From d2167329ee87d1d7e47e8fd2fa6fb1ceec24b447 Mon Sep 17 00:00:00 2001 From: Carmine DiMascio Date: Sun, 1 Sep 2024 09:16:20 -0400 Subject: [PATCH] update CONTRIBUTING.md to include signed artifact github upload (#73) * Delete .github/workflows/codeql.yml * remove codeql workflow - it's configured through settings * fix javadoc * remove codeql workflow - it's configured through settings * fix javadoc * update CONTRIBUTING.md --------- Co-authored-by: carmine --- CONTRIBUTING.md | 80 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 63 insertions(+), 17 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 653d3b4..8144235 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md
@@ -41,32 +41,42 @@ Run the following to ensure the package step succeeds. mvn clean test jacoco:report package ``` -### Publish to MavenCentral - -Contributors are not responsible for deploying to mavencentral. +## Release Process -**Maven Central** - -- Publish with Maven - https://central.sonatype.org/publish/publish-maven/ -- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/ -- https://oss.sonatype.org/#profile;User%20Token - - get oss.sonatype token - -To publish a gpg key: +### Build +Build sources and javadoc ```shell -gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1 -```` +mvn clean test jacoco:report package +``` -where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key +Generate signed artifacts locally +```shell +mvn verify -P release-sign-artifacts -DperformRelease=true +``` +### Publish to Maven Central +Deploy ```shell mvn clean test jacoco:report package deploy -DperformRelease=true ``` +When first publishing to staging repos, you most close and release from OSS Sonatype. To do this +- navigate to https://oss.sonatype.org/#stagingRepositories +- select repository +- press the `close` button +- press the `release` button + +#### Artifacts upload +- Upload change log + ```shell + gh release create v3.0.1 -F CHANGELOG.md + ``` -Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release` - +- Attach 'signed' artifacts (needed for OpenSSF Security Score) + ```shell + gh release upload target/*.jar.asc --clobber + ``` ### Publish to Github Packages _Note: This step can only be run by maintainers._ 
@@ -88,13 +98,49 @@ Add `distributionManagement` to `pom.xml` mvn deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX # or mvn clean test jacoco:report package deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX +``` + +## Notes + + +### Publish to MavenCentral +Contributors are not responsible for deploying to mavencentral. + +**Maven Central** + +- Publish with Maven - https://central.sonatype.org/publish/publish-maven/ +- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/ +- https://oss.sonatype.org/#profile;User%20Token + - get oss.sonatype token + +To publish a gpg key: + +```shell +gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1 +```` + +where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key + + +```shell +mvn clean test jacoco:report package deploy -DperformRelease=true +``` + +Generate signed artifacts locally without deploying + +```shell +mvn verify -P release-sign-artifacts -DperformRelease=true ``` +Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release` + + https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-apache-maven-for-use-with-github-packages -OpenSSF Security Scorecard +### OpenSSF Security Scorecard - Get Analysis Result: https://api.securityscorecards.dev/#/results/getResult - Step Security - Secure Your Repo Analysis + auto PR - https://app.stepsecurity.io/securerepo - Step Security - For Repo - https://app.stepsecurity.io/github/cdimascio/actions/dashboard +
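Review bot: in the first hunk (@@ -41,32 +41,42 @@), the new "Artifacts upload" step runs `gh release upload target/*.jar.asc --clobber` without a release tag, but `gh release upload` takes the tag as its first argument (`gh release upload v3.0.1 target/*.jar.asc --clobber`), so the command as written fails. Attaching only the `.asc` detached signatures also leaves nothing on the GitHub release for a reader to verify them against; consider uploading `target/*.jar` alongside the `.asc` files, and replacing the hard-coded `v3.0.1` in both `gh` commands with a placeholder such as `v<version>` so the snippet does not go stale. Typo in the same hunk: "you most close and release" should read "you must close and release".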
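Review bot: in the second hunk (@@ -88,13 +98,49 @@), the new "Notes" section re-adds the `mvn clean test jacoco:report package deploy -DperformRelease=true` and `mvn verify -P release-sign-artifacts -DperformRelease=true` commands and the "Navigate to https://oss.sonatype.org/#stagingRepositories ... close ... release" instructions that the first hunk already placed under "Release Process", so the deploy procedure now lives in two places and will drift; keep only the background links here (Sonatype publishing guide, GPG setup, user token, GitHub Packages docs, Scorecard links) and drop the duplicated commands. Two smaller points: the closing fence after the `gpg --send-keys` block is four backticks against a three-backtick opener, and "Publish to MavenCentral" / "mavencentral" should match the "Publish to Maven Central" spelling used in the section above.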