From 8aed0fb0edb201168a478b6fe130eb48aed813ac Mon Sep 17 00:00:00 2001 From: Lukas Bergholz Date: Tue, 28 Oct 2025 15:41:05 +0100 Subject: [PATCH 1/2] Add workflows CLI commands to build.sh and sbom.sh - Call new flags from TemurinGenSBOM.java from sbom.sh functions - Call these functions in build.sh to generate the workflows snippet --- sbin/build.sh | 19 +++++++++++++++++++ sbin/common/sbom.sh | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) diff --git a/sbin/build.sh b/sbin/build.sh index 3d658d5a5..8941315b4 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
@@ -1067,6 +1067,25 @@ generateSBoM() { # Add CycloneDX versions addCycloneDXVersions + local formulaName="formula_temurin_build_script_1.0_jdk21u" + local workflowRef="workflow_temurin_build_script_1.0_jdk21u" + local workflowUid="workflow_temurin_build_script_1.0_jdk21u" + local workflowName="temurin build script 1.0 for jdk21u" + local taskTypes="clone,build" + + # Create workflow under the formula (formula/workflow are created if missing) + addSBOMWorkflow "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "${workflowUid}" "${workflowName}" "${taskTypes}" + + # Steps + addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "clone repository" + addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "cd into temurin-build" + addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "execute makejdk-anyplatform.sh" + + # Commands + addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "git clone git@github.com:adoptium/temurin-build" + addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "cd temurin-build" + addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "bash ./makejdk-any-platform.sh jdk21u --with-version-string=21.0.2+13-202312052047 --with-vendor-version-string=202312052047" + # Add Build Docker image SHA1 local buildimagesha=$(cat ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/docker.txt) # ${BUILD_CONFIG[CONTAINER_COMMAND]^} always set to false cannot rely on it. diff --git a/sbin/common/sbom.sh b/sbin/common/sbom.sh index 7fd7869aa..8210bf03e 100755 --- a/sbin/common/sbom.sh +++ b/sbin/common/sbom.sh 
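Review bot: None of the nine addSBOMWorkflow / addSBOMWorkflowStep / addSBOMWorkflowStepCmd calls added here check their return status, so a failing TemurinGenSBOM invocation leaves the SBOM without its formulation section while generateSBoM carries on; whether build.sh runs under `set -e` is not visible from this hunk. Appending `|| return 1` to the `addSBOMWorkflow "${javaHome}" "${classpath}" "${sbomJson}" ...` call, and likewise to each step and command call, would make a missing build recipe fail SBOM generation instead of silently producing an incomplete provenance document. The same unchecked-call pattern is carried into the rewritten recipe in the second patch of this series (the hunk at `@@ -1067,24 +1067,106 @@`). `javaHome`, `classpath` and `sbomJson` are used but defined outside the hunk, and generateSBoM's body starts and ends outside it.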
@@ -205,3 +205,42 @@ addSBOMComponentPropertyFromFile() { fi } +# Ref: https://cyclonedx.org/docs/1.6/json/#formulation_items_workflows +# Create or update a workflow entry under a given formula +addSBOMWorkflow() { + local javaHome="${1}" + local classpath="${2}" + local jsonFile="${3}" + local formulaName="${4}" + local workflowRef="${5}" + local workflowUid="${6}" + local workflowName="${7}" + local taskTypes="${8}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addWorkflow --jsonFile "${jsonFile}" --formulaName "${formulaName}" --workflowRef "${workflowRef}" --workflowUid "${workflowUid}" --workflowName "${workflowName}" --taskTypes "${taskTypes}" +} + +# Ref: https://cyclonedx.org/docs/1.6/json/#formulation_items_workflows_items_steps +# Create a step inside of a workflow +addSBOMWorkflowStep() { + local javaHome="${1}" + local classpath="${2}" + local jsonFile="${3}" + local formulaName="${4}" + local workflowRef="${5}" + local workflowStepName="${6}" + local description="${7}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addWorkflowStep --jsonFile "${jsonFile}" --formulaName "${formulaName}" --workflowRef "${workflowRef}" --workflowStepName "${workflowStepName}" --description "${description}" +} + +# Ref: https://cyclonedx.org/docs/1.6/json/#formulation_items_workflows_items_steps_items_commands +# Add a executed command to a specific workflow step +addSBOMWorkflowStepCmd() { + local javaHome="${1}" + local classpath="${2}" + local jsonFile="${3}" + local formulaName="${4}" + local workflowRef="${5}" + local workflowStepName="${6}" + local executed="${7}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addWorkflowStepCmd --jsonFile "${jsonFile}" --formulaName "${formulaName}" --workflowRef "${workflowRef}" --workflowStepName "${workflowStepName}" --executed "${executed}" +} \ No newline at end of file From 2d3e557d66550ec56cdd38fd3355bc535ba44c49 Mon Sep 17 00:00:00 2001 
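Review bot: The new end of sbom.sh has no trailing newline (`\ No newline at end of file` after the closing brace of addSBOMWorkflowStepCmd); add a final newline so the next function appended to the file does not show up as a modification of this line and so line-oriented tools see the last line intact. The three wrappers do not validate their positional parameters, so a caller that drops an argument silently forwards an empty value such as `--workflowName ""` to TemurinGenSBOM; a guard at the top of each function, e.g. `(( $# == 8 )) || { echo "addSBOMWorkflow: expected 8 arguments, got $#" 1>&2; return 1; }` (7 for the step and command wrappers), would fail fast instead. The header comment on the third function reads "Add a executed command"; the corrected comment is `# Add an executed command to a specific workflow step`.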
From: Lukas Bergholz Date: Wed, 3 Dec 2025 21:10:15 +0000 Subject: [PATCH 2/2] Change build recipe workflow in sbom.sh to use actual build (meta)data Add function addTemurinBuildRecipeToSBOM, which handles everything that has to do with the workflows/build recipe generation This function: -Reads makejdk-any-platform.args and buildSource.txt to build the new makejdk command -Gets the clone url and commit hash from buildSource.txt -Adds --build-reproducible-date only if not already specified -Adds --use-adoptium-devkit only if already specified --- sbin/build.sh | 118 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 100 insertions(+), 18 deletions(-) diff --git a/sbin/build.sh b/sbin/build.sh index 8941315b4..ee8721323 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
@@ -1067,24 +1067,106 @@ generateSBoM() { # Add CycloneDX versions addCycloneDXVersions - local formulaName="formula_temurin_build_script_1.0_jdk21u" - local workflowRef="workflow_temurin_build_script_1.0_jdk21u" - local workflowUid="workflow_temurin_build_script_1.0_jdk21u" - local workflowName="temurin build script 1.0 for jdk21u" - local taskTypes="clone,build" - - # Create workflow under the formula (formula/workflow are created if missing) - addSBOMWorkflow "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "${workflowUid}" "${workflowName}" "${taskTypes}" - - # Steps - addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "clone repository" - addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "cd into temurin-build" - addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "execute makejdk-anyplatform.sh" - - # Commands - addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "git clone git@github.com:adoptium/temurin-build" - addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "cd temurin-build" - addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "bash ./makejdk-any-platform.sh jdk21u --with-version-string=21.0.2+13-202312052047 --with-vendor-version-string=202312052047" + # Generate the Workflow part containing the Build Recipe + addTemurinBuildRecipeToSBOM() { + local formulaName="formula_temurin_build_script_${fullVer}" + local workflowRef="workflow_temurin_build_script_${fullVer}" + local workflowUid="${workflowRef}" + local workflowName="temurin build script ${fullVer}" + local taskTypes="clone,build" + + # Read makejdk-any-platform args + local 
makejdk_args_file="${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args" + if [[ ! -s "${makejdk_args_file}" ]]; then + echo "INFO: makejdk-any-platform args file '${makejdk_args_file}' missing or empty, skipping build recipe generation." 1>&2 + return 0 + fi + + local makejdk_args + makejdk_args="$(< "${makejdk_args_file}")" + + # If the original args already contain "--build-reproducible-date" with double quotes, + # normalise them to use single quotes in the recipe. We need this to happen because double + # quotation marks need escaping and end up as \" in the SBoM, which confuses bash when running the recipe. + # i.e. from --build-reproducible-date "" to --build-reproducible-date '' + if [[ "${makejdk_args}" == *"--build-reproducible-date"* ]]; then + makejdk_args="$(printf '%s\n' "${makejdk_args}" | sed -E "s/--build-reproducible-date \"([^\"]*)\"/--build-reproducible-date '\1'/")" + fi + + # Git-Metadata i.e. buildSource.txt (Repo + Commit) + local build_src_file="${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt" + if [[ ! -s "${build_src_file}" ]]; then + echo "INFO: buildSource metadata file '${build_src_file}' missing or empty, skipping build recipe generation." 
1>&2 + return 0 + fi + + local build_src_url + build_src_url="$(< "${build_src_file}")" + + # Get repo + commit-id from URL + local repo_path sha repo_name + repo_path="${build_src_url#https://github.com/}" + repo_path="${repo_path%%/commit/*}" + repo_name="${repo_path##*/}" + sha="${build_src_url##*/}" + + local clone_url="https://github.com/${repo_path}.git" + + # Build Timestamp + local buildStamp + buildStamp="${BUILD_CONFIG[BUILD_REPRODUCIBLE_DATE]:-${BUILD_CONFIG[BUILD_TIMESTAMP]:-}}" + + # Normalise buildStamp: remove any surrounding " or ' to add single quotation marks later + buildStamp="${buildStamp%\"}" + buildStamp="${buildStamp#\"}" + buildStamp="${buildStamp%\'}" + buildStamp="${buildStamp#\'}" + + # Get DevKit-Tag + local metadata_build_args_file="${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/BUILD_ARGS" + local devkit_tag="" + if [[ -s "${metadata_build_args_file}" ]]; then + local build_args + build_args="$(< "${metadata_build_args_file}")" + # Search for --use-adoptium-devkit in build args + if [[ "${build_args}" =~ --use-adoptium-devkit[[:space:]]+([^[:space:]]+) ]]; then + devkit_tag="${BASH_REMATCH[1]}" + fi + fi + + # Build makejdk-any-platform command: + # Base: bash ./makejdk-any-platform.sh + # Add --build-reproducible-date only if not in args already + # Add -C --use-adoptium-devkit only if not in args already + # Then concatenate the rest + local makejdk_cmd="bash ./makejdk-any-platform.sh" + + if [[ -n "${buildStamp}" && ${makejdk_args} != *"--build-reproducible-date"* ]]; then + makejdk_cmd+=" --build-reproducible-date '${buildStamp}'" + fi + + if [[ -n "${devkit_tag}" && ${makejdk_args} != *"--use-adoptium-devkit"* ]]; then + makejdk_cmd+=" -C --use-adoptium-devkit ${devkit_tag}" + fi + + makejdk_cmd+=" ${makejdk_args}" + + # Workflow + addSBOMWorkflow "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "${workflowUid}" "${workflowName}" "${taskTypes}" + + # Steps + addSBOMWorkflowStep 
"${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "clone repository" + addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "cd into temurin-build and checkout commit" + addSBOMWorkflowStep "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "execute makejdk-any-platform.sh" + + # Commands + addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "clone repo" "git clone ${clone_url}" + addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "cd ${repo_name}" + addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "cd into repository" "git checkout ${sha}" + addSBOMWorkflowStepCmd "${javaHome}" "${classpath}" "${sbomJson}" "${formulaName}" "${workflowRef}" "makejdk" "${makejdk_cmd}" + } + + addTemurinBuildRecipeToSBOM # Add Build Docker image SHA1 local buildimagesha=$(cat ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/docker.txt)