
update CONTRIBUTING.md to include signed artifact github upload #73

Merged
merged 10 commits into from
Sep 1, 2024
80 changes: 63 additions & 17 deletions CONTRIBUTING.md
Expand Up @@ -41,32 +41,42 @@ Run the following to ensure the package step succeeds.
mvn clean test jacoco:report package
```

### Publish to MavenCentral

Contributors are not responsible for deploying to mavencentral.
## Release Process

**Maven Central**

- Publish with Maven - https://central.sonatype.org/publish/publish-maven/
- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/
- https://oss.sonatype.org/#profile;User%20Token
- get oss.sonatype token

To publish a gpg key:
### Build

Build sources and javadoc
```shell
gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1
````
mvn clean test jacoco:report package
```

where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key
Generate signed artifacts locally
```shell
mvn verify -P release-sign-artifacts -DperformRelease=true
```

### Publish to Maven Central

Deploy
```shell
mvn clean test jacoco:report package deploy -DperformRelease=true
```
When first publishing to staging repos, you most close and release from OSS Sonatype. To do this
- navigate to https://oss.sonatype.org/#stagingRepositories
- select repository
- press the `close` button
- press the `release` button

#### Artifacts upload
- Upload change log
```shell
gh release create v3.0.1 -F CHANGELOG.md
```

Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release`

- Attach 'signed' artifacts (needed for OpenSSF Security Score)
```shell
gh release upload target/*.jar.asc --clobber
```
### Publish to Github Packages

_Note: This step can only be run by maintainers._
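Review bot: `gh release upload target/*.jar.asc --clobber` in the "Artifacts upload" step is missing the release tag, which `gh release upload` requires as its first positional argument; as written the first expanded file name is taken as the tag and the command fails. Suggest `gh release upload v3.0.1 target/*.jar target/*.jar.asc --clobber`, matching the tag used in `gh release create v3.0.1 -F CHANGELOG.md` just above, and uploading the jars alongside the `.asc` detached signatures so a consumer can verify the signature against the released artifact rather than the step only satisfying the Scorecard Signed-Releases count. Since `v3.0.1` is hardcoded in both commands, a placeholder such as `v<version>` would keep the instructions valid after the next release. Two smaller points in the same hunk: "you most close and release" should read "must", and the fence after `gpg --send-keys ...` closes with four backticks (````) while it opened with three, which breaks rendering of the block that follows.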
Expand All @@ -88,13 +98,49 @@ Add `distributionManagement` to `pom.xml`
mvn deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX
# or
mvn clean test jacoco:report package deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX
```

## Notes


### Publish to MavenCentral

Contributors are not responsible for deploying to mavencentral.

**Maven Central**

- Publish with Maven - https://central.sonatype.org/publish/publish-maven/
- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/
- https://oss.sonatype.org/#profile;User%20Token
- get oss.sonatype token

To publish a gpg key:

```shell
gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1
````

where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key


```shell
mvn clean test jacoco:report package deploy -DperformRelease=true
```

Generate signed artifacts locally without deploying

```shell
mvn verify -P release-sign-artifacts -DperformRelease=true
```

Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release`


https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-apache-maven-for-use-with-github-packages


OpenSSF Security Scorecard
### OpenSSF Security Scorecard
- Get Analysis Result: https://api.securityscorecards.dev/#/results/getResult
- Step Security - Secure Your Repo Analysis + auto PR - https://app.stepsecurity.io/securerepo
- Step Security - For Repo - https://app.stepsecurity.io/github/cdimascio/actions/dashboard
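Review bot: the `## Notes` section re-adds the whole "Publish to MavenCentral" block (the Sonatype links, `gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1`, the four-backtick fence, the `deploy -DperformRelease=true` and `verify -P release-sign-artifacts` commands, and the staging-repository close/release instruction) that already lives under `## Release Process` earlier in this diff, so the same steps now exist in two places and will drift; suggest dropping the duplicate from Notes and keeping only the reference links there (GitHub Packages docs, OpenSSF Scorecard, Step Security). Also the GitHub Packages commands pass the token inline (`-Dtoken=XXXX`), which ends up in shell history and is visible in the process list; the linked GitHub docs put the server credentials in `~/.m2/settings.xml` instead, which would be the safer form to document. Minor: `OpenSSF Security Scorecard` appears both as a bare line and as a `###` heading directly below it; one of the two should go.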
