From ca3a9f8c079f19c61e3ff217ce1ab80aa6c92bd4 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 10:23:07 +0200 Subject: [PATCH 01/11] Add separate reproducibility check workflow Adds a reproducibility check workflow based on a Nexus repository and not the local Maven repo. We also deprecate the reproducibility check in `build-reusable.yaml`. --- .github/workflows/build-reusable.yaml | 3 +- .../verify-reproducibility-reusable.yaml | 87 +++++++++++++++++++ .../verify_reproducibility_reusable.xml | 11 +++ .../antora/modules/ROOT/pages/features.adoc | 4 +- 4 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/verify-reproducibility-reusable.yaml create mode 100644 src/changelog/.11.x.x/verify_reproducibility_reusable.xml diff --git a/.github/workflows/build-reusable.yaml b/.github/workflows/build-reusable.yaml index 6b0b4883..8862bcc7 100644 --- a/.github/workflows/build-reusable.yaml +++ b/.github/workflows/build-reusable.yaml @@ -33,6 +33,7 @@ on: type: string reproducibility-check-enabled: description: Runs a reproducibility check on the build + deprecationMessage: Use `verify-reproducibility-reusable` instead default: true type: boolean site-enabled: @@ -115,7 +116,7 @@ jobs: --show-version --batch-mode --errors --no-transfer-progress \ -DtrimStackTrace=false \ -DinstallAtEnd=true \ - clean install + clean ${{ inputs.reproducibility-check-enabled && 'install' || 'verify' }} # We upload tests results. - name: Upload test reports diff --git a/.github/workflows/verify-reproducibility-reusable.yaml b/.github/workflows/verify-reproducibility-reusable.yaml new file mode 100644 index 00000000..e023161f --- /dev/null +++ b/.github/workflows/verify-reproducibility-reusable.yaml 
@@ -0,0 +1,87 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: verify-reproducibility-reusable + +on: + workflow_call: + inputs: + java-version: + description: The Java compiler version + default: 17 + type: string + maven-args: + description: Additional Maven arguments + type: string + nexus-url: + description: The URL of the reference Nexus repository + type: string + ref: + description: The branch, tag or SHA to checkout + default: ${{ github.ref }} + type: string + runner: + description: The type of runner to use + default: ubuntu-latest + type: string + +env: + MAVEN_ARGS: ${{ inputs.maven-args }} + +jobs: + + build: + + runs-on: ${{ inputs.runner }} + + steps: + + - name: Checkout repository + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # 4.2.1 + with: + ref: ${{ inputs.ref }} + + - name: Set up Java + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # 4.4.0 + with: + distribution: zulu + java-version: ${{ inputs.java-version }} + cache: maven + + # `clean verify artifact:compare` is required to generate the build reproducibility report. 
+ # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility + - name: Verify build reproducibility + shell: bash + run: | + ./mvnw \ + --show-version --batch-mode --errors --no-transfer-progress \ + -DskipTests=true \ + -Dreference.repo=${{ inputs.nexus-url }} \ + clean verify artifact:compare + + # Upload reproducibility results if the build fails. + - name: Upload reproducibility results + if: failure() + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # 4.4.3 + with: + name: reproducibility-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}} + path: | + **/target/bom.xml + **/target/*.buildcompare + **/target/*.jar + **/target/*.zip + **/target/reference/** diff --git a/src/changelog/.11.x.x/verify_reproducibility_reusable.xml b/src/changelog/.11.x.x/verify_reproducibility_reusable.xml new file mode 100644 index 00000000..e978f63e --- /dev/null +++ b/src/changelog/.11.x.x/verify_reproducibility_reusable.xml @@ -0,0 +1,11 @@ + + + + + Adds a `verify_reproducibility-reusable.yaml` workflow to check reproducibility of artifacts in a Maven repo. + Deprecates the reproducibility check in `build-reusable.yaml`. + + diff --git a/src/site/antora/modules/ROOT/pages/features.adoc b/src/site/antora/modules/ROOT/pages/features.adoc index 0d19572e..f421823f 100644 --- a/src/site/antora/modules/ROOT/pages/features.adoc +++ b/src/site/antora/modules/ROOT/pages/features.adoc @@ -53,7 +53,6 @@ The provided reusable GitHub Actions workflows feature the following convenience {project-github-url}/blob/main/.github/workflows/build-reusable.yaml[`build-reusable.yaml`]:: * Compiles using the specified Java compiler version -* Verifies reproducibility * Submits build scans to the Develocity server {project-github-url}/blob/main/.github/workflows/deploy-release-reusable.yaml[`deploy-release-reusable.yaml`]:: 
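Review bot: `-Dreference.repo=${{ inputs.nexus-url }}` inside the `run:` block is expanded into the script text before bash runs it, whereas `maven-args` in the same file is already routed through `env:`; the URL should take the same path, e.g. `env: REFERENCE_REPO: ${{ inputs.nexus-url }}` on the step and `-Dreference.repo="$REFERENCE_REPO" \` in the script, so the value is passed as data rather than as shell source. `nexus-url` also carries neither `required: true` nor a default, so a caller that forgets it produces an empty `-Dreference.repo=`; marking it `required: true` turns that into an explicit workflow error instead of a compare against an unspecified repository. The artifact name in the upload step references `matrix.os` while this file declares no `strategy.matrix`, so that segment is presumably empty here unless a later change adds one.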
@@ -72,6 +71,9 @@ The provided reusable GitHub Actions workflows feature the following convenience {project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`merge-dependabot-reusable.yaml`]:: * Merges `dependabot` PRs along with changelog entries +{project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`verify-reproducibility-reusable.yaml`]:: +* Verifies reproducibility of a previous deployment workflow. + [#release-instructions] === Release instructions From ca342a81394c4d8cdda95b37f9c2ebb0cd513313 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 11:53:55 +0200 Subject: [PATCH 02/11] Rename `runner` to `runs-on` --- .github/workflows/verify-reproducibility-reusable.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/verify-reproducibility-reusable.yaml b/.github/workflows/verify-reproducibility-reusable.yaml index e023161f..4568897c 100644 --- a/.github/workflows/verify-reproducibility-reusable.yaml +++ b/.github/workflows/verify-reproducibility-reusable.yaml @@ -34,8 +34,8 @@ on: description: The branch, tag or SHA to checkout default: ${{ github.ref }} type: string - runner: - description: The type of runner to use + runs-on: + description: The type of runners to use default: ubuntu-latest type: string @@ -46,7 +46,7 @@ jobs: build: - runs-on: ${{ inputs.runner }} + runs-on: ${{ inputs.runs-on }} steps: From b8e33ab343ffc0d181fb7f27a6a6b8c25e74fa27 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 12:00:51 +0200 Subject: [PATCH 03/11] Encode matrix as JSON --- .github/workflows/verify-reproducibility-reusable.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/verify-reproducibility-reusable.yaml b/.github/workflows/verify-reproducibility-reusable.yaml index 4568897c..33cc551e 100644 --- a/.github/workflows/verify-reproducibility-reusable.yaml 
+++ b/.github/workflows/verify-reproducibility-reusable.yaml @@ -35,8 +35,8 @@ on: default: ${{ github.ref }} type: string runs-on: - description: The type of runners to use - default: ubuntu-latest + description: The type of runners to use as JSON array + default: '["ubuntu-latest"]' type: string env: @@ -46,7 +46,7 @@ jobs: build: - runs-on: ${{ inputs.runs-on }} + runs-on: ${{ fromJSON(inputs.runs-on) }} steps: From 06634677edb6fb6ee851d4156f7f6df7763e45b8 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 12:32:04 +0200 Subject: [PATCH 04/11] Remove `deprecationMessage` --- .github/workflows/build-reusable.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-reusable.yaml b/.github/workflows/build-reusable.yaml index 8862bcc7..93b713db 100644 --- a/.github/workflows/build-reusable.yaml +++ b/.github/workflows/build-reusable.yaml @@ -33,7 +33,6 @@ on: type: string reproducibility-check-enabled: description: Runs a reproducibility check on the build - deprecationMessage: Use `verify-reproducibility-reusable` instead default: true type: boolean site-enabled: From 338a43c7811eb6e73407bb5b1dc9d425e6290659 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 12:39:53 +0200 Subject: [PATCH 05/11] Allow to checkout a different repo than your own --- .github/workflows/build-reusable.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-reusable.yaml b/.github/workflows/build-reusable.yaml index 93b713db..800f41e3 100644 --- a/.github/workflows/build-reusable.yaml +++ b/.github/workflows/build-reusable.yaml 
@@ -31,6 +31,15 @@ on: maven-args: description: Additional Maven arguments type: string + ref: + description: The branch, tag or SHA to checkout + # When running on `pull_request_target` use the PR branch, not the target branch + default: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }} + type: string + repository: + description: GitHub repository name with owner + default: ${{ github.repository }} + type: string reproducibility-check-enabled: description: Runs a reproducibility check on the build default: true @@ -64,8 +73,8 @@ jobs: - name: Checkout repository uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # 4.2.1 with: - # When running on `pull_request` use the PR branch, not the target branch - ref: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }} + repository: ${{ inputs.repository }} + ref: ${{ inputs.ref }} - name: Set up Java uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # 4.4.0 From 0705c03eeb1e76ef31e81a1a6ad9013697cc6dd5 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 13:46:26 +0200 Subject: [PATCH 06/11] Replace `verify` with `install` --- .github/workflows/build-reusable.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-reusable.yaml b/.github/workflows/build-reusable.yaml index 800f41e3..fb6083a4 100644 --- a/.github/workflows/build-reusable.yaml +++ b/.github/workflows/build-reusable.yaml @@ -114,8 +114,7 @@ jobs: with: develocity-access-key: ${{ secrets.DV_ACCESS_TOKEN }} - # We could have used `verify`, but `clean install` is required while generating the build reproducibility report, which is performed in the next step. - # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility + # We use `install` instead of `verify`, otherwise the build website step below fails - name: Build id: build shell: bash 
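Review bot: The `ref` default resolves to `github.head_ref` on `pull_request_target`, which is a bare branch name in the PR's head repository, while `repository` defaults to `github.repository`, the base; the checkout in the second hunk of this patch therefore tracks the branch tip rather than the triggering commit and, for a PR opened from a fork, would ask for a branch that does not exist in the base repository (please confirm against a fork PR). Because `pull_request_target` runs with the base repository's secrets and the Build step later in this file runs Maven on the checked-out tree, the `ref` description should say that callers on `pull_request_target` build PR-controlled code; a pinned, fork-aware default for that event would be `ref: ${{ github.event.pull_request.head.sha }}` paired with `repository: ${{ github.event.pull_request.head.repo.full_name }}`. The `steps:` list continues outside the hunk.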
@@ -124,7 +123,7 @@ jobs: --show-version --batch-mode --errors --no-transfer-progress \ -DtrimStackTrace=false \ -DinstallAtEnd=true \ - clean ${{ inputs.reproducibility-check-enabled && 'install' || 'verify' }} + clean install # We upload tests results. - name: Upload test reports From 140874a7e8cd0063ecd18549ce9bbdafab1f040d Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 14:55:06 +0200 Subject: [PATCH 07/11] Fix `nexus-url` output --- .github/workflows/deploy-snapshot-reusable.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-snapshot-reusable.yaml b/.github/workflows/deploy-snapshot-reusable.yaml index 2c1b5b0e..736f6d63 100644 --- a/.github/workflows/deploy-snapshot-reusable.yaml +++ b/.github/workflows/deploy-snapshot-reusable.yaml @@ -28,9 +28,10 @@ on: project-version: description: The version of the project value: ${{ jobs.deploy.outputs.project-version }} + # Constant output for similarity with `deploy-release-reusable` nexus-url: description: The URL of the Nexus repository used - value: ${{ jobs.deploy.outputs.nexus-url }} + value: https://repository.apache.org/content/repositories/snapshots secrets: NEXUS_USERNAME: description: Nexus snapshot repository username for deploying artifacts @@ -44,7 +45,6 @@ jobs: runs-on: ubuntu-latest outputs: project-version: ${{ steps.version.outputs.project-version }} - nexus-url: ${{ steps.nexus.outputs.nexus-url }} steps: - name: Checkout repository @@ -74,7 +74,6 @@ jobs: echo "project-version=$PROJECT_VERSION" >> $GITHUB_OUTPUT - name: Upload to Nexus - id: nexus shell: bash env: # `NEXUS_USERNAME` and `NEXUS_PASSWORD` are used in `~/.m2/settings.xml` created by `setup-java` action 
@@ -85,5 +84,3 @@ jobs: --show-version --batch-mode --errors --no-transfer-progress \ -P deploy export NEXUS_URL=$(awk '/^(stagingRepository.url)/ { gsub(/(^.+=|\\)/, ""); print $1 }' target/nexus-staging/staging/*.properties) - # Export repository URL to calling workflow - echo "nexus-url=$NEXUS_URL" >> $GITHUB_OUTPUT From 7d910807d142a602a8505dc5851c3617007f6623 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 15:00:28 +0200 Subject: [PATCH 08/11] Fix matrix run --- .github/workflows/verify-reproducibility-reusable.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/verify-reproducibility-reusable.yaml b/.github/workflows/verify-reproducibility-reusable.yaml index 33cc551e..55bdee7e 100644 --- a/.github/workflows/verify-reproducibility-reusable.yaml +++ b/.github/workflows/verify-reproducibility-reusable.yaml @@ -46,7 +46,11 @@ jobs: build: - runs-on: ${{ fromJSON(inputs.runs-on) }} + runs-on: ${{ matrix.os }} + + strategy: + matrix: + os: ${{ fromJSON(inputs.runs-on) }} steps: From d6de7a2d20a640e557d8049187dfa4ce656684cb Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 16:02:52 +0200 Subject: [PATCH 09/11] Make test result names unique --- .github/workflows/build-reusable.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-reusable.yaml b/.github/workflows/build-reusable.yaml index fb6083a4..d3779346 100644 --- a/.github/workflows/build-reusable.yaml +++ b/.github/workflows/build-reusable.yaml @@ -127,10 +127,11 @@ jobs: # We upload tests results. - name: Upload test reports + id: surefire if: always() uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # 4.4.3 with: - name: surefire-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}} + name: "${{github.action}}-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}" path: | **/target/surefire-reports **/target/logs 
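Review bot: With the `echo "nexus-url=$NEXUS_URL" >> $GITHUB_OUTPUT` line removed, `export NEXUS_URL=$(awk … target/nexus-staging/staging/*.properties)` in the same step has no remaining consumer and is dead; either delete it as well or keep it as a guard that the staged URL matches the constant now hard-coded in this patch's first hunk, e.g. `[ "$NEXUS_URL" = "https://repository.apache.org/content/repositories/snapshots" ] || { echo "unexpected staging URL: $NEXUS_URL"; exit 1; }`. Without such a check, should the plugin ever stage snapshots elsewhere, the constant `nexus-url` output would silently point `verify-reproducibility-reusable` at a repository that does not hold the deployed artifacts. The `run:` block starts outside the hunk.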
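Review bot: The new `strategy.matrix.os` block has no `fail-fast: false`, so with more than one entry in `runs-on` the first failing runner cancels its siblings, and since the reproducibility-results upload in this file is gated on `failure()`, cancelled jobs leave no report behind; add `fail-fast: false` under `strategy:`. The `steps:` that follow the matrix are outside the hunk.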
From a75761436184d88d92b28ea5c6bdabbccb80db89 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 16:08:22 +0200 Subject: [PATCH 10/11] Remove `ref` input --- .github/workflows/verify-reproducibility-reusable.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/verify-reproducibility-reusable.yaml b/.github/workflows/verify-reproducibility-reusable.yaml index 55bdee7e..dbcaef38 100644 --- a/.github/workflows/verify-reproducibility-reusable.yaml +++ b/.github/workflows/verify-reproducibility-reusable.yaml @@ -30,10 +30,6 @@ on: nexus-url: description: The URL of the reference Nexus repository type: string - ref: - description: The branch, tag or SHA to checkout - default: ${{ github.ref }} - type: string runs-on: description: The type of runners to use as JSON array default: '["ubuntu-latest"]' @@ -57,7 +53,7 @@ jobs: - name: Checkout repository uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # 4.2.1 with: - ref: ${{ inputs.ref }} + ref: ${{ github.ref }} - name: Set up Java uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # 4.4.0 From 7c984020be92a4f64c7bff67143de7b2db851a5e Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 17 Oct 2024 17:08:00 +0200 Subject: [PATCH 11/11] Add test report suffixes to `build-reusable` This prevents name collisions if `build-reusable` is called multiple times. --- .github/workflows/build-reusable.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-reusable.yaml b/.github/workflows/build-reusable.yaml index d3779346..a0b6dc5d 100644 --- a/.github/workflows/build-reusable.yaml +++ b/.github/workflows/build-reusable.yaml 
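Review bot: Passing `ref: ${{ github.ref }}` explicitly to actions/checkout is not the same as omitting it: with no `ref` the action pins the checkout to `github.sha`, but with an explicit branch ref it fetches the branch tip at checkout time, so if the branch advanced after the run was triggered this job compares a different commit against the deployed artifacts. Drop the `with:` and `ref:` lines, or write `ref: ${{ github.sha }}` when the intent is to verify exactly the triggering commit. The step list continues outside the hunk.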
@@ -48,6 +48,14 @@ on: description: Flag indicating if Maven `site` goal should be run default: false type: boolean + test-report-enabled: + description: Enables the upload of test reports + default: true + type: boolean + test-report-suffix: + description: Suffix to add to the uploaded artifacts + default: '' + type: string secrets: DV_ACCESS_TOKEN: @@ -127,11 +135,10 @@ jobs: # We upload tests results. - name: Upload test reports - id: surefire - if: always() + if: ${{ always() && inputs.test-report-enabled }} uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # 4.4.3 with: - name: "${{github.action}}-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}" + name: "test-report-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}${{inputs.test-report-suffix}}" path: | **/target/surefire-reports **/target/logs
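Review bot: `test-report-suffix` is concatenated onto the artifact name with no separator (`…${{github.run_attempt}}${{inputs.test-report-suffix}}`), so a caller passing a plain token gets it glued to the attempt number; either insert a `-` before the suffix in the `name:` expression or state the contract in the first hunk's input, e.g. `description: Suffix appended verbatim to the test-report artifact name (include a leading separator)`. The `if: ${{ always() && inputs.test-report-enabled }}` guard reads correctly; the `path:` list continues outside the hunk.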