Verify and Release #86
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verify and Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release: | |
| description: 'Version to release' | |
| required: true | |
| permissions: read-all | |
| env: | |
| javaVersion: java21 | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 60 | |
| concurrency: | |
| group: release-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: write # Needed for checkout, git-auto-commit-action, and creating releases | |
| packages: write # Needed for publishing packages | |
| id-token: write # Required for SLSA provenance and SBOM attestation | |
| actions: read # Basic read access to actions | |
| security-events: write # Needed for SBOM attestation | |
| statuses: write # Required for commit statuses updated by actions | |
| issues: write # Updated to write for release-drafter | |
| pull-requests: write # Updated to write for release-drafter | |
| pages: read | |
| deployments: write | |
| attestations: write # Required to create and persist attestations | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.adoptopenjdk.net:443 | |
| api.adoptium.net:443 | |
| api.github.com:443 | |
| archive.apache.org:443 | |
| azure.archive.ubuntu.com:80 | |
| azure.archive.ubuntu.com:443 | |
| security.ubuntu.com:80 | |
| security.ubuntu.com:443 | |
| github.com:443 | |
| maven.java.net:443 | |
| maven.vaadin.com:443 | |
| objects.githubusercontent.com:443 | |
| oss.sonatype.org:443 | |
| raw.githubusercontent.com:443 | |
| repo.maven.apache.org:443 | |
| maven.mirrors.opennms.org:443 | |
| repo1.maven.org:443 | |
| repository.mulesoft.org:443 | |
| tools.google.com:80 | |
| tools.vaadin.com:443 | |
| uploads.github.com:443 | |
| spdx.org:443 | |
| sonarcloud.io:443 | |
| repository.jboss.org:443 | |
| repository.sonatype.org:443 | |
| files.pythonhosted.org:443 | |
| pypi.org:443 | |
| www.bridgecrew.cloud:443 | |
| docs.github.com:433 | |
| dlcdn.apache.org:443 | |
| archive.apache.org:443 | |
| esm.ubuntu.com:443 | |
| fulcio.sigstore.dev:443 | |
| packages.microsoft.com:443 | |
| rekor.sigstore.dev:443 | |
| release-drafter.github.io:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 2 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21-ea' | |
| java-package: 'jdk' # Explicitly specify JDK package | |
| check-latest: true # Always get latest patch version | |
| cache: 'maven' | |
| server-id: 'github' # Optional: For GitHub Packages authentication | |
| architecture: 'x64' # Explicitly specify architecture | |
| - name: APT update | |
| run: sudo apt-get update | |
| - name: Install buildtools | |
| run: sudo apt-get install -y graphviz build-essential fakeroot devscripts debhelper dh-make wget | |
| - name: Remove localtime | |
| run: sudo rm /etc/localtime | |
| - name: Set Swedish localtime | |
| run: sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime | |
| - name: Update tzdata | |
| run: sudo dpkg-reconfigure -f noninteractive tzdata | |
| - name: Download Maven | |
| run: wget https://archive.apache.org/dist/maven/maven-3/3.9.9/binaries/apache-maven-3.9.9-bin.tar.gz | |
| - name: Unpack Maven | |
| run: tar xzvf apache-maven-3.9.9-bin.tar.gz | |
| - name: Set Maven | |
| run: mv apache-maven-3.9.9 maven | |
| - name: Set Version for release | |
| run: maven/bin/mvn -B --file parent-pom/pom.xml versions:set -DnewVersion="${{ github.event.inputs.release }}" -Pall-modules versions:commit | |
| - uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1 | |
| with: | |
| commit_message: Automated Release ${{ github.event.inputs.release }} | |
| branch: release-${{ github.event.inputs.release }} | |
| tagging_message: '${{ github.event.inputs.release }}' | |
| create_branch: true | |
| - name: Build with Maven | |
| run: maven/bin/mvn -B --file pom.xml clean install -Prelease-site,all-modules -DforkMode=once '-Dtest=!**ITest*,!**DocumentationTest*' -Dmaven.test.skip=true -DfailIfNoTests=false | |
| # Generate artifact attestation for DEB package | |
| - name: Generate artifact attestation for deb package | |
| uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | |
| id: attest_deb | |
| with: | |
| subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
| - name: Copy artifact attestation for deb package | |
| run: cp ${{ steps.attest_deb.outputs.bundle-path }} cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl | |
| # Generate SBOM attestation for DEB package | |
| - name: Generate SBOM attestation for deb package | |
| id: attestsbom_deb | |
| uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b # v2.4.0 | |
| with: | |
| subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
| sbom-path: 'cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json' | |
| - name: Copy SBOM attestation for deb package | |
| run: cp ${{ steps.attestsbom_deb.outputs.bundle-path }} cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl | |
| # Generate artifact attestation for WAR | |
| - name: Generate artifact attestation for WAR | |
| uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | |
| id: attest_war | |
| with: | |
| subject-path: 'citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war' | |
| - name: Copy artifact attestation for WAR | |
| run: cp ${{ steps.attest_war.outputs.bundle-path }} citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.intoto.jsonl | |
| # Generate SBOM attestation for WAR | |
| - name: Generate SBOM attestation for WAR | |
| id: attestsbom_war | |
| uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b # v2.4.0 | |
| with: | |
| subject-path: 'citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war' | |
| sbom-path: 'citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json' | |
| - name: Copy SBOM attestation for WAR | |
| run: cp ${{ steps.attestsbom_war.outputs.bundle-path }} citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl | |
| - name: Draft Release Notes | |
| uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 | |
| with: | |
| version: ${{ github.event.inputs.release }} | |
| tag: ${{ github.event.inputs.release }} | |
| name: Release ${{ github.event.inputs.release }} | |
| publish: false | |
| prerelease: false | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get Release Notes | |
| id: release-notes | |
| uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 | |
| with: | |
| config-name: release-drafter.yml | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create a GitHub release | |
| uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0 | |
| with: | |
| tag: '${{ github.event.inputs.release }}' | |
| generateReleaseNotes: false | |
| name: Release ${{ github.event.inputs.release }} | |
| body: ${{ steps.release-notes.outputs.body }} | |
| artifacts: | | |
| cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb, | |
| cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl, | |
| cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl, | |
| cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json, | |
| citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war, | |
| citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.intoto.jsonl, | |
| citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl, | |
| citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json, | |
| cia-dist-cloudformation/src/main/resources/cia-dist-cloudformation.json | |
| - name: Submit Dependency Release | |
| uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8 | |
| with: | |
| skip-maven-install: true # Skip Maven install since build is already done |