kie-issues#1352: Enforce reproducible build on kie-tools (#2455)

README.md

@@ -117,6 +117,66 @@ Bootstrapping installs the necessary dependencies for each package.
 
 ---
 
+## Reproducible Builds for _maven-based_ packages
+
+It is mandatory that any _maven-based_ package that releases artifacts runs [Reproducible Builds](https://reproducible-builds.org/)
+to build it's artifacts, in this case, in our `build:prod` scripts.
+
+`@kie-tools/maven-base` provides the `reproducible-build` `maven` profile to enable _Reproducible Builds_ in our builds.
+To use it follow the steps:
+
+- Make sure the `package.json` depends on `@kie-tools/maven-base`:
+
+```json
+{
+  "dependencies": {
+    "@kie-tools/maven-base": "workspace:*"
+  }
+}
+```
+
+- Make the package `pom.xml` has `kie-tools-maven-base` as a parent and declares the `project.build.outputTimestamp` property like:
+
+```xml
+<project>
+  <parent>
+    <groupId>org.kie</groupId>
+    <artifactId>kie-tools-maven-base</artifactId>
+    <version>${revision}</version>
+    <relativePath>./node_modules/@kie-tools/maven-base/pom.xml</relativePath>
+  </parent>
+  ...
+  <properties>
+    <project.build.outputTimestamp>2024-01-12T00:00:00Z</project.build.outputTimestamp>
+  </properties>
+  ...
+<projec>
+```
+
+- In your `package.json` scripts, enable the _Reproducible Build_ profile adding the `-Dreproducible` argument in `build:prod` scripts, like:
+
+```json
+{
+  "scripts": {
+    "build:prod": "pnpm lint && run-script-os",
+    "build:prod:darwin:linux": "mvn clean deploy [...other maven options...] -Dreproducible",
+    "build:prod:win32": "pnpm powershell \"mvn clean deploy [...other maven options...] `-Dreproducible\""
+  }
+}
+```
+
+> IMPORTANT: the current version of the `maven-artifact-plugin` (3.4.1) used in `kie-tools` bans the `maven-flatten-plugin` that
+> we use to generate deployable artifacts using the dynamic `${revision}` variable. You can check the full list of banned
+> plugins [here](https://maven.apache.org/plugins-archives/maven-artifact-plugin-3.4.1/plugin-issues.html).
+> The issue that caused the ban [flatten-maven-plugin/issues/256](https://github.com/mojohaus/flatten-maven-plugin/issues/256) was a result
+> of change in `maven` behaviour between `v3.8.1` and `v3.8.2`, and isn't a problem on the `maven-flatten-plugin`.
+> Actually, in later versions of the `maven-artifact-plugin` the ban got revoked.
+> Having this in mind, and due to the fact that `kie-tools` requires newer `maven` versions, our _Reproducible Builds_ require
+> temporarily overriding the list of banned plugins, until we upgrade to a newer `maven-artifact-plugin` version.
+> This will be addressed by https://github.com/apache/incubator-kie-issues/issues/1371
+
+---
+
 ## Applications
 
 The Apache KIE Tools project contains several applications. To develop each one of them individually, refer to the instructions below.

packages/extended-services-java/package.json

@@ -21,8 +21,8 @@
     "build:dev:linux:darwin": "mvn clean install -DskipTests -DskipITs && pnpm dist",
     "build:dev:win32": "pnpm powershell \"mvn clean install `-DskipTests `-DskipITs\" && pnpm dist",
     "build:prod": "run-script-os",
-    "build:prod:linux:darwin": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -DskipITs=$(build-env endToEndTests.run --not) && pnpm dist",
-    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-DskipITs=$(build-env endToEndTests.run --not)\" && pnpm dist",
+    "build:prod:linux:darwin": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -DskipITs=$(build-env endToEndTests.run --not) -Dreproducible && pnpm dist",
+    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-DskipITs=$(build-env endToEndTests.run --not) `-Dreproducible\" && pnpm dist",
     "copy:app": "run-script-os",
     "copy:app:linux:darwin": "copyfiles -u 1 \"target/quarkus-app/**/*\" dist/",
     "copy:app:win32": "copyfiles -u 1 \"target/quarkus-app/**\" dist/",

packages/extended-services-java/pom.xml

@@ -45,6 +45,7 @@
   </licenses>
 
   <properties>
+    <project.build.outputTimestamp>2024-01-12T00:00:00Z</project.build.outputTimestamp>
     <java.module.name>org.kie.tools.extended-services</java.module.name>
   </properties>
 

