github-actions: enable provenance for the jar files (#3594)

elastic · Apr 25, 2024 · 9b0c70a · 9b0c70a
1 parent 08188e6
commit 9b0c70a
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 2 deletions.
diff --git a/.buildkite/release.yml b/.buildkite/release.yml
@@ -2,13 +2,17 @@ agents:
   provider: "gcp"
   image: "family/apm-agent-java-ubuntu-2204"
 
+env:
+  TARBALL_FILE: ${TARBALL_FILE:-artifacts.tar}
+
 steps:
   - label: "Run the release"
     key: "release"
     commands: .ci/release.sh
     artifact_paths:
       - "release.txt"
       - "**/target/*"
+      - "${TARBALL_FILE}"
 
 notify:
   - slack: "#apm-agent-java"

diff --git a/.buildkite/snapshot.yml b/.buildkite/snapshot.yml
@@ -2,13 +2,17 @@ agents:
   provider: "gcp"
   image: "family/apm-agent-java-ubuntu-2204"
 
+env:
+  TARBALL_FILE: ${TARBALL_FILE:-artifacts.tar}
+
 steps:
   - label: "Run the snapshot"
     key: "release"
     commands: .ci/snapshot.sh
     artifact_paths:
       - "snapshot.txt"
       - "**/target/*"
+      - "${TARBALL_FILE}"
 
 notify:
   - slack: "#apm-agent-java"

diff --git a/.ci/release.sh b/.ci/release.sh
@@ -32,3 +32,9 @@ fi
 
 echo "--- Deploy the release :package: [./mvnw $GOAL)] $DRY_RUN_MSG"
 ./mvnw -V -s .ci/settings.xml -Pgpg clean $GOAL -DskipTests --batch-mode | tee release.txt
+
+echo "--- Archive the target folder with jar files"
+echo 'gather artifacts'
+.ci/published-artifacts-list.sh | tee artifacts.list
+echo 'create tarbal'
+tar -cvf "${TARBALL_FILE:-artifacts.tar}" -T artifacts.list
diff --git a/.ci/scripts/published-artifacts-list.sh b/.ci/scripts/published-artifacts-list.sh
@@ -1,4 +1,4 @@
-#!/bin/env bash
+#!/usr/bin/env bash
 
 targets="$(find . -type d -name 'target'|grep -v apm-agent-plugins|grep -v integration-tests|sort)"
 

diff --git a/.ci/snapshot.sh b/.ci/snapshot.sh
@@ -34,3 +34,9 @@ fi
 
 echo "--- Deploy the snapshot :package: [./mvnw $GOAL)] $DRY_RUN_MSG"
 ./mvnw -V -s .ci/settings.xml -Pgpg clean $GOAL -DskipTests --batch-mode | tee snapshot.txt
+
+echo "--- Archive the target folder with jar files"
+echo 'gather artifacts'
+.ci/published-artifacts-list.sh | tee artifacts.list
+echo 'create tarbal'
+tar -cvf "${TARBALL_FILE:-artifacts.tar}" -T artifacts.list
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -74,6 +74,11 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - validate-tag
+    permissions:
+      contents: write
+      id-token: write
+    env:
+      TARBALL_FILE: artifacts.tar
     steps:
       - id: buildkite
         continue-on-error: true
@@ -86,8 +91,23 @@ jobs:
           pipeline: apm-agent-java-release
           waitFor: true
           printBuildLogs: false
+          artifactName: releases
+          artifactPath: ${{ env.TARBALL_FILE }}
           buildEnvVars: |
             dry_run=${{ inputs.dry_run || 'false' }}
+            TARBALL_FILE=${{ env.TARBALL_FILE }}
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: releases
+
+      - name: untar the buildkite tarball
+        run: tar xvf ${{ env.TARBALL_FILE }}
+
+      - name: generate build provenance
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/**/target/*.jar"
 
   await-maven-central-artifact:
     name: "Wait for artifacts to be available on maven central"

diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
@@ -38,6 +38,11 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - validate
+    permissions:
+      contents: write
+      id-token: write
+    env:
+      TARBALL_FILE: artifacts.tar
     if: ${{ contains(needs.validate.outputs.is-snapshot, 'true') }}
     steps:
       - id: buildkite
@@ -48,10 +53,26 @@ jobs:
           vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
           vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
           pipeline: apm-agent-java-snapshot
-          waitFor: false
+          pipelineBranch: ${{ github.ref_name }}
+          artifactName: snapshots
+          artifactPath: ${{ env.TARBALL_FILE }}
+          waitFor: true
           printBuildLogs: false
           buildEnvVars: |
             dry_run=${{ inputs.dry_run || 'false' }}
+            TARBALL_FILE=${{ env.TARBALL_FILE }}
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: snapshots
+
+      - name: untar the buildkite tarball
+        run: tar xvf ${{ env.TARBALL_FILE }}
+
+      - name: generate build provenance
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/**/target/*.jar"
 
       - if: ${{ failure() }}
         uses: elastic/apm-pipeline-library/.github/actions/slack-message@current