Skip to content

Add support for verifying dsse-intoto #3006

Add support for verifying dsse-intoto

Add support for verifying dsse-intoto #3006

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will build a Java project with Gradle and
# cache/restore any dependencies to improve the workflow execution time
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
name: Test
on:
push:
branches:
- '*'
pull_request:
branches:
- main
workflow_call: # allow this workflow to be called by other workflows
concurrency:
# On master/release, we don't want any jobs cancelled
# On PR branches, we cancel the job if new commits are pushed
# More info: https://stackoverflow.com/a/70972844/1261287
group: ${{ github.ref }}-ci
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
jobs:
build:
strategy:
matrix:
java-version: [11, 17]
fail-fast: false
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up JDK ${{ matrix.java-version }}
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
with:
java-version: ${{ matrix.java-version }}
distribution: 'temurin'
- name: Setup Go environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: '1.21.x'
# at some point this should just be replaced with something that can bring up a sigstore test env
- name: Install Fulcio
run: go install github.com/sigstore/fulcio@main
- name: Setup Gradle
uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
# if you need to skip staging due to flakiness use "-PskipStaging"
- name: Test sigstore-java
run: ./gradlew build
- name: Ensure sigstore-java self signing still works
run: ./gradlew sigstore-java:publishToMavenLocal -Prelease -PskipPgpSigning
- name: Test sigstore-java/sandbox
run: |
cd sandbox
./gradlew build