eclipse-cbi / macos-notarization-service

REST Service to notarize macOS application bundles and DMG
Eclipse Public License 2.0

Use jreleaser for publishing releases #263

Closed netomi closed 9 months ago

netomi commented 10 months ago

Currently various tools are used during the release workflow:

We want to use jreleaser instead which should be capable of replacing these tools.

netomi commented 9 months ago

I have created a PR to use jreleaser and it works nicely. One thing where I am unsure is the SLSA attestation. The builder approach does not seem to be available anymore; jreleaser itself generates the provenance using the generic workflow (which I reused). Additionally there is a slsa catalog in the configuration, but that does not seem to be sufficient to generate the intoto.jsonl file that gets uploaded. Can you shed some light on that, @aalmiray? For me the current status is already good, but I would have been curious about the builder approach.

aalmiray commented 9 months ago

That is correct. JReleaser cannot generate the final attestation file. The slsa catalog it generates is used as input for either the generic SLSA GitHub builder provided by the SLSA project or the Java builder provided by jreleaser/release-action: https://github.com/jreleaser/release-action/tree/java#slsa-builder

Both builders must be executed using GitHub Actions at the moment.

In contrast, JReleaser's own release uses the generic builder because it requires assembling artifacts in multiple platforms and several steps are involved. The generic and java builders expect a single build step & platform at the moment.
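The two-job shape described above (JReleaser publishes, the SLSA generic builder attests the published files) as an added workflow sketch; this is not the project's own workflow or JReleaser's. The build command, the artifact directory `target/distributions/`, and the action/workflow version tags are assumptions; the subject hashes are computed with `sha256sum` rather than read from JReleaser's slsa catalog output.

```yaml
# Added illustration, not taken from macos-notarization-service or JReleaser.
name: release
on:
  push:
    tags: ['v*']

permissions: read-all

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write               # JReleaser creates the GitHub release
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with: { distribution: temurin, java-version: '21' }
      - name: Build release artifacts
        run: ./mvnw -B package     # assumption: Maven wrapper, artifacts under target/
      - name: Publish with JReleaser
        uses: jreleaser/release-action@v2   # assumption: version tag; config in jreleaser.yml
        env:
          JRELEASER_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Compute provenance subjects
        id: hash
        # The generic builder takes base64-encoded `sha256sum` lines as subjects.
        # Hash exactly the files that were uploaded (assumption: target/distributions/).
        run: |
          echo "hashes=$(sha256sum target/distributions/* | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [release]
    permissions:
      actions: read                 # read the workflow run metadata
      id-token: write               # OIDC token used to sign the provenance
      contents: write               # upload the .intoto.jsonl to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.release.outputs.hashes }}
      upload-assets: true
```

Because the attestation is produced in a separate job by the SLSA reusable workflow, the release job itself never holds the signing identity; verifying consumers check the uploaded .intoto.jsonl with slsa-verifier against the release assets.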