1313 type : boolean
1414 default : false
1515
16- env :
17- GITHUB_ACTOR : ${{ github.actor }}
18- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
19-
2016jobs :
2117 release :
2218 runs-on : ubuntu-latest
19+ # TODO: Add `environment: release` after testing, then create the environment
20+ # in repo Settings > Environments with "Protected branches only" deployment policy
2321 permissions :
2422 contents : write
2523 packages : write
@@ -67,27 +65,108 @@ jobs:
6765 fi
6866 echo "Tag v$RELEASE_VERSION is available"
6967
70- - name : Update version in build.gradle.kts
71- run : |
72- sed -i "s/^version = \".*\"/version = \"$RELEASE_VERSION\"/" sdk/build.gradle.kts
73- echo "Updated version in sdk/build.gradle.kts:"
74- grep '^version = ' sdk/build.gradle.kts
75-
7668 - name : Build release AAR
77- run : ./gradlew :sdk:assembleRelease
69+ run : ./gradlew :sdk:assembleRelease -Pversion=$RELEASE_VERSION
7870
7971 - name : Build Maven artifacts locally
80- run : ./gradlew :sdk:publishReleasePublicationToMavenLocalRepository
72+ run : ./gradlew :sdk:publishReleasePublicationToMavenLocalRepository -Pversion=$RELEASE_VERSION
8173
82- - name : Publish Maven artifacts to GitHub Packages
83- run : ./gradlew :sdk:publishReleasePublicationToGitHubPackagesRepository
74+ # --- Attestation: release assets ---
75+ - name : Generate release asset attestation
76+ uses : actions/attest-build-provenance@v3
77+ id : release-attest
78+ with :
79+ subject-path : sdk/build/outputs/aar/sdk-release.aar
8480
85- - name : Generate build attestation
81+ # --- Attestation: Maven artifacts ---
82+ - name : Generate Maven artifact attestation
8683 uses : actions/attest-build-provenance@v3
84+ id : maven-attest
8785 with :
88- subject-path : |
89- sdk/build/outputs/aar/sdk-release.aar
90- ~/.m2/repository/me/id/auth/idme-auth-sample/${{ env.RELEASE_VERSION }}/*
86+ subject-path : ~/.m2/repository/me/id/auth/idme-auth-sample/${{ env.RELEASE_VERSION }}/*
87+
88+ - name : Save attestation bundle alongside Maven artifacts
89+ run : |
90+ ATTESTATION_BUNDLE_PATH="${{ steps.maven-attest.outputs.bundle-path }}"
91+ MAVEN_DIR=~/.m2/repository/me/id/auth/idme-auth-sample/$RELEASE_VERSION
92+ if [[ -f "$ATTESTATION_BUNDLE_PATH" ]]; then
93+ cp "$ATTESTATION_BUNDLE_PATH" "$MAVEN_DIR/idme-auth-sample-${RELEASE_VERSION}.intoto.jsonl"
94+ echo "Saved attestation bundle as idme-auth-sample-${RELEASE_VERSION}.intoto.jsonl"
95+ fi
96+
97+ # --- Publish Maven artifacts + attestation to GitHub Packages ---
98+ - name : Publish Maven artifacts to GitHub Packages
99+ env :
100+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
101+ run : |
102+ GROUP_ID="me.id.auth"
103+ ARTIFACT_ID="idme-auth-sample"
104+ VERSION="$RELEASE_VERSION"
105+ GROUP_PATH=$(echo "$GROUP_ID" | tr '.' '/')
106+ GITHUB_URL="https://maven.pkg.github.com/IDme/android-auth-sample-code"
107+
108+ echo "========================================"
109+ echo "Deploying Maven Package"
110+ echo "========================================"
111+ echo "Coordinates: ${GROUP_ID}:${ARTIFACT_ID}:${VERSION}"
112+ echo "URL: ${GITHUB_URL}"
113+ echo "========================================"
114+
115+ MAVEN_DIR=~/.m2/repository/${GROUP_PATH}/${ARTIFACT_ID}/${VERSION}
116+ cd "$MAVEN_DIR"
117+
118+ upload_file() {
119+ local file="$1"
120+ local remote_path="$2"
121+ local url="${GITHUB_URL}/${GROUP_PATH}/${ARTIFACT_ID}/${VERSION}/${remote_path}"
122+
123+ echo "Uploading: $file -> $remote_path"
124+ response=$(curl -s -w "\n%{http_code}" \
125+ -X PUT \
126+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
127+ -H "Content-Type: application/octet-stream" \
128+ --data-binary "@${file}" \
129+ "$url")
130+
131+ http_code=$(echo "$response" | tail -n1)
132+ if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then
133+ echo " Success (HTTP $http_code)"
134+ return 0
135+ else
136+ echo " Failed (HTTP $http_code)"
137+ body=$(echo "$response" | sed '$d')
138+ echo " Response: $body"
139+ return 1
140+ fi
141+ }
142+
143+ # Deploy POM
144+ if ! upload_file "${ARTIFACT_ID}-${VERSION}.pom" "${ARTIFACT_ID}-${VERSION}.pom"; then
145+ echo "Error: Failed to deploy POM"
146+ exit 1
147+ fi
148+
149+ # Deploy AAR
150+ if ! upload_file "${ARTIFACT_ID}-${VERSION}.aar" "${ARTIFACT_ID}-${VERSION}.aar"; then
151+ echo "Error: Failed to deploy AAR"
152+ exit 1
153+ fi
154+
155+ # Deploy module metadata if exists
156+ if [[ -f "${ARTIFACT_ID}-${VERSION}.module" ]]; then
157+ upload_file "${ARTIFACT_ID}-${VERSION}.module" "${ARTIFACT_ID}-${VERSION}.module" || \
158+ echo "Warning: Failed to deploy module metadata (non-critical)"
159+ fi
160+
161+ # Deploy attestation bundle if exists
162+ if [[ -f "${ARTIFACT_ID}-${VERSION}.intoto.jsonl" ]]; then
163+ upload_file "${ARTIFACT_ID}-${VERSION}.intoto.jsonl" "${ARTIFACT_ID}-${VERSION}.intoto.jsonl" || \
164+ echo "Warning: Failed to deploy attestation bundle (non-critical)"
165+ fi
166+
167+ echo "========================================"
168+ echo "Maven package deployed successfully!"
169+ echo "========================================"
91170
92171 - name : Display Maven artifacts
93172 continue-on-error : true
@@ -102,21 +181,19 @@ jobs:
102181 run : |
103182 git config user.name "github-actions[bot]"
104183 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
105-
106- if ! git diff --quiet HEAD -- sdk/build.gradle.kts; then
107- git add sdk/build.gradle.kts
108- git commit -m "Release v$RELEASE_VERSION"
109- fi
110-
111184 git tag -a "v$RELEASE_VERSION" -m "Auth Sample Code v$RELEASE_VERSION"
112185 git push origin "v$RELEASE_VERSION"
113186
114187 - name : Create GitHub Release
188+ env :
189+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
115190 uses : softprops/action-gh-release@v2
116191 with :
117192 tag_name : v${{ env.RELEASE_VERSION }}
118193 name : Auth Sample Code v${{ env.RELEASE_VERSION }}
119- files : sdk/build/outputs/aar/sdk-release.aar
194+ files : |
195+ sdk/build/outputs/aar/sdk-release.aar
196+ ${{ steps.release-attest.outputs.bundle-path }}
120197 draft : ${{ inputs.draft }}
121198 make_latest : ${{ !inputs.draft }}
122199
@@ -132,19 +209,7 @@ jobs:
132209 echo "### Maven Coordinates" >> $GITHUB_STEP_SUMMARY
133210 echo "\`me.id.auth:idme-auth-sample:$RELEASE_VERSION\`" >> $GITHUB_STEP_SUMMARY
134211 echo "" >> $GITHUB_STEP_SUMMARY
135- echo "### Consumer Usage" >> $GITHUB_STEP_SUMMARY
136- echo "\`\`\`kotlin" >> $GITHUB_STEP_SUMMARY
137- echo "repositories {" >> $GITHUB_STEP_SUMMARY
138- echo " maven {" >> $GITHUB_STEP_SUMMARY
139- echo " url = uri(\"https://maven.pkg.github.com/IDme/android-auth-sample-code\")" >> $GITHUB_STEP_SUMMARY
140- echo " credentials {" >> $GITHUB_STEP_SUMMARY
141- echo " username = \"GITHUB_USERNAME\"" >> $GITHUB_STEP_SUMMARY
142- echo " password = \"GITHUB_TOKEN\"" >> $GITHUB_STEP_SUMMARY
143- echo " }" >> $GITHUB_STEP_SUMMARY
144- echo " }" >> $GITHUB_STEP_SUMMARY
145- echo "}" >> $GITHUB_STEP_SUMMARY
146- echo "" >> $GITHUB_STEP_SUMMARY
147- echo "dependencies {" >> $GITHUB_STEP_SUMMARY
148- echo " implementation(\"me.id.auth:idme-auth-sample:$RELEASE_VERSION\")" >> $GITHUB_STEP_SUMMARY
149- echo "}" >> $GITHUB_STEP_SUMMARY
212+ echo "### Verification" >> $GITHUB_STEP_SUMMARY
213+ echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
214+ echo "gh attestation verify idme-auth-sample-$RELEASE_VERSION.aar --repo IDme/android-auth-sample-code" >> $GITHUB_STEP_SUMMARY
150215 echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
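Review bot: The attestation bundle is handled fail-open in two places. The "Save attestation bundle alongside Maven artifacts" step does nothing when `bundle-path` is not a file, and the publish step downgrades a failed `.intoto.jsonl` upload to a warning, so the job can print "Maven package deployed successfully!" for a package with no bundle next to it. If the co-located bundle is meant to be part of the release, add `else echo "Error: attestation bundle not found at $ATTESTATION_BUNDLE_PATH" >&2; exit 1` to the first check and make the bundle upload end in `exit 1` like the POM and AAR uploads. Separately, this job holds `contents: write` and `packages: write` and now passes `GITHUB_TOKEN` explicitly to `softprops/action-gh-release@v2`; pinning that action and `actions/attest-build-provenance@v3` to a full commit SHA (`uses: owner/action@<full-commit-sha>  # vN`) would keep a moved tag from running with the release token. The start of the `release` job and of this file section is outside the visible part of the page, so any earlier validation of `RELEASE_VERSION` could not be checked.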