github-action: enable provenance for jar/aar files

.buildkite/release.yml

@@ -2,11 +2,16 @@ agents:
   provider: "gcp"
   image: "family/apm-agent-android-ubuntu-2204"
 
+env:
+  TARBALL_FILE: ${TARBALL_FILE:-dist.tar}
+
 steps:
   - label: "Run the release"
     key: "release"
     commands: .ci/release-wrapper.sh
-    artifact_paths: "release.out"
+    artifact_paths:
+      - "release.out"
+      - "${TARBALL_FILE}"
 
 notify:
   - slack:

.ci/release.sh

@@ -25,7 +25,7 @@ if [[ "$target_specifier" == "all" ||  "$target_specifier" == "mavenCentral" ]];
     ./gradlew publishElasticPublicationToSonatypeRepository closeAndReleaseSonatypeStagingRepository $COMMON_GRADLE_DEPLOY_PARAMS
   else
     echo "--- Release the binaries to Maven Central :package: (dry-run)"
-    ./gradlew tasks
+    ./gradlew assemble
   fi
 fi
 
@@ -35,7 +35,11 @@ if [[ "$target_specifier" == "all" ||  "$target_specifier" == "pluginPortal" ]];
     ./gradlew publishPlugins -Pgradle.publish.key=$PLUGIN_PORTAL_KEY -Pgradle.publish.secret=$PLUGIN_PORTAL_SECRET $COMMON_GRADLE_DEPLOY_PARAMS
   else
     echo "--- Release the binaries to Gradle Plugin portal :package: (dry-run)"
-    ./gradlew tasks
+    ./gradlew assemble
   fi
 fi
+
+echo "--- Archive the build folders with jar/aar files"
+find . -type d -name build -exec find {} \( -name '*.jar' -o -name '*.aar' \) -print0 \; | xargs -0 tar -cvf "${TARBALL_FILE:-dist.tar}"
+
 set -x

.github/workflows/ci.yml

@@ -62,6 +62,11 @@ jobs:
   test-release:
     runs-on: ubuntu-latest
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      id-token: write
+    env:
+      TARBALL_FILE: dist.tar
     steps:
       - id: buildkite
         name: Run Release dry-run
@@ -71,9 +76,30 @@ jobs:
           vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
           vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
           pipeline: apm-agent-android-release
+          pipelineBranch: ${{ github.ref_name }}
           waitFor: true
           printBuildLogs: false
+          artifactName: signed-artifacts
+          artifactPath: ${{ env.TARBALL_FILE }}
           buildEnvVars: |
-            branch_specifier=main
+            branch_specifier=${{ github.ref_name }}
             target_specifier=all
             dry_run=true
+            TARBALL_FILE=${{ env.TARBALL_FILE }}
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: signed-artifacts
+
+      - name: untar the buildkite tarball
+        run: tar xvf ${{ env.TARBALL_FILE }}
+
+      - name: generate build provenance (jar files)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/**/build/libs/*.jar"
+
+      - name: generate build provenance (aar files)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/**/build/outputs/aar/*.aar"

.github/workflows/release.yml

@@ -38,7 +38,11 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-
+    env:
+      TARBALL_FILE: dist.tar
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - id: notification
         name: Notify that a release will start
@@ -60,13 +64,34 @@ jobs:
           vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
           vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
           pipeline: apm-agent-android-release
+          pipelineBranch: ${{ github.ref_name }}
           waitFor: true
           printBuildLogs: false
+          artifactName: signed-artifacts
+          artifactPath: ${{ env.TARBALL_FILE }}
           buildEnvVars: |
             branch_specifier=${{ inputs.branch_specifier || 'main' }}
             target_specifier=${{ inputs.target_specifier || 'all' }}
             version_override_specifier=${{ inputs.version_override_specifier || '' }}
             dry_run=${{ inputs.dry_run || 'false' }}
+            TARBALL_FILE=${{ env.TARBALL_FILE }}
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: signed-artifacts
+
+      - name: untar the buildkite tarball
+        run: tar xvf ${{ env.TARBALL_FILE }}
+
+      - name: generate build provenance (jar files)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/**/build/libs/*.jar"
+
+      - name: generate build provenance (aar files)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/**/build/outputs/aar/*.aar"
 
       - if: ${{ success() }}
         uses: elastic/apm-pipeline-library/.github/actions/slack-message@current