fix: Update Security guide (#609) #13

Workflow file for this run

.github/workflows/publish-release.yml at d5f0cb5

	name: Create Release & Upload Asset

	on:
	push:
	tags:
	- "v*"

	permissions:
	contents: read

	jobs:
	# Build LPVS
	build:
	runs-on: ubuntu-latest
	name: Build LPVS
	outputs:
	artifacts: ${{ steps.build.outputs.artifacts }}
	hashes: ${{ steps.hash.outputs.hashes }}
	version: ${{ steps.lpvs_version.outputs.version }}

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
	with:
	egress-policy: audit

	- name: Checkout repository
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Set up JDK 17
	uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
	with:
	java-version: '17'
	distribution: 'temurin'
	cache: maven

	- name: Build using maven
	id: build
	run: \|
	# Your normal build workflow targets here
	# mvn clean package
	mvn -B package --file pom.xml

	# Save the location of the maven output files for easier reference
	ARTIFACT_PATTERN=./target/$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)*.jar
	echo "artifact_pattern=$ARTIFACT_PATTERN" >> "$GITHUB_OUTPUT"

	- name: Generate subject
	id: hash
	run: \|
	echo "hashes=$(sha256sum ${{ steps.build.outputs.artifact_pattern }} \| base64 -w0)" >> "$GITHUB_OUTPUT"

	- name: Get LPVS version
	id: lpvs_version
	run: \|
	VERSION=${{ github.ref_name }}
	echo "version=lpvs-${VERSION:1}.jar" >> "$GITHUB_OUTPUT"

	- name: Upload build artifacts
	uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
	with:
	name: ${{ steps.lpvs_version.outputs.version }}
	path: ./target/${{ steps.lpvs_version.outputs.version }}
	if-no-files-found: error

	# Create Release
	create-release:
	permissions:
	contents: write # for marvinpinto/action-automatic-releases to generate pre-release
	needs: [build]
	name: Create Release
	runs-on: "ubuntu-latest"

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
	with:
	egress-policy: audit

	- uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1 # latest
	with:
	repo_token: "${{ secrets.GITHUB_TOKEN }}"
	prerelease: false
	title: "LPVS ${{ github.ref_name }}"

	# Generate Provenance
	provenance:
	needs: [build, create-release]
	name: Generate Provenance
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to a release.
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
	with:
	base64-subjects: "${{ needs.build.outputs.hashes }}"
	upload-assets: true # Optional: Upload to a new release

	# Upload Assets
	release:
	permissions:
	contents: write # for softprops/action-gh-release to create GitHub release
	needs: [build, create-release, provenance]
	name: Upload Assets
	runs-on: ubuntu-latest
	if: startsWith(github.ref, 'refs/tags/')
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
	with:
	egress-policy: audit

	- name: Download ${{ needs.build.outputs.version }}
	uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
	with:
	name: ${{ needs.build.outputs.version }}

	- name: Upload assets
	uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
	with:
	files: \|
	${{ needs.build.outputs.version }}

	# Publish package to GitHub Packages
	publish_package:
	name: Publish package to GitHub Packages
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
	with:
	egress-policy: audit
	- name: Checkout repository
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- name: Set up JDK 17
	uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
	with:
	java-version: '17'
	distribution: 'temurin'
	- name: Publish package
	run: mvn --batch-mode deploy
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	# Publish Docker Image to ghcr.io
	publish_docker_image:
	name: Publish Docker Image to ghcr.io
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
	with:
	egress-policy: audit

	- name: Check out the repo
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Log in to the Container registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: ghcr.io/${{ github.repository }}

	- name: Build and push Docker image
	uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
	with:
	context: .
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Update Security guide (#609) #13

Workflow file

fix: Update Security guide (#609) #13

Jobs

Run details

Workflow file for this run