author | Matthias Sohn <matthias.sohn@sap.com> | 2023-10-06 01:10:40 +0200 |
---|---|---|
committer | Matthias Sohn <matthias.sohn@sap.com> | 2023-11-09 00:08:42 +0100 |
commit | 6007371e3a21970dd34ae91ac20460922a15488e (patch) | |
tree | f4c77f590e98032641d274a8714f5ead5d0e2f42 /org.eclipse.jgit.packaging | |
parent | 97afcb050b182beacd1c6913d8293d6ba0a9989e (diff) | |
download | jgit-6007371e3a21970dd34ae91ac20460922a15488e.tar.gz jgit-6007371e3a21970dd34ae91ac20460922a15488e.zip |
Enable Maven reproducible builds
- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags,
git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of
checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure
version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3] they should have a build
timestamp matching the time when the build was executed and a serial
number which is a unique UUID per build run. Hence exclude them from
comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects
build timestamp in ISO-8601 format, to replace the qualifier in
versions the timestamp format must be compatible with rules for OSGi
version numbers. Didn't find a way to read the properties set by the
git-commit-id-maven-plugin from another plugin. Hence use JGit in a
groovy script to get the commit time of the current HEAD and provide
it in these two formats.
TODO: packaging build (features and p2 repository) is not yet binary
reproducible since that's not yet supported by Tycho [5], artefacts have
reproducible version numbers but file lastModified timestamps are not
yet reproducible.
Test plan for Maven build:
- build using
mvn clean install
- verify second build is reproducible:
mvn -T1 clean verify artifact:compare
verification seems not to be thread-safe, hence run it with a single
thread using option -T1
For packaging build (still fails due to non-reproducible file
timestamps):
- build using
mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible:
mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare
[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] https://github.com/eclipse-tycho/tycho/issues/233
Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
Diffstat (limited to 'org.eclipse.jgit.packaging')
-rw-r--r-- | org.eclipse.jgit.packaging/pom.xml | 71 |
1 files changed, 70 insertions, 1 deletions
diff --git a/org.eclipse.jgit.packaging/pom.xml b/org.eclipse.jgit.packaging/pom.xml index ba73e9204f..715491d472 100644 --- a/org.eclipse.jgit.packaging/pom.xml +++ b/org.eclipse.jgit.packaging/pom.xml @@ -32,6 +32,7 @@ <java.version>11</java.version> <tycho-version>4.0.2</tycho-version> <target-platform>jgit-4.17</target-platform> + <project.build.outputTimestamp>${git.commit.time}</project.build.outputTimestamp> </properties> <pluginRepositories> @@ -223,7 +224,6 @@ <outputFormat>json</outputFormat> <outputName>cyclonedx</outputName> <outputDirectory>${project.build.directory}</outputDirectory> - <outputTimestamp>${project.build.outputTimestamp}</outputTimestamp> <verbose>false</verbose> </configuration> <executions> @@ -235,6 +235,26 @@ </execution> </executions> </plugin> + <plugin> + <groupId>io.github.git-commit-id</groupId> + <artifactId>git-commit-id-maven-plugin</artifactId> + <version>6.0.0</version> + <executions> + <execution> + <id>get-the-git-infos</id> + <goals> + <goal>revision</goal> + </goals> + <phase>initialize</phase> + </execution> + </executions> + <configuration> + <generateGitPropertiesFile>false</generateGitPropertiesFile> + <injectAllReactorProjects>true</injectAllReactorProjects> + <dateFormat>yyyy-MM-dd'T'HH:mm:ss'Z'</dateFormat> + <dateFormatTimeZone>UTC</dateFormatTimeZone> + </configuration> + </plugin> </plugins> <pluginManagement> <plugins> 
@@ -256,6 +276,30 @@ </configuration> </plugin> <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-jar-plugin</artifactId> + <version>3.3.0</version> + <configuration> + <archive> + <manifestEntries> + <Implementation-Title>JGit ${project.artifactId}</Implementation-Title> + <Implementation-Version>${project.version}</Implementation-Version> + <Implementation-Vendor>Eclipse.org - JGit</Implementation-Vendor> + <Implementation-Vendor-Id>org.eclipse.jgit</Implementation-Vendor-Id> + <Implementation-Vendor-URL>${jgit-url}</Implementation-Vendor-URL> + <git-describe>${git.commit.id.describe}</git-describe> + <git-commit-id>${git.commit.id}</git-commit-id> + <git-commit-time>${git.commit.time}</git-commit-time> + <git-tags>${git.tags}</git-tags> + <git-remote-origin-url>${git.remote.origin.url}</git-remote-origin-url> + </manifestEntries> + </archive> + <!-- TODO: uncomment this in order to skip empty artifact of test modules as soon as bug 416299 is fixed + <skipIfEmpty>true</skipIfEmpty> + --> + </configuration> + </plugin> + <plugin> <groupId>org.eclipse.tycho</groupId> <artifactId>target-platform-configuration</artifactId> <version>${tycho-version}</version> @@ -318,6 +362,22 @@ <groupId>org.eclipse.tycho</groupId> <artifactId>tycho-packaging-plugin</artifactId> <version>${tycho-version}</version> + <dependencies> + <dependency> + <groupId>org.eclipse.tycho</groupId> + <artifactId>tycho-buildtimestamp-jgit</artifactId> + <version>${tycho-version}</version> + </dependency> + </dependencies> + <configuration> + <timestampProvider>jgit</timestampProvider> + <jgit.ignore> + pom.xml + .polyglot.build.properties + target/ + </jgit.ignore> + <format>yyyyMMddHHmm</format> + </configuration> </plugin> <plugin> <groupId>org.eclipse.tycho</groupId> 
@@ -353,6 +413,15 @@ <artifactId>maven-site-plugin</artifactId> <version>3.12.1</version> </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-artifact-plugin</artifactId> + <version>3.5.0</version> + <configuration> + <ignore>**/*cyclonedx.json</ignore> + <reproducible>true</reproducible> + </configuration> + </plugin> </plugins> </pluginManagement> </build> |
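Review bot: The removal of <outputTimestamp> from the cyclonedx configuration at @@ -223,7 +224,6 @@ reads as the opposite of the commit message line "configure cyclonedx-maven-plugin to also use UTC timestamp of checked out commit". If the plugin is expected to pick up the project.build.outputTimestamp property set in the first hunk without explicit configuration, please say so in an XML comment at this spot, so the line is not re-added or the timestamp source misread later.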
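Review bot: In the git-commit-id-maven-plugin block added at @@ -235,6 +235,26 @@, nothing covers a build from a source tree without a .git directory, such as the tar.gz or zip download of this commit. project.build.outputTimestamp is now ${git.commit.time} and the new manifest entries use the other git.* properties, so such a build either fails in the initialize phase (failOnNoGitDirectory defaults to true) or, if that is switched off, runs with unresolved placeholders. Suggest stating in the pom that a git checkout is required, or supplying a fallback value for git.commit.time. The quoted 'Z' in dateFormat is a literal, so it is only correct while dateFormatTimeZone stays UTC; a one-line comment tying the two settings together would help.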
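Review bot: Three of the manifestEntries added at @@ -256,6 +276,30 @@ depend on the state of the builder's clone rather than on the commit: git-remote-origin-url differs between a mirror, a fork and an ssh or https clone of the same repository, and git-describe and git-tags change with which tags have been fetched. Because MANIFEST.MF is inside the jar, two builders of the same commit can then fail artifact:compare, and the origin URL of an internal mirror ends up in published artifacts. Suggest keeping git-commit-id and git-commit-time, which are fixed by the commit, and dropping the other three or making them optional.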
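Review bot: In the tycho-packaging-plugin configuration at @@ -318,6 +362,22 @@, the jgit.ignore list includes pom.xml with no comment saying why. If this keeps pom.xml commits from advancing the qualifier, a change that touches only a pom (a dependency or plugin version bump, for example) ships different content under an unchanged version qualifier; please document the intent next to the list. The qualifier format yyyyMMddHHmm has minute precision while git.commit.time carries seconds, which is worth a note for anyone comparing the two values.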
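Review bot: The ignore pattern **/*cyclonedx.json added at @@ -353,6 +413,15 @@ has no comment in the pom explaining why SBOM files are left out of artifact:compare; the reason exists only in the commit message. Suggest an XML comment next to <ignore> that links the CycloneDX issue and states that SBOM content is therefore not covered by the reproducibility check, so the pattern is not widened or copied elsewhere without that context.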