ci: add automatic release and provenance generation #373
Description
This PR adds a new GitHub Actions workflow to automate the release of the artifacts and generate SLSA provenances.
To use this Action to release, the following secrets need to be created:

- MAVEN_USERNAME: the username used to deploy the artifacts to Maven Central.
- MAVEN_CENTRAL_TOKEN: the token that you can obtain from the Maven Central portal.
- MAVEN_GPG_PRIVATE_KEY: the GPG private key.
- MAVEN_GPG_PASSPHRASE: the GPG private key passphrase.

When the project is ready for the next release, the version should be bumped as usual and committed to the repo. Then a draft release and tag can be created using GitHub's release feature. Once the release is created, the release.yaml GitHub Action will automatically run and deploy the artifact to Maven Central.

For more information, see the documentation here: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-Apache-Maven
Motivation
Having automatic releases and generating provenances helps mitigate supply-chain attacks. For example, if the deployment is done manually and the maintainer's machine is compromised, the released artifact may contain malicious code and be abused by malicious actors to distribute malware.