Release plugins to gradle plugin portal

Signed-off-by: Appu Goundan <[email protected]>
sigstore · Jan 24, 2024 · 739e25e · 739e25e
1 parent 55f36f4
commit 739e25e
Showing 1 changed file with 119 additions and 0 deletions.
diff --git a/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml b/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml
@@ -0,0 +1,119 @@
+name: Release sigstore gradle plugins to Gradle Plugin Portal
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: version (ex 1.0.0) from existing tag (ex v1.0.0)
+        required: true
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: "refs/tags/v${{ github.event.inputs.release_version }}"
+      - name: verify tag matches gradle version
+        run: |
+          set -Eeo pipefail
+          version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
+          if [[ ! "$version" == "${{ github.event.inputs.release_version }}" ]]; then
+            echo "tag ${{ github.event.inputs.release_version }} does not match gradle.properties $version"
+            exit 1
+          fi
+
+  ci:
+    needs: [checks]
+    permissions:
+      id-token: write # To run github oidc tests
+    uses: ./.github/workflows/ci.yaml
+
+  build:
+    permissions:
+      id-token: write # To sign the artifacts
+    runs-on: ubuntu-latest
+    needs: [ci, checks]
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - name: checkout tag
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: "refs/tags/v${{ github.event.inputs.release_version }}"
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          java-version: 11
+          distribution: 'temurin'
+
+      - name: Build, Sign and Release to Maven Central
+        run: |
+          ./gradlew publishPlugins -Prelease -Pgradle.publish.key=$GRADLE_PUBLISH_KEY -Pgradle.publish.secret=$GRADLE_PUBLISH_SECRET
+        env:
+          GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }}
+          GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }}
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: SLSA -- Hash Artifacts
+        id: hash
+        run: |
+          mkdir slsa-files
+          cp sigstore-gradle/sigstore-gradle-sign-plugin/build/libs/*.jar slsa-files
+          cp sigstore-gradle/sigstore-gradle-sign-plugin/build/publications/pluginMaven/pom-default.xml slsa-files/sigstore-gradle-sign-plugin-${{ github.event.inputs.release_version }}.pom
+          cp sigstore-gradle/sigstore-gradle-sign-plugin/build/publications/pluginMaven/module.json slsa-files/sigstore-gradle-sign-plugin-${{ github.event.inputs.release_version }}.module
+          cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/libs/*.jar slsa-files
+          cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/publications/pluginMaven/pom-default.xml slsa-files/sigstore-gradle-sign-base-plugin-${{ github.event.inputs.release_version }}.pom
+          cp sigstore-gradle/sigstore-gradle-sign-base-plugin/build/publications/pluginMaven/module.json slsa-files/sigstore-gradle-sign-base-plugin-${{ github.event.inputs.release_version }}.module
+          cd slsa-files
+          echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+        with:
+          name: project-release-artifacts
+          path: ./slsa-files
+          if-no-files-found: error
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+    # remember to update "Download Attestations" when SLSA updates to actions/download-artifact@v4
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      provenance-name: "sigstore-gradle-sign-plugin-${{ github.event.inputs.release_version }}.attestation.intoto.jsonl"
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+
+  create-release-on-github:
+    runs-on: ubuntu-latest
+    needs: [provenance, build]
+    permissions:
+      contents: write
+    steps:
+      - name: Download attestation
+        # keep at v3.x since slsa generator uses 3.x (update this when slsa-framework updates)
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: "${{ needs.provenance.outputs.attestation-name }}"
+          path: ./release/
+      - name: Copy attestation for base plugin
+        run: |
+          cp "./release/${{ needs.provenance.outputs.attestation-name }}" "./release/sigstore-gradle-sign-base-plugin-${{ github.event.inputs.release_version }}.attestation.intoto.jsonl"
+      - name: Download gradle release artifacts
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        with:
+          name: project-release-artifacts
+          path: ./release/
+      - name: Create release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15
+        with:
+          tag_name: v${{ github.event.inputs.release_version }}
+          name: v${{ github.event.inputs.release_version }}-gradle
+          body: "See [CHANGELOG.md](https://github.com/${{ vars.GITHUB_REPOSITORY }}/blob/main/CHANGELOG.md) for more details."
+          files: ./release/*