Verify and Release #114
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verify and Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release: | |
| description: 'Version to release' | |
| required: true | |
| permissions: read-all | |
| env: | |
| javaVersion: java25 | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 60 | |
| concurrency: | |
| group: release-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: write # Needed for checkout, git-auto-commit-action, and creating releases | |
| packages: write # Needed for publishing packages | |
| id-token: write # Required for SLSA provenance and SBOM attestation | |
| actions: read # Basic read access to actions | |
| security-events: write # Needed for SBOM attestation | |
| statuses: write # Required for commit statuses updated by actions | |
| issues: write # Updated to write for release-drafter | |
| pull-requests: write # Updated to write for release-drafter | |
| pages: read | |
| deployments: write | |
| attestations: write # Required to create and persist attestations | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.adoptopenjdk.net:443 | |
| api.adoptium.net:443 | |
| api.github.com:443 | |
| archive.apache.org:443 | |
| azure.archive.ubuntu.com:80 | |
| azure.archive.ubuntu.com:443 | |
| security.ubuntu.com:80 | |
| security.ubuntu.com:443 | |
| github.com:443 | |
| maven.java.net:443 | |
| maven.vaadin.com:443 | |
| objects.githubusercontent.com:443 | |
| oss.sonatype.org:443 | |
| raw.githubusercontent.com:443 | |
| repo.maven.apache.org:443 | |
| maven.mirrors.opennms.org:443 | |
| repo1.maven.org:443 | |
| repository.mulesoft.org:443 | |
| tools.google.com:80 | |
| tools.vaadin.com:443 | |
| uploads.github.com:443 | |
| spdx.org:443 | |
| sonarcloud.io:443 | |
| repository.jboss.org:443 | |
| repository.sonatype.org:443 | |
| files.pythonhosted.org:443 | |
| pypi.org:443 | |
| www.bridgecrew.cloud:443 | |
| docs.github.com:433 | |
| dlcdn.apache.org:443 | |
| archive.apache.org:443 | |
| esm.ubuntu.com:443 | |
| fulcio.sigstore.dev:443 | |
| packages.microsoft.com:443 | |
| rekor.sigstore.dev:443 | |
| release-drafter.github.io:443 | |
| release-assets.githubusercontent.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| with: | |
| fetch-depth: 2 | |
| - name: Set up JDK 25 | |
| uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '25' | |
| java-package: 'jdk' # Explicitly specify JDK package | |
| check-latest: true # Always get latest patch version | |
| cache: 'maven' | |
| server-id: 'github' # Optional: For GitHub Packages authentication | |
| architecture: 'x64' # Explicitly specify architecture | |
| - name: APT update | |
| run: sudo apt-get update | |
| - name: Install buildtools | |
| run: sudo apt-get install -y graphviz build-essential fakeroot devscripts debhelper dh-make wget | |
| - name: Install PostgreSQL | |
| run: sudo apt-get install -y postgresql-16 postgresql-contrib-16 postgresql-16-pgaudit | |
| - name: Configure PostgreSQL | |
| run: | | |
| # Enable prepared transactions and required extensions | |
| sudo sed -i "s/#max_prepared_transactions = 0/max_prepared_transactions = 100/" /etc/postgresql/16/main/postgresql.conf | |
| sudo sed -i "s/#shared_preload_libraries = ''/shared_preload_libraries = 'pg_stat_statements, pgaudit, pgcrypto'/" /etc/postgresql/16/main/postgresql.conf | |
| echo "pgaudit.log = ddl" | sudo tee -a /etc/postgresql/16/main/postgresql.conf | |
| echo "pg_stat_statements.track = all" | sudo tee -a /etc/postgresql/16/main/postgresql.conf | |
| echo "pg_stat_statements.max = 10000" | sudo tee -a /etc/postgresql/16/main/postgresql.conf | |
| # Add IPv6 loopback access | |
| echo "host all all ::1/128 md5" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf | |
| - name: Generate SSL certificates for PostgreSQL | |
| run: | | |
| # Generate secure random passphrase | |
| openssl rand -base64 48 > passphrase.txt | |
| # Create passphrase-protected private key | |
| openssl genrsa -des3 -passout file:passphrase.txt -out server.pass.key 2048 | |
| # Remove passphrase protection from private key | |
| openssl rsa -passin file:passphrase.txt -in server.pass.key -out server.key | |
| rm server.pass.key | |
| # Create Certificate Signing Request | |
| openssl req -new -key server.key -out server.csr \ | |
| -subj "/C=UK/ST=PostgreSQL/L=Docker/O=Hack23/OU=demo/CN=127.0.0.1" | |
| # Self-sign the certificate (valid for 10 years) | |
| openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt | |
| # Clean up temporary files | |
| rm passphrase.txt server.csr | |
| - name: Deploy SSL certificate and key for PostgreSQL | |
| run: | | |
| # Copy certificate and key to PostgreSQL data directory | |
| sudo cp server.crt /var/lib/postgresql/16/main/server.crt | |
| sudo cp server.key /var/lib/postgresql/16/main/server.key | |
| # Secure the certificate and key | |
| sudo chmod 600 /var/lib/postgresql/16/main/server.key | |
| sudo chmod 644 /var/lib/postgresql/16/main/server.crt | |
| sudo chown postgres:postgres /var/lib/postgresql/16/main/server.key | |
| sudo chown postgres:postgres /var/lib/postgresql/16/main/server.crt | |
| # Enable SSL in PostgreSQL | |
| echo "ssl = on" | sudo tee -a /etc/postgresql/16/main/postgresql.conf | |
| echo "ssl_cert_file = '/var/lib/postgresql/16/main/server.crt'" | sudo tee -a /etc/postgresql/16/main/postgresql.conf | |
| echo "ssl_key_file = '/var/lib/postgresql/16/main/server.key'" | sudo tee -a /etc/postgresql/16/main/postgresql.conf | |
| # Provide SSL certificate to the runner user | |
| mkdir -p $HOME/.postgresql | |
| cp server.crt $HOME/.postgresql/root.crt | |
| chmod 600 $HOME/.postgresql/root.crt | |
