oracle / tribuo

Tribuo - A Java machine learning library
https://tribuo.org
Apache License 2.0

ci: add automatic release and provenance generation #373

Closed behnazh-w closed 3 months ago

behnazh-w commented 3 months ago

Description

This PR adds a new GitHub Actions workflow to automate the release of the artifacts and generate SLSA provenances.

To use this Action to release, the following secrets need to be created:

When the project is ready for the next release, the version should be bumped as usual and committed to the repo. Then a draft release and tag can be created using GitHub's release feature. Once the release is created, the release.yaml GitHub Action will automatically run and deploy the artifact to Maven Central.

For more information, see the documentation here: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-Apache-Maven

Motivation

Having automatic releases and generating provenances helps mitigate supply-chain attacks. For example, if the deployment is done manually and the maintainer's machine is compromised, the released artifact may contain malicious code and be abused by malicious actors to distribute malware.
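The flow described above (release published, artifact deployed to Maven Central via setup-java, SLSA provenance generated for the deployed jars) as an added illustration; this is not the workflow from the PR, and the secret names, the `ossrh` server id, the Java version, the jar glob and the pinned generator version are all assumptions to be adapted to the project:

```yaml
name: release
on:
  release:
    types: [published]   # draft releases do not trigger; publishing does

permissions:
  contents: read         # least privilege by default; jobs widen only what they need

jobs:
  publish:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'              # assumption: adjust to the project's build JDK
          server-id: ossrh                # assumption: must match <distributionManagement> in pom.xml
          server-username: MAVEN_USERNAME # names of env vars read at deploy time, not the values
          server-password: MAVEN_PASSWORD
          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}   # assumed secret name
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
      - name: Deploy to Maven Central
        run: mvn -B deploy
        env:
          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}          # assumed secret name
          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}             # assumed secret name
          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
      - name: Record subject digests for provenance
        id: hash
        run: |
          # sha256 of every deployed jar, base64-encoded as the generator expects
          # assumption: single-module layout; multi-module builds list each module's target dir
          echo "hashes=$(sha256sum target/*.jar | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [publish]
    permissions:
      actions: read      # read workflow run metadata
      id-token: write    # OIDC token used to sign the provenance
      contents: write    # attach the provenance file to the GitHub release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: ${{ needs.publish.outputs.hashes }}
      upload-assets: true
```

Because the provenance is produced by a separate, isolated job from an OIDC-signed identity, a compromised maintainer workstation cannot forge it: consumers can verify that the jar digest they downloaded was built by this workflow from this repository.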

behnazh-w commented 3 months ago

I will close this PR because the artifacts need to be released to Maven Central from an Oracle internal service.