ci: enable SBOMs (#1748)

Author: triceo

.github/workflows/release.yml

@@ -34,6 +34,7 @@ jobs:
       contents: write  # IMPORTANT: required for action to create release branch
       pull-requests: write # IMPORTANT: so release PR can be created
       id-token: write  # IMPORTANT: mandatory for trusted publishing
+      attestations: write  # IMPORTANT: mandatory for attestations
     steps:
       - name: Checkout timefold-solver
         uses: actions/checkout@v5
@@ -57,12 +58,6 @@ jobs:
           distribution: 'temurin'
           cache: 'maven'
 
-      # Need Maven 3.9.0+ to recognize MAVEN_ARGS.
-      - name: Set up Maven
-        uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
-        with:
-          maven-version: 3.9.3
-
       # We skip tests in dry run, to make the process faster.
       # Technically, this goes against the main reason for doing a dry run; to eliminate potential problems.
       # But unless something catastrophic happened, PR checks on source branch already ensured that all tests pass.
@@ -96,3 +91,12 @@ jobs:
           path: |
             out/jreleaser/trace.log
             out/jreleaser/output.properties
+
+      - id: set-artifacts-output
+        run: echo "ARTIFACTS=$(cat out/jreleaser/catalogs/github/timefold-solver-${{ github.event.inputs.version }})" >> $GITHUB_OUTPUT
+
+      - name: Attestations
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: |
+            ${{ steps.set-artifacts-output.outputs.ARTIFACTS }}

jreleaser.yml

@@ -6,24 +6,30 @@ signing:
   active: ALWAYS
   armored: true
 
+catalog:
+  github:
+    active: ALWAYS
+    attestationName: 'timefold-solver-{{projectVersion}}'
+    excludes:
+      - '**/*.asc'
+
 release:
   github:
     commitAuthor:
       name: "Timefold Release Bot"
       email: "[email protected]"
-    releaseName: "Timefold Solver Community Edition {{projectVersion}}"
+    releaseName: "Timefold Solver {{projectVersion}}"
     draft: true
     overwrite: false
     sign: true
     milestone:
       close: true
-      name: "v{{projectVersion}}"
     changelog:
       formatted: ALWAYS
       preset: "conventional-commits"
       contentTemplate: ".github/workflows/release-changelog-template.md"
       contributors:
-        format: "- {{contributorName}}{{#contributorUsernameAsLink}} ({{.}}){{/contributorUsernameAsLink}}"
+        format: '- {{contributorName}} ({{contributorUsernameAsLink}})'
       hide:
         uncategorized: true
         categories:
@@ -35,7 +41,7 @@ release:
 deploy:
   maven:
     mavenCentral:
-      timefold:
+      timefold-solver:
         active: ALWAYS
         url: https://central.sonatype.com/api/v1/publisher
         authorization: BASIC
@@ -45,10 +51,6 @@ deploy:
         stagingRepositories:
           - "target/staging-deploy"
         artifactOverrides:
-          - groupId: ai.timefold.solver
-            artifactId: timefold-solver-core
-            sourceJar: false
-            javadocJar: false
           - groupId: ai.timefold.solver
             artifactId: timefold-solver-spring-boot-starter
             sourceJar: false
@@ -60,4 +62,4 @@ deploy:
           - groupId: ai.timefold.solver
             artifactId: timefold-solver-webui
             sourceJar: true
-            javadocJar: false
+            javadocJar: false

pom.xml

@@ -31,6 +31,7 @@
     <version.rewrite.plugin>6.16.0</version.rewrite.plugin>
     <version.source.plugin>3.3.1</version.source.plugin>
     <version.resources.plugin>3.3.1</version.resources.plugin>
+    <version.cyclonedx.plugin>2.9.1</version.cyclonedx.plugin>
     <sonar.moduleKey>${project.groupId}:${project.artifactId}</sonar.moduleKey>
     <sonar.sources>.</sonar.sources>
     <sonar.tests>.</sonar.tests>
@@ -95,6 +96,11 @@
             <legacyMode>true</legacyMode>
           </configuration>
         </plugin>
+        <plugin>
+          <groupId>org.cyclonedx</groupId>
+          <artifactId>cyclonedx-maven-plugin</artifactId>
+          <version>${version.cyclonedx.plugin}</version>
+        </plugin>
       </plugins>
     </pluginManagement>
   </build>
@@ -141,14 +147,29 @@
               </execution>
             </executions>
           </plugin>
+          <plugin>
+            <groupId>org.cyclonedx</groupId>
+            <artifactId>cyclonedx-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <phase>package</phase>
+                <goals>
+                  <goal>makeAggregateBom</goal>
+                </goals>
+                <configuration>
+                  <excludeTestProject>true</excludeTestProject>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
         </plugins>
       </build>
     </profile>
     <profile>
       <!--
-        Migration to Timefold 9 involves upgrading to Quarkus 3, Spring Boot 3 and migrating to jakarta.* packages.
-        Timefold 8 remains compatible with Quarkus 2, Spring Boot 2 and javax.* packages.
-        Both Timefold 8 and 9 are functionally equal and will be released simultaneously.
+        Migration to Timefold 0.9 involves upgrading to Quarkus 3, Spring Boot 3 and migrating to jakarta.* packages.
+        Timefold 0.8 remains compatible with Quarkus 2, Spring Boot 2 and javax.* packages.
+        Both Timefold 0.8 and 0.9 are functionally equal.
       -->
       <id>8-to-9-migration</id>
       <activation>