Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Push SBOM to Maven central when releasing #6154

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Push SBOM to Maven central when releasing #6154

wants to merge 2 commits into from

Conversation

LogFlames
Copy link

@LogFlames LogFlames commented Jan 24, 2025
edited
Loading

See #5255 , push sbom (cyclonedx) to maven central when releasing.

Added cyclonedx-maven-plugin to spoon-pom/pom.xml which is included in spoon-core and spoon-javadoc. Currently spoon-pom will not include the sbom on maven central as the project is never packages, only the pom.xml is uploaded.

Since JReleaser version 1.6.0 it has support for additional artifacts in Maven deployers (jreleaser/jreleaser#1135 ). The version in nixpkgs unstable (used in spoon) is 1.16.0 - meaning the sbom will be included in CI as well.

I then confirmed the sboms will be included in the upload by running the chore/release.sh patch script locally, modified to use jreleaser full-release --dry-run and not push anything to github. The output of that command can be seen below:

Output of `jreleaser full-release --dry-run` 
::group::Releasing
[INFO]  JReleaser 1.16.0
[INFO]  Configuring with jreleaser.yml
[INFO]    - basedir set to /Users/elias/code/kth/CHAINS/spoon
[INFO]    - outputdir set to /Users/elias/code/kth/CHAINS/spoon/out/jreleaser
[INFO]  Reading configuration
🚨 project.java is deprecated since 1.16.0 and will be removed in 2.0.0. Use project.languages.java instead
[INFO]  git-root-search set to false
[INFO]  Loading variables from /Users/elias/.jreleaser/config.properties
[INFO]  Validating configuration
[INFO]  Strict mode set to false
[INFO]  Project version set to 11.2.1
[INFO]  Release is not snapshot
[INFO]  Timestamp is 2025-01-24T20:39:03.635015+01:00
[INFO]  HEAD is at fd3a4eb
[INFO]  Platform is osx-aarch_64
[INFO]  dry-run set to true
[INFO]  Generating changelog
[INFO]  Storing changelog: out/jreleaser/release/CHANGELOG.md
[INFO]  Calculating checksums for distributions and files
[INFO]    [checksum] No files configured for checksum. Skipping
[INFO]  Cataloging artifacts
[INFO]    Cataloging is not enabled. Skipping
[INFO]  Signing distributions and files
[INFO]    [sign] No files configured for signing. Skipping
[INFO]  Deploying Maven artifacts
[INFO]    [maven] Deploying all staged artifacts
[INFO]      [nexus2] Deploying to maven-central
[INFO]      [nexus2] nexus2 set to FULL_DEPLOYMENT
[INFO]      [nexus2] Verifying prerequisites
[INFO]      [nexus2] Verifying POMs
[INFO]      [nexus2] Signing key 381686F1082D983F expires at 2025-01-29T12:17:40
[INFO]      [nexus2] Checking if key 381686F1082D983F has been published
[WARN]      [nexus2] Key 381686F1082D983F was NOT found as published
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom
[INFO]      [nexus2] Lookup staging profile for fr.inria.gforge
[WARN]      [nexus2] Could not find a staging profile matching fr.inria.gforge
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.sha512
[INFO]  Uploading distributions and files
[INFO]    [upload] Uploading is not enabled. Skipping
[INFO]  Releasing to https://github.com/INRIA/spoon@release/11.2.1
[INFO]  Announcing release
[INFO]    [announce] Announcing is not enabled. Skipping
[INFO]  Writing output properties to out/jreleaser/output.properties
[INFO]  JReleaser succeeded after 15.966 s
::endgroup::

algomaster99
algomaster99 reviewed Jan 26, 2025
View reviewed changes
pom.xml Outdated Show resolved Hide resolved
@LogFlames LogFlames force-pushed the 5255-push-SBOM-to-Maven-Central-when-releasing branch from d8a6bdb to 4f02fe3 Compare January 28, 2025 11:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yogyagamage yogyagamage yogyagamage left review comments

@algomaster99 algomaster99 algomaster99 approved these changes

@I-Al-Istannen I-Al-Istannen Awaiting requested review from I-Al-Istannen

@MartinWitt MartinWitt Awaiting requested review from MartinWitt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@LogFlames @algomaster99 @yogyagamage