packages/jbpm-quarkus-devui/package.json

@@ -17,8 +17,8 @@
     "build:dev:darwin:linux": "mvn clean install -DskipTests",
     "build:dev:win32": "pnpm powershell \"mvn clean install -DskipTests \"",
     "build:prod": "pnpm lint && run-script-os",
-    "build:prod:darwin:linux": "mvn clean deploy -DdeployAtEnd -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dmaven.deploy.skip=$(build-env maven.deploy.skip)",
-    "build:prod:win32": "pnpm powershell \"mvn clean deploy `-DdeployAtEnd `-DskipTests `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dmaven.deploy.skip=$(build-env maven.deploy.skip)\"",
+    "build:prod:darwin:linux": "mvn clean deploy -DdeployAtEnd -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dmaven.deploy.skip=$(build-env maven.deploy.skip) -Dreproducible",
+    "build:prod:win32": "pnpm powershell \"mvn clean deploy `-DdeployAtEnd `-DskipTests `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dmaven.deploy.skip=$(build-env maven.deploy.skip) `-Dreproducible\"",
     "install": "node install.js",
     "lint": "echo 'Linting'",
     "powershell": "@powershell -NoProfile -ExecutionPolicy Unrestricted -Command",

packages/jbpm-quarkus-devui/pom.xml

@@ -39,6 +39,7 @@
   <packaging>pom</packaging>
 
   <properties>
+    <project.build.outputTimestamp>2024-01-12T00:00:00Z</project.build.outputTimestamp>
     <java.module.name>org.jbpm.quarkus.dev.ui</java.module.name>
   </properties>
 

packages/maven-base/not-reproducible-plugins.properties

@@ -0,0 +1,91 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+# KIE-TOOLS DISCLAIMER:
+# This file has been copied from the "maven-artifact-plugin" github repo (https://github.com/apache/maven-artifact-plugin/tree/maven-artifact-plugin-3.4.1/)
+# with the unique goal of enabling then "maven-flatten-plugin" in the "kie-tools" reproducible builds.
+# We are re-enabling the "maven-flatten-plugin" because the issue that caused the inclusion of plugin in this file (https://github.com/mojohaus/flatten-maven-plugin/issues/256)
+# won't have any effect in our builds. The issue was reported due to a change in "maven" behaviour between v3.8.1 & v3.8.2
+# and "kie-tools" require newer "maven" versions.
+# This file will be removed as a part of: https://github.com/apache/incubator-kie-issues/issues/1371
+
+
+# list of plugins that did not produce reproducible output in the past, with minimum reproducible version
+
+# default org.apache.maven.plugins groupId
+maven-archetype-plugin=3.2.0
+# https://issues.apache.org/jira/browse/ARCHETYPE-590
+maven-assembly-plugin=3.2.0
+# https://issues.apache.org/jira/browse/MASSEMBLY-921
+maven-jar-plugin=3.2.0
+# https://issues.apache.org/jira/browse/MJAR-263
+# https://issues.apache.org/jira/browse/MJAR-275
+maven-ejb-plugin=3.1.0
+# https://issues.apache.org/jira/browse/MEJB-128
+maven-plugin-plugin=3.5.1
+# https://issues.apache.org/jira/browse/MPLUGIN-326
+maven-remote-resources-plugin=1.7.0
+# https://issues.apache.org/jira/browse/MRRESOURCES-114
+maven-shade-plugin=3.2.3
+# https://issues.apache.org/jira/browse/MSHADE-352
+# https://issues.apache.org/jira/browse/MSHADE-420 for some shaded jars, timezone counts: does not really make the build not reproducible, just harder
+maven-source-plugin=3.2.1
+# https://issues.apache.org/jira/browse/MSOURCES-123
+maven-war-plugin=3.3.1
+# https://issues.apache.org/jira/browse/MWAR-432
+maven-ear-plugin=3.1.0
+# https://issues.apache.org/jira/browse/MEAR-280
+maven-rar-plugin=3.0.0
+# https://issues.apache.org/jira/browse/MRAR-86
+maven-acr-plugin=3.2.0
+# https://issues.apache.org/jira/browse/MACR-53
+
+# plugin-specific groupId
+
+org.antlr+antlr3-maven-plugin=fail:https://github.com/antlr/antlr3/pull/195
+
+org.apache.felix+maven-bundle-plugin=5.1.5
+# https://issues.apache.org/jira/browse/FELIX-6495
+# https://issues.apache.org/jira/browse/FELIX-6496
+org.apache.karaf.tooling+karaf-maven-plugin=4.3.7
+# https://issues.apache.org/jira/browse/KARAF-7367
+org.apache.nifi+nifi-nar-maven-plugin=1.3.4
+# https://issues.apache.org/jira/browse/NIFI-9857
+org.apache.servicemix.tooling+depends-maven-plugin=fail:https://issues.apache.org/jira/browse/SM-5021
+
+org.codehaus.plexus+plexus-component-metadata=2.1.0
+# https://github.com/codehaus-plexus/plexus-containers/issues/27
+org.codehaus.mojo+jaxb2-maven-plugin=fail:https://github.com/mojohaus/jaxb2-maven-plugin
+#
+org.codehaus.mojo+properties-maven-plugin=1.1.0
+# https://github.com/mojohaus/properties-maven-plugin/pull/75
+
+# Commenting to enable the "flatten-maven-plugin" for "kie-tools", please refer to the DISCLAIMER for more info.
+# org.codehaus.mojo+flatten-maven-plugin=fail:https://github.com/mojohaus/flatten-maven-plugin/issues/256
+
+org.eclipse.sisu+sisu-maven-plugin=0.3.4
+# https://github.com/eclipse/sisu.inject/pull/5
+org.eclipse.jetty+jetty-jspc-maven-plugin=fail:https://github.com/eclipse/jetty.project/
+
+org.jboss.jandex+jandex-maven-plugin=fail:https://github.com/wildfly/jandex-maven-plugin/pull/35
+
+org.springframework.boot+spring-boot-maven-plugin=2.7.1
+# https://github.com/spring-projects/spring-boot/issues/21005
+
+org.vafer+jdeb=1.10
+# https://github.com/tcurdt/jdeb/pull/363

