fix: Update Security guide (#609) #13
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create Release & Upload Asset | |
on: | |
push: | |
tags: | |
- "v*" | |
permissions: | |
contents: read | |
jobs: | |
# Build LPVS | |
build: | |
runs-on: ubuntu-latest | |
name: Build LPVS | |
outputs: | |
artifacts: ${{ steps.build.outputs.artifacts }} | |
hashes: ${{ steps.hash.outputs.hashes }} | |
version: ${{ steps.lpvs_version.outputs.version }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
egress-policy: audit | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
cache: maven | |
- name: Build using maven | |
id: build | |
run: | | |
# Your normal build workflow targets here | |
# mvn clean package | |
mvn -B package --file pom.xml | |
# Save the location of the maven output files for easier reference | |
ARTIFACT_PATTERN=./target/$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)*.jar | |
echo "artifact_pattern=$ARTIFACT_PATTERN" >> "$GITHUB_OUTPUT" | |
- name: Generate subject | |
id: hash | |
run: | | |
echo "hashes=$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)" >> "$GITHUB_OUTPUT" | |
- name: Get LPVS version | |
id: lpvs_version | |
run: | | |
VERSION=${{ github.ref_name }} | |
echo "version=lpvs-${VERSION:1}.jar" >> "$GITHUB_OUTPUT" | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: ${{ steps.lpvs_version.outputs.version }} | |
path: ./target/${{ steps.lpvs_version.outputs.version }} | |
if-no-files-found: error | |
# Create Release | |
create-release: | |
permissions: | |
contents: write # for marvinpinto/action-automatic-releases to generate pre-release | |
needs: [build] | |
name: Create Release | |
runs-on: "ubuntu-latest" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
egress-policy: audit | |
- uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1 # latest | |
with: | |
repo_token: "${{ secrets.GITHUB_TOKEN }}" | |
prerelease: false | |
title: "LPVS ${{ github.ref_name }}" | |
# Generate Provenance | |
provenance: | |
needs: [build, create-release] | |
name: Generate Provenance | |
permissions: | |
actions: read # To read the workflow path. | |
id-token: write # To sign the provenance. | |
contents: write # To add assets to a release. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.build.outputs.hashes }}" | |
upload-assets: true # Optional: Upload to a new release | |
# Upload Assets | |
release: | |
permissions: | |
contents: write # for softprops/action-gh-release to create GitHub release | |
needs: [build, create-release, provenance] | |
name: Upload Assets | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
egress-policy: audit | |
- name: Download ${{ needs.build.outputs.version }} | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: ${{ needs.build.outputs.version }} | |
- name: Upload assets | |
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 | |
with: | |
files: | | |
${{ needs.build.outputs.version }} | |
# Publish package to GitHub Packages | |
publish_package: | |
name: Publish package to GitHub Packages | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
egress-policy: audit | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- name: Publish package | |
run: mvn --batch-mode deploy | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# Publish Docker Image to ghcr.io | |
publish_docker_image: | |
name: Publish Docker Image to ghcr.io | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
egress-policy: audit | |
- name: Check out the repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Log in to the Container registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
with: | |
images: ghcr.io/${{ github.repository }} | |
- name: Build and push Docker image | |
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 | |
with: | |
context: . | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} |