| # Clean up | |
| rm server.key server.crt | |
| # Restart PostgreSQL to apply all changes | |
| sudo systemctl restart postgresql | |
| - name: Create CIA database and user | |
| run: | | |
| sudo -u postgres psql -c "CREATE USER eris WITH PASSWORD 'discord';" | |
| sudo -u postgres psql -c "CREATE DATABASE cia_dev;" | |
| sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE cia_dev TO eris;" | |
| sudo -u postgres psql -d cia_dev -c "CREATE EXTENSION IF NOT EXISTS pg_stat_statements;" | |
| sudo -u postgres psql -d cia_dev -c "CREATE EXTENSION IF NOT EXISTS pgaudit;" | |
| sudo -u postgres psql -d cia_dev -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" | |
| sudo -u postgres psql -d cia_dev -c "GRANT ALL ON SCHEMA public TO eris;" | |
| - name: Load database schema | |
| run: | | |
| # Load the full schema into the database | |
| sudo -u postgres psql -d cia_dev -f service.data.impl/src/main/resources/full_schema.sql || echo "Schema load completed with warnings (expected for first-time setup)" | |
| - name: Remove localtime | |
| run: sudo rm /etc/localtime | |
| - name: Set Swedish localtime | |
| run: sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime | |
| - name: Update tzdata | |
| run: sudo dpkg-reconfigure -f noninteractive tzdata | |
| - name: Set up Maven | |
| uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 | |
| with: | |
| maven-version: 3.9.9 | |
| - name: Set Version for release | |
| run: mvn -B --file parent-pom/pom.xml versions:set -DnewVersion="${{ github.event.inputs.release }}" -Pall-modules versions:commit | |
| - uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0 | |
| with: | |
| commit_message: Automated Release ${{ github.event.inputs.release }} | |
| branch: release-${{ github.event.inputs.release }} | |
| tagging_message: '${{ github.event.inputs.release }}' | |
| create_branch: true | |
| - name: Build with Maven | |
| run: mvn -B --file pom.xml clean install -Prelease-site,all-modules -DforkMode=once '-Dtest=!**ITest*,!**DocumentationTest*' -Dmaven.test.skip=true -DfailIfNoTests=false | |
| # Generate artifact attestation for DEB package | |
| - name: Generate artifact attestation for deb package | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 | |
| id: attest_deb | |
| with: | |
| subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
| - name: Copy artifact attestation for deb package | |
| run: cp ${{ steps.attest_deb.outputs.bundle-path }} cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl | |
| # Generate SBOM attestation for DEB package | |
| - name: Generate SBOM attestation for deb package | |
| id: attestsbom_deb | |
| uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0 | |
| with: | |
| subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb' | |
| sbom-path: 'cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json' | |
| - name: Copy SBOM attestation for deb package | |
| run: cp ${{ steps.attestsbom_deb.outputs.bundle-path }} cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl | |
| # Generate artifact attestation for WAR | |
| - name: Generate artifact attestation for WAR | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 | |
| id: attest_war | |
| with: | |
| subject-path: 'citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war' | |
| - name: Copy artifact attestation for WAR | |
| run: cp ${{ steps.attest_war.outputs.bundle-path }} citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.intoto.jsonl | |
| # Generate SBOM attestation for WAR | |
| - name: Generate SBOM attestation for WAR | |
| id: attestsbom_war | |
| uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0 | |
| with: | |
| subject-path: 'citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war' | |
| sbom-path: 'citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json' | |
| - name: Copy SBOM attestation for WAR | |
| run: cp ${{ steps.attestsbom_war.outputs.bundle-path }} citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl | |
| - name: Draft Release Notes | |
| uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 | |
| with: | |
| version: ${{ github.event.inputs.release }} | |
| tag: ${{ github.event.inputs.release }} | |
| name: Release ${{ github.event.inputs.release }} | |
| publish: false | |
| prerelease: false | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get Release Notes | |
| id: release-notes | |
| uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 | |
| with: | |
| config-name: release-drafter.yml | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create a GitHub release | |
| uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 | |
| with: | |
| tag: '${{ github.event.inputs.release }}' | |
| generateReleaseNotes: false | |
| immutableCreate: true | |
| name: Release ${{ github.event.inputs.release }} | |
| body: ${{ steps.release-notes.outputs.body }} | |
| artifacts: | | |
| cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb, | |
| cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl, | |
| cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl, | |
| cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json, | |
| citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war, | |
| citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.intoto.jsonl, | |
| citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json.intoto.jsonl, | |
| citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json, | |
| cia-dist-cloudformation/src/main/resources/cia-dist-cloudformation.json | |
| # - name: Submit Dependency Release | |
| # uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2508b2cbb7598b154ad2f2cee8 |