Add SBOM jsf signing to openjdk_build_pipeline.groovy #1131
+44
−0
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ref adoptium/temurin-build#3946
Code to run the (incomplete) https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/ job which signs the SBOM using https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java
On line 1866 it should archive the
temurin-sign-sbom.jar
so that it can be used later to sign the SBOM on the eclipse worker node. The artifact should get copied over during the sign_temurin_jsf jobLines 1057 to 1094 is just the gpgSign() function repeated for the sign_temurin_jsf job
This pr is together with adoptium/temurin-build#4017