stevedlawrence commented on code in PR #17:
URL:
https://github.com/apache/daffodil-infrastructure/pull/17#discussion_r2361039778
##########
containers/build-release/src/daffodil-build-release:
##########
@@ -83,12 +83,13 @@ case $PROJECT in
set_java_version 17
mkdir -p $DIST_DIR/bin
sbt \
- +compile \
- +publish \
- daffodil-cli/Rpm/packageBin \
- daffodil-cli/packageWindowsBin \
- daffodil-cli/Universal/packageBin \
- daffodil-cli/Universal/packageZipTarball
+ ";set every bomFormat := \"xml\"
+ ;+compile
+ ;+publish
+ ;daffodil-cli/Rpm/packageBin
+ ;daffodil-cli/packageWindowsBin
+ ;daffodil-cli/Universal/packageBin
+ ;daffodil-cli/Universal/packageZipTarball"
cp daffodil-cli/target/universal/apache-daffodil-*.tgz $DIST_DIR/bin/
Review Comment:
Did you test if this still creates reproducible builds? If we create a sbom
in a GitHub actions and then create a build using daffodil-build-release we
need to make sure they result in the same sbom. If that's not possible, we
maybe need to exclude sboms from the reproducible build part of the
check-release script.
Related I also wonder if sbt-sbom includes things like SBT plugins? For
example, the release-candidate action adds the sbt-pgp plugin, but the
daffodil-build-release container does not. So that's a potential difference if
sbt-sbom it includes that information. We may need to add that plugin in
daffodil-build-release--we won't use it because there is no reason to sign
things in this build-release container (it's purely for checking
reproducibility which signing breaks), but it might be needed for reproducible
sboms.
##########
containers/build-release/src/daffodil-build-release:
##########
@@ -83,12 +83,13 @@ case $PROJECT in
set_java_version 17
mkdir -p $DIST_DIR/bin
sbt \
Review Comment:
Does this container need to add sbt-bom to global plugin.sbt? Otherwise I
think setting bomFormat will fail?
##########
actions/release-candidate/src/main.js:
##########
@@ -114,7 +114,10 @@ async function run() {
fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.1.2")\n');
fs.appendFileSync(`${ sbt_dir }/build.sbt`, `pgpSigningKey :=
Some("${ gpg_signing_key_id }")\n`);
- if (publish) {
+ // enable SBT for publishing SBOM
+ fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" %% "sbt-sbom" % "0.4.0")\n');
Review Comment:
Do we also need to put `bomFormat := "xml"` in build.sbt like we do
pgpSigningKey? That way our release candidate actions will publish the XML
version?
##########
containers/build-release/src/daffodil-build-release:
##########
@@ -83,12 +83,13 @@ case $PROJECT in
set_java_version 17
mkdir -p $DIST_DIR/bin
sbt \
- +compile \
- +publish \
- daffodil-cli/Rpm/packageBin \
- daffodil-cli/packageWindowsBin \
- daffodil-cli/Universal/packageBin \
- daffodil-cli/Universal/packageZipTarball
+ ";set every bomFormat := \"xml\"
Review Comment:
Instead of putting this here, I woudl suggest putting this in the global sbt
build.sbt. This bom stuff is also needed for sbt-daffodil, so putting it in the
global config will enable that. It woudl also avoid the need for semicolons,
since which is a bit confusing since it's easily confused with bash semicolons.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
