slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0
394 stars 118 forks

[feature] BYOB: Gradle and Maven #2154

Open AdamKorcz opened 1 year ago

AdamKorcz commented 1 year ago

This issue tracks the development of builders for the Gradle and Maven ecosystems.

I suggest the builders are added to the slsa-github-generator project in the same manner as the current builders, namely in https://github.com/slsa-framework/slsa-github-generator/tree/main/.github/workflows.

The Gradle builder is currently being added here: https://github.com/slsa-framework/slsa-github-generator/pull/2132. The Sigstore-java project is using my local fork of this builder (https://github.com/sigstore/sigstore-java/blob/ee3a18aa054b24f354c03eaf8bf686586384324e/.github/workflows/byob-slsa.yaml#L20) and will switch to the upstream one once https://github.com/slsa-framework/slsa-github-generator/pull/2132 has been merged.

Once the Gradle builder has been merged, I will make a PR for the Maven builder.

Each builder should include:

  1. A builder
  2. A publisher
  3. e2e tests

I will add 1, 2 and 3 for each builder.

TODOs for each builder (will be updated continuously):

  1. Possibly support java-version-file for the setup-java action. https://github.com/slsa-framework/slsa-github-generator/pull/2132#discussion_r1199949203

laurentsimon commented 1 year ago

Additional tasks: