github.com/yogeshkumararora/slsa-github-generator@v1.10.1-0.20240520161934-11278bd5afb4/actions/maven/publish/action.yml

# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

inputs:
  provenance-download-name:
    description: "The artifact name for the package provenance."
    required: true
    type: string
  provenance-download-sha256:
    description: "The sha256 of the package provenance artifact."
    required: true
    type: string
  target-download-name:
    description: "The name of the target directory."
    required: true
    type: string
  target-download-sha256:
    description: "The sha256 of the target directory."
    required: true
    type: string
  maven-username:
    description: "Maven username"
    required: true
  maven-password:
    description: "Maven password"
    required: true
  gpg-key-pass:
    description: "gpg-key-pass"
    required: true
  gpg-private-key:
    description: "gpg-key-pass"
    required: true
runs:
  using: "composite"
  steps:
    - name: Checkout the project repository
      uses: yogeshkumararora/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources.
    - name: Set up Java for publishing to Maven Central Repository
      uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
      env:
        MAVEN_USERNAME: ${{ inputs.maven-username }}
        MAVEN_PASSWORD: ${{ inputs.maven-password }}
        GPG_KEY_PASS: ${{ inputs.gpg-key-pass }}
      with:
        java-version: "11"
        distribution: "temurin"
        server-id: ossrh
        server-username: MAVEN_USERNAME
        server-password: MAVEN_PASSWORD
        gpg-private-key: ${{ inputs.gpg-private-key }}
        gpg-passphrase: GPG_KEY_PASS

    - name: Download the slsa attestation
      uses: yogeshkumararora/slsa-github-generator/.github/actions/secure-download-folder@main
      with:
        name: "${{ inputs.provenance-download-name }}"
        path: slsa-attestations
        sha256: "${{ inputs.provenance-download-sha256 }}"

    - name: Download the target dir
      uses: yogeshkumararora/slsa-github-generator/.github/actions/secure-download-folder@main
      with:
        name: "${{ inputs.target-download-name }}"
        path: ./
        sha256: "${{ inputs.target-download-sha256 }}"

    - name: Checkout the framework repository
      uses: yogeshkumararora/slsa-github-generator/.github/actions/secure-builder-checkout@main
      with:
        repository: yogeshkumararora/slsa-github-generator
        ref: main
        path: __BUILDER_CHECKOUT_DIR__

    - name: Publish to the Maven Central Repository
      shell: bash
      env:
        MAVEN_USERNAME: "${{ inputs.maven-username }}"
        MAVEN_PASSWORD: "${{ inputs.maven-password }}"
        GPG_KEY_PASS: "${{ inputs.gpg-key-pass }}"
        SLSA_DIR: "${{ inputs.provenance-download-name }}"
        PROVENANCE_FILES: "${{ inputs.provenance-download-name }}"
      run: |
        cd __BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin && mvn clean install && cd -
        mvn javadoc:jar source:jar
        # Retrieve project version
        export version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
        export artifactid=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout)
        # Reset the environment variables add in the base provenance
        export files="slsa-attestations/${PROVENANCE_FILES}/${artifactid}-${version}.jar.build.slsa"
        export types=slsa
        export classifiers=jar.build
        # Find all necessary built jar files and attach them to the environment variable deploy
        while read -r name; do
          target=$(echo "${name}" | rev | cut -d- -f1 | rev)
          files=$files,$name
          types=$types,${target##*.}
          classifiers=$classifiers,${target%.*}
        done <<<"$(find ./ -name "$artifactid-$version-*.jar")"
        # Find all generated provenance files and attach them the the environment variable for deploy
        while read -r name; do
          target=$(echo "${name}" | rev | cut -d- -f1 | rev)
          files=$files,$name
          types=$types",slsa"
          classifiers=$classifiers,${target::-9}
        done <<<"$(find ./ -name "$artifactid-$version-*.jar.build.slsa")"
        # Sign and deploy the files to the ossrh remote repository
        mvn validate jar:jar -Dfile=target/"${artifactid}"-"${version}".jar -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -Dfiles="${files}" -Dtypes="${types}" -Dclassifiers="${classifiers}" -DpomFile=pom.xml gpg:sign-and-deploy-file