Merge pull request #4 from IABTechLab/timestamp-update-1773709229 #4
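# Builds the project JAR on pushes to main (or on manual dispatch), records a
# signed SLSA build-provenance attestation for it, and uploads the JAR together
# with the attestation bundle as a workflow artifact.
name: Build & Sign JAR with Provenance (Java 21)

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  workflow_dispatch:

# Least-privilege token scopes: the job reads the repository, mints an OIDC
# token for keyless signing, and writes attestations — nothing else.
permissions:
  contents: read
  id-token: write # required for GitHub OIDC keyless signing
  attestations: write

env:
  # Single source of truth for the built artifact; every step below reads this
  # instead of repeating the literal path.
  ARTIFACT: target/demo-oidc-java-1.0.0.jar

jobs:
  build:
    runs-on: ubuntu-latest
    # NOTE(review): the third-party actions below are pinned to mutable tags.
    # Pinning each `uses:` to a full commit SHA (with the tag in a trailing
    # comment) keeps a retagged release from changing what runs in this job.
    steps:
      # 1️⃣ Checkout code
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # 2️⃣ Set up Java 21
      - name: Set up Java 21
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'

      # 3️⃣ Build Maven project
      - name: Build with Maven
        run: mvn -B -DskipTests package

      # 4️⃣ Ensure artifact exists (fail if missing)
      - name: Check JAR exists
        run: |
          if [ ! -f "$ARTIFACT" ]; then
            echo "ERROR: $ARTIFACT not found!"
            exit 1
          fi

      # 5️⃣ Install Cosign (required internally by provenance action)
      - name: Install Cosign
        uses: sigstore/cosign-installer@v4.0.0
        with:
          cosign-release: "v3.0.2"

      # 6️⃣ Generate and sign SLSA provenance for the JAR
      # The step id is needed so the upload step can read the `bundle-path`
      # output that points at the generated attestation bundle.
      - name: Generate and sign build provenance
        id: provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: ${{ env.ARTIFACT }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # 7️⃣ Upload artifacts (JAR + signed provenance)
      # The attestation action does not write a `<jar>.provenance.json` next to
      # the subject; the bundle lives at the path in its `bundle-path` output.
      # `if-no-files-found: error` makes a missing bundle fail the job instead
      # of silently uploading only the JAR (upload-artifact defaults to `warn`).
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build-artifacts
          if-no-files-found: error
          path: |
            ${{ env.ARTIFACT }}
            ${{ steps.provenance.outputs.bundle-path }}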