This is an automated email from the ASF dual-hosted git repository. jdaugherty pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/grails-core.git
commit 92c53a855d086dd6809d9a2f5913e62f0d1f06bb Author: James Daugherty <[email protected]> AuthorDate: Fri May 30 19:52:09 2025 -0400 [skip ci] ensure DISCLAIMER exists & reproducible build verification --- etc/bin/generate-build-artifact-hashes.groovy | 6 +++--- etc/bin/verify-cli-distribution.sh | 2 +- etc/bin/verify-jar-artifacts.sh | 4 ++-- etc/bin/verify-reproducible.sh | 21 ++++++++++++++------- etc/bin/verify-source-distribution.sh | 2 +- etc/bin/verify-wrapper-distribution.sh | 2 +- etc/bin/verify.sh | 23 +++++++++++++++-------- 7 files changed, 37 insertions(+), 23 deletions(-) diff --git a/etc/bin/generate-build-artifact-hashes.groovy b/etc/bin/generate-build-artifact-hashes.groovy index f6eb032b70..d8d94e3fd3 100755 --- a/etc/bin/generate-build-artifact-hashes.groovy +++ b/etc/bin/generate-build-artifact-hashes.groovy @@ -21,8 +21,8 @@ import java.nio.file.* import java.security.MessageDigest // --------------------------------------------------------------------------- -String sha256(Path file) { - MessageDigest md = MessageDigest.getInstance('SHA-256') +String sha512(Path file) { + MessageDigest md = MessageDigest.getInstance('SHA-512') file.withInputStream { is -> byte[] buf = new byte[8192] for (int r = is.read(buf); r > 0; r = is.read(buf)) @@ -76,7 +76,7 @@ artifacts.findAll { !it.toString().contains("${File.separator}grails-test-examples${File.separator}" as String) // test examples aren't published }.sort { a, b -> a.toString() <=> b.toString() }.collect { Path jar -> - String hash = sha256(jar) + String hash = sha512(jar) String relative = root.relativize(jar).toString() "${relative} ${hash}" }.sort().each { diff --git a/etc/bin/verify-cli-distribution.sh b/etc/bin/verify-cli-distribution.sh index 3de880830c..6bad043d22 100755 --- a/etc/bin/verify-cli-distribution.sh +++ b/etc/bin/verify-cli-distribution.sh 
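Review bot: `sha512` hard-codes the digest, and the emitted `"${relative} ${hash}"` line names no algorithm, yet nothing in generate-build-artifact-hashes.groovy says the value must match the digest used for the distribution's CHECKSUMS file, which verify-reproducible.sh in this commit compares against this script's output. A comment above the function would prevent silent drift: `// Digest must match the one used to write CHECKSUMS; verify-reproducible.sh compares the two files.` If the two ever diverge, every artifact would be reported as differing instead of the algorithm mismatch being named. The function body continues past the end of the hunk.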
@@ -64,7 +64,7 @@ if [ ! -d "${SRC_DIR}" ]; then fi echo "Checking for required files existence..." -REQUIRED_FILES=("LICENSE" "NOTICE") +REQUIRED_FILES=("LICENSE" "NOTICE" "DISCLAIMER") for FILE in "${REQUIRED_FILES[@]}"; do if [ ! -f "${SRC_DIR}/$FILE" ]; then diff --git a/etc/bin/verify-jar-artifacts.sh b/etc/bin/verify-jar-artifacts.sh index 21e15ad01a..7d725073d6 100755 --- a/etc/bin/verify-jar-artifacts.sh +++ b/etc/bin/verify-jar-artifacts.sh @@ -59,12 +59,12 @@ REPO_BASE_URL="https://repository.apache.org/content/repositories/${STAGING_REPO cd grails # Create a temporary directory to work in -WORK_DIR='etc/bin/results/published_artifacts' +WORK_DIR='etc/bin/results/published' mkdir -p $WORK_DIR echo "Using temp dir: $WORK_DIR" cd "$WORK_DIR" -# Read each line from PUBLISHED_ARTIFACTS +# Read each line from ARTIFACTS_FILE while IFS= read -r line; do JAR_FILE=$(echo "${line}" | awk '{print $1}') [[ "${JAR_FILE}" != *.jar ]] && continue diff --git a/etc/bin/verify-reproducible.sh b/etc/bin/verify-reproducible.sh index 5a972a83c6..5d17676727 100755 --- a/etc/bin/verify-reproducible.sh +++ b/etc/bin/verify-reproducible.sh @@ -19,7 +19,7 @@ # This file assumes the gnu version of coreutils is installed, which is not installed by default on a mac set -e -DOWNLOAD_LOCATION="${3:-downloads}" +DOWNLOAD_LOCATION="${1:-downloads}" DOWNLOAD_LOCATION=$(realpath "${DOWNLOAD_LOCATION}") SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 
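Review bot: In verify-reproducible.sh the download location moves from `$3` to `$1` without any argument check. A caller still using the three-argument form that verify.sh passes to verify-jar-artifacts.sh (staging repo id, release tag, location) would have its first argument silently taken as the directory. A guard before the assignment would catch that, for example `[[ $# -le 1 ]] || { echo "Usage: $0 [download-location]" >&2; exit 1; }`. The header comment should also state the single optional argument and its default `downloads`.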
@@ -28,10 +28,10 @@ CWD=$(pwd) cd "${DOWNLOAD_LOCATION}/grails" mkdir -p "${DOWNLOAD_LOCATION}/grails/etc/bin/results" -if [[ -f "${DOWNLOAD_LOCATION}/grails/PUBLISHED_ARTIFACTS" ]]; then - echo "✅ File 'PUBLISHED_ARTIFACTS' exists." +if [[ -f "${DOWNLOAD_LOCATION}/grails/CHECKSUMS" ]]; then + echo "✅ File 'CHECKSUMS' exists." else - echo "❌ File 'PUBLISHED_ARTIFACTS' not found. Grails Source Distributions should have a PUBLISHED_ARTIFACTS file at the root..." + echo "❌ File 'CHECKSUMS' not found. Grails Source Distributions should have a CHECKSUMS file at the root..." exit 1 fi @@ -56,13 +56,20 @@ cd grails-gradle cd .. ./gradlew build --rerun-tasks -PskipTests --no-build-cache "${SCRIPT_DIR}/generate-build-artifact-hashes.groovy" > "${DOWNLOAD_LOCATION}/grails/etc/bin/results/second.txt" + +## Flatten the jar files since our published artifacts are flat +tmpfile=$(mktemp) +while read -r filepath checksum; do + echo "$(basename "$filepath") $checksum" +done < "${DOWNLOAD_LOCATION}/grails/etc/bin/results/second.txt" > "$tmpfile" && mv "$tmpfile" "${DOWNLOAD_LOCATION}/grails/etc/bin/results/second.txt" + mkdir -p "${DOWNLOAD_LOCATION}/grails/etc/bin/results/second" -find . -path ./etc -prune -o -type f -path '*/build/libs/*.jar' -exec cp -t "${DOWNLOAD_LOCATION}/grails/etc/bin/results/second/" -- {} + +find . -path ./etc -prune -o -type f -path '*/build/libs/*.jar' ! -name "buildSrc.jar" -exec cp -t "${DOWNLOAD_LOCATION}/grails/etc/bin/results/second/" -- {} + cd "${DOWNLOAD_LOCATION}/grails/etc/bin/results" -# diff -u PUBLISHED_ARTIFACTS second.txt -DIFF_RESULTS=$(comm -3 <(cut -d' ' -f1 ../../../PUBLISHED_ARTIFACTS | sort) <(sort second.txt) | cut -d' ' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | uniq | sort) +# diff -u CHECKSUMS second.txt +DIFF_RESULTS=$(comm -3 <(sort ../../../CHECKSUMS) <(sort second.txt) | cut -d' ' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | uniq | sort) echo "Differing artifacts:" echo "$DIFF_RESULTS" > diff.txt cat diff.txt 
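Review bot: The new comparison `DIFF_RESULTS=$(comm -3 <(sort ../../../CHECKSUMS) <(sort second.txt) | cut … | uniq | sort)` in verify-reproducible.sh can fail open, because with only `set -e` (the one option visible in this diff) the pipeline's status is that of the final `sort`, so an error from `comm` leaves an empty result that reads as no differing artifacts. Adding `set -o pipefail` next to `set -e` covers the pipeline. A check such as `[[ -s ../../../CHECKSUMS && -s second.txt ]] || exit 1` before the comparison covers the process substitutions, which pipefail does not. The flatten loop keys each entry by `basename`, so two modules producing a jar with the same file name would collapse into one entry and overwrite each other in `results/second/`; a comment stating that published jar names are assumed unique would help. `uniq | sort` drops only adjacent duplicates and can be `sort -u`. Whether the script exits non-zero when diff.txt is non-empty is outside this hunk.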
diff --git a/etc/bin/verify-source-distribution.sh b/etc/bin/verify-source-distribution.sh index 461e54dcce..d33bc702db 100755 --- a/etc/bin/verify-source-distribution.sh +++ b/etc/bin/verify-source-distribution.sh @@ -64,7 +64,7 @@ if [ ! -d "${SRC_DIR}" ]; then fi echo "Checking for required files existence..." -REQUIRED_FILES=("LICENSE" "NOTICE" "README.md" "CONTRIBUTING.md" "PUBLISHED_ARTIFACTS" "CHECKSUMS" "BUILD_DATE") +REQUIRED_FILES=("LICENSE" "NOTICE" "README.md" "CONTRIBUTING.md" "PUBLISHED_ARTIFACTS" "CHECKSUMS" "BUILD_DATE" "DISCLAIMER") for FILE in "${REQUIRED_FILES[@]}"; do if [ ! -f "${SRC_DIR}/$FILE" ]; then diff --git a/etc/bin/verify-wrapper-distribution.sh b/etc/bin/verify-wrapper-distribution.sh index 064228c92f..616b06154d 100755 --- a/etc/bin/verify-wrapper-distribution.sh +++ b/etc/bin/verify-wrapper-distribution.sh @@ -64,7 +64,7 @@ if [ ! -d "${SRC_DIR}" ]; then fi echo "Checking for required files existence..." -REQUIRED_FILES=("LICENSE" "NOTICE") +REQUIRED_FILES=("LICENSE" "NOTICE" "DISCLAIMER") for FILE in "${REQUIRED_FILES[@]}"; do if [ ! -f "${SRC_DIR}/$FILE" ]; then diff --git a/etc/bin/verify.sh b/etc/bin/verify.sh index 9ca25eaa14..d0a4ce3678 100755 --- a/etc/bin/verify.sh +++ b/etc/bin/verify.sh 
@@ -57,12 +57,19 @@ echo "Verifying JAR Artifacts ..." "${SCRIPT_DIR}/verify-jar-artifacts.sh" "${STAGING_REPO_ID}" "${RELEASE_TAG}" "${DOWNLOAD_LOCATION}" echo "✅ JAR Artifacts Verified" -echo "Bootstrapping Gradle..." -cd "${DOWNLOAD_LOCATION}/grails" -gradle wrapper -cd grails-gradle -gradle wrapper -cd "${CWD}" +# I have no idea why this needs done manually, but if it's run from this script gradle happily ignores the settings.gradle and tries to build (so it fails) +echo "Unable to bootstrap gradle manually. Please bootstrap by running 'gradle wrapper' in grails & grails/grails-gradle." +echo "After bootstrapping, call verify-reproducible.sh '${DOWNLOAD_LOCATION}'" -echo "Testing for Reproducible Build ..." -echo " ... Manually" +#echo "Using Java at ..." +#which java +#java -version +# +#echo "Using Gradle version to bootstrap ..." +#which gradle +#gradle --version + +#echo "Running Reproducible Build Verification ..." +#"${SCRIPT_DIR}/verify-reproducible.sh" "${DOWNLOAD_LOCATION}" + +echo "✅ Verification finished, see above instructions for reproducible build testing" \ No newline at end of file
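Review bot: verify.sh now ends with `✅ Verification finished` although the reproducible-build step was not run, so someone skimming the output of a release check can read it as a full pass. The closing line would be clearer as `echo "⚠️ Reproducible build NOT verified yet: bootstrap, then run verify-reproducible.sh '${DOWNLOAD_LOCATION}'"`. The message `Unable to bootstrap gradle manually` appears to mean "automatically". The three commented-out blocks (`#which java`, `#which gradle`, and the `verify-reproducible.sh` call) should be deleted or given a one-line reason for staying, and the file now lacks a trailing newline.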
