Hello everyone!
A few days ago I had a conversation with @laurentsimon and @loosebazooka about options to create a custom SLSA builder for JReleaser. The first hurdle was to figure out how to get all artifacts to be built by the Callback GH Action. We managed to clear that out by leveraging JReleaser's extension hooks.
The following configuration file may be used to:
invoke Maven to build and deploy to a local staged repository
assemble a Zip distribution
deploy staged artifacts to Maven Central
create a GitHub release and upload the Zip as an asset
The following commands are required for build, assembly, and release
This creates the following staged artifacts for deployment to Maven Central
These files plus helloworld-1.0.0.zip should be part of the set of files for attestation. At the moment I've got a working PoC that generates the following subjects file
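One way to compute a subject list for the staged repository plus the distribution Zip, as an added example that is not the author's PoC or JReleaser's code. The in-toto style `name` plus `sha256` subject shape, the staging directory layout, the `org/example` group path and the function names are all assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so a large distribution is never loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_subjects(staging_dir: Path, extra_files: list) -> list:
    """Build in-toto style subjects for every staged file plus extra_files."""
    digests = {}
    for path in sorted(staging_dir.rglob("*")):
        # Skip directories and symlinks: a link could point outside the
        # staging tree and pull in a file the build did not produce.
        if path.is_symlink() or not path.is_file():
            continue
        digests[path.relative_to(staging_dir).as_posix()] = sha256_file(path)
    for path in extra_files:
        # Each subject name must map to exactly one digest.
        if path.name in digests:
            raise ValueError(f"duplicate subject name: {path.name}")
        digests[path.name] = sha256_file(path)
    return [{"name": n, "digest": {"sha256": d}} for n, d in sorted(digests.items())]


if __name__ == "__main__":
    # Constructed sample tree; the group path and file contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp, "staging")
        jar = staging / "org/example/helloworld/1.0.0/helloworld-1.0.0.jar"
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"constructed jar bytes")
        dist = Path(tmp, "helloworld-1.0.0.zip")
        dist.write_bytes(b"constructed zip bytes")
        print(json.dumps(collect_subjects(staging, [dist]), indent=2))
```

Computing the digests inside the same job that produced the files, before anything is uploaded, keeps the attested hashes tied to what the build actually wrote.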