github-actions: enable provenance for the jar files (#250)
* support provenance

* use script
v1v authored Apr 24, 2024
1 parent 7bbcb40 commit c084216
Showing 6 changed files with 59 additions and 2 deletions.
7 changes: 6 additions & 1 deletion .buildkite/release.yml
Expand Up @@ -2,11 +2,16 @@ agents:
provider: "gcp"
image: "family/ecs-logging-java-ubuntu-2204"

env:
TARBALL_FILE: ${TARBALL_FILE:-artifacts.tar}

steps:
- label: "Run the release"
key: "release"
commands: .ci/release.sh
artifact_paths: "release.txt"
artifact_paths:
- "release.txt"
- "${TARBALL_FILE}"

notify:
- slack: "#apm-agent-java"
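Review bot: `TARBALL_FILE` is read from the build environment (`${TARBALL_FILE:-artifacts.tar}`) and then used as an entry in `artifact_paths`, so anyone who can start a build of this release pipeline with custom environment variables also chooses which path or glob on the agent is uploaded as an artifact. Both workflows in this commit pass the constant `artifacts.tar`, so the indirection adds an input without adding a use case; hard-coding `- "artifacts.tar"` here (and the same name in `.buildkite/snapshot.yml`, `.ci/release.sh` and `.ci/snapshot.sh`) removes it. If the variable has to stay, a comment above `env:` such as `# TARBALL_FILE must be a plain file name, it is uploaded as a build artifact` would record the constraint. This assumes Buildkite interpolates the value when the pipeline is uploaded, which is worth confirming against the pipeline settings.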
4 changes: 4 additions & 0 deletions .buildkite/snapshot.yml
Expand Up @@ -2,13 +2,17 @@ agents:
provider: "gcp"
image: "family/ecs-logging-java-ubuntu-2204"

env:
TARBALL_FILE: ${TARBALL_FILE:-artifacts.tar}

steps:
- label: "Run the snapshot"
key: "release"
commands: .ci/snapshot.sh
artifact_paths:
- "snapshot.txt"
- "**/target/*"
- "${TARBALL_FILE}"

notify:
- slack: "#apm-agent-java"
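--- a/.ci/release.sh
+++ b/.ci/release.sh
@@ -38,3 +38,7 @@ fi
 
 echo "--- Release the binaries to Maven Central :maven: [./mvnw ${GOAL})] ${DRY_RUN_MSG}"
 ./mvnw -V -s .ci/settings.xml -Pgpg clean $GOAL -DskipTests --batch-mode | tee release.txt
+
+echo "--- Archive the target folder with jar files"
+.ci/published-artifacts-list.sh | tee artifacts.list
+tar -cvf "${TARBALL_FILE:-artifacts.tar}" -T artifacts.list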
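Review bot: In `.ci/published-artifacts-list.sh | tee artifacts.list` the pipeline's exit status is that of `tee`, so unless `set -o pipefail` is enabled above this hunk a failing list script leaves a partial or empty `artifacts.list` and `tar` still runs on it. Writing the list first and stopping on error avoids that: `.ci/published-artifacts-list.sh > artifacts.list || exit 1` followed by `cat artifacts.list`. The archive produced here is what the release workflow later attests, so a silently short list means jars without provenance. `.ci/snapshot.sh` adds the identical lines; the start of the script, where shell options would be set, is outside the hunk.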
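--- a/.ci/snapshot.sh
+++ b/.ci/snapshot.sh
@@ -35,3 +35,7 @@ fi
 
 echo "--- Deploy the snapshot :package: [./mvnw ${GOAL})] ${DRY_RUN_MSG}"
 ./mvnw -V -s .ci/settings.xml -Pgpg clean ${GOAL} -DskipTests --batch-mode | tee snapshot.txt
+
+echo "--- Archive the target folder with jar files"
+.ci/published-artifacts-list.sh | tee artifacts.list
+tar -cvf "${TARBALL_FILE:-artifacts.tar}" -T artifacts.list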
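Review bot: Nothing in the added lines records the digests of the archived jars, yet the tarball is the only link between what Maven built on this agent and what the GitHub workflow later signs provenance for. A line such as `xargs -a artifacts.list sha256sum | tee artifacts.sha256` after the list is written would put the hashes in the build log and give the workflow something to compare against before it attests. That assumes `artifacts.list` holds one path per line without whitespace, which depends on `.ci/published-artifacts-list.sh` (not shown). The same applies to `.ci/release.sh`; the earlier part of this script is outside the hunk.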
20 changes: 20 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -66,6 +66,11 @@ jobs:
if: ${{ ! inputs.skip_maven_deploy }}
needs:
- validate-tag
permissions:
contents: write
id-token: write
env:
TARBALL_FILE: artifacts.tar
steps:
- id: buildkite
name: Run Release
Expand All @@ -75,11 +80,26 @@ jobs:
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
pipeline: ecs-logging-java-release
artifactName: releases
artifactPath: ${{ env.TARBALL_FILE }}
waitFor: true
printBuildLogs: false
buildEnvVars: |
ref=${{ inputs.ref }}
dry_run=${{ inputs.dry_run || 'false' }}
TARBALL_FILE=${{ env.TARBALL_FILE }}
- uses: actions/download-artifact@v3
with:
name: releases

- name: untar the buildkite tarball
run: tar xvf ${{ env.TARBALL_FILE }}

- name: generate build provenance
uses: github-early-access/generate-build-provenance@main
with:
subject-path: "${{ github.workspace }}/**/target/*.jar"

- if: ${{ success() }}
uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
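Review bot: The new `generate build provenance` step references `github-early-access/generate-build-provenance@main`, a branch ref, inside a job that this change also grants `id-token: write` and `contents: write`; whatever that branch points to at run time executes with the job's OIDC identity and signs the attestation for the release jars. Pin the action to a full commit SHA, `uses: github-early-access/generate-build-provenance@<full-commit-sha>  # <release-tag>` (placeholders, take the values from the action's repository), and do the same for `actions/download-artifact@v3`. The same step with the same ref is added in `.github/workflows/snapshot.yml`. The job definition starts above the first hunk, so it is not visible here whether any other step needs `contents: write`; if only the attestation does, a comment next to the `permissions:` block saying so would help the next reader.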
22 changes: 21 additions & 1 deletion .github/workflows/snapshot.yml
Expand Up @@ -37,6 +37,11 @@ jobs:
runs-on: ubuntu-latest
needs: validate
if: ${{ contains(needs.validate.outputs.is-snapshot, 'true') }}
permissions:
contents: write
id-token: write
env:
TARBALL_FILE: artifacts.tar
steps:
- id: buildkite
name: Run Deploy
Expand All @@ -46,10 +51,25 @@ jobs:
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
pipeline: ecs-logging-java-snapshot
waitFor: false
artifactName: snapshots
artifactPath: ${{ env.TARBALL_FILE }}
waitFor: true
printBuildLogs: false
buildEnvVars: |
dry_run=${{ inputs.dry_run || 'false' }}
TARBALL_FILE=${{ env.TARBALL_FILE }}
- uses: actions/download-artifact@v3
with:
name: snapshots

- name: untar the buildkite tarball
run: tar xvf ${{ env.TARBALL_FILE }}

- name: generate build provenance
uses: github-early-access/generate-build-provenance@main
with:
subject-path: "${{ github.workspace }}/**/target/*.jar"

- if: ${{ failure() }}
uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
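Review bot: The download, untar and `generate build provenance` steps added after `Run Deploy` carry no `if:`, so they also run when `dry_run` is true and an attestation can be signed for jars that were never deployed. If that is not intended, gate the attestation step with `if: ${{ ! inputs.dry_run }}`, the same style `release.yml` uses for `skip_maven_deploy`; whether the Buildkite script still produces the tarball on a dry run is not visible from this page. `.github/workflows/release.yml` adds the same steps with the same gap. The job and its triggers are defined above the hunk.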
