chore: #103 Add SBOM generation in automated release process

Signed-off-by: Laurent Broudoux <[email protected]>

Signed-off-by: Laurent Broudoux <[email protected]>

Author: lbroudoux

.github/workflows/release.yml

@@ -0,0 +1,79 @@
+name: release
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to release'
+        required: true
+      version:
+        description: 'Release version'
+        required: true
+      nextVersion:
+        description: 'Next version after release (-SNAPSHOT will be added automatically)'
+        required: true
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      contents: write
+      deployments: write
+      id-token: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ssh-key: ${{ secrets.RELEASE_DEPLOY_KEY }}
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
+      - name: Set up JDK 17 for x64
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          architecture: x64
+          cache: maven
+
+      - name: Set release version
+        run: mvn -B -q versions:set -DnewVersion=${{ github.event.inputs.version }}
+
+      - name: Commit, push and tag changes
+        run: |
+          git config user.name "microcks-bot"
+          git config user.email "[email protected]"
+          git commit -m "Releasing version ${{ github.event.inputs.version }}" .
+          git tag ${{ github.event.inputs.version }}
+          git push origin ${{ github.event.inputs.version }}
+
+      - name: Stage release artifacts
+        run: mvn -B -Prelease clean deploy -DaltDeploymentRepository=local::default::file://`pwd`/target/staging-deploy
+
+      - name: Publish package with JReleaser
+        env:
+          JRELEASER_NEXUS2_USERNAME: ${{ secrets.JRELEASER_NEXUS2_USERNAME }}
+          JRELEASER_NEXUS2_PASSWORD: ${{ secrets.JRELEASER_NEXUS2_PASSWORD }}
+          JRELEASER_GPG_PASSPHRASE: ${{ secrets.JRELEASER_GPG_PASSPHRASE }}
+          JRELEASER_GPG_SECRET_KEY: ${{ secrets.JRELEASER_GPG_SECRET_KEY }}
+          JRELEASER_GPG_PUBLIC_KEY: ${{ secrets.JRELEASER_GPG_PUBLIC_KEY }}
+          JRELEASER_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: mvn -N -Prelease jreleaser:assemble jreleaser:full-release
+
+      # Persist logs
+      - name: JReleaser release output
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: jreleaser-release
+          path: |
+            target/jreleaser/trace.log
+            target/jreleaser/output.properties
+
+      - name: Set next iteration version
+        run: mvn -B -q versions:set -DnewVersion=${{ github.event.inputs.nextVersion }}-SNAPSHOT
+
+      - name: Commit, push and tag changes
+        run: |
+          git commit -m "Setting SNAPSHOT version ${{ github.event.inputs.nextVersion }}-SNAPSHOT" .
+          git push origin ${{ github.event.inputs.branch }}

jreleaser.yml

@@ -0,0 +1,60 @@
+project:
+  name: Microcks Jenkins Plugin
+  description: Microcks API mocking and Testing - Jenkins Plugin
+  longDescription: Microcks API mocking and Testing - Jenkins Plugin
+  copyright: The Microcks Authors
+  java:
+    version: 17
+
+signing:
+  active: ALWAYS
+  armored: true
+
+assemble:
+  archive:
+    microcks-jenkins-plugin:
+      active: ALWAYS
+      stereotype: NONE
+      options:
+        longFileMode: POSIX
+      formats:
+        - ZIP
+        - TGZ
+      fileSets:
+        - input: target/staging-deploy
+          includes:
+            - '**/*.*'
+
+files:
+  active: ALWAYS
+  artifacts:
+    - path: 'target/site/microcks-jenkins-plugin-{{projectVersion}}.spdx-sbom.json'
+
+deploy:
+  maven:
+    nexus2:
+      sonatype:
+        active: ALWAYS
+        snapshotSupported: false
+        url: https://oss.sonatype.org/service/local
+        snapshotUrl: https://oss.sonatype.org/content/repositories/snapshots
+        stagingProfileId: c3fae58a8dda9
+        closeRepository: false
+        releaseRepository: false
+        stagingRepositories:
+          - target/staging-deploy
+    pomchecker:
+      failOnWarning: false
+      failOnError: false
+      strict: false
+
+release:
+  github:
+    overwrite: true
+    releaseName: '{{tagName}}'
+    tagName: '{{projectVersion}}'
+    changelog:
+      formatted: ALWAYS
+      preset: conventional-commits
+      contributors:
+        format: '- {{contributorName}}{{#contributorUsernameAsLink}} ({{.}}){{/contributorUsernameAsLink}}'

pom.xml

@@ -156,21 +156,57 @@
         <plugins>
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-gpg-plugin</artifactId>
-            <version>1.6</version>
-            <configuration>
-              <passphrase>${gpg.passphrase}</passphrase>
-            </configuration>
+            <artifactId>maven-javadoc-plugin</artifactId>
+            <version>3.11.2</version>
             <executions>
               <execution>
-                <id>sign-artifacts</id>
-                <phase>verify</phase>
+                <id>attach-javadoc</id>
                 <goals>
-                  <goal>sign</goal>
+                  <goal>jar</goal>
                 </goals>
               </execution>
             </executions>
           </plugin>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-source-plugin</artifactId>
+            <version>3.2.1</version>
+            <executions>
+              <execution>
+                <id>attach-source</id>
+                <goals>
+                  <goal>jar</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+          <plugin>
+            <groupId>org.spdx</groupId>
+            <artifactId>spdx-maven-plugin</artifactId>
+            <version>0.7.4</version>
+            <executions>
+              <execution>
+                <id>build-spdx</id>
+                <phase>package</phase>
+                <goals>
+                  <goal>createSPDX</goal>
+                </goals>
+              </execution>
+            </executions>
+            <configuration>
+              <spdxFile>${project.reporting.outputDirectory}/${project.artifactId}-${project.version}.spdx-sbom.json</spdxFile>
+              <spdxDocumentNamespace>http://spdx.org/spdxpackages/${project.artifactId}-${project.version}</spdxDocumentNamespace>
+            </configuration>
+          </plugin>
+          <plugin>
+            <groupId>org.jreleaser</groupId>
+            <artifactId>jreleaser-maven-plugin</artifactId>
+            <version>1.15.0</version>
+            <inherited>false</inherited>
+            <configuration>
+              <configFile>jreleaser.yml</configFile>
+            </configuration>
+          </plugin>
         </plugins>
       </build>
     </profile>