Verify and Release #64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Verify and Release | |
on: | |
workflow_dispatch: | |
inputs: | |
release: | |
description: 'Version to release' | |
required: true | |
permissions: write-all | |
env: | |
javaVersion: java21 | |
jobs: | |
release: | |
name: Release | |
runs-on: ubuntu-24.04 | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
allowed-endpoints: > | |
api.adoptopenjdk.net:443 | |
api.adoptium.net:443 | |
api.github.com:443 | |
archive.apache.org:443 | |
azure.archive.ubuntu.com:80 | |
azure.archive.ubuntu.com:443 | |
security.ubuntu.com:80 | |
security.ubuntu.com:443 | |
github.com:443 | |
maven.java.net:443 | |
maven.vaadin.com:443 | |
objects.githubusercontent.com:443 | |
oss.sonatype.org:443 | |
raw.githubusercontent.com:443 | |
repo.maven.apache.org:443 | |
maven.mirrors.opennms.org:443 | |
repo1.maven.org:443 | |
repository.mulesoft.org:443 | |
tools.google.com:80 | |
tools.vaadin.com:443 | |
uploads.github.com:443 | |
spdx.org:443 | |
sonarcloud.io:443 | |
repository.jboss.org:443 | |
repository.sonatype.org:443 | |
files.pythonhosted.org:443 | |
pypi.org:443 | |
www.bridgecrew.cloud:443 | |
docs.github.com:433 | |
- name: Checkout repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
# We must fetch at least the immediate parents so that if this is | |
# a pull request then we can checkout the head. | |
fetch-depth: 2 | |
- name: Set up JDK 21 | |
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 | |
with: | |
distribution: 'temurin' | |
java-version: '21-ea' | |
cache: 'maven' | |
- name: APT update | |
run: sudo apt-get update | |
- name: Install buildtools | |
run: sudo apt-get install -y graphviz build-essential fakeroot devscripts debhelper dh-make wget | |
- name: Remove localtime | |
run: sudo rm /etc/localtime | |
- name: Set Swedish localtime | |
run: sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime | |
- name: Update tzdata | |
run: sudo dpkg-reconfigure -f noninteractive tzdata | |
- name: Download Maven | |
run: wget https://dlcdn.apache.org/maven/maven-3/3.9.9/binaries/apache-maven-3.9.9-bin.tar.gz | |
- name: Unpack Maven | |
run: tar xzvf apache-maven-3.9.9-bin.tar.gz | |
- name: Set Maven | |
run: mv apache-maven-3.9.9 maven | |
- name: Set Version for release | |
run: maven/bin/mvn -B --file parent-pom/pom.xml versions:set -DnewVersion="${{ github.event.inputs.release }}" -Pall-modules versions:commit | |
- uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1 | |
with: | |
commit_message: Automated Release ${{ github.event.inputs.release }} | |
branch: release-${{ github.event.inputs.release }} | |
tagging_message: '${{ github.event.inputs.release }}' | |
create_branch: true | |
- name: Build with Maven | |
run: maven/bin/mvn -B --file pom.xml clean install -Prelease-site,all-modules -DforkMode=once '-Dtest=!**ITest*,!**DocumentationTest*' -Dmaven.test.skip=true -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Dsurefire.reportNameSuffix=UNIT | |
- name: Generate artifact attestation | |
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
id: attest | |
with: | |
subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
bundle-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl' | |
- name: Copy artifact attestation | |
run: cp ${{ steps.attest.outputs.bundle-path }} cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl | |
- name: Generate SBOM attestation | |
id: attestsbom | |
uses: actions/attest-sbom@cbfd0027ae731a5892db25ecd226930d7ffd19eb # v2.1.0 | |
with: | |
subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
sbom-path: 'cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json' | |
- name: Copy SBOM attestation | |
run: cp ${{ steps.attestsbom.outputs.bundle-path }} cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl | |
- name: Create a GitHub release | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
tag: '${{ github.event.inputs.release }}' | |
generateReleaseNotes: false | |
name: Release ${{ github.event.inputs.release }} | |
artifacts: "cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb,cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl,cia-dist-cloudformation/target/dependency/cia-dist-cloudformation-${{ github.event.inputs.release }}.template,citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json,cia-dist-cloudformation/target/dependency/cia-dist-cloudformation-${{ github.event.inputs.release }}.template" |