Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SBOM jsf signing to openjdk_build_pipeline.groovy #1131

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add SBOM jsf signing to openjdk_build_pipeline.groovy #1131

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f78037e
SBOM jsf signing
Haroon-Khel Oct 30, 2024
bd1b4c5
Integrate build_sign_sbom_libraries job
Haroon-Khel Dec 2, 2024
8687693
Space
Haroon-Khel Dec 2, 2024
891aa66
Archiving cyclone dx jars not needed
Haroon-Khel Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions pipelines/build/common/openjdk_build_pipeline.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1054,6 +1054,49 @@ class Build {
}
}
}

// Kick off the sign_temurin_jsf job to sign the SBOM
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the JSON vs XML discussion we've just had, we probably ought to call this job something slightly different... maybe simply sign_SBOM...

For the moment, we can have the XML discussion before we decide.

private void jsfSignSBOM() {
context.stage('SBOM Sign') {

context.println "Running build_sign_sbom_libraries to build the SBOM libraries"
def buildSBOMLibrariesJob = context.build job: 'build_sign_sbom_libraries',
propagate: true

def paramsJsf = [
context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
context.string(name: 'UPSTREAM_DIR', value: 'workspace'),
context.string(name: 'SBOM_LIBRARY_JOB_NUMBER', value: "${buildSBOMLibrariesJob.getNumber()}")
]

context.println "RUNNING sign_temurin_jsf for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
def signSBOMJob = context.build job: 'build-scripts/release/sign_temurin_jsf',
propagate: true,
parameters: params

context.node('worker') {
// Remove any previous workspace artifacts
context.sh 'rm -rf workspace/target/* || true'
context.copyArtifacts(
projectName: 'build-scripts/release/sign_temurin_jsf',
selector: context.specific("${signSBOMJob.getNumber()}"),
filter: '**/*.sig',
fingerprintArtifacts: true,
target: 'workspace/target/',
flatten: true)

// Archive SBOM signatures in Jenkins
try {
context.timeout(time: buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') {
context.archiveArtifacts artifacts: 'workspace/target/*.sig'
}
} catch (FlowInterruptedException e) {
throw new Exception("[ERROR] Archive artifact timeout (${buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT} HOURS) for ${downstreamJobName} has been reached. Exiting...")
}
}
}
}
/*
Lists and returns any compressed archived or sbom file contents of the top directory of the build node
*/
Expand Down Expand Up @@ -2208,6 +2251,7 @@ class Build {
if (!env.JOB_NAME.contains('pr-tester') && context.JENKINS_URL.contains('adopt')) {
try {
gpgSign()
jsfSignSBOM()
} catch (Exception e) {
context.println(e.message)
currentBuild.result = 'FAILURE'
Expand Down
Loading