-
Notifications
You must be signed in to change notification settings - Fork 45
146 lines (131 loc) · 6.57 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
name: Verify and Release
on:
workflow_dispatch:
inputs:
release:
description: 'Version to release'
required: true
permissions: read-all
env:
javaVersion: java21
jobs:
release:
name: Release
runs-on: ubuntu-24.04
permissions:
contents: write # Needed for checkout, git-auto-commit-action, and creating releases
packages: write # Needed for publishing packages
id-token: write # Required for SLSA provenance and SBOM attestation
actions: read # Basic read access to actions
security-events: write # Needed for SBOM attestation
statuses: write # Required for commit statuses updated by actions
issues: read # Needed for release notes generation capability
pull-requests: read # Access for potential PR-related operations
pages: read
deployments: write
attestations: write # Required to create and persist attestations
strategy:
fail-fast: false
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: block
allowed-endpoints: >
api.adoptopenjdk.net:443
api.adoptium.net:443
api.github.com:443
archive.apache.org:443
azure.archive.ubuntu.com:80
azure.archive.ubuntu.com:443
security.ubuntu.com:80
security.ubuntu.com:443
github.com:443
maven.java.net:443
maven.vaadin.com:443
objects.githubusercontent.com:443
oss.sonatype.org:443
raw.githubusercontent.com:443
repo.maven.apache.org:443
maven.mirrors.opennms.org:443
repo1.maven.org:443
repository.mulesoft.org:443
tools.google.com:80
tools.vaadin.com:443
uploads.github.com:443
spdx.org:443
sonarcloud.io:443
repository.jboss.org:443
repository.sonatype.org:443
files.pythonhosted.org:443
pypi.org:443
www.bridgecrew.cloud:443
docs.github.com:433
dlcdn.apache.org:443
esm.ubuntu.com:443
fulcio.sigstore.dev:443
packages.microsoft.com:443
rekor.sigstore.dev:443
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
- name: Set up JDK 21
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
with:
distribution: 'temurin'
java-version: '21-ea'
cache: 'maven'
- name: APT update
run: sudo apt-get update
- name: Install buildtools
run: sudo apt-get install -y graphviz build-essential fakeroot devscripts debhelper dh-make wget
- name: Remove localtime
run: sudo rm /etc/localtime
- name: Set Swedish localtime
run: sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
- name: Update tzdata
run: sudo dpkg-reconfigure -f noninteractive tzdata
- name: Download Maven
run: wget https://dlcdn.apache.org/maven/maven-3/3.9.9/binaries/apache-maven-3.9.9-bin.tar.gz
- name: Unpack Maven
run: tar xzvf apache-maven-3.9.9-bin.tar.gz
- name: Set Maven
run: mv apache-maven-3.9.9 maven
- name: Set Version for release
run: maven/bin/mvn -B --file parent-pom/pom.xml versions:set -DnewVersion="${{ github.event.inputs.release }}" -Pall-modules versions:commit
- uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
with:
commit_message: Automated Release ${{ github.event.inputs.release }}
branch: release-${{ github.event.inputs.release }}
tagging_message: '${{ github.event.inputs.release }}'
create_branch: true
- name: Build with Maven
run: maven/bin/mvn -B --file pom.xml clean install -Prelease-site,all-modules -DforkMode=once '-Dtest=!**ITest*,!**DocumentationTest*' -Dmaven.test.skip=true -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Dsurefire.reportNameSuffix=UNIT
- name: Generate artifact attestation
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
id: attest
with:
subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb'
bundle-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl'
- name: Copy artifact attestation
run: cp ${{ steps.attest.outputs.bundle-path }} cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl
- name: Generate SBOM attestation
id: attestsbom
uses: actions/attest-sbom@115c3be05ff3974bcbd596578934b3f9ce39bf68 # v2.2.0
with:
subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb'
sbom-path: 'cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json'
- name: Copy SBOM attestation
run: cp ${{ steps.attestsbom.outputs.bundle-path }} cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl
- name: Create a GitHub release
uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1.15.0
with:
tag: '${{ github.event.inputs.release }}'
generateReleaseNotes: false
name: Release ${{ github.event.inputs.release }}
artifacts: "cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb,cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl,cia-dist-cloudformation/target/dependency/cia-dist-cloudformation-${{ github.event.inputs.release }}.template,citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json,cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json,cia-dist-cloudformation/target/dependency/cia-dist-cloudformation-${{ github.event.inputs.release }}.template"
- name: Submit Dependency Release
uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d