # Retrieve project version
+        export version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
+        export artifactid=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout)
+        # Reset the environment variables add in the base provenance
+        export files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.build.slsa"
+        export types=slsa
+        export classifiers=jar.build
+        # Find all necessary built jar files and attach them to the environment variable deploy
+        while read -r name; do
+          target=$(echo "${name}" | rev | cut -d- -f1 | rev)
+          files=$files,$name
+          types=$types,${target##*.}
+          classifiers=$classifiers,${target%.*}
+        done <<<"$(find ./ -name "$artifactid-$version-*.jar")"
+        # Find all generated provenance files and attach them the the environment variable for deploy
+        while read -r name; do
+          target=$(echo "${name}" | rev | cut -d- -f1 | rev)
+          files=$files,$name
+          types=$types",slsa"
+          classifiers=$classifiers,${target::-9}
+        done <<<"$(find ./ -name "$artifactid-$version-*.jar.build.slsa")"
+        # Sign and deploy the files to the ossrh remote repository
+        mvn validate jar:jar -Dfile=target/"${artifactid}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${files}" -Dtypes="${types}" -Dclassifiers="${classifiers}" -DpomFile=pom.xml gpg:sign-and-deploy-file
@@ -0,0 +1,42 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>dev.slsa.slsaframework</groupId>
+    <artifactId>hash-maven-plugin</artifactId>
+    <packaging>maven-plugin</packaging>
+    <version>0.0.1</version>
+
+    <name>Jarfile Hashing Maven Mojo</name>
+    <url>http://maven.apache.org</url>
+
+    <properties>
+        <maven.compiler.target>1.8</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.maven</groupId>
+            <artifactId>maven-plugin-api</artifactId>
+            <version>3.6.3</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.maven.plugin-tools</groupId>
+            <artifactId>maven-plugin-annotations</artifactId>
+            <version>3.6.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.maven</groupId>
+            <artifactId>maven-project</artifactId>
+            <version>2.2.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.json</groupId>
+            <artifactId>json</artifactId>
+            <version>20230227</version>
+        </dependency>
+    </dependencies>
+</project>