update CONTRIBUTING.md to include signed artifact github upload (#73)
* Delete .github/workflows/codeql.yml

* remove codeql workflow - it's configured through settings

* fix javadoc

* remove codeql workflow - it's configured through settings

* fix javadoc

* update CONTRIBUTING.md

---------

Co-authored-by: carmine <[email protected]>
cdimascio and carmine authored Sep 1, 2024
1 parent 8c0b9c5 commit d216732
Showing 1 changed file with 63 additions and 17 deletions.
80 changes: 63 additions & 17 deletions CONTRIBUTING.md
Expand Up @@ -41,32 +41,42 @@ Run the following to ensure the package step succeeds.
mvn clean test jacoco:report package
```

### Publish to MavenCentral

Contributors are not responsible for deploying to mavencentral.
## Release Process

**Maven Central**

- Publish with Maven - https://central.sonatype.org/publish/publish-maven/
- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/
- https://oss.sonatype.org/#profile;User%20Token
- get oss.sonatype token

To publish a gpg key:
### Build

Build sources and javadoc
```shell
gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1
````
mvn clean test jacoco:report package
```

where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key
Generate signed artifacts locally
```shell
mvn verify -P release-sign-artifacts -DperformRelease=true
```

### Publish to Maven Central

Deploy
```shell
mvn clean test jacoco:report package deploy -DperformRelease=true
```
When first publishing to staging repos, you most close and release from OSS Sonatype. To do this
- navigate to https://oss.sonatype.org/#stagingRepositories
- select repository
- press the `close` button
- press the `release` button

#### Artifacts upload
- Upload change log
```shell
gh release create v3.0.1 -F CHANGELOG.md
```

Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release`

- Attach 'signed' artifacts (needed for OpenSSF Security Score)
```shell
gh release upload target/*.jar.asc --clobber
```
### Publish to Github Packages

_Note: This step can only be run by maintainers._
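Review bot: the upload command under "Artifacts upload" is missing its required tag argument; `gh release upload` takes the release tag as its first positional argument, so `gh release upload target/*.jar.asc --clobber` fails as written and should read `gh release upload v3.0.1 target/*.jar.asc --clobber` (better, use a `v<version>` placeholder in both the `create` and `upload` lines instead of hard-coding `v3.0.1`). Consider also attaching the signed jars themselves and not only the detached `.asc` signatures: a signature asset with nothing beside it to verify against gives consumers no way to check what they downloaded, and a short verification line such as `gpg --verify <artifact>.jar.asc <artifact>.jar` would document what the signatures are for. Typo in the staging paragraph: "you most close and release" should be "you must close and release".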
Expand All @@ -88,13 +98,49 @@ Add `distributionManagement` to `pom.xml`
mvn deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX
# or
mvn clean test jacoco:report package deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX
```

## Notes


### Publish to MavenCentral

Contributors are not responsible for deploying to mavencentral.

**Maven Central**

- Publish with Maven - https://central.sonatype.org/publish/publish-maven/
- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/
- https://oss.sonatype.org/#profile;User%20Token
- get oss.sonatype token

To publish a gpg key:

```shell
gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1
````
where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key
```shell
mvn clean test jacoco:report package deploy -DperformRelease=true
```
Generate signed artifacts locally without deploying
```shell
mvn verify -P release-sign-artifacts -DperformRelease=true
```
Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release`
https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-apache-maven-for-use-with-github-packages
OpenSSF Security Scorecard
### OpenSSF Security Scorecard
- Get Analysis Result: https://api.securityscorecards.dev/#/results/getResult
- Step Security - Secure Your Repo Analysis + auto PR - https://app.stepsecurity.io/securerepo
- Step Security - For Repo - https://app.stepsecurity.io/github/cdimascio/actions/dashboard
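Review bot: the new "Notes" section duplicates commands already given under "Release Process" (`mvn clean test jacoco:report package deploy -DperformRelease=true` and `mvn verify -P release-sign-artifacts -DperformRelease=true`), and the deploy command appears here with no sentence introducing it, directly after the public-key sentence; keep one copy under Release Process and reduce Notes to the reference links. Also, the `gpg --send-keys` block opens with a three-backtick shell fence but closes with four backticks, which should be three for consistency; the bare "OpenSSF Security Scorecard" text line right before the `### OpenSSF Security Scorecard` heading looks like a leftover and should go; and the GitHub Packages docs URL would read better as a labelled bullet under "Publish to Github Packages" than as an unlabelled line in Notes. The surrounding examples pass the registry token as `-Dtoken=XXXX` on the command line; a follow-up could point maintainers at a server entry in `~/.m2/settings.xml` or an environment variable so the token does not end up in shell history.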
