Deploy #2
# Deploy workflow: publishes build artifacts either on manual dispatch or when
# invoked from another workflow.
name: "Deploy"

on:
  # Manual trigger from the Actions UI. Only principals with write access to
  # the repository can start it, but every string input below is still
  # caller-controlled text.
  # NOTE(review): among the jobs in this file, no step reads `snapshot`,
  # `release`, `signing`, `label` or `environment`; confirm they are consumed
  # elsewhere or drop them.
  workflow_dispatch:
    inputs:
      version:
        description: "Version to publish"
        type: string
        required: false
        default: "1.0-SNAPSHOT"
      repository:
        description: "Target repository"
        type: string
        required: false
        default: "gcs://elide-snapshots/repository/v3"
      logLevel:
        description: "Logging level"
        type: choice
        required: true
        default: "info"
        options:
          - "info"
          - "debug"
      snapshot:
        description: "Is this a snapshot?"
        type: boolean
        required: false
        default: true
      release:
        description: "Is this a release?"
        type: boolean
        required: false
        default: false
      signing:
        description: "Enable signing"
        type: boolean
        required: false
        default: false
      label:
        description: "Label"
        type: string
        required: false
        default: "Sandbox"
      flags:
        description: "Extra flags"
        type: string
        required: false
        default: ""
      gcs:
        description: "Is this a GCS publish?"
        type: boolean
        required: false
        default: false
      environment:
        description: "Environment target"
        type: environment
        required: true

  # Reusable-workflow entry point. Here `logLevel` is a free-form string rather
  # than the two-value choice offered on manual dispatch, and `environment` is
  # a plain string.
  workflow_call:
    inputs:
      logLevel:
        type: string
        required: false
        default: "info"
      version:
        type: string
        required: false
        default: "1.0-SNAPSHOT"
      repository:
        type: string
        required: false
        default: "gcs://elide-snapshots/repository/v3"
      snapshot:
        type: boolean
        required: false
        default: true
      release:
        type: boolean
        required: false
        default: false
      signing:
        type: boolean
        required: false
        default: false
      label:
        type: string
        required: false
        default: "Sandbox"
      flags:
        type: string
        required: false
        default: ""
      gcs:
        type: boolean
        required: false
        default: false
      environment:
        type: string
        required: true
    # All secrets are optional for callers.
    # NOTE(review): only GOOGLE_CREDENTIALS is referenced by a step in this
    # file; PUBLISH_USER, PUBLISH_PASSWORD and SIGNING_KEY are declared but
    # never passed to the Gradle invocation. Confirm how publishing
    # authenticates.
    secrets:
      PUBLISH_USER:
        required: false
      PUBLISH_PASSWORD:
        required: false
      GOOGLE_CREDENTIALS:
        required: false
      SIGNING_KEY:
        required: false
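jobs:
  # Builds and publishes on each OS runner, then exports the SHA-256 digests
  # of ./build/libs/* as the `hashes` job output for the provenance job.
  #
  # NOTE(review): `inputs.environment` is required by both triggers, but this
  # job declares no `environment:` key, so environment protection rules and
  # environment-scoped secrets are not applied. Confirm whether
  # `environment: ${{ inputs.environment }}` was intended.
  publish:
    name: Publish
    runs-on: ${{ matrix.runner }}
    # NOTE(review): `id-token: write` lets the job mint OIDC tokens, yet the
    # only auth step visible here uses a JSON key. Keep this scope only if
    # something actually consumes the token.
    permissions:
      id-token: write
      contents: read
      packages: write
    # NOTE(review): every matrix leg writes the same `hashes` output, so only
    # one leg's value reaches the provenance job. Confirm which platform's
    # artifacts the attestation is meant to cover.
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    strategy:
      fail-fast: false
      matrix:
        runner: [macOS-latest, windows-latest, ubuntu-latest]
        include:
          - runner: macOS-latest
            flags: "--no-configuration-cache"
            os: "macos"
            label: "Darwin"
            gvm: ${{ vars.GVM_VERSION }}
            java: ${{ vars.JVM_VERSION }}
            target: publishMac
          - runner: windows-latest
            flags: "--no-configuration-cache"
            os: "windows"
            label: "Windows"
            gvm: ${{ vars.GVM_VERSION }}
            java: ${{ vars.JVM_VERSION }}
            target: publishWindows
          - runner: ubuntu-latest
            flags: "--no-configuration-cache"
            os: "linux"
            label: "Linux"
            gvm: ${{ vars.GVM_VERSION }}
            java: ${{ vars.JVM_VERSION }}
            target: publishLinux
    # NOTE(review): every third-party action below is referenced by a mutable
    # tag (@v1/@v2/@v3). In a job that holds packages: write, id-token: write
    # and cloud credentials, pin each one to a full commit SHA, e.g.
    # `uses: owner/action@<full-commit-sha>  # vX.Y.Z` (placeholder; take the
    # SHA from the action's release).
    steps:
      - name: "Setup: Checkout"
        uses: actions/checkout@v3
      # NOTE(review): this restores cache entries (prefix match through
      # restore-keys) into a job that publishes artifacts. A poisoned entry
      # written by a less-trusted workflow run would flow into the release;
      # consider skipping cache restore on publish runs.
      - name: "Setup: Cache"
        uses: buildjet/cache@v3
        with:
          key: ${{ runner.os }}-gradle-v2-${{ hashFiles('gradle/libs.versions.toml', '*.lockfile') }}
          restore-keys: |
            ${{ runner.os }}-gradle-v2-
          path: |
            ~/.sonar/cache
            ~/.konan
      # NOTE(review): this authenticates with a long-lived service-account JSON
      # key. The job already has `id-token: write`, so the action's keyless
      # inputs (`workload_identity_provider` + `service_account`) could replace
      # the stored key.
      - id: 'auth'
        name: "Setup: GCS"
        if: ${{ inputs.gcs == true }}
        uses: "google-github-actions/auth@v1"
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
      - name: 'Set up Cloud SDK'
        if: ${{ inputs.gcs == true }}
        uses: 'google-github-actions/setup-gcloud@v1'
        with:
          version: '${{ vars.GCLOUD_VERSION }}'
      - name: "Setup: Zulu 20"
        uses: buildjet/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: '20'
      # NOTE(review): `--dependency-verification=lenient` makes Gradle log
      # checksum/signature verification failures without failing the build;
      # for a publishing run, strict mode is the safer setting.
      # `inputs.flags` and, for workflow_call callers, `inputs.logLevel` are
      # spliced into the argument list unvalidated, so a caller can add
      # arbitrary Gradle options.
      - name: "Publish (${{ matrix.label }})"
        uses: gradle/gradle-build-action@v2
        id: publish
        with:
          cache-read-only: true
          gradle-version: wrapper
          gradle-home-cache-cleanup: true
          dependency-graph: generate-and-submit
          gradle-home-cache-excludes: |
            caches/build-cache-1
            caches/keyrings
          arguments: |
            ${{ matrix.target }}
            --scan
            --no-daemon
            --warning-mode=none
            --dependency-verification=lenient
            -Pci=true
            -PVERSION="${{ inputs.version }}"
            -PREPOSITORY="${{ inputs.repository }}"
            --${{ inputs.logLevel }}
            ${{ inputs.flags }}
            ${{ matrix.flags }}
      # Emits the base64-encoded `sha256sum` listing that the SLSA generator
      # takes as its subject list.
      # NOTE(review): no `shell:` is set, so the Windows leg runs this under
      # its default shell, and `base64 -w0` is GNU syntax. Verify this step on
      # the macOS and Windows runners.
      - name: "Build: Provenance Subject"
        id: hash
        run: |
          echo "hashes=$(sha256sum ./build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT"
      - name: "Artifacts: Libraries"
        uses: actions/upload-artifact@v3
        if: failure() || success()
        with:
          name: libraries
          path: |
            build/libs/
            build/spdx/
      - name: "Artifacts: Reports"
        uses: actions/upload-artifact@v3
        if: failure() || success()
        with:
          name: reports
          path: |
            build/reports/

  ## Report: Provenance
  # Generates SLSA provenance for the digests exported by `publish`.
  # `contents: write` is needed because `upload-assets` is enabled.
  # NOTE(review): this reusable workflow is referenced by release tag; the
  # generator's documentation asks for a tag ref rather than a SHA. Confirm
  # before changing the pin style.
  provenance:
    name: Provenance
    needs: [publish]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
    with:
      # Fixed: the original read `needs.build.outputs.hashes`, but the upstream
      # job id is `publish`. There is no `build` job, so the expression
      # resolved to an empty subject list.
      base64-subjects: "${{ needs.publish.outputs.hashes }}"
      upload-assets: true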