github.com/yogeshkumararora/slsa-github-generator@v1.10.1-0.20240520161934-11278bd5afb4/actions/maven/publish/README.md

# Publishing SLSA3+ provenance to Maven Central

This document explains how to publish SLSA3+ artifacts and provenance to Maven Central.

The publish Action is in its early stages and is likely to develop over time. Future breaking changes may occur.

To get started with publishing artifacts to the Maven Central Repository, see [this guide](https://maven.apache.org/repository/guide-central-repository-upload.html).

Before you use this publish Action, you will need to configure your GitHub project with the correct secrets. See [this guide](https://docs.github.com/en/actions/publishing-packages/publishing-java-packages-with-maven) for more.

## Using the Maven Publish action

To use the Maven publish action, add a step to your release workflow that invokes it.

Before using the Maven publish action, you should have a workflow that invokes the [Maven builder](https://github.com/yogeshkumararora/slsa-github-generator/blob/main/internal/builders/maven/README.md). It will look something like this:

```yaml
name: Release Maven project
on:
  - workflow_dispatch

permissions: read-all

jobs:
  build:
    permissions:
      id-token: write
      contents: read
      actions: read
    uses: yogeshkumararora/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@v2.0.0
    with:
      rekor-log-public: true
```

To use the publish action, add a second job that depends on the build job:

```yaml
publish:
  runs-on: ubuntu-latest
  needs: build
  permissions:
    id-token: write
    contents: read
    actions: read
  steps:
    - name: publish
      id: publish
      uses: yogeshkumararora/slsa-github-generator/actions/maven/publish@v2.0.0
      with:
        provenance-download-name: "${{ needs.build.outputs.provenance-download-name }}"
        provenance-download-sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
        target-download-name: "${{ needs.build.outputs.target-download-name }}"
        target-download-sha256: "${{ needs.build.outputs.target-download-sha256 }}"
        maven-username: ${{ secrets.OSSRH_USERNAME }}
        maven-password: ${{ secrets.OSSRH_PASSWORD }}
        gpg-key-pass: ${{ secrets.GPG_PASSPHRASE }}
        gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
```

Set the values of `maven-username`, `maven-password`, `gpg-key-pass` and `gpg-private-key` for your account. The values passed to `provenance-download-name`, `provenance-download-sha256`, `target-download-name`, and `target-download-sha256` should not be changed: they are the outputs of the build job, and the SHA-256 values let the publish job confirm that the artifacts and provenance it downloads are the ones the builder produced.
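The reason those four inputs are passed through untouched is that the publish job has no other way to know it received the builder's output rather than a swapped artifact. The following added example (not code from the slsa-github-generator project) shows the two checks that matter at that hand-off: the downloaded bytes hash to the digest the build job reported, and each artifact's digest appears as a subject of the provenance statement. It assumes the provenance is a DSSE envelope wrapping an in-toto Statement, the standard SLSA layout; the artifact bytes, digests and envelope are constructed inline. It does not verify the envelope's signature (that is the job of a Sigstore-aware verifier against the Rekor log), only the integrity of the hand-off and the binding between provenance and artifacts.

```python
"""Check the build -> publish hand-off: digests match, provenance covers every artifact.

Added example; not part of the slsa-github-generator repository.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_download(data: bytes, expected_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the digest reported by the build job."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def parse_dsse_statement(envelope_bytes: bytes) -> dict:
    """Decode the in-toto Statement carried in a DSSE envelope (payload is base64)."""
    env = json.loads(envelope_bytes)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
    return json.loads(base64.b64decode(env["payload"]))


def unprovenanced(statement: dict, artifacts: Dict[str, bytes]) -> List[str]:
    """Names of artifacts whose sha256 is not attested as a subject of the statement."""
    subjects = {s["name"]: s["digest"]["sha256"] for s in statement.get("subject", [])}
    return sorted(name for name, data in artifacts.items()
                  if subjects.get(name) != sha256_hex(data))


def verify_handoff(artifacts: Dict[str, bytes], expected_sha256: Dict[str, str],
                   envelope_bytes: bytes) -> List[str]:
    """Return a list of problems; an empty list means the hand-off is consistent."""
    problems = []
    for name, data in artifacts.items():
        expected = expected_sha256.get(name)
        if expected is None:
            problems.append(f"{name}: no digest recorded by the build job")
        elif not check_download(data, expected):
            problems.append(f"{name}: sha256 mismatch")
    statement = parse_dsse_statement(envelope_bytes)
    for name in unprovenanced(statement, artifacts):
        problems.append(f"{name}: not a subject of the provenance")
    return problems


# Constructed stand-ins for the jar and pom the build job uploads (not real artifacts).
ARTIFACTS: Dict[str, bytes] = {
    "demo-1.0.0.jar": b"PK\x03\x04 constructed jar bytes",
    "demo-1.0.0.pom": b"<project>constructed pom</project>",
}
# What the build job would report through its *-download-sha256 outputs.
EXPECTED_SHA256 = {name: sha256_hex(data) for name, data in ARTIFACTS.items()}

# Constructed provenance: an in-toto Statement whose subjects are the artifacts above,
# wrapped in a DSSE envelope. The predicate and signature are placeholders.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": n, "digest": {"sha256": d}} for n, d in EXPECTED_SHA256.items()],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},  # builder details omitted in this constructed sample
}
PROVENANCE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-not-a-real-signature"}],
}).encode()


if __name__ == "__main__":
    for problem in verify_handoff(ARTIFACTS, EXPECTED_SHA256, PROVENANCE_ENVELOPE):
        print("FAIL:", problem)
    tampered = dict(ARTIFACTS, **{"demo-1.0.0.jar": b"tampered"})
    for problem in verify_handoff(tampered, EXPECTED_SHA256, PROVENANCE_ENVELOPE):
        print("FAIL (tampered):", problem)
```

A substituted jar fails twice, once against the digest the build job reported and once against the provenance subjects; either check alone is enough to stop the publish, which is why neither the names nor the digests should be edited in the workflow.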

Once you trigger this workflow, your artifacts and provenance files will be added to a staging repository in Maven Central. You need to close the staging repository and then release it:

Closing the staging repository:

![closing the staging repository](/actions/gradle/publish/images/gradle-publisher-staging-repository.png)

Releasing:

![releasing the Gradle artefacts](/actions/gradle/publish/images/gradle-publisher-release-closed-repository.png)