
[feature][gradle] Update Action

Open · laurentsimon opened this issue 1 year ago · 1 comment

The current Action https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml

  • checks out the repo https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L37, which should not be necessary
  • expects the attestations to be in a specific folder https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L59
  • doesn't download the provenance automatically, unlike the nodejs one https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/nodejs/publish/action.yml#L64-L84

Can we make some updates to make it easier for users to publish by downloading the provenance in the Action?

Something I'm not sure about: does the publish also publish the package? If not, how will users do it?

@AdamKorcz @ianlewis wdyt?

laurentsimon · Jul 25 '23 03:07

TLDR: I think we should solve all three points raised by @laurentsimon. I should be able to do all by the weekend.

checks out the repo https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L37, which should not be necessary

Yes, I believe this can be avoided. I will have a look at this and should have it fixed by the weekend.

expects the attestations to be in a specific folder https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L59

I believe this is a fair requirement, but the publisher can also do it for the user.

doesn't download the provenance automatically, unlike the nodejs one https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/nodejs/publish/action.yml#L64-L84

This is related to the previous point of expecting the provenance to be in a specific folder, which the publisher can do. I think we can set it up fairly fast so the publisher downloads it and places it in the correct folder.

Something I'm not sure about: does the publish also publish the package? If not, how will users do it?

Yes. The publisher will publish the artifacts from the ./build directory, which is the default output directory for Gradle artifacts.

AdamKorcz · Jul 26 '23 22:07