Description

This PR adds a new GitHub Actions workflow to automate the release of the artifacts and generate SLSA provenances.

To use this Action to release, the following secrets need to be created:

MAVEN_USERNAME: the username used to deploy the artifacts to Maven Central.
MAVEN_CENTRAL_TOKEN: the token that you can obtain from the Maven Central portal.
MAVEN_GPG_PRIVATE_KEY: the GPG private key.
MAVEN_GPG_PASSPHRASE: the GPG private key passphrase.

When the project is ready for the next release, the version should be bumped as usual and committed to the repo. Then a draft release and tag can be created using GitHub's release feature. Once the release is created, the release.yaml GitHub Action will automatically run and deploy the artifact to Maven Central.

For more information, see the documentation here: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-Apache-Maven

Motivation

Having automatic releases and generating provenances helps mitigate supply-chain attacks. For example, if the deployment is done manually and the maintainer's machine is compromised, the released artifact may contain malicious code and be abused by malicious actors to distribute malware.
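As an added illustration of the workflow this PR describes (example code, not the project's actual release.yaml), the following is a release.yaml that wires the four secrets into actions/setup-java and mvn deploy, then hands the SHA-256 digests of the built JARs to the SLSA generic provenance generator. The Java version and distribution, the server-id value `central` (it must match the distributionManagement/repository/id in the project's pom.xml), the `target/` output path, and the pinned slsa-github-generator tag are assumptions chosen for the example.

```yaml
# Added example: a release workflow that deploys to Maven Central and emits SLSA provenance.
# A draft release does not fire "published"; the job runs only once the maintainer publishes it.
name: Release

on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # the GITHUB_TOKEN is not needed by Maven

      - name: Set up JDK and Maven Central credentials
        uses: actions/setup-java@v4
        with:
          java-version: '17'           # assumption: adjust to the project's JDK
          distribution: 'temurin'
          server-id: central           # assumption: must equal distributionManagement/repository/id in pom.xml
          server-username: MAVEN_USERNAME        # env var NAME that settings.xml will read
          server-password: MAVEN_CENTRAL_TOKEN   # env var NAME that settings.xml will read
          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          gpg-passphrase: MAVEN_GPG_PASSPHRASE   # env var NAME that settings.xml will read

      - name: Deploy to Maven Central
        run: mvn --batch-mode deploy
        env:
          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
          MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}

      # Record digests of the artifacts that were deployed; the provenance job signs these subjects.
      - name: Compute artifact digests
        id: hash
        run: |
          set -euo pipefail
          cd target
          echo "hashes=$(sha256sum *.jar | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [build-and-deploy]
    permissions:
      actions: read      # needed by the generator to read the workflow run
      id-token: write    # needed for Sigstore keyless signing
      contents: write    # needed to upload the provenance to the release
    # Reusable workflow from the SLSA project; the pinned tag is an assumption, check for the current one.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build-and-deploy.outputs.hashes }}
      upload-assets: true
```

The split into two jobs is deliberate: the generator runs in an isolated reusable workflow with its own OIDC identity, so the provenance attests to the artifacts the build job produced without the build job itself holding signing rights. Consumers can later verify a downloaded JAR against the attached provenance with slsa-verifier, which is the check that detects a tampered or out-of-band-built artifact.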