packages/maven-base/package.json

@@ -17,8 +17,8 @@
     "build:dev:darwin:linux": "mvn clean install -DskipTests",
     "build:dev:win32": "pnpm powershell \"mvn clean install -DskipTests \"",
     "build:prod": "pnpm lint && run-script-os",
-    "build:prod:darwin:linux": "mvn clean deploy -DdeployAtEnd -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dmaven.deploy.skip=$(build-env maven.deploy.skip)",
-    "build:prod:win32": "pnpm powershell \"mvn clean deploy `-DdeployAtEnd `-DskipTests `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dmaven.deploy.skip=$(build-env maven.deploy.skip)\"",
+    "build:prod:darwin:linux": "mvn clean deploy -DdeployAtEnd -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dmaven.deploy.skip=$(build-env maven.deploy.skip) -Dreproducible",
+    "build:prod:win32": "pnpm powershell \"mvn clean deploy `-DdeployAtEnd `-DskipTests `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dmaven.deploy.skip=$(build-env maven.deploy.skip) `-Dreproducible\"",
     "install": "pnpm set-quarkus-version && pnpm set-kogito-version && node install.js",
     "lint": "echo 'Linting'",
     "powershell": "@powershell -NoProfile -ExecutionPolicy Unrestricted -Command",

packages/maven-base/pom.xml

@@ -169,6 +169,12 @@
           <version>${version.maven.artifact.plugin}</version>
           <configuration>
             <outputTimestamp>${project.build.outputTimestamp}</outputTimestamp>
+            <!--
+            This configuration overrides the list of issues registered in the plugin to enable the `maven-flatten-plugin`
+            TODO: remove as a part of: https://github.com/apache/incubator-kie-issues/issues/1371
+            -->
+            <pluginIssues
+            >${session.executionRootDirectory}/node_modules/@kie-tools/maven-base/not-reproducible-plugins.properties</pluginIssues>
           </configuration>
         </plugin>
       </plugins>
@@ -219,4 +225,45 @@
       </plugin>
     </plugins>
   </build>
+
+  <profiles>
+    <profile>
+      <id>reproducible-build</id>
+      <activation>
+        <activeByDefault>false</activeByDefault>
+        <property>
+          <name>reproducible</name>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-artifact-plugin</artifactId>
+            <configuration />
+            <executions>
+              <execution>
+                <id>check-buildplan</id>
+                <goals>
+                  <goal>check-buildplan</goal>
+                </goals>
+                <!-- The execution's configuration is part of the pluginManagement. This piece here only makes sure the
+                     execution is enabled (by specifying a phase) for full profile builds. -->
+                <phase>validate</phase>
+              </execution>
+              <execution>
+                <id>compare</id>
+                <goals>
+                  <goal>compare</goal>
+                </goals>
+                <!-- The execution's configuration is part of the pluginManagement. This piece here only makes sure the
+                     execution is enabled (by specifying a phase) for full profile builds. -->
+                <phase>install</phase>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
 </project>

