Add release script (#43)

- Can download a release and sign with sigstore/pgp, generate hashes and bundle up for release
- Releaser can upload this bundle directly to maven central

Signed-off-by: Appu Goundan <[email protected]>

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

java/README.md

@@ -12,10 +12,22 @@ A jar file will be created at `./build/libs/protobuf-specs-<version>.jar`
 
 ## Releasing
 
+### Generate Release artifacts
 1. On creation of a tag in the style `release/java/v1.2.3`, new artifacts will be built and
 uploaded to a github release `release/java/v1.2.3`
-2. TODO: Explain how a releaser can then complete the release process on their machine by signing
-with pgp and uploading to maven central.
+1. Once a release is created, check it and remove the draft label on the github release page.
+1. On a machine with your pgp key, `gpg`, `bash` and `cosign`, go to `protobuf-specs/java/scripts`
+1. Run `./sign_and_bundle_release.sh v1.2.3` to generate a release bundle for `release/java/v1.2.3`
+
+### Publish on Maven Central
+1. Log into https://s01.oss.sonatype.org with credentials that have permissions to upload to `dev.sigstore`
+1. Take the release bundle, `release_java_v1.2.3/protobuf-specs-1.2.3-bundle.jar` and upload via the `Staging Upload -> (Upload Mode) Artifact Bundle`
+1. Once the bundle is validated and checked, release it via `Staging Repositories`, if any issues occur, drop it and fix the issues before restarting the release process.
+
+## How do I get permissions to upload to Maven Central
+
+- Create an account: https://central.sonatype.org/publish/publish-guide/
+- Request permissions to publish to dev.sigstore on JIRA ([example](https://issues.sonatype.org/browse/OSSRH-83556)) and get [Bob](https://github.com/bobcallaway) (or [Appu](https://github.com/loosebazooka) to signoff on it.
 
 ## Why is the gradle wrapper jar checked in?
 

java/build.gradle.kts

@@ -7,6 +7,8 @@ plugins {
     id("com.diffplug.spotless") version "6.11.0"
 }
 
+description = "Code generated library for the Sigstore bundle format protobufs"
+
 sourceSets {
     main {
         proto {

java/scripts/.gitignore

@@ -0,0 +1 @@
+release_*/

java/scripts/sign_and_bundle_release.sh

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+set -e
+
+REQUIRED_PROGRAMS=("gpg" "cosign" "jq" "curl" "wget" "md5sum" "sha1sum" "sha256sum" "sha512sum" "jar")
+
+usage() {
+  echo -e "Usage: $0 \e[4mVERSION\e[0m"
+  echo -e "\e[4mVERSION\e[0m is part of the tag release/java/<version>, ex v1.0.0"
+  echo -e "Requires" "${REQUIRED_PROGRAMS[@]}"
+}
+
+main() {
+  # accepts exactly one arg
+  if [ $# -ne 1 ];
+  then
+        usage "$@"
+        exit 1
+  fi
+
+  RELEASE_TAG=$1
+
+  # check is all required programs are available on system
+  for i in "${REQUIRED_PROGRAMS[@]}"
+  do
+    command -v "$i" >/dev/null 2>&1 || { 
+      echo -e "required program $i was not found" >&2
+      usage "$@"
+      exit 1
+    }
+  done
+
+  # download release from github
+  echo "Downloading release release/java/${1} from github"
+  RELEASE_REPO="sigstore/protobuf-specs"
+  RELEASE_URL="https://api.github.com/repos/${RELEASE_REPO}/releases/tags/release/java/${RELEASE_TAG}"
+  RELEASE_INFO=$(curl -s -H "Accept: application/vnd.github+json" "${RELEASE_URL}")
+  RELEASE_VERSION="$(echo "$RELEASE_INFO" | jq -r '.tag_name')"
+
+  if [ "null" == "$RELEASE_VERSION" ]; then
+    echo "ERROR: could not parse tag_name from release info"
+    echo "$RELEASE_INFO"
+    exit 1
+  fi
+
+  RELEASE_DIR="${RELEASE_VERSION//\//_}"
+
+  echo "Release version is: ${RELEASE_VERSION}"
+
+  if [ -d "$RELEASE_DIR" ]; then
+    echo "Directory '$RELEASE_DIR' already exists"
+    exit 1
+  fi
+
+  # query the json for all the release assets
+  readarray -t ASSET_URLS < <(echo "$RELEASE_INFO" | jq -r '.assets[].browser_download_url')
+
+  echo "Downloading release artifacts"
+  for i in "${ASSET_URLS[@]}"
+  do
+    echo "$i"
+    wget -q --directory-prefix "$RELEASE_DIR" "$i"
+  done
+  cd "$RELEASE_DIR"
+
+  # cosign sign all the files
+  echo "Signing with cosign"
+  for file in *; do
+      # skip intoto attestations, they are already signed
+     if [[ "$file" == *.intoto.jsonl ]] ; then
+       continue;
+     fi
+     COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes "$file" --output-signature="$file.sig" --output-certificate="$file.pem" --bundle "$file.bundle"
+  done
+
+  # then gpg sign all the files (including sigstore files)
+  # this command uses gpgs default password acceptance mechansim accept a passcode
+  echo "Signing with gpg"
+  for file in *; do
+    gpg --batch --detach-sign --armor -o "$file.asc" "$file"
+  done
+
+  echo "Generating checksums"
+  for file in *; do
+    md5sum "$file" | cut -c -32 | tr -d '\n' > "$file.md5"
+    sha1sum "$file" | cut -c -40  | tr -d '\n' > "$file.sha1"
+    sha256sum "$file" | cut -c -64 | tr -d '\n' > "$file.sha256"
+    sha512sum "$file" | cut -c -128 | tr -d '\n' > "$file.sha512"
+  done
+
+  # create a maven central compatible bundle jar
+  echo "Creating maven bundle"
+  POM=$(ls ./*.pom)
+  BUNDLE_NAME=${POM%.pom}-bundle.jar
+  jar -cvf "${BUNDLE_NAME}" ./*
+
+  echo "Upload $(realpath "$BUNDLE_NAME") to maven central (https://s01.oss.sonatype.org)"
+}
+
+main "$@"