Tag and Build Release #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tag and Build Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release_version: | |
| description: new release version | |
| required: true | |
| default: (for example, 0.1.0) | |
| jobs: | |
| checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check inputs | |
| run: | | |
| if [[ ! "${{ github.event.inputs.release_version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo 'version "${{ github.event.inputs.release_version }}" not in ###.###.### format' | |
| exit 1 | |
| fi | |
| ci: | |
| permissions: | |
| id-token: write # To run github oidc tests | |
| uses: ./.github/workflows/ci.yaml | |
| create-tag: | |
| needs: [checks, ci] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: tag | |
| uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 | |
| with: | |
| script: | | |
| github.rest.git.createRef({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| ref: "refs/tags/v${{ github.event.inputs.release_version }}", | |
| sha: context.sha | |
| }) | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [create-tag] | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| steps: | |
| - name: checkout tag | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| with: | |
| ref: "refs/tags/v${{ github.event.inputs.release_version }}" | |
| - name: Set up JDK 11 | |
| uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 | |
| with: | |
| java-version: 11 | |
| distribution: 'temurin' | |
| - name: Build project | |
| run: | | |
| ./gradlew clean :sigstore-java:createReleaseBundle -Pversion=${{ github.event.inputs.release_version }} -Prelease -PskipSign | |
| - name: Hash Artifacts | |
| id: hash | |
| run: | | |
| cd sigstore-java/build/release | |
| echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT | |
| sha256sum ./* | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: project-release-artifacts | |
| path: ./sigstore-java/build/release/ | |
| if-no-files-found: error | |
| provenance: | |
| needs: [build] | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| attestation-name: "sigstore-java-${{ github.event.inputs.release_version }}.attestation.intoto.jsonl" | |
| base64-subjects: "${{ needs.build.outputs.hashes }}" | |
| create-release: | |
| runs-on: ubuntu-latest | |
| needs: [provenance, build] | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Download attestation | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: "${{ needs.provenance.outputs.attestation-name }}" | |
| path: ./release/ | |
| - name: Download gradle release artifacts | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: project-release-artifacts | |
| path: ./release/ | |
| - name: Create draft release | |
| uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15 | |
| with: | |
| tag_name: v${{ github.event.inputs.release_version }} | |
| body: "See [CHANGELOG.md](https://github.com/${{ vars.GITHUB_REPOSITORY }}/blob/main/CHANGELOG.md) for more details." | |
| files: ./release/* |