packages/sonataflow-quarkus-devui/package.json

@@ -17,8 +17,8 @@
     "build:dev:darwin:linux": "mvn clean install -DskipTests",
     "build:dev:win32": "pnpm powershell \"mvn clean install -DskipTests \"",
     "build:prod": "pnpm lint && run-script-os",
-    "build:prod:darwin:linux": "mvn clean deploy -DdeployAtEnd -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dmaven.deploy.skip=$(build-env maven.deploy.skip)",
-    "build:prod:win32": "pnpm powershell \"mvn clean deploy `-DdeployAtEnd `-DskipTests `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dmaven.deploy.skip=$(build-env maven.deploy.skip)\"",
+    "build:prod:darwin:linux": "mvn clean deploy -DdeployAtEnd -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dmaven.deploy.skip=$(build-env maven.deploy.skip) -Dreproducible",
+    "build:prod:win32": "pnpm powershell \"mvn clean deploy `-DdeployAtEnd `-DskipTests `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dmaven.deploy.skip=$(build-env maven.deploy.skip) `-Dreproducible\"",
     "install": "node install.js",
     "lint": "echo 'Linting'",
     "powershell": "@powershell -NoProfile -ExecutionPolicy Unrestricted -Command",

packages/sonataflow-quarkus-devui/pom.xml

@@ -39,6 +39,7 @@
   <packaging>pom</packaging>
 
   <properties>
+    <project.build.outputTimestamp>2024-01-12T00:00:00Z</project.build.outputTimestamp>
     <java.module.name>org.kie.kogito.quarkus.swf.dev.ui</java.module.name>
   </properties>
 

packages/vscode-java-code-completion-extension-plugin/package.json

@@ -22,8 +22,8 @@
   "scripts": {
     "build:dev": "mvn clean install -DskipTests",
     "build:prod": "pnpm lint && run-script-os",
-    "build:prod:darwin:linux": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures)",
-    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures)\"",
+    "build:prod:darwin:linux": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dreproducible",
+    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dreproducible\"",
     "install": "node install.js && pnpm install:mvnw",
     "install:mvnw": "mvn -e org.apache.maven.plugins:maven-wrapper-plugin:3.3.0:wrapper -f ./",
     "lint": "echo 'Linting'",

packages/vscode-java-code-completion-extension-plugin/pom.xml

@@ -41,6 +41,7 @@
   </modules>
 
   <properties>
+    <project.build.outputTimestamp>2024-01-12T00:00:00Z</project.build.outputTimestamp>
     <tycho.version>3.0.5</tycho.version>
     <tycho.extras.version>${tycho.version}</tycho.extras.version>
     <tycho.scmUrl>scm:git:https://github.com/apache/incubator-kie-tools.git</tycho.scmUrl>

packages/yard-model/package.json

@@ -18,8 +18,8 @@
     "build:dev:darwin:linux": "mvn clean install -DskipTests",
     "build:dev:win32": "pnpm powershell \"mvn clean install `-DskipTests\"",
     "build:prod": "pnpm lint && run-script-os",
-    "build:prod:darwin:linux": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures)",
-    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures)\"",
+    "build:prod:darwin:linux": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dreproducible",
+    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dreproducible\"",
     "install": "node install.js && pnpm install:mvnw",
     "install:mvnw": "run-script-os",
     "install:mvnw:darwin:linux": "mvn -e org.apache.maven.plugins:maven-wrapper-plugin:3.3.0:wrapper",

packages/yard-model/pom.xml

@@ -42,6 +42,7 @@
   </licenses>
 
   <properties>
+    <project.build.outputTimestamp>2024-01-12T00:00:00Z</project.build.outputTimestamp>
     <yaml.mapper>0.4</yaml.mapper>
     <helper.maven.plugin>3.2.0</helper.maven.plugin>
     <maven.compiler.source>11</maven.compiler.source>

packages/yard-validator-worker/package.json

@@ -18,8 +18,8 @@
     "build:dev:darwin:linux": "mvn clean install -DskipTests",
     "build:dev:win32": "pnpm powershell \"mvn clean install `-DskipTests\"",
     "build:prod": "pnpm lint && run-script-os && pnpm copy:webworker",
-    "build:prod:darwin:linux": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures)",
-    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures)\"",
+    "build:prod:darwin:linux": "mvn clean install -DskipTests=$(build-env tests.run --not) -Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) -Dreproducible",
+    "build:prod:win32": "pnpm powershell \"mvn clean install `-DskipTests=$(build-env tests.run --not) `-Dmaven.test.failure.ignore=$(build-env tests.ignoreFailures) `-Dreproducible\"",
     "copy:webworker": "copyfiles -f target/worker/yard-validator-worker/yard-validator-worker.js dist",
     "install": "node install.js && pnpm install:mvnw",
     "install:mvnw": "run-script-os",

packages/yard-validator-worker/pom.xml

@@ -42,6 +42,7 @@
   </licenses>
 
   <properties>
+    <project.build.outputTimestamp>2024-01-12T00:00:00Z</project.build.outputTimestamp>
     <yaml.mapper>0.4</yaml.mapper>
     <org.jresearch.gwt.time>2.0.10</org.jresearch.gwt.time>
     <compiler-plugin.version>3.13.0</compiler-plugin.version>