From a737abb615c68affc7f58b7b8a7bd5ac3e97893e Mon Sep 17 00:00:00 2001
From: Appu Goundan <appu@google.com>
Date: Thu, 25 Jul 2024 13:11:42 -0400
Subject: [PATCH] Update maven helper plugin build

Fix breakages
Add e2e tests for maven

Signed-off-by: Appu Goundan <appu@google.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
---
 .github/workflows/pre-submit.e2e.maven.yml    |  57 ++++++
 .gitignore                                    |   3 +
 .../maven/publish/slsa-hashing-plugin/pom.xml |  32 +++-
 e2e/README.md                                 |   3 +
 e2e/maven/workflow_dispatch/pom.xml           | 163 ++++++++++++++++++
 .../src/main/java/hello/Greeter.java          |   7 +
 .../src/main/java/hello/HelloWorld.java       |   8 +
 7 files changed, 271 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/pre-submit.e2e.maven.yml
 create mode 100644 e2e/README.md
 create mode 100644 e2e/maven/workflow_dispatch/pom.xml
 create mode 100644 e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java
 create mode 100644 e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java

diff --git a/.github/workflows/pre-submit.e2e.maven.yml b/.github/workflows/pre-submit.e2e.maven.yml
new file mode 100644
index 0000000000..92e23ccc48
--- /dev/null
+++ b/.github/workflows/pre-submit.e2e.maven.yml
@@ -0,0 +1,57 @@
+# Copyright 2023 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: pre-submit e2e maven
+
+on:
+  # builder_maven_slsa3.yml relies on .github/actions/verify-token, which does not support merge_group and pull_request events.
+  push:
+  workflow_dispatch:
+
+permissions: read-all
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  build:
+    permissions:
+      id-token: write # For signing.
+      contents: read # For repo checkout of private repos.
+      actions: read # For getting workflow run on private repos.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main
+    with:
+      directory: ./e2e/maven/workflow_dispatch
+
+  verify:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-attestations@main
+        with:
+          name: "${{ needs.build.outputs.provenance-download-name }}"
+          sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
+          path: ./
+      - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-target@main
+        with:
+          name: "${{ needs.build.outputs.target-download-name }}"
+          sha256: "${{ needs.build.outputs.target-download-sha256 }}"
+          path: ./
+      - uses: slsa-framework/slsa-verifier/actions/installer@v2.6.0
+      - name: Verify artifact
+        env:
+          PROVENANCE_PATH: ${{ needs.build.outputs.provenance-download-name }}
+          TARGET_PATH: ${{ needs.build.outputs.target-download-name }}
+        run: slsa-verifier verify-artifact "$TARGET_PATH" --provenance-path "$PROVENANCE_PATH"
diff --git a/.gitignore b/.gitignore
index 77e055a35a..70655fbcc4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,9 @@
 vendor/
 node_modules/
 
+# maven
+target/
+
 # Go workspace file
 go.work
 go.work.sum
diff --git a/actions/maven/publish/slsa-hashing-plugin/pom.xml b/actions/maven/publish/slsa-hashing-plugin/pom.xml
index bcb90123e2..d6c67a1aa6 100644
--- a/actions/maven/publish/slsa-hashing-plugin/pom.xml
+++ b/actions/maven/publish/slsa-hashing-plugin/pom.xml
@@ -10,6 +10,7 @@
  
     <name>Jarfile Hashing Maven Mojo</name>
     <url>http://maven.apache.org</url>
+    <description>A slsa maven helper plugin</description>
  
