sigstore · loosebazooka · Jan 25, 2024 · Dec 27, 2023
diff --git a/.github/workflows/release-sigstore-java-from-tag.yaml b/.github/workflows/release-sigstore-java-from-tag.yaml
@@ -0,0 +1,112 @@
+name: Release sigstore-java to Maven Central
+on:
+  workflow_dispatch:
+  # user is expected to use a tag as the branch to run the action on
+
+jobs:
+  process-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: process tag
+        id: version
+        run: |
+          TAG=${{ github.ref_name }}
+          echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT
+      - name: verify tag matches gradle version
+        run: |
+          set -Eeo pipefail
+          version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
+          if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then
+            echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version"
+            exit 1
+          fi
+
+  ci:
+    needs: [process-tag]
+    permissions:
+      id-token: write # To run github oidc tests
+    uses: ./.github/workflows/ci.yaml
+
+  build:
+    permissions:
+      id-token: write # To sign the artifacts
+    runs-on: ubuntu-latest
+    needs: [ci, process-tag]
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - name: checkout tag
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          java-version: 11
+          distribution: 'temurin'
+
+      - name: Build, Sign and Release to Maven Central
+        run: |
+          ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository -Prelease
+        env:
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }}
+          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_USERNAME }}
+          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
+
+      - name: SLSA -- Hash Artifacts
+        id: hash
+        run: |
+          mkdir slsa-files
+          cp sigstore-java/build/libs/*.jar slsa-files
+          cp sigstore-java/build/publications/mavenJava/pom-default.xml slsa-files/sigstore-java-${{ needs.process-tag.outputs.version }}.pom
+          cp sigstore-java/build/publications/mavenJava/module.json slsa-files/sigstore-java-${{ needs.process-tag.outputs.version }}.module
+          cd slsa-files
+          echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+        with:
+          name: project-release-artifacts
+          path: ./slsa-files
+          if-no-files-found: error
+
+  provenance:
+    needs: [build, process-tag]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+    # remember to update "Download Attestations" when SLSA updates to actions/download-artifact@v4
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      provenance-name: "sigstore-java-${{ needs.process-tag.outputs.version }}.attestation.intoto.jsonl"
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+
+  create-release-on-github:
+    runs-on: ubuntu-latest
+    needs: [provenance, build, process-tag]
+    permissions:
+      contents: write
+    steps:
+      - name: Download attestation
+        # keep at v3.x since slsa generator uses 3.x (update this when slsa-framework updates)
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: "${{ needs.provenance.outputs.attestation-name }}"
+          path: ./release/
+      - name: Download gradle release artifacts
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        with:
+          name: project-release-artifacts
+          path: ./release/
+      - name: Create release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15
+        with:
+          tag_name: v${{ needs.process-tag.outputs.version }}
+          body: "See [CHANGELOG.md](https://github.com/${{ vars.GITHUB_REPOSITORY }}/blob/main/CHANGELOG.md) for more details."
+          files: ./release/*
diff --git a/.github/workflows/tag-and-build-release.yaml b/.github/workflows/tag-and-build-release.yaml
diff --git a/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts b/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts
@@ -1,5 +1,3 @@
-import org.gradle.api.publish.internal.PublicationInternal
-
 plugins {
     id("java-library")
     id("maven-publish")
@@ -61,27 +59,11 @@ publishing {
             }
         }
     }
-}
-
-val createReleaseBundle by tasks.registering(Sync::class) {
-    description = "This task should be used by github actions to create release artifacts along with a slsa attestation"
-    val releaseDir = layout.buildDirectory.dir("release")
-    outputs.dir(releaseDir)
-
-    into(releaseDir)
-    rename("pom-default.xml", "${project.name}-${project.version}.pom")
-    rename("module.json", "${project.name}-${project.version}.module")
-}
-
-publishing {
-    publications.configureEach {
-        (this as PublicationInternal<*>).allPublishableArtifacts {
-            val publicationArtifact = this
-            createReleaseBundle.configure {
-                dependsOn(publicationArtifact)
-                from(publicationArtifact.file)
-            }
+    repositories {
+        maven {
+            name = "sonatype"
+            url = uri("https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/")
+            credentials(PasswordCredentials::class)
         }
     }
 }
-