From 6007371e3a21970dd34ae91ac20460922a15488e Mon Sep 17 00:00:00 2001
From: Matthias Sohn <matthias.sohn@sap.com>
Date: Fri, 6 Oct 2023 01:10:40 +0200
Subject: Enable Maven reproducible builds

- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags,
  git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of
  checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure
  version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3] they should have a build
  timestamp matching the time when the build was executed and a serial
  number which is a unique UUID per build run. Hence exclude them from
  comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects
  build timestamp in ISO-8601 format, to replace the qualifier in
  versions the timestamp format must be compatible with rules for OSGi
  version numbers. Didn't find a way to read the properties set by the
  git-commit-id-maven-plugin from another plugin. Hence use JGit in a
  groovy script to get the commit time of the current HEAD and provide
  it in these two formats.

TODO: packaging build (features and p2 repository) is not yet binary
reproducible since that's not yet supported by Tycho [5], artefacts have
reproducible version numbers but file lastModified timestamps are not
yet reproducible.

Test plan for Maven build:
- build using
  mvn clean install"
- verify second build is reproducible:
  mvn -T1 clean verify artifact:compare
  verification seems not to be thread-safe, hence run it with a single
  thread using option -T1

For packaging build (still fails due to non-reproducible file
timestamps):
- build using
  mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible:
  mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare

[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] https://github.com/eclipse-tycho/tycho/issues/233

Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
---
 org.eclipse.jgit.pgm/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'org.eclipse.jgit.pgm')

diff --git a/org.eclipse.jgit.pgm/pom.xml b/org.eclipse.jgit.pgm/pom.xml
index de0548d5c8..776207f866 100644
--- a/org.eclipse.jgit.pgm/pom.xml
+++ b/org.eclipse.jgit.pgm/pom.xml
@@ -205,7 +205,7 @@
               <target>
                 <copy file="META-INF/SOURCE-MANIFEST.MF" tofile="${source-bundle-manifest}" overwrite="true"/>
                 <replace file="${source-bundle-manifest}">
-                  <replacefilter token=".qualifier" value=".${maven.build.timestamp}"/>
+                  <replacefilter token=".qualifier" value=".${commit.time.version}"/>
                 </replace>
               </target>
             </configuration>
-- 
cgit v1.2.3