Verify and Release #69
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verify and Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release: | |
| description: 'Version to release' | |
| required: true | |
| permissions: read-all | |
| env: | |
| javaVersion: java21 | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: write # Needed for checkout, git-auto-commit-action, and creating releases | |
| packages: write # Needed for publishing packages | |
| id-token: write # Required for SLSA provenance and SBOM attestation | |
| actions: read # Basic read access to actions | |
| security-events: write # Needed for SBOM attestation | |
| statuses: write # Required for commit statuses updated by actions | |
| issues: read # Needed for release notes generation capability | |
| pull-requests: read # Access for potential PR-related operations | |
| pages: read | |
| deployments: write | |
| attestations: write # Required to create and persist attestations | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.adoptopenjdk.net:443 | |
| api.adoptium.net:443 | |
| api.github.com:443 | |
| archive.apache.org:443 | |
| azure.archive.ubuntu.com:80 | |
| azure.archive.ubuntu.com:443 | |
| security.ubuntu.com:80 | |
| security.ubuntu.com:443 | |
| github.com:443 | |
| maven.java.net:443 | |
| maven.vaadin.com:443 | |
| objects.githubusercontent.com:443 | |
| oss.sonatype.org:443 | |
| raw.githubusercontent.com:443 | |
| repo.maven.apache.org:443 | |
| maven.mirrors.opennms.org:443 | |
| repo1.maven.org:443 | |
| repository.mulesoft.org:443 | |
| tools.google.com:80 | |
| tools.vaadin.com:443 | |
| uploads.github.com:443 | |
| spdx.org:443 | |
| sonarcloud.io:443 | |
| repository.jboss.org:443 | |
| repository.sonatype.org:443 | |
| files.pythonhosted.org:443 | |
| pypi.org:443 | |
| www.bridgecrew.cloud:443 | |
| docs.github.com:433 | |
| dlcdn.apache.org:443 | |
| esm.ubuntu.com:443 | |
| fulcio.sigstore.dev:443 | |
| packages.microsoft.com:443 | |
| rekor.sigstore.dev:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| # We must fetch at least the immediate parents so that if this is | |
| # a pull request then we can checkout the head. | |
| fetch-depth: 2 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21-ea' | |
| cache: 'maven' | |
| - name: APT update | |
| run: sudo apt-get update | |
| - name: Install buildtools | |
| run: sudo apt-get install -y graphviz build-essential fakeroot devscripts debhelper dh-make wget | |
| - name: Remove localtime | |
| run: sudo rm /etc/localtime | |
| - name: Set Swedish localtime | |
| run: sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime | |
| - name: Update tzdata | |
| run: sudo dpkg-reconfigure -f noninteractive tzdata | |
| - name: Download Maven | |
| run: wget https://dlcdn.apache.org/maven/maven-3/3.9.9/binaries/apache-maven-3.9.9-bin.tar.gz | |
| - name: Unpack Maven | |
| run: tar xzvf apache-maven-3.9.9-bin.tar.gz | |
| - name: Set Maven | |
| run: mv apache-maven-3.9.9 maven | |
| - name: Set Version for release | |
| run: maven/bin/mvn -B --file parent-pom/pom.xml versions:set -DnewVersion="${{ github.event.inputs.release }}" -Pall-modules versions:commit | |
| - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1 | |
| with: | |
| commit_message: Automated Release ${{ github.event.inputs.release }} | |
| branch: release-${{ github.event.inputs.release }} | |
| tagging_message: '${{ github.event.inputs.release }}' | |
| create_branch: true | |
| - name: Build with Maven | |
| run: maven/bin/mvn -B --file pom.xml clean install -Prelease-site,all-modules -DforkMode=once '-Dtest=!**ITest*,!**DocumentationTest*' -Dmaven.test.skip=true -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Dsurefire.reportNameSuffix=UNIT | |
| - name: Generate artifact attestation | |
| uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
| id: attest | |
| with: | |
| subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
| bundle-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl' | |
| - name: Copy artifact attestation | |
| run: cp ${{ steps.attest.outputs.bundle-path }} cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl | |
| - name: Generate SBOM attestation | |
| id: attestsbom | |
| uses: actions/attest-sbom@cbfd0027ae731a5892db25ecd226930d7ffd19eb # v2.1.0 | |
| with: | |
| subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
| sbom-path: 'cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json' | |
| - name: Copy SBOM attestation | |
| run: cp ${{ steps.attestsbom.outputs.bundle-path }} cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl | |
| - name: Create a GitHub release | |
| uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
| with: | |
| tag: '${{ github.event.inputs.release }}' | |
| generateReleaseNotes: false | |
| name: Release ${{ github.event.inputs.release }} | |
| artifacts: "cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb,cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl,cia-dist-cloudformation/target/dependency/cia-dist-cloudformation-${{ github.event.inputs.release }}.template,citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json,cia-dist-cloudformation/target/dependency/cia-dist-cloudformation-${{ github.event.inputs.release }}.template" | |
| - name: Submit Dependency Release | |
| uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d |