From 3b9d04cac46fe3f10cdd7b8fac7489dea67f03a6 Mon Sep 17 00:00:00 2001 From: Appu Goundan Date: Tue, 23 Jan 2024 15:26:08 -0500 Subject: [PATCH] Release plugins to gradle plugin portal Signed-off-by: Appu Goundan --- ...lease-sigstore-gradle-plugin-from-tag.yaml | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 .github/workflows/release-sigstore-gradle-plugin-from-tag.yaml diff --git a/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml b/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml new file mode 100644 index 00000000..68fba486 --- /dev/null +++ b/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml @@ -0,0 +1,119 @@ +name: Release sigstore gradle plugins to Gradle Plugin Portal +on: + workflow_dispatch: + +jobs: + process-tag: + runs-on: ubuntu-latest + outputs: + version: ${{ steps.version.outputs.version }} + steps: + - name: checkout tag + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: process tag + id: version + run: | + TAG=${{ github.ref_name }} + echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT + - name: verify tag matches gradle version + run: | + set -Eeo pipefail + version=$(grep "^version=" gradle.properties | cut -d'=' -f2) + if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then + echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version" + exit 1 + fi + + ci: + needs: [process-tag] + permissions: + id-token: write # To run github oidc tests + uses: ./.github/workflows/ci.yaml + + build: + permissions: + id-token: write # To sign the artifacts + runs-on: ubuntu-latest + needs: [ci, process-tag] + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + steps: + - name: checkout tag + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Set up JDK 11 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 + with: + java-version: 11 + distribution: 'temurin' + + - name: Build, Sign and Release to Gradle Plugin Portal + run: | + ./gradlew publishPlugins -Prelease assemble -x publishPlugins +# ./gradlew publishPlugins -Prelease -Pgradle.publish.key=$GRADLE_PUBLISH_KEY -Pgradle.publish.secret=$GRADLE_PUBLISH_SECRET + env: + ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }} + ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }} +# GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }} +# GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }} + + - name: SLSA -- Hash Artifacts + id: hash + run: | + mkdir slsa-files + cp sigstore-gradle/sigstore-gradle-sign-plugin/build/libs/*.jar slsa-files + cp sigstore-gradle/sigstore-gradle-sign-plugin/build/publications/pluginMaven/pom-default.xml slsa-files/sigstore-gradle-sign-plugin-${{ needs.process-tag.outputs.version }}.pom + cp sigstore-gradle/sigstore-gradle-sign-plugin/build/publications/pluginMaven/module.json slsa-files/sigstore-gradle-sign-plugin-${{ needs.process-tag.outputs.version }}.module + cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/libs/*.jar slsa-files + cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/publications/pluginMaven/pom-default.xml slsa-files/sigstore-gradle-sign-base-plugin-${{ needs.process-tag.outputs.version }}.pom + cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/publications/pluginMaven/module.json slsa-files/sigstore-gradle-sign-base-plugin-${{ needs.process-tag.outputs.version }}.module + cd slsa-files + echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT + + - name: Upload build artifacts + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + with: + name: project-release-artifacts + path: ./slsa-files + if-no-files-found: error + + provenance: + needs: [build, process-tag] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators + # remember to update "Download Attestations" when SLSA updates to actions/download-artifact@v4 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + with: + provenance-name: "sigstore-gradle-sign-plugin-${{ needs.process-tag.outputs.version }}.attestation.intoto.jsonl" + base64-subjects: "${{ needs.build.outputs.hashes }}" + + create-release-on-github: + runs-on: ubuntu-latest + needs: [provenance, build, process-tag] + permissions: + contents: write + steps: + - name: Download attestation + # keep at v3.x since slsa generator uses 3.x (update this when slsa-framework updates) + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: "${{ needs.provenance.outputs.attestation-name }}" + path: ./release/ + - name: Copy attestation for base plugin + run: | + cp "./release/${{ needs.provenance.outputs.attestation-name }}" "./release/sigstore-gradle-sign-base-plugin-${{ needs.process-tag.outputs.version }}.attestation.intoto.jsonl" + - name: Download gradle release artifacts + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + with: + name: project-release-artifacts + path: ./release/ + - name: Create release + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15 + with: + tag_name: v${{ needs.process-tag.outputs.version }} + name: v${{ needs.process-tag.outputs.version }}-gradle + body: "See [CHANGELOG.md](https://github.com/${{ vars.GITHUB_REPOSITORY }}/blob/main/CHANGELOG.md) for more details." + files: ./release/*