Fixes the Gradle builds #2727

I think the first attempt to fix (now reverted) was mostly correct, but in this PR I correct the directory comparison conditional.

- #3083
- #3089

Also adds some documentation for handling multi-project builds, which seem to now be the default when initializing a new Gradle app.

- https://docs.gradle.org/current/samples/sample_building_java_applications.html#review_the_project_files

## Testing

Tested against my own sample project

* https://github.com/ramonpetgrave64/my-example-gradle-project/pull/1/files/af3b52a88d6bf053d04f3456a8bb78f6d32c4061
* https://github.com/ramonpetgrave64/my-example-gradle-project/actions/runs/7850051301

Modified the `slsa-framework/example-package` e2e tests against my own fork. The actual builds and provenance generation succeed, except for the verify stage, which should fail because my fork `https://github.com/ramonpetgrave64/slsa-github-generator/.github/workflows/builder_gradle_slsa3.yml@refs/heads/main` is not a "trusted builder".

* ebffcc9
* main...ramonpetgrave64:slsa-github-generator:67a2f7b7efb421e55c3a787161d5968681f3db15
* https://github.com/ramonpetgrave64/example-package/actions/runs/7850413736/job/21425770965

---------

Signed-off-by: Ramon Petgrave <[email protected]>
1 parent a39709d, commit b097318. Showing 4 changed files with 40 additions and 3 deletions.
@@ -19,6 +19,7 @@ workflow the "Gradle builder" from now on. | |
- [Limitations](#limitations) | ||
- [Generating Provenance](#generating-provenance) | ||
- [Getting Started](#getting-started) | ||
- [Multi-Project Builds](#multi-project-builds) | ||
- [Private Repositories](#private-repositories) | ||
- [Verification](#verification) | ||
|
||
|
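Review bot: the new `- [Multi-Project Builds](#multi-project-builds)` entry is placed at the same list level as `Getting Started` and `Private Repositories`, which are `###` headings, but the section this diff introduces is `#### Multi-Project Builds`, which nests it under Getting Started. Either indent the TOC entry under Getting Started or promote the heading to `###` so the table of contents matches the document structure; the `#multi-project-builds` anchor itself is correct for that heading text.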
@@ -53,6 +54,7 @@ The Gradle builder currently has the following limitations: | |
|
||
1. The project must be buildable by way of `./gradlew build`. If you need the option for flags, profiles or something else to define more granular builds, please open an issue. | ||
2. The project must include a gradle wrapper (`gradlew`). The Gradle builder does not include an installation of gradle. | ||
3. The project's build scripts must place the artifacts into `./build`, relative to the `directory` workflow input. If you are doing [multi-project builds](https://docs.gradle.org/current/userguide/intro_multi_project_builds.html), you may need to follow the [example below](#multi-project-builds) | ||
|
||
## Generating Provenance | ||
|
||
|
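Review bot: the sentence appended to limitation 3 ends without a period after `[example below](#multi-project-builds)`, unlike the two limitations above it. The same item says artifacts must land in `./build` "relative to the `directory` workflow input", while the Getting Started text further down says `artifact-list` paths are "relative from the root of your project directory"; these only agree when `directory` is the repository root, so it would help to state in one place which base the builder actually uses.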
@@ -83,13 +85,42 @@ jobs: | |
actions: read | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
with: | ||
artifact-list: ./artifact1.jar,./artifact2.jar | ||
artifact-list: >- | ||
./build/artifact1.jar, | ||
./build/artifact2.jar | ||
``` | ||
Now, when you invoke this workflow, the Gradle builder will build both your artifacts and the provenance files for them. | ||
The Gradle builder requires you to specify the artifacts that you wish to attest to. To do so, you add a comma-separated list of paths to the artifacts as shown in the example. The paths are relative from the root of your project directory. | ||
#### Multi-Project Builds | ||
If you are using [multi-project builds](https://docs.gradle.org/current/userguide/intro_multi_project_builds.html), where each of your sub-projects' `src` are in separate subfolders, then you will need to add a task to copy over the artifact files to the root `./build` folder. | ||
|
||
See this example to add to your sub-projects' `build.gradle.kts` file. | ||
|
||
```kotlin | ||
tasks.register<Copy>("copySubProjectBuild") { | ||
from(layout.buildDirectory) | ||
into("${rootProject.projectDir}/build/${project.name}") | ||
} | ||
tasks.named("build") { | ||
finalizedBy("copySubProjectBuild") | ||
} | ||
``` | ||
|
||
This, for example, will move `./app1/build/` and `./app2/build/` to `./build/app1/` and `./build/app2/`. You must then alter your input to `artifact-list`. | ||
|
||
```yaml | ||
... | ||
artifact-list: >- | ||
./build/app1/libs/app.jar, | ||
./build/app2/libs/app.jar, | ||
... | ||
``` | ||
|
||
### Private Repositories | ||
|
||
The builder records all provenance signatures in the [Rekor](https://github.com/sigstore/rekor) public transparency log. This record includes the repository name. To acknowledge you're aware that your repository name will be public, set the flag `rekor-log-public: true` when calling the builder: | ||
|
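Review bot: `tasks.register<Copy>("copySubProjectBuild")` copies rather than moves, so the prose `This, for example, will move ./app1/build/ and ./app2/build/ to ...` should say copy; the sub-projects' own `build/` directories remain in place. Two further points on the snippet: `from(layout.buildDirectory)` copies the entire build output (classes, tmp, reports, test results) into the root `./build/<project>`, when only the jars under `libs/` are referenced by `artifact-list`, so `from(layout.buildDirectory.dir("libs"))` with `into("${rootProject.projectDir}/build/${project.name}/libs")` would keep the copied tree to the artifacts being attested; and because a `finalizedBy` task runs even when the finalized `build` task fails, the copy happens regardless of build outcome, which deserves a sentence so readers do not treat files under `./build` as evidence that `./gradlew build` succeeded.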