Closed netomi closed 9 months ago
I have created a PR to use jreleaser and it works nicely. One thing where I am unsure is the SLSA attestation. The builder approach does not seem to be available anymore, jreleaser itself generates the provenance using the generic workflow (which I reused). Additionally there is a slsa catalog in the configuration, but that does not seem to be sufficient to generate the intoto.jsonl file that gets uploaded. Can you shed some light on that @aalmiray. For me the current status is already good but would have been curious about the builder approach.
That is correct. JReleaser cannot generate the final attestation file. The slsa catalog it generates is used as input for either the generic SLSA GitHub builder provided by the SLSA project or the Java builder provided by jreleaser/release-action https://github.com/jreleaser/release-action/tree/java#slsa-builder
Both builders must be executed using GitHub Actions at the moment.
In contrast, JReleaser's own release uses the generic builder because it requires assembling artifacts in multiple platforms and several steps are involved. The generic and java builders expect a single build step & platform at the moment.
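The reply above describes the split between the two sides: the release tool hashes the artifacts into a subject list, and the SLSA builder (running on GitHub Actions) turns that list into the signed `.intoto.jsonl`. The following is an added example, not code from JReleaser, the SLSA project or anyone in this thread. It shows both halves of that contract offline: encoding artifacts into the sha256sum-style, base64-encoded subject list the generic builder's `base64-subjects` input takes, and checking the subjects inside a resulting DSSE/in-toto envelope against the artifacts that are actually about to be uploaded. The artifact bytes and the unsigned envelope are constructed here; a real provenance file is signed, and its signature should still be verified with the SLSA project's slsa-verifier, which this example does not replace.

```python
# Added example (not JReleaser or SLSA project code). Builds the subject
# list the generic SLSA GitHub builder consumes and checks a provenance
# envelope's subjects against the artifacts being released.
import base64
import hashlib
import json
from typing import Dict, Iterable

# Constructed sample artifacts (name -> bytes). In a real workflow these
# would be the files JReleaser produced; the names and bytes are made up.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "app-1.0.0.jar": b"PK\x03\x04 constructed jar bytes",
    "app-1.0.0.zip": b"PK\x03\x04 constructed zip bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def base64_subjects(artifacts: Dict[str, bytes]) -> str:
    """Encode artifacts the way the generic builder's base64-subjects input
    expects them: sha256sum-style lines ('<hex>  <name>'), base64-encoded.
    Sorted so the output is stable across runs."""
    lines = "".join(
        f"{sha256_hex(data)}  {name}\n" for name, data in sorted(artifacts.items())
    )
    return base64.b64encode(lines.encode()).decode()


def decode_subjects(b64: str) -> Dict[str, str]:
    """Inverse of base64_subjects: name -> sha256 hex."""
    out: Dict[str, str] = {}
    for line in base64.b64decode(b64).decode().splitlines():
        digest, name = line.split("  ", 1)
        out[name] = digest
    return out


def make_unsigned_envelope(artifacts: Dict[str, bytes]) -> str:
    """Constructed, UNSIGNED DSSE envelope around an in-toto statement, only so
    the subject check below can be exercised offline. Real provenance from the
    builder carries signatures that must be verified separately."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [
            {"name": name, "digest": {"sha256": sha256_hex(data)}}
            for name, data in sorted(artifacts.items())
        ],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {},  # builder details omitted in this constructed sample
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [],  # empty: constructed sample, not a signed attestation
    }
    return json.dumps(envelope)


def subjects_from_envelope(envelope_json: str) -> Dict[str, str]:
    """Parse one line of an .intoto.jsonl file and return name -> sha256 hex.
    Does NOT verify the signature; that is slsa-verifier's job."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(env["payload"]))
    return {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}


def check_subjects(envelope_json: str, artifacts: Dict[str, bytes]) -> Dict[str, bool]:
    """For every subject in the envelope, True iff an artifact with that name
    exists and its sha256 matches. Artifacts missing from the envelope are
    reported as False as well: they would ship without provenance."""
    expected = subjects_from_envelope(envelope_json)
    result: Dict[str, bool] = {}
    for name, digest in expected.items():
        data = artifacts.get(name)
        result[name] = data is not None and sha256_hex(data) == digest
    for name in artifacts:
        if name not in expected:
            result[name] = False
    return result


def load_artifacts(paths: Iterable[str]) -> Dict[str, bytes]:
    """Read real files from disk into the name -> bytes form used above."""
    import os
    return {os.path.basename(p): open(p, "rb").read() for p in paths}


if __name__ == "__main__":
    env = make_unsigned_envelope(SAMPLE_ARTIFACTS)
    print(base64_subjects(SAMPLE_ARTIFACTS))
    print(check_subjects(env, SAMPLE_ARTIFACTS))
```

The `check_subjects` step is the one worth wiring into a release job after the builder has run: a subject digest that does not match the file you are about to upload, or an artifact that has no subject at all, means the attestation does not cover what users will download.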
Currently, various tools are used during the release workflow:
We want to use jreleaser instead which should be capable of replacing these tools.