-
Notifications
You must be signed in to change notification settings - Fork 26
212 lines (181 loc) · 6.71 KB
/
publish-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
name: Create Release & Upload Asset
on:
push:
tags:
- "v*"
permissions:
contents: read
jobs:
# Build LPVS
build:
runs-on: ubuntu-latest
name: Build LPVS
outputs:
artifacts: ${{ steps.build.outputs.artifacts }}
hashes: ${{ steps.hash.outputs.hashes }}
version: ${{ steps.lpvs_version.outputs.version }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
- name: Build using maven
id: build
run: |
# Your normal build workflow targets here
# mvn clean package
mvn -B package --file pom.xml
# Save the location of the maven output files for easier reference
ARTIFACT_PATTERN=./target/$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)*.jar
echo "artifact_pattern=$ARTIFACT_PATTERN" >> "$GITHUB_OUTPUT"
- name: Generate subject
id: hash
run: |
echo "hashes=$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Get LPVS version
id: lpvs_version
run: |
VERSION=${{ github.ref_name }}
echo "version=lpvs-${VERSION:1}.jar" >> "$GITHUB_OUTPUT"
- name: Upload build artifacts
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # tag=v3
with:
name: ${{ steps.lpvs_version.outputs.version }}
path: ./target/${{ steps.lpvs_version.outputs.version }}
if-no-files-found: error
# Create Release
create-release:
permissions:
contents: write # for marvinpinto/action-automatic-releases to generate pre-release
needs: [build]
name: Create Release
runs-on: "ubuntu-latest"
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1
with:
repo_token: "${{ secrets.GITHUB_TOKEN }}"
prerelease: false
title: "LPVS ${{ github.ref_name }}"
# Generate Provenance
provenance:
needs: [build, create-release]
name: Generate Provenance
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true # Optional: Upload to a new release
# Upload Assets
release:
permissions:
contents: write # for softprops/action-gh-release to create GitHub release
needs: [build, create-release, provenance]
name: Upload Assets
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Download ${{ needs.build.outputs.version }}
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # tag=v2.1.0
with:
name: ${{ needs.build.outputs.version }}
- name: Upload assets
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
with:
files: |
${{ needs.build.outputs.version }}
# Generate and Publish Javadoc
generate-and-publish-javadoc:
name: Generate and Publish Javadoc
runs-on: ubuntu-latest
permissions:
contents: write
pages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- name: Set up JDK
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
with:
java-version: '11'
distribution: 'temurin'
cache: maven
- name: Build and generate Javadoc
run: |
mvn clean install javadoc:javadoc
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Deploy to GitHub Pages
uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./target/site/apidocs
# Publish package to GitHub Packages
publish_package:
name: Publish package to GitHub Packages
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
with:
java-version: '11'
distribution: 'temurin'
- name: Publish package
run: mvn --batch-mode deploy
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Publish Docker Image to ghcr.io
publish_docker_image:
name: Publish Docker Image to ghcr.io
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- name: Check out the repo
uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
- name: Log in to the Container registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3
with:
images: ghcr.io/${{ github.repository }}
- name: Build and push Docker image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}