From c728df361c1da29b82536af95cdd4fc3fb17a07b Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 11:12:47 +0200
Subject: [PATCH 01/11] Add Attest Build Provenance step
---
.github/workflows/main.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 16f37c7b07ea..66171742e547 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -85,6 +85,24 @@ jobs:
with:
arguments: publish -x check
+ attest_artifacts:
+ name: Attest Build Provenance
+ needs: linux
+ runs-on: ubuntu-latest
+ permissions:
+ attestations: write
+ id-token: write
+ if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - name: Generate provenance attestations
+ uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+ with:
+ subject-path: '**/build/libs/*.jar'
+
update_documentation:
name: Update Snapshot Documentation
concurrency:
From e15ae62eedecbb08f87d8930412129be547f1214 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 11:17:37 +0200
Subject: [PATCH 02/11] Always run attestation step
---
.github/workflows/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 66171742e547..c47c37c22816 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
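Review bot: The attest_artifacts job runs actions/attest-build-provenance against `**/build/libs/*.jar` straight after `actions/checkout`, but no step in this job builds anything or downloads the Linux job's outputs, so the glob presumably matches no files in this workspace and the step has no subject (the action's behaviour on an empty match should be confirmed). Provenance is only worth something when it is produced in the job that built the bytes, or over artifacts handed across jobs with actions/upload-artifact and actions/download-artifact; as written it cannot vouch for what the Linux job produced. Either move the step into the job that runs the Gradle build or add an upload/download pair before attesting.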
@@ -92,7 +92,7 @@ jobs:
permissions:
attestations: write
id-token: write
- if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')
+ # if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')
steps:
- name: Check out repository
uses: actions/checkout@v4
From 61223490057f4f452976d430a7a907fadabe0243 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 11:26:42 +0200
Subject: [PATCH 03/11] Include attestation in default build job
---
.github/workflows/main.yml | 26 +++++++-------------------
1 file changed, 7 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c47c37c22816..3e8a4bbc2d91 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -17,7 +17,9 @@ jobs:
Linux:
runs-on: ubuntu-latest
permissions:
- contents: write # required for submitting a dependency graph
+ contents: write # required for submitting a dependency graph
+ attestations: write # required for build provenance attestation
+ id-token: write # required for build provenance attestation
steps:
- name: Check out repository
uses: actions/checkout@v4
@@ -42,6 +44,10 @@ jobs:
build \
jacocoRootReport \
prepareDocsForUploadToGhPages
+ - name: Generate build provenance attestations
+ uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+ with:
+ subject-path: '**/build/libs/*.jar'
- name: Upload to Codecov.io
uses: codecov/codecov-action@v4
with:
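Review bot: With the `if:` guard commented out, attest_artifacts runs on every event this workflow is triggered by, including pull_request; to my knowledge GitHub does not grant `id-token: write` to runs for pull requests from forks, so the attestation step will fail there and the whole run goes red, and for in-repo pull requests it would sign provenance for code that has not been merged. If the guard was disabled only to try the step out, restore `if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')` before merge, or add a comment above the step saying why attestation should run for every event.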
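Review bot: The `@@ -17,7 +17,9` hunk grants `attestations: write` and `id-token: write` to the whole Linux job, which has no event or branch guard of its own, so if the workflow is also triggered on pull_request (the `on:` block is outside these hunks) the step added in the `@@ -42,6 +44,10` hunk runs for pull requests as well; fork PRs get no OIDC token and the step fails, and the job holds write permissions it only needs on trusted branches. A step-level condition keeps attestation on the release branches, e.g. `if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')` on the new step. Separately, `subject-path: '**/build/libs/*.jar'` matches every jar under any build/libs directory, including test-fixture or tooling jars that are never published; restricting the glob to the modules that are published keeps the attested set equal to the released set.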
@@ -85,24 +91,6 @@ jobs:
with:
arguments: publish -x check
- attest_artifacts:
- name: Attest Build Provenance
- needs: linux
- runs-on: ubuntu-latest
- permissions:
- attestations: write
- id-token: write
- # if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')
- steps:
- - name: Check out repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 1
- - name: Generate provenance attestations
- uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
- with:
- subject-path: '**/build/libs/*.jar'
-
update_documentation:
name: Update Snapshot Documentation
concurrency:
From a5cd88634cd095bca53628656a4012d1bd8286d2 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 12:36:21 +0200
Subject: [PATCH 04/11] Reduce attestation to a single artifact for the time being
---
.github/workflows/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3e8a4bbc2d91..0b79f4320951 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -47,7 +47,7 @@ jobs:
- name: Generate build provenance attestations
uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
with:
- subject-path: '**/build/libs/*.jar'
+ subject-path: 'junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar'
- name: Upload to Codecov.io
uses: codecov/codecov-action@v4
with:
From 937292691a07d058d10c603bd283de1112e24c58 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 12:50:15 +0200
Subject: [PATCH 05/11] Add another artifact for build provenance attestation
---
.github/workflows/main.yml | 4 +++-
build.gradle.kts | 7 +++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0b79f4320951..1026e392881c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -47,7 +47,9 @@ jobs:
- name: Generate build provenance attestations
uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
with:
- subject-path: 'junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar'
+ subject-path: |
+ 'junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar'
+ 'junit-jupiter-api/build/libs/junit-jupiter-api-*-SNAPSHOT.jar'
- name: Upload to Codecov.io
uses: codecov/codecov-action@v4
with:
diff --git a/build.gradle.kts b/build.gradle.kts
index 048d466a4546..0a27f1442e5e 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -67,3 +67,10 @@ nohttp {
tasks.checkstyleNohttp {
notCompatibleWithConfigurationCache("https://github.com/spring-io/nohttp/issues/61")
}
+
+prepareArtifactsForAttestations by registering(Copy::class) {
+ dependsOn(build)
+ outputs.dir("build/artifacts")
+
+ from(jar)
+}
From c2e4129dd7e794e8b29ffb4df47d3b080c4774cc Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 12:54:49 +0200
Subject: [PATCH 06/11] Remove accidental change
---
build.gradle.kts | 7 -------
1 file changed, 7 deletions(-)
diff --git a/build.gradle.kts b/build.gradle.kts
index 0a27f1442e5e..048d466a4546 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -67,10 +67,3 @@ nohttp {
tasks.checkstyleNohttp {
notCompatibleWithConfigurationCache("https://github.com/spring-io/nohttp/issues/61")
}
-
-prepareArtifactsForAttestations by registering(Copy::class) {
- dependsOn(build)
- outputs.dir("build/artifacts")
-
- from(jar)
-}
From 4d677e7f54332db4a1554182171463b44fa456ff Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 15:34:44 +0200
Subject: [PATCH 07/11] Change to use YAML-list style
---
.github/workflows/main.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1026e392881c..28cfca208c61 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -47,9 +47,9 @@ jobs:
- name: Generate build provenance attestations
uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
with:
- subject-path: |
- 'junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar'
- 'junit-jupiter-api/build/libs/junit-jupiter-api-*-SNAPSHOT.jar'
+ subject-path:
+ - junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar
+ - junit-jupiter-api/build/libs/junit-jupiter-api-*-SNAPSHOT.jar
- name: Upload to Codecov.io
uses: codecov/codecov-action@v4
with:
From d17a12c34c352d29be6019155916db7d94a0db69 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 15:47:19 +0200
Subject: [PATCH 08/11] Back to GHA style, without ticks
---
.github/workflows/main.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 28cfca208c61..c9394d206420 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -47,9 +47,9 @@ jobs:
- name: Generate build provenance attestations
uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
with:
- subject-path:
- - junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar
- - junit-jupiter-api/build/libs/junit-jupiter-api-*-SNAPSHOT.jar
+ subject-path: |
+ junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar
+ junit-jupiter-api/build/libs/junit-jupiter-api-*-SNAPSHOT.jar
- name: Upload to Codecov.io
uses: codecov/codecov-action@v4
with:
From 6cc386d466f4bc1a8e7d61ddacf40bf423000852 Mon Sep 17 00:00:00 2001
From: Marc Philipp
Date: Wed, 5 Jun 2024 16:00:07 +0200
Subject: [PATCH 09/11] Add prepareGitHubAttestation task
---
documentation/documentation.gradle.kts | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/documentation/documentation.gradle.kts b/documentation/documentation.gradle.kts
index bcafd6d427fa..ef49b71c5f36 100644
--- a/documentation/documentation.gradle.kts
+++ b/documentation/documentation.gradle.kts
@@ -17,6 +17,7 @@ plugins {
id("junitbuild.testing-conventions")
}
+val mavenizedProjects: List by rootProject
val modularProjects: List by rootProject
// Because we need to set up Javadoc aggregation
@@ -35,6 +36,11 @@ val standaloneConsoleLauncher = configurations.dependencyScope("standaloneConsol
val standaloneConsoleLauncherClasspath = configurations.resolvable("standaloneConsoleLauncherClasspath") {
extendsFrom(standaloneConsoleLauncher.get())
}
+val attestation = configurations.dependencyScope("attestation")
+val attestationClasspath = configurations.resolvable("attestationClasspath") {
+ extendsFrom(attestation.get())
+ isTransitive = false
+}
val tools by sourceSets.creating
val toolsImplementation by configurations.getting
@@ -48,6 +54,10 @@ dependencies {
// in reports generated by the ApiReportGenerator.
modularProjects.forEach { apiReport(it) }
+ // Pull in all "modular projects" to ensure that they are included
+ // in reports generated by the ApiReportGenerator.
+ mavenizedProjects.forEach { attestation(it) }
+
testImplementation(projects.junitJupiterMigrationsupport)
testImplementation(projects.junitPlatformConsole)
testImplementation(projects.junitPlatformRunner)
@@ -502,6 +512,11 @@ tasks {
gitPublishCommit {
dependsOn(configureGitAuthor)
}
+
+ val prepareGitHubAttestation by registering(Sync::class) {
+ from(attestationClasspath)
+ into(layout.buildDirectory.dir("attestation"))
+ }
}
eclipse {
From 2846dd6bc4d7f6131227e24bcbe016809c4f0645 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 16:22:14 +0200
Subject: [PATCH 10/11] Let Gradle prepare a directory with all artifacts
---
.github/workflows/main.yml | 13 ++++++-------
documentation/documentation.gradle.kts | 4 ++--
2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c9394d206420..9f704046b9d8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
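Review bot: `prepareGitHubAttestation` syncs only what `attestationClasspath` resolves, and with `isTransitive = false` and no requested attributes on that configuration this is presumably a single jar per mavenized project (the target project's default/runtime variant); if the publication also ships sources and javadoc jars or other classifier artifacts, they never land in `build/attestation` and so get no provenance, which leaves consumers of those files nothing to verify against. Confirm which variant a bare project dependency added through `attestation(it)` resolves to, and if secondary artifacts are published add them to the synced set explicitly. A one-line comment on the task, `// Collects the jars that CI hands to actions/attest-build-provenance as subjects`, would also tell the next reader why this Sync exists, since nothing shown here references it. The enclosing `tasks { }` block starts outside the hunk.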
@@ -43,13 +43,8 @@ jobs:
-Ptesting.enableJaCoCo \
build \
jacocoRootReport \
- prepareDocsForUploadToGhPages
- - name: Generate build provenance attestations
- uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
- with:
- subject-path: |
- junit-jupiter/build/libs/junit-jupiter-*-SNAPSHOT.jar
- junit-jupiter-api/build/libs/junit-jupiter-api-*-SNAPSHOT.jar
+ prepareDocsForUploadToGhPages \
+ prepareGitHubAttestation
- name: Upload to Codecov.io
uses: codecov/codecov-action@v4
with:
@@ -92,6 +87,10 @@ jobs:
ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
with:
arguments: publish -x check
+ - name: Generate build provenance attestations
+ uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+ with:
+ subject-path: documentation/build/attestation/*.jar
update_documentation:
name: Update Snapshot Documentation
diff --git a/documentation/documentation.gradle.kts b/documentation/documentation.gradle.kts
index ef49b71c5f36..365a9e022a76 100644
--- a/documentation/documentation.gradle.kts
+++ b/documentation/documentation.gradle.kts
@@ -54,8 +54,8 @@ dependencies {
// in reports generated by the ApiReportGenerator.
modularProjects.forEach { apiReport(it) }
- // Pull in all "modular projects" to ensure that they are included
- // in reports generated by the ApiReportGenerator.
+ // Pull in all "mavenized projects" to ensure that they are included
+ // in the generation of build provenance attestation.
mavenizedProjects.forEach { attestation(it) }
testImplementation(projects.junitJupiterMigrationsupport)
From 8dcedb5f356a7098fa4c6cef54d006b65b378010 Mon Sep 17 00:00:00 2001
From: Christian Stein
Date: Wed, 5 Jun 2024 16:34:09 +0200
Subject: [PATCH 11/11] Move permissions to correct job
---
.github/workflows/main.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9f704046b9d8..8721d505839c 100644
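Review bot: The step added after `arguments: publish -x check` in the `@@ -92,6 +87,10` hunk points `subject-path` at `documentation/build/attestation/*.jar`, but that directory is produced by the `prepareGitHubAttestation` task, which this job never runs: the task is only on the Gradle command line of the Linux job (the `@@ -43,13 +43,8` hunk), and the publish job depends on that job (`needs: linux`) with its own checkout rather than sharing its build tree. Unless `publish` depends on `prepareGitHubAttestation` somewhere not shown, the glob matches nothing here and the step fails or attests an empty set. Running the task in the same Gradle invocation that publishes, `arguments: publish -x check prepareGitHubAttestation`, also guarantees that the attested bytes are the ones that were uploaded, which is the property the attestation is meant to prove.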
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -17,9 +17,7 @@ jobs:
Linux:
runs-on: ubuntu-latest
permissions:
- contents: write # required for submitting a dependency graph
- attestations: write # required for build provenance attestation
- id-token: write # required for build provenance attestation
+ contents: write # required for submitting a dependency graph
steps:
- name: Check out repository
uses: actions/checkout@v4
@@ -74,6 +72,9 @@ jobs:
name: Publish Snapshot Artifacts
needs: linux
runs-on: ubuntu-latest
+ permissions:
+ attestations: write # required for build provenance attestation
+ id-token: write # required for build provenance attestation
if: github.event_name == 'push' && github.repository == 'junit-team/junit5' && (startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main')
steps:
- name: Check out repository
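Review bot: The job-level `permissions:` block added to Publish Snapshot Artifacts in the `@@ -74,6 +72,9` hunk lists only `attestations: write` and `id-token: write`, and a job-level block sets every unlisted scope to `none`, including `contents`; the README example for actions/attest-build-provenance includes `contents: read` alongside those two, and the `actions/checkout@v4` step below now runs with a token that has no contents scope, which should be confirmed to still work for this repository. Adding `contents: read  # required for checkout and attest-build-provenance` to the new block keeps the job at the least-privilege set the action expects. Removing the write scopes from the Linux job in the first hunk is the right move, since that job presumably also runs for pull requests.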