qbicsoftware · KochTobi · Sep 24, 2025 · Sep 24, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -6,7 +6,10 @@ on:
       versionTag:
         description: 'Version Tag (semantic version)'
         required: true
-
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+  attestations: write   # required for provenance
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -28,6 +31,14 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-maven-
 
+      - name: Debug OIDC (get a token)
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const token = await core.getIDToken('sigstore'); // audience example
+            core.setSecret(token);
+            console.log('OIDC token acquired. Length:', token.length);
+
       - name: Set up git
         run: |
           git config --global user.email "[email protected]"
@@ -68,8 +79,14 @@ jobs:
               prerelease: true
             });
 
+      # Generate provenance (SLSA attestation) for all JARs
+      - name: Generate SLSA build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "**/target/*.jar"
+
       - name: Publish artefact to QBiC Nexus Repository
-        run: VAADIN_OFFLINE_KEY=${{ secrets.VAADIN_SERVER_23_2 }} mvn --quiet --settings $GITHUB_WORKSPACE/.github.settings.xml -Pproduction -Dvaadin.force.production.build=true deploy
+        run: VAADIN_OFFLINE_KEY=${{ secrets.VAADIN_SERVER_23_2 }} mvn --quiet --settings $GITHUB_WORKSPACE/.github.settings.xml -Pproduction -DskipTests -Dvaadin.force.production.build=true deploy
         env:
           MAVEN_REPO_USERNAME: ${{ secrets.NEXUS_USERNAME }}
           MAVEN_REPO_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}

@@ -8,7 +8,10 @@ on:
   push:
     branches:
       - development
-
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+  attestations: write   # required for provenance
 jobs:
   publish_snapshot:
 
@@ -17,6 +20,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+      - name: Debug OIDC (get a token)
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const token = await core.getIDToken('sigstore'); // audience example
+            core.setSecret(token);
+            console.log('OIDC token acquired. Length:', token.length);
       - name: Set up JDK 21
         uses: actions/setup-java@v5
         with:
@@ -41,8 +51,14 @@ jobs:
       - name: Build with Maven
         run: VAADIN_OFFLINE_KEY=${{ secrets.VAADIN_SERVER_23_2 }} mvn -B package -Pproduction -Dvaadin.force.production.build=true --file pom.xml
 
+      # Generate provenance (SLSA attestation) for all JARs
+      - name: Generate SLSA build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "**/target/*.jar"
+
       - name: Publish artefact to QBiC Nexus Repository
-        run: VAADIN_OFFLINE_KEY=${{ secrets.VAADIN_SERVER_23_2 }} mvn --quiet --settings $GITHUB_WORKSPACE/.github.settings.xml -Pproduction -Dvaadin.force.production.build=true deploy
+        run: VAADIN_OFFLINE_KEY=${{ secrets.VAADIN_SERVER_23_2 }} mvn --quiet --settings $GITHUB_WORKSPACE/.github.settings.xml -Pproduction -Dvaadin.force.production.build=true -DskipTests deploy
         env:
           MAVEN_REPO_USERNAME: ${{ secrets.NEXUS_USERNAME }}
           MAVEN_REPO_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
@@ -7,14 +7,23 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main, master ]
-
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
 jobs:
   test:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+      - name: Debug OIDC (get a token)
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const token = await core.getIDToken('sigstore'); // audience example
+            core.setSecret(token);
+            console.log('OIDC token acquired. Length:', token.length);
       - name: Set up JDK 21
         uses: actions/setup-java@v5
         with: