build: Fix SLSA provenance #84
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: EarlyAccess | |
| on: | |
| push: | |
| branches: [ development ] | |
| permissions: | |
| contents: read | |
| actions: write | |
| env: | |
| REPO_OWNER: 'kordamp' | |
| REPO_NAME: 'jarviz' | |
| GITHUB_BOT_EMAIL: '41898282+github-actions[bot]@users.noreply.github.com' | |
| jobs: | |
| precheck: | |
| name: Precheck | |
| if: github.repository == 'kordamp/jarviz' && startsWith(github.event.head_commit.message, 'Releasing version') != true | |
| runs-on: ubuntu-latest | |
| outputs: | |
| VERSION: ${{ steps.vars.outputs.VERSION }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Cancel previous run | |
| uses: styfle/[email protected] | |
| with: | |
| access_token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Version | |
| id: vars | |
| shell: bash | |
| run: | | |
| echo "VERSION=$(cat VERSION)" >> $GITHUB_OUTPUT | |
| release: | |
| name: Release | |
| needs: [precheck] | |
| if: endsWith(${{ needs.precheck.outputs.VERSION }}, '-SNAPSHOT') | |
| runs-on: ubuntu-latest | |
| outputs: | |
| JAR_SIZE: ${{ steps.bach.outputs.JAR_SIZE }} | |
| JAR_CSUM: ${{ steps.bach.outputs.JAR_CSUM }} | |
| DOC_SIZE: ${{ steps.bach.outputs.DOC_SIZE }} | |
| HASHES: ${{ steps.slsa.outputs.HASHES }} | |
| TAGNAME: ${{ steps.slsa.outputs.TAGNAME }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: ${{ vars.JAVA_VERSION }} | |
| distribution: ${{ vars.JAVA_DISTRO }} | |
| cache: gradle | |
| - name: Build | |
| run: ./gradlew -PreproducibleBuild=true build -S | |
| - name: Assemble | |
| uses: jreleaser/release-action@v2 | |
| with: | |
| version: early-access | |
| arguments: assemble | |
| env: | |
| JRELEASER_PROJECT_VERSION: ${{ needs.precheck.outputs.VERSION }} | |
| JRELEASER_BRANCH: development | |
| - name: Release | |
| uses: jreleaser/release-action@v2 | |
| with: | |
| version: early-access | |
| arguments: full-release | |
| env: | |
| JRELEASER_PROJECT_VERSION: ${{ needs.precheck.outputs.VERSION }} | |
| JRELEASER_BRANCH: development | |
| JRELEASER_GITHUB_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }} | |
| JRELEASER_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| JRELEASER_GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }} | |
| JRELEASER_GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }} | |
| - name: Grab bach-info | |
| id: bach | |
| shell: bash | |
| run: | | |
| JAR_SIZE=$(ls -l out/jreleaser/artifacts/jarviz-tool-provider/jarviz-tool-provider-early-access.jar | awk '{print $5}') | |
| JAR_CSUM=$(shasum -a 256 out/jreleaser/artifacts/jarviz-tool-provider/jarviz-tool-provider-early-access.jar | awk '{print $1}') | |
| DOC_SIZE=$(ls -l README.adoc | awk '{print $5}') | |
| echo "JAR_SIZE=$(echo $JAR_SIZE)" >> $GITHUB_OUTPUT | |
| echo "JAR_CSUM=$(echo $JAR_CSUM)" >> $GITHUB_OUTPUT | |
| echo "DOC_SIZE=$(echo $DOC_SIZE)" >> $GITHUB_OUTPUT | |
| - name: JReleaser release output | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: jarviz-release | |
| path: | | |
| out/jreleaser/trace.log | |
| out/jreleaser/output.properties | |
| - name: SLSA | |
| shell: bash | |
| id: slsa | |
| run: | | |
| echo "HASHES=$(cat out/jreleaser/checksums/checksums_sha256.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| echo "TAGNAME=$(grep tagName out/jreleaser/output.properties | awk -F'=' '{print $2}')" >> "$GITHUB_OUTPUT" | |
| provenance: | |
| needs: [release] | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| base64-subjects: ${{ needs.release.outputs.HASHES }} | |
| upload-assets: true | |
| upload-tag-name: ${{ needs.release.outputs.TAGNAME }} | |
| provenance-name: jarviz-all-${{ needs.release.outputs.TAGNAME }}.intoto.jsonl | |
| update-bach-info: | |
| name: Update bach-info | |
| needs: [precheck, release] | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: kordamp/bach-info | |
| ref: 'main' | |
| fetch-depth: 0 | |
| token: ${{ secrets.GIT_ACCESS_TOKEN }} | |
| - name: Download bach-info script | |
| run: | | |
| curl -sL https://raw.githubusercontent.com/kordamp/jarviz/main/.github/scripts/update-bach-info.sh --output update-bach-info.sh | |
| chmod +x update-bach-info.sh | |
| - name: Commit | |
| env: | |
| TAG: "early-access" | |
| VERSION: ${{ needs.precheck.outputs.VERSION }} | |
| JAR_SIZE: ${{ needs.release.outputs.JAR_SIZE }} | |
| JAR_CSUM: ${{ needs.release.outputs.JAR_CSUM }} | |
| DOC_SIZE: ${{ needs.release.outputs.DOC_SIZE }} | |
| run: sh update-bach-info.sh |