Release to maven central (sigstore-java only)

Signed-off-by: Appu Goundan <[email protected]>
sigstore · Jan 23, 2024 · be3059c · be3059c
1 parent 55f36f4
commit be3059c
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 57 deletions.
diff --git a/.github/workflows/tag-and-build-release.yaml → ...flows/release-sigstore-java-from-tag.yaml b/.github/workflows/tag-and-build-release.yaml → ...flows/release-sigstore-java-from-tag.yaml
@@ -1,47 +1,39 @@
-name: Tag and Build Release
+name: Release sigstore-java to Maven Central
 on:
   workflow_dispatch:
     inputs:
       release_version:
-        description: new release version
+        description: version (ex 1.0.0) from existing tag (ex v1.0.0)
         required: true
-        default: (for example, 0.1.0)
 
 jobs:
   checks:
     runs-on: ubuntu-latest
     steps:
-      - name: Check inputs
+      - name: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: "refs/tags/v${{ github.event.inputs.release_version }}"
+      - name: verify tag matches gradle version
         run: |
-          if [[ ! "${{ github.event.inputs.release_version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo 'version "${{ github.event.inputs.release_version }}" not in ###.###.### format'
+          set -Eeo pipefail
+          version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
+          if [[ ! "$version" == "${{ github.event.inputs.release_version }}" ]]; then
+            echo "tag ${{ github.event.inputs.release_version }} does not match gradle.properties $version"
             exit 1
           fi
+
   ci:
+    needs: [checks]
     permissions:
       id-token: write # To run github oidc tests
     uses: ./.github/workflows/ci.yaml
 
-  create-tag:
-    needs: [checks, ci]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: tag
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            github.rest.git.createRef({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              ref: "refs/tags/v${{ github.event.inputs.release_version }}",
-              sha: context.sha
-            })
-
   build:
+    permissions:
+      id-token: write # To sign the artifacts
     runs-on: ubuntu-latest
-    needs: [create-tag]
+    needs: [checks, ci]
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
     steps:
@@ -56,22 +48,30 @@ jobs:
           java-version: 11
           distribution: 'temurin'
 
-      - name: Build project
+      - name: Build, Sign and Release to Maven Central
         run: |
-          ./gradlew clean :sigstore-java:createReleaseBundle -Pversion=${{ github.event.inputs.release_version }} -Prelease -PskipSign
+          ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository -Prelease
+        env:
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }}
+          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_USERNAME }}
+          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
 
-      - name: Hash Artifacts
+      - name: SLSA -- Hash Artifacts
         id: hash
         run: |
-          cd sigstore-java/build/release
+          mkdir slsa-files
+          cp sigstore-java/build/libs/*.jar slsa-files
+          cp sigstore-java/build/publications/mavenJava/pom-default.xml slsa-files/sigstore-java-${{ github.event.inputs.release_version }}.pom
+          cp sigstore-java/build/publications/mavenJava/module.json slsa-files/sigstore-java-${{ github.event.inputs.release_version }}.module
+          cd slsa-files
           echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT
-          sha256sum ./*
 
       - name: Upload build artifacts
         uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
         with:
           name: project-release-artifacts
-          path: ./sigstore-java/build/release/
+          path: ./slsa-files
           if-no-files-found: error
 
   provenance:
@@ -81,19 +81,21 @@ jobs:
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
     # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+    # remember to update "Download Attestations" when SLSA updates to actions/download-artifact@v4
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
-      attestation-name: "sigstore-java-${{ github.event.inputs.release_version }}.attestation.intoto.jsonl"
+      provenance-name: "sigstore-java-${{ github.event.inputs.release_version }}.attestation.intoto.jsonl"
       base64-subjects: "${{ needs.build.outputs.hashes }}"
 
-  create-release:
+  create-release-on-github:
     runs-on: ubuntu-latest
     needs: [provenance, build]
     permissions:
       contents: write
     steps:
       - name: Download attestation
-        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        # keep at v3.x since slsa generator uses 3.x (update this when slsa-framework updates)
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: "${{ needs.provenance.outputs.attestation-name }}"
           path: ./release/
@@ -102,7 +104,7 @@ jobs:
         with:
           name: project-release-artifacts
           path: ./release/
-      - name: Create draft release
+      - name: Create release
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15
         with:
           tag_name: v${{ github.event.inputs.release_version }}

diff --git a/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts b/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts
@@ -1,5 +1,3 @@
-import org.gradle.api.publish.internal.PublicationInternal
-
 plugins {
     id("java-library")
     id("maven-publish")
@@ -61,27 +59,11 @@ publishing {
             }
         }
     }
-}
-
-val createReleaseBundle by tasks.registering(Sync::class) {
-    description = "This task should be used by github actions to create release artifacts along with a slsa attestation"
-    val releaseDir = layout.buildDirectory.dir("release")
-    outputs.dir(releaseDir)
-
-    into(releaseDir)
-    rename("pom-default.xml", "${project.name}-${project.version}.pom")
-    rename("module.json", "${project.name}-${project.version}.module")
-}
-
-publishing {
-    publications.configureEach {
-        (this as PublicationInternal<*>).allPublishableArtifacts {
-            val publicationArtifact = this
-            createReleaseBundle.configure {
-                dependsOn(publicationArtifact)
-                from(publicationArtifact.file)
-            }
+    repositories {
+        maven {
+            name = "sonatype"
+            url = uri("https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/")
+            credentials(PasswordCredentials::class)
         }
     }
 }
-