This is an automated email from the ASF dual-hosted git repository.
olabusayo pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/daffodil-infrastructure.git
The following commit(s) were added to refs/heads/main by this push:
new ce252f5 Enable SBOM generation during release
ce252f5 is described below
commit ce252f5e2fe92cf5378a20613ad0051ed6471608
Author: olabusayoT <[email protected]>
AuthorDate: Thu Sep 18 15:53:28 2025 -0400
Enable SBOM generation during release
- add sbom plugin to main.js
- Add SBOM-related configurations to container's build.sbt and plugins.sbt
- Wrap release file downloads in a conditional check for pre-existing
release directory
- update check-release/README.md with detailed workflow setup instructions.
- Add SBOM-related configurations to enable XML format publishing during
the release process.
- verify reproducibility of sbom artifacts
- Add detailed testing instructions for the release-candidate action in its
README.
DAFFODIL-2993
---
actions/release-candidate/README.md | 36 ++++++++++++++++
actions/release-candidate/dist/main/index.js | 4 ++
actions/release-candidate/src/main.js | 4 ++
.../build-release/src/daffodil-build-release | 3 ++
containers/check-release/README.md | 6 +--
containers/check-release/src/check-release.sh | 48 ++++++++++++----------
6 files changed, 77 insertions(+), 24 deletions(-)
diff --git a/actions/release-candidate/README.md
b/actions/release-candidate/README.md
index e968754..8dff629 100644
--- a/actions/release-candidate/README.md
+++ b/actions/release-candidate/README.md
@@ -158,3 +158,39 @@ npm run build
The changes this makes to `dist/` must be committed along with the changes to
`src/`.
+
+# Testing
+
+Perform the following steps to test changes to the daffodil-infrastructure
repo on a GitHub fork:
+
+1. Update the `uses` action of the `ASF Release Candidate` step in the
+ `.github/workflows/release-candidate.yml` file of the repository to be
tested on. Then,
+ push your changes to your fork of the test repository.
+2. Add the secrets required by the `ASF Release Candidate` step to your
+ test repository. The following secrets are required:
+
+ - DAFFODIL_GPG_SECRET_KEY (any private key without a passphrase)
+ - DAFFODIL_SVN_DEV_USERNAME
+ - DAFFODIL_SVN_DEV_PASSWORD,
+ - NEXUS_STAGE_DEPLOYER_USER
+ - NEXUS_STAGE_DEPLOYER_PW
+
+ The other secrets should be set to non-empty dummy values and not actual
+ usernames/passwords. They will not be used.
+3. Now you can generate a release by going to the Actions tab of your test
fork,
+ and selecting the workflow that uses the release-candidate action.
+ Click the `Run workflow` button, and select the branch you just pushed to.
+4. Once the run is complete, you can download the release from the
`Artifacts`
+ tab under `Summary`. After downloading the release, extract it.
+
+If you want to validate things with the check-release container, follow its
steps
+as defined in its README.md. The only modification you need to make is to set
the
+release label to `rc0`. Then run the checks using the container using the
+following command:
+
+```bash
+podman run -it --rm \
+--volume <DOWNLOADED-RELEASE-DIR>:/release-download \
+--volume <ARTIFACT-DIR>:/release \
+daffodil-check-release "NA" "NA" /release
+```
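Review bot: the podman example at the end of this hunk mounts the download at the absolute path `/release-download`, but `check-release.sh` tests for the relative directory `release-download` (`RELEASE_DIR=release-download` in the hunk header below), so the skip-download branch only fires when the container's working directory is `/`; either state that assumption here or mount to the path the script actually resolves. Two smaller points: under `DAFFODIL_GPG_SECRET_KEY (any private key without a passphrase)` say explicitly that this should be a throwaway key generated for the fork rather than a maintainer's real signing key, since fork secrets are outside the project's control; and drop the stray trailing comma after `DAFFODIL_SVN_DEV_PASSWORD,`. The `--volume` lines also lack the two-space indent used by the equivalent example in containers/check-release/README.md.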
diff --git a/actions/release-candidate/dist/main/index.js
b/actions/release-candidate/dist/main/index.js
index c82ccf0..c9ce528 100644
--- a/actions/release-candidate/dist/main/index.js
+++ b/actions/release-candidate/dist/main/index.js
@@ -31950,6 +31950,10 @@ async function run() {
fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.1.2")\n');
fs.appendFileSync(`${ sbt_dir }/build.sbt`, `pgpSigningKey :=
Some("${ gpg_signing_key_id }")\n`);
+ // enable SBT for publishing SBOM
+ fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" %% "sbt-sbom" % "0.4.0")\n');
+ fs.appendFileSync(`${ sbt_dir }/build.sbt`, 'bomFormat :=
"xml"\n');
+
if (publish) {
// if publishing is enabled, publishing to the apache
staging repository
// with the provided credentials. We must diable
gigahorse since that fails
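Review bot: this file is the generated bundle, so it should come from `npm run build` on the `src/main.js` change rather than a hand edit; the four added lines do match src/main.js, which is what the README requires, but please confirm the rest of the bundle was regenerated and is otherwise identical. The pre-existing `diable` typo in the context comment two lines below would be fixed in src/main.js and rebuilt, not patched here.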
diff --git a/actions/release-candidate/src/main.js
b/actions/release-candidate/src/main.js
index a7223ae..274dea8 100644
--- a/actions/release-candidate/src/main.js
+++ b/actions/release-candidate/src/main.js
@@ -121,6 +121,10 @@ async function run() {
fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.1.2")\n');
fs.appendFileSync(`${ sbt_dir }/build.sbt`, `pgpSigningKey :=
Some("${ gpg_signing_key_id }")\n`);
+ // enable SBT for publishing SBOM
+ fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" %% "sbt-sbom" % "0.4.0")\n');
+ fs.appendFileSync(`${ sbt_dir }/build.sbt`, 'bomFormat :=
"xml"\n');
+
if (publish) {
// if publishing is enabled, publishing to the apache
staging repository
// with the provided credentials. We must diable
gigahorse since that fails
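Review bot: `bomFormat := "xml"` is appended unscoped here, while `daffodil-build-release` in this same commit writes `ThisBuild / bomFormat := "xml"`; in a multi-project build an unscoped setting in the root build.sbt applies only to the root project, so sub-module SBOMs would keep the plugin's default format and the two build paths would emit different artifacts, which undercuts the reproducibility comparison the commit message describes. Use the `ThisBuild /` form in both places. Also, the new plugin line uses `%%` whereas the `sbt-pgp` line just above uses `%`; sbt plugin coordinates are conventionally declared with `%`, so either confirm `%%` resolves for `sbt-sbom` or align it. The comment would be clearer as `// enable sbt-sbom plugin for publishing SBOM`.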
diff --git a/containers/build-release/src/daffodil-build-release
b/containers/build-release/src/daffodil-build-release
index 9eb1b8e..b547aa6 100755
--- a/containers/build-release/src/daffodil-build-release
+++ b/containers/build-release/src/daffodil-build-release
@@ -70,7 +70,10 @@ DIST_DIR=$RELEASE_DIR/asf-dist/$RELEASE_VERSION
MAVEN_DIR=$RELEASE_DIR/maven-local
mkdir -p ~/.sbt/1.0
+mkdir -p ~/.sbt/1.0/plugins
echo "ThisBuild / publishTo := Some(MavenCache(\"maven-local\",
file(\"$MAVEN_DIR\")))" >> ~/.sbt/1.0/build.sbt
+echo "addSbtPlugin(\"com.github.sbt\" %% \"sbt-sbom\" % \"0.4.0\")" >>
~/.sbt/1.0/plugins/plugins.sbt
+echo "ThisBuild / bomFormat := \"xml\"" >> ~/.sbt/1.0/build.sbt
echo "==== Building source artifact ===="
mkdir -p $DIST_DIR/src/
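Review bot: the three appended lines use `>>`, so running this script twice against the same home directory declares `sbt-sbom` twice in `~/.sbt/1.0/plugins/plugins.sbt`; harmless in a fresh container, but worth a comment or a guard. The plugin line uses `%%` exactly as main.js does, so whichever form is settled on there should be mirrored here. Note that `~/.sbt/1.0/plugins` is the global plugins directory, so the plugin is loaded for every sbt build run in this container, not only the release build; fine for a single-purpose image, but worth stating in a comment beside the echo.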
diff --git a/containers/check-release/README.md
b/containers/check-release/README.md
index 6abb09d..92cf7fa 100644
--- a/containers/check-release/README.md
+++ b/containers/check-release/README.md
@@ -21,7 +21,7 @@ This container can be used to verify the signatures,
checksums, signatures, and
optionally reproducibility.
Note that it is possible to run the src/check-release.sh script standalone
-without the container, but the container proviedes an environment that has all
+without the container, but the container provides an environment that has all
the necessary dependencies and keys already installed, so it may make release
verification easier.
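Review bot: the typo fix is fine, but the sentence in the context two lines above ("verify the signatures, checksums, signatures, and optionally reproducibility") repeats "signatures"; since this hunk already touches the paragraph, drop the duplicate word.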
@@ -36,8 +36,8 @@ To use the container image to check a release, run the
following:
Alternatively, if you would like to do the same checks but also check for
reproducibility, use the Release Candidate Container to build a release
-directory directory, then run the following:
+directory, then run the following:
podman run -it --rm \
- --volume <RELEASE_DIR>:/release
+ --volume <RELEASE_DIR>:/release \
daffodil-check-release "<DIST_URL>" "<MAVEN_URL>" /release
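Review bot: the restored trailing backslash is needed for the command to run as one invocation; while here, the sentence refers to the "Release Candidate Container", whereas the container that builds a release directory lives under containers/build-release in this repository (see the daffodil-build-release hunk above), so consider naming it consistently.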
diff --git a/containers/check-release/src/check-release.sh
b/containers/check-release/src/check-release.sh
index c3c7a5f..bdcf4aa 100755
--- a/containers/check-release/src/check-release.sh
+++ b/containers/check-release/src/check-release.sh
@@ -52,7 +52,7 @@ download_dir() {
find "$(basename "$URL")" -name '*.tmp' -delete
}
-# URL of release candidate directory in dev/dist/, e.g.
https://dist.apache.org/repos/dist/dev/daffodil/1.0.0-rc1
+# URL of release candidate directory in dist/dev, e.g.
https://dist.apache.org/repos/dist/dev/daffodil/1.0.0-rc1
DIST_URL=$1
# URL of maven staging repository, e.g.
https://repository.apache.org/content/repositories/orgapachedaffodil-1234
@@ -80,30 +80,36 @@ RELEASE_DIR=release-download
DIST_DIR=$RELEASE_DIR/asf-dist
MAVEN_DIR=$RELEASE_DIR/maven-local
-printf "\n==== Downloading Release Files ====\n"
-# download dist/dev/ files
-mkdir -p $DIST_DIR
-pushd $DIST_DIR &>/dev/null
-download_dir $DIST_URL
-popd &>/dev/null
-
-# download maven repository, delete nexus generated files, and remove the
-# orgapachedaffodil-1234 dir since the build-release container does not have
-# this directory
-if [ -n "$MAVEN_URL" ]
+if [ ! -d "$RELEASE_DIR" ]
then
- mkdir -p $MAVEN_DIR
- pushd $MAVEN_DIR &>/dev/null
- download_dir $MAVEN_URL
- find . -type f \( -name 'archetype-catalog.xml' -o -name
'maven-metadata.xml*' \) -delete
- REPO_DIR=(*/)
- mv $REPO_DIR/* .
- rmdir $REPO_DIR
+ printf "\n==== Downloading Release Files ====\n"
+
+ # download dist/dev/ files
+ mkdir -p $DIST_DIR
+ pushd $DIST_DIR &>/dev/null
+ download_dir $DIST_URL
popd &>/dev/null
-fi
-printf "\n==== Download Complete ====\n"
+ # download maven repository, delete nexus generated files, and remove
the
+ # orgapachedaffodil-1234 dir since the build-release container does not
have
+ # this directory
+ if [ -n "$MAVEN_URL" ]
+ then
+ mkdir -p $MAVEN_DIR
+ pushd $MAVEN_DIR &>/dev/null
+ download_dir $MAVEN_URL
+ find . -type f \( -name 'archetype-catalog.xml' -o -name
'maven-metadata.xml*' \) -delete
+ REPO_DIR=(*/)
+ mv $REPO_DIR/* .
+ rmdir $REPO_DIR
+ popd &>/dev/null
+ fi
+
+ printf "\n==== Download Complete ====\n"
+else
+ printf "\n==== Skipping Download, release-download/ directory already
exists ====\n"
+fi
RED="\x1b[31m"
GREEN="\033[32m"
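Review bot: the new `if [ ! -d "$RELEASE_DIR" ]` guard reuses whatever is already in `release-download/` without checking that it is complete; `download_dir` deletes `*.tmp` leftovers precisely because downloads can be interrupted, so a partially fetched directory from an earlier run would now be used as the release under test with no indication of what is missing. Either write a marker file after the download finishes and test for that, or make the skip message tell the user to delete the directory to force a fresh fetch. Two smaller points: the context line `popd &>/dev/null` after `download_dir $DIST_URL` now sits inside the conditional but stays at column 0, unlike the re-indented lines around it; and the commit message says "verify reproducibility of sbom artifacts", but no hunk in this diff adds an SBOM comparison, so say where that check lives or drop the bullet.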