From eae4b1d2fdbdf6d5eb262ebba56413ff6bb34834 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Thu, 6 Jun 2024 07:42:32 +0200
Subject: [PATCH] Add Attest Build Provenance step

Addresses part of #3128

---------

Co-authored-by: Marc Philipp
---
 .github/workflows/main.yml | 10 +++++++++-
 documentation/documentation.gradle.kts | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 16f37c7b07ea..8721d505839c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -41,7 +41,8 @@ jobs:
 -Ptesting.enableJaCoCo \
 build \
 jacocoRootReport \
- prepareDocsForUploadToGhPages
+ prepareDocsForUploadToGhPages \
+ prepareGitHubAttestation
 - name: Upload to Codecov.io
 uses: codecov/codecov-action@v4
 with:
@@ -71,6 +72,9 @@ jobs:
 name: Publish Snapshot Artifacts
 needs: linux
 runs-on: ubuntu-latest
+ permissions:
+ attestations: write # required for build provenance attestation
+ id-token: write # required for build provenance attestation
 if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')
 steps:
 - name: Check out repository
@@ -84,6 +88,10 @@ jobs:
 ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
 with:
 arguments: publish -x check
+ - name: Generate build provenance attestations
+ uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+ with:
+ subject-path: documentation/build/attestation/*.jar
 update_documentation:
 name: Update Snapshot Documentation
diff --git a/documentation/documentation.gradle.kts b/documentation/documentation.gradle.kts
index bcafd6d427fa..365a9e022a76 100644
--- a/documentation/documentation.gradle.kts
+++ b/documentation/documentation.gradle.kts
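Review bot: The job-level `permissions:` block added in the `@@ -71` hunk sets every scope it does not list to `none`, so the `GITHUB_TOKEN` used by the `Check out repository` step below it no longer carries `contents: read`; that narrowing is the right default, but the checkout's requirement should be stated rather than relied on implicitly, so add `contents: read # required for actions/checkout` under `permissions:` (a checkout of this public repository may still succeed without it, which is exactly why the omission would go unnoticed until it does not). Note also that `id-token: write` is job-wide: the Gradle `publish` step, which runs the build with the Sonatype secrets from the `env:` block, can request OIDC tokens for this workflow identity just as the attest step can. If that is not intended, generating the attestation in a separate job that only downloads the jars would confine the scope; if it is accepted, a comment saying the scope is deliberately job-wide would help the next reader.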
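Review bot: The attest step's `subject-path: documentation/build/attestation/*.jar` in the `@@ -84` hunk is populated only by the Gradle task `prepareGitHubAttestation` that this patch adds to documentation.gradle.kts, but the job's Gradle invocation is the context line `arguments: publish -x check`, and nothing in the diff makes `publish` depend on that task; only the `linux` job's argument list gains it (the `@@ -41` hunk), and that job runs on a different runner. Unless the dependency is wired elsewhere, the glob is likely to match nothing in this job and the step will fail or attest nothing. Running the task in the same invocation that publishes, `arguments: publish -x check prepareGitHubAttestation`, also keeps the attested subjects identical to the files that were just published, which is the property the provenance is meant to give.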
@@ -17,6 +17,7 @@ plugins {
 id("junitbuild.testing-conventions")
 }
+val mavenizedProjects: List by rootProject
 val modularProjects: List by rootProject
 // Because we need to set up Javadoc aggregation
@@ -35,6 +36,11 @@ val standaloneConsoleLauncher = configurations.dependencyScope("standaloneConsol
 val standaloneConsoleLauncherClasspath = configurations.resolvable("standaloneConsoleLauncherClasspath") {
 extendsFrom(standaloneConsoleLauncher.get())
 }
+val attestation = configurations.dependencyScope("attestation")
+val attestationClasspath = configurations.resolvable("attestationClasspath") {
+ extendsFrom(attestation.get())
+ isTransitive = false
+}
 val tools by sourceSets.creating
 val toolsImplementation by configurations.getting
@@ -48,6 +54,10 @@ dependencies {
 // in reports generated by the ApiReportGenerator.
 modularProjects.forEach { apiReport(it) }
+ // Pull in all "mavenized projects" to ensure that they are included
+ // in the generation of build provenance attestation.
+ mavenizedProjects.forEach { attestation(it) }
+
 testImplementation(projects.junitJupiterMigrationsupport)
 testImplementation(projects.junitPlatformConsole)
 testImplementation(projects.junitPlatformRunner)
@@ -502,6 +512,11 @@ tasks {
 gitPublishCommit {
 dependsOn(configureGitAuthor)
 }
+
+ val prepareGitHubAttestation by registering(Sync::class) {
+ from(attestationClasspath)
+ into(layout.buildDirectory.dir("attestation"))
+ }
 }
 eclipse {
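Review bot: `isTransitive = false` on `attestationClasspath` in the `@@ -35` hunk carries the security meaning of this configuration and deserves a comment: with transitive resolution, third-party dependencies of the mavenized projects would land in the attestation directory and be signed as if this build had produced them. Suggested, on the line above it: `// Deliberately non-transitive: only artifacts built by this repository may receive its provenance attestation.` As far as I can tell, resolving project dependencies through a configuration with no requested attributes yields each project's primary jar only, so the published sources/javadoc jars and POMs would not be covered; if that is intended, saying so here or next to the workflow's `subject-path` would keep readers from over-reading what the attestation covers.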
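Review bot: The `prepareGitHubAttestation` task registered in the `@@ -502` hunk has no `description`, so neither `gradle tasks` nor the next maintainer learns that its output directory is what the workflow's attestation step signs. Add `description = "Collects the jars covered by the GitHub build provenance attestation into build/attestation"` inside the registration block. Choosing `Sync` over `Copy` is the right call, since it removes files in the destination that are not part of the current copy and thereby keeps stale jars from an earlier build out of the attested set; that intent is worth a one-line comment on the `registering(Sync::class)` line as well.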