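# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Composite action that downloads a previously built Gradle `build` directory
# plus its SLSA provenance (both integrity-checked by sha256), imports the
# signing key, and runs `gradlew publish` against the `ossrh` server.
name: Gradle publish Action for Maven Central
description: "Publish a SLSA-attested Gradle build to Maven Central (OSSRH)."
inputs:
  provenance-download-name:
    description: "The artifact name for the package provenance."
    required: true
    type: string
  provenance-download-sha256:
    description: "The sha256 of the package provenance artifact."
    # NOTE(review): this is optional while build-download-sha256 is required.
    # Without it the provenance download is not integrity-checked by the
    # secure-download-folder step; callers should always pass it.
    required: false
    type: string
  build-download-name:
    description: "The name of the build directory from the build action."
    required: true
    type: string
  build-download-sha256:
    description: "The sha256 of the build directory."
    required: true
    type: string
  jdk-version:
    description: "The JDK version for the action"
    required: true
    type: string
  maven-username:
    description: "Maven username"
    required: true
  maven-password:
    description: "Maven password"
    required: true
  gpg-key-pass:
    description: "Passphrase protecting the GPG private key (also called 'gpg passphrase')."
    required: true
  gpg-private-key:
    # Was documented as "gpg-key-pass" (copy/paste error); this input is the key itself.
    description: "ASCII-armored GPG private key used to sign the published artifacts."
    required: true

runs:
  using: "composite"
  steps:
    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

    - name: Set up JDK
      uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
      env:
        MAVEN_USERNAME: ${{ inputs.maven-username }}
        MAVEN_PASSWORD: ${{ inputs.maven-password }}
        GPG_KEY_PASS: ${{ inputs.gpg-key-pass }}
      with:
        distribution: temurin
        java-version: ${{ inputs.jdk-version }}
        server-id: ossrh
        # Per setup-java convention these three are environment-variable
        # *names*, not values; the values are supplied again in the env of the
        # publish step below, which is where they are actually read.
        server-username: MAVEN_USERNAME
        server-password: MAVEN_PASSWORD
        gpg-private-key: ${{ inputs.gpg-private-key }}
        gpg-passphrase: GPG_KEY_PASS

    - name: Download the slsa attestation
      # NOTE(review): every third-party action above is pinned to a full commit
      # SHA, but this one floats on `@main`. A mutable ref on the step that
      # performs the integrity check defeats the pinning; pin it to a SHA.
      uses: yogeshkumararora/slsa-github-generator/.github/actions/secure-download-folder@main
      with:
        name: "${{ inputs.provenance-download-name }}"
        path: ./
        sha256: "${{ inputs.provenance-download-sha256 }}"

    - name: Download the build dir
      # NOTE(review): same as above — pin to a commit SHA rather than `@main`.
      uses: yogeshkumararora/slsa-github-generator/.github/actions/secure-download-folder@main
      with:
        name: "${{ inputs.build-download-name }}"
        path: ./
        sha256: "${{ inputs.build-download-sha256 }}"

    - name: Upload to Maven Central
      shell: bash
      # All inputs reach the script through the environment rather than inline
      # `${{ }}` expansion, so they cannot be interpreted as shell syntax.
      env:
        GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}
        GPG_PASSPHRASE: ${{ inputs.gpg-key-pass }}
        SLSA_DIR: "${{ inputs.provenance-download-name }}"
        MAVEN_USERNAME: ${{ inputs.maven-username }}
        MAVEN_PASSWORD: ${{ inputs.maven-password }}
        # Not read by this script; presumably consumed by the Gradle build
        # (e.g. to attach the attestations as publication artifacts) — verify.
        PROVENANCE: "build/libs/slsa-attestations/"
      run: |
        # Fail on unset variables and on any failure inside a pipeline, so a
        # broken key import cannot silently fall through to an unsigned publish.
        set -euo pipefail

        # Collect the provenance files into a subdirectory of "./build"
        mv "${SLSA_DIR}" ./build/libs/slsa-attestations

        # Import GPG signing key. `import-show` prints only key metadata
        # (fingerprints/UIDs), never secret material, to the job log.
        echo "${GPG_PRIVATE_KEY}" | gpg --batch --import --import-options import-show

        # Key ID (colon-format field 5 of the `sec` record) of the imported secret key.
        GPG_KEYNAME="$(echo "${GPG_PRIVATE_KEY}" | gpg --batch --show-keys --with-colons | awk -F: '$1 == "sec" { print $5 }')"
        # Refuse an empty or ambiguous selection: an empty keyName would let
        # the signing plugin fall back to whatever default key gpg chooses, and
        # a multi-line value would be passed to Gradle verbatim.
        if [[ -z "${GPG_KEYNAME}" ]] || [[ "$(wc -l <<< "${GPG_KEYNAME}")" -ne 1 ]]; then
          echo "gpg-private-key must contain exactly one secret key; found key IDs: '${GPG_KEYNAME}'" >&2
          exit 1
        fi

        # Run the gradle publish plugin.
        # NOTE(review): the passphrase is handed to Gradle as a command-line
        # project property, so it is visible in the process list (and to any
        # tooling that records argv) for the lifetime of the Gradle client.
        # Acceptable on an ephemeral single-tenant runner; elsewhere prefer an
        # environment-backed property or a mode-0600 gradle.properties.
        # NOTE(review): `org.gradle.internal.publish.checksums.insecure=true`
        # is an internal Gradle flag that, as far as I can tell, suppresses the
        # SHA-256/SHA-512 checksum uploads (leaving MD5/SHA-1). Presumably
        # required by the OSSRH endpoint — confirm it is still needed, since it
        # weakens what downstream consumers can verify.
        ./gradlew "-Psigning.gnupg.keyName=${GPG_KEYNAME}" "-Psigning.gnupg.passphrase=${GPG_PASSPHRASE}" -Dorg.gradle.internal.publish.checksums.insecure=true publish --stacktrace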