slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0

BYOB: Integrating JReleaser #2035

Closed aalmiray closed 9 months ago

aalmiray commented 1 year ago

Hello everyone!

A few days ago I had a conversation with @laurentsimon and @loosebazooka about options to create a custom SLSA builder for JReleaser. The first hurdle was to figure out how to get all artifacts to be built by the Callback GH Action. We managed to clear that up by leveraging JReleaser's extension hooks.

The following configuration file may be used:

hooks:
  command:
    before:
      - cmd: './mvnw -Ppublication'
        filter:
          includes: ['assemble']

project:
  name: helloworld
  description: HelloWorld in Java
  longDescription: HelloWorld in Java
  links:
    homepage: https://github.com/jreleaser/helloworld-java-bin
  authors:
    - Andres Almiray
  license: APACHE-2.0
  inceptionYear: 2023
  stereotype: cli
  java:
    version: 11
    groupId: org.jreleaser.examples
    artifactId: helloworld
    mainClass: org.jreleaser.examples.HelloWorld

release:
  github:
    overwrite: true
    changelog:
      formatted: ALWAYS
      preset: conventional-commits
      contributors:
        format: '- {{contributorName}}{{#contributorUsernameAsLink}} ({{.}}){{/contributorUsernameAsLink}}'

assemble:
  javaArchive:
    helloworld:
      active: ALWAYS
      formats: [ ZIP ]
      fileSets:
        - input: '.'
          includes: [ 'LICENSE' ]
      mainJar:
        path: target/{{distributionName}}-{{projectVersion}}.jar

signing:
  active: ALWAYS
  armored: true

deploy:
  maven:
    nexus2:
      maven-central:
        active: ALWAYS
        url: https://s01.oss.sonatype.org/service/local
        snapshotUrl: https://s01.oss.sonatype.org/content/repositories/snapshots/
        closeRepository: true
        releaseRepository: true
        stagingRepositories:
          - target/staging-deploy

The following commands are required for build, assembly, and release:

$ jreleaser assemble && jreleaser full-release

This creates the following staged artifacts for deployment to Maven Central:

target/staging-deploy/
└── org
    └── jreleaser
        └── examples
            └── helloworld
                ├── 1.0.0
                │   ├── helloworld-1.0.0-javadoc.jar
                │   ├── helloworld-1.0.0-javadoc.jar.md5
                │   ├── helloworld-1.0.0-javadoc.jar.sha1
                │   ├── helloworld-1.0.0-sources.jar
                │   ├── helloworld-1.0.0-sources.jar.md5
                │   ├── helloworld-1.0.0-sources.jar.sha1
                │   ├── helloworld-1.0.0.jar
                │   ├── helloworld-1.0.0.jar.md5
                │   ├── helloworld-1.0.0.jar.sha1
                │   ├── helloworld-1.0.0.pom
                │   ├── helloworld-1.0.0.pom.md5
                │   └── helloworld-1.0.0.pom.sha1
                ├── maven-metadata.xml
                ├── maven-metadata.xml.md5
                └── maven-metadata.xml.sha1

These files plus helloworld-1.0.0.zip should be part of the set of files for attestation. At the moment I've got a working PoC that generates the following subjects file:

{
  "attestations" : [ {
    "name" : "helloworld-1.0.0-attestation.intoto",
    "subjects" : [ {
      "name" : "helloworld-1.0.0-javadoc.jar",
      "digest" : {
        "sha256" : "84cd595d2bca1b2a2314f6363933c34407b5d8a2831f3210cc314fbb944da8a4"
      }
    }, {
      "name" : "helloworld-1.0.0-sources.jar",
      "digest" : {
        "sha256" : "46869a25b94dfc1edea8e33915799e9145f1a0e51a18713a0b17d6daac2e6bec"
      }
    }, {
      "name" : "helloworld-1.0.0.jar",
      "digest" : {
        "sha256" : "2f5fdae7243d978ff5f96c20a52a702a86a2cab694d09e8ae2be9fa24ee5c20c"
      }
    }, {
      "name" : "helloworld-1.0.0.zip",
      "digest" : {
        "sha256" : "41c3c3da109bfef484e8214349a9bcc21aa1021249d15e290ac1670c8778627d"
      }
    } ]
  } ],
  "version" : "1"
}
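As an added example (not code from this issue, from JReleaser or from slsa-github-generator), the Python below builds a subjects file in the shape shown above from a staging directory and, on the consuming side, checks a directory of artifacts against such a file so that a missing or modified artifact is reported. Attesting only `.jar` and `.zip` files while skipping the `.md5`/`.sha1` sidecars is an assumption, and the artifact contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: attest the artifacts themselves and skip the .md5/.sha1 sidecars,
# which are derived from them (the PoC subjects file above lists none either).
ATTESTED_SUFFIXES = {".jar", ".zip"}

def sha256_hex(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_subjects_file(artifact_dir: Path, attestation_name: str) -> dict:
    """Produce a subjects document with the layout shown in the issue (version "1")."""
    files = sorted((p for p in artifact_dir.rglob("*")
                    if p.is_file() and p.suffix in ATTESTED_SUFFIXES), key=lambda p: p.name)
    subjects = [{"name": p.name, "digest": {"sha256": sha256_hex(p)}} for p in files]
    return {"attestations": [{"name": attestation_name, "subjects": subjects}], "version": "1"}

def verify_subjects(doc: dict, artifact_dir: Path) -> list:
    """Return names of subjects whose file is missing or whose digest no longer matches."""
    on_disk = {p.name: p for p in artifact_dir.rglob("*") if p.is_file()}
    bad = []
    for att in doc["attestations"]:
        for s in att["subjects"]:
            f = on_disk.get(s["name"])
            if f is None or sha256_hex(f) != s["digest"]["sha256"]:
                bad.append(s["name"])
    return bad

def demo() -> tuple:
    """Build a subjects file over constructed artifacts, then detect a tampered jar."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staged = root / "target/staging-deploy/org/jreleaser/examples/helloworld/1.0.0"
        staged.mkdir(parents=True)
        (staged / "helloworld-1.0.0.jar").write_bytes(b"hello")        # constructed content
        (staged / "helloworld-1.0.0.jar.sha1").write_text("sidecar, not attested")
        (root / "helloworld-1.0.0.zip").write_bytes(b"zip bytes")      # constructed content
        doc = build_subjects_file(root, "helloworld-1.0.0-attestation.intoto")
        clean = verify_subjects(doc, root)
        (staged / "helloworld-1.0.0.jar").write_bytes(b"hello!")       # simulate a modified artifact
        tampered = verify_subjects(doc, root)
        return doc, clean, tampered

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```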
laurentsimon commented 9 months ago

Thanks for all the work @aalmiray !