     <properties>
         <maven.compiler.target>1.8</maven.compiler.target>
@@ -21,6 +22,7 @@
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-plugin-api</artifactId>
             <version>3.9.8</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.maven.plugin-tools</groupId>
@@ -30,8 +32,9 @@
         </dependency>
         <dependency>
             <groupId>org.apache.maven</groupId>
-            <artifactId>maven-project</artifactId>
-            <version>2.2.1</version>
+            <artifactId>maven-core</artifactId>
+            <version>3.9.8</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.json</groupId>
@@ -39,4 +42,29 @@
             <version>20231013</version>
         </dependency>
     </dependencies>
+
+    <build>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-plugin-plugin</artifactId>
+            <version>3.6.0</version>
+            <configuration>
+              <skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
+            </configuration>
+            <executions>
+              <execution>
+                <id>default-descriptor</id>
+                <phase>process-classes</phase>
+              </execution>
+              <execution>
+                <id>help-goal</id>
+                <goals>
+                  <goal>helpmojo</goal>
+                </goals>
+              </execution>
+            </executions>
+         </plugin>
+      </plugins>
+    </build>
 </project>
diff --git a/e2e/README.md b/e2e/README.md
new file mode 100644
index 0000000000..99f7cbb53a
--- /dev/null
+++ b/e2e/README.md
@@ -0,0 +1,3 @@
+# E2E Tests
+
+This folder contains test data for some end-to-end (E2E) tests.
diff --git a/e2e/maven/workflow_dispatch/pom.xml b/e2e/maven/workflow_dispatch/pom.xml
new file mode 100644
index 0000000000..601bd71e49
--- /dev/null
+++ b/e2e/maven/workflow_dispatch/pom.xml
@@ -0,0 +1,163 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+   <modelVersion>4.0.0</modelVersion>
+   <groupId>io.github.adamkorcz</groupId>
+   <artifactId>test-java-project</artifactId>
+   <version>1.21.97</version>
+   <packaging>jar</packaging>
+   <name>Adams test java project</name>
+   <description>A test java project.</description>
+   <url>https://github.com/AdamKorcz/test-java-project</url>
+   <properties>
+      <maven.compiler.source>1.8</maven.compiler.source>
+      <maven.compiler.target>1.8</maven.compiler.target>
+   </properties>
+   <distributionManagement>
+      <snapshotRepository>
+         <id>ossrh</id>
+         <url>https://s01.oss.sonatype.org/content/repositories/snapshots</url>
+      </snapshotRepository>
+      <repository>
+         <id>ossrh</id>
+         <url>https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+      </repository>
+   </distributionManagement>
+   <licenses>
+      <license>
+         <name>MIT License</name>
+         <url>http://www.opensource.org/licenses/mit-license.php</url>
+      </license>
+   </licenses>
+   <developers>
+      <developer>
+         <name>Adam K</name>
+         <email>Adam@adalogics.com</email>
+         <organization>Ada Logics</organization>
+         <organizationUrl>http://www.adalogics.com</organizationUrl>
+      </developer>
+   </developers>
+   <scm>
+      <connection>scm:git:git://github.com/adamkorcz/test-java-project.git</connection>
+      <developerConnection>scm:git:ssh://github.com:simpligility/test-java-project.git</developerConnection>
+      <url>http://github.com/adamkorcz/test-java-project/tree/main</url>
+   </scm>
+   <build>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-source-plugin</artifactId>
+            <version>3.3.1</version>
+            <executions>
+               <execution>
+                  <id>attach-sources</id>
+                  <phase>package</phase>
+                  <goals>
+                     <goal>jar-no-fork</goal>
+                  </goals>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-javadoc-plugin</artifactId>
+            <version>3.6.3</version>
+            <configuration>
+               <javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
+            </configuration>
+            <executions>
+               <execution>
+                  <id>attach-javadocs</id>
+                  <goals>
+                     <goal>jar</goal>
+                  </goals>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-shade-plugin</artifactId>
+            <version>3.5.1</version>
+            <executions>
+               <execution>
+                  <phase>package</phase>
+                  <goals>
+                     <goal>shade</goal>
+                  </goals>
+                  <configuration>
+                     <transformers>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                           <mainClass>hello.HelloWorld</mainClass>
+                        </transformer>
+                     </transformers>
+                  </configuration>
+               </execution>
+            </executions>
+         </plugin>
+         <plugin>
+            <groupId>org.sonatype.plugins</groupId>
+            <artifactId>nexus-staging-maven-plugin</artifactId>
+            <version>1.6.13</version>
+            <extensions>true</extensions>
+            <configuration>
+               <serverId>ossrh</serverId>
+               <nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
+               <autoReleaseAfterClose>false</autoReleaseAfterClose>
+            </configuration>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-gpg-plugin</artifactId>
+            <version>3.1.0</version>
+            <executions>
+               <execution>
+                  <id>sign-artifacts</id>
+                  <phase>verify</phase>
+                  <goals>
+                     <goal>sign</goal>
+                  </goals>
+               </execution>
+            </executions>
+            <configuration>
+               <gpgArguments>
+                  <argument>--pinentry-mode</argument>
+                  <argument>loopback</argument>
+               </gpgArguments>
+            </configuration>
+         </plugin>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-deploy-plugin</artifactId>
+            <version>3.1.2</version>
+            <executions>
+              <execution>
+                  <id>deploy-file</id>
+                  <phase>deploy</phase>
+                  <goals>
+                      <goal>deploy-file</goal>
+                  </goals>
+                  <configuration>
+                      <file>textfile.txt</file>
+                      <url>https://s01.oss.sonatype.org/</url>
+                      <repositoryId>io.github.adamkorcz</repositoryId>
+                  </configuration>
+              </execution>
+          </executions>
+         </plugin>         
+         <plugin>
+             <groupId>io.github.slsa-framework.slsa-github-generator</groupId>
+             <artifactId>hash-maven-plugin</artifactId>
+             <version>0.0.1</version>
+             <executions>
+                 <execution>
+                     <goals>
+                         <goal>hash-jarfile</goal>
+                     </goals>
+                 </execution>
+             </executions>
+             <configuration>
+                 <outputJsonPath>${SLSA_OUTPUTS_ARTIFACTS_FILE}</outputJsonPath>
+             </configuration>
+         </plugin>
+      </plugins>
+   </build>
+</project>
diff --git a/e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java b/e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java
new file mode 100644
index 0000000000..f92a442354
--- /dev/null
+++ b/e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java
@@ -0,0 +1,7 @@
+package hello;
+
+public class Greeter {
+  public String sayHello() {
+    return "Hello world!";
+  }
+}
diff --git a/e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java b/e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java
new file mode 100644
index 0000000000..1626b45cbd
--- /dev/null
+++ b/e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java
@@ -0,0 +1,8 @@
+package hello;
+
+public class HelloWorld {
+  public static void main(String[] args) {
+    Greeter greeter = new Greeter();
+    System.out.println(greeter.sayHello());
+  }
+}