Add build recipe generation to build.sh and integrate new workflows CLI into sbom.sh #4289
- Call new flags from TemurinGenSBOM.java from sbom.sh functions
- Call these functions in build.sh to generate the workflows snippet
Thank you for creating a pull request!
sbin/build.sh
Outdated
| # Add CycloneDX versions | ||
| addCycloneDXVersions | ||
|
|
||
| local formulaName="formula_temurin_build_script_1.0_jdk21u" |
We will need to construct these names based on the given build's VERSION etc...
I suggest something like:
local formulaName="formula_temurin_build_script_${fullVer}"
sbin/build.sh
Outdated
| addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "execute makejdk-anyplatform.sh" | ||
|
|
||
| # Commands | ||
| addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "git clone [email protected]:adoptium/temurin-build" |
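Review bot: The "clone repo" command on the last added line records an scp-style SSH remote (user@host:adoptium/temurin-build), which only works for someone holding an SSH key registered with that host; an https:// URL for the same repository would let anyone replaying the recipe clone it anonymously. Separately, the step description on the addSBOMWorkflowStep line reads "execute makejdk-anyplatform.sh", which drops a hyphen from the script name makejdk-any-platform.sh.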
The clone needs to be for the exact temurin-build "commit" that is used for this build, so that in running this recipe it will exactly reproduce this build.
Use ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt from
Line 1128 in f4bcbeb
| # Add buildRef as JDK Component Property |
sbin/build.sh
Outdated
| # Commands | ||
| addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "git clone [email protected]:adoptium/temurin-build" | ||
| addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "cd temurin-build" | ||
| addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "bash ./makejdk-any-platform.sh jdk21u --with-version-string=21.0.2+13-202312052047 --with-vendor-version-string=202312052047" |
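Review bot: The "makejdk" command string on the last line pins both --with-version-string and --with-vendor-version-string to the literal timestamp 202312052047, but nothing in the command sets the build date itself, so replaying these three commands is not tied to the original build time. Derive the version strings from the current build rather than a literal, and record the build's own date in the command, for example through --build-reproducible-date.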
Need this build's full exact makejdk-any-platform.sh params...
Line 1145 in f4bcbeb
| # Add makejdk_any_platform_args JDK Component Property |
What I would suggest, in trying to test this, is that you do a local build on your laptop, save the built JDK1 tar.gz, then try to rebuild it using just the SBOM formulation recipe in a completely fresh workspace, then see if it is identical to the JDK1 tar.gz?
Add function addTemurinBuildRecipeToSBOM, which handles everything that has to do with the workflows/build recipe generation

This function:
- Reads makejdk-any-platform.args and buildSource.txt to build the new makejdk command
- Gets the clone url and commit hash from buildSource.txt
- Adds --build-reproducible-date only if not already specified
- Adds --use-adoptium-devkit only if already specified
Changes
build.sh
New code that generates the build recipe for the workflows section of the SBOM.
Add function addTemurinBuildRecipeToSBOM, which is responsible for generating the workflow/recipe section in the SBOM. In detail, it:
- Reads makejdk-any-platform.args from workspace/config/ to get the original makejdk-any-platform.sh flags.
- Reads metadata/buildSource.txt from the target directory to recover the GitHub repository URL and the exact commit hash used by the build.
- Uses the reproducible build timestamp from BUILD_REPRODUCIBLE_DATE (or BUILD_TIMESTAMP if the first does not exist) for the --build-reproducible-date '<timestamp>' flag. (Only add if not present already)
- Reads metadata/BUILD_ARGS and if it finds a --use-adoptium-devkit flag, extracts the devkit tag and adds -C --use-adoptium-devkit <tag> to the makejdk-any-platform command.

See below for an example and general recipe output.
sbom.sh
Add wrappers around the TemurinGenSBOM CLI so shell code can author formulation.workflows:
- workflows
- workflows.steps
- workflows.steps.commands
Each wrapper calls the respective methods in TemurinGenSBOM.java with the right flags.
Example: