Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SBOM jsf signing to openjdk_build_pipeline.groovy #1131

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add SBOM jsf signing to openjdk_build_pipeline.groovy #1131

wants to merge 4 commits into from

Conversation

Haroon-Khel
Copy link
Contributor

@Haroon-Khel Haroon-Khel commented Oct 30, 2024
edited
Loading

ref adoptium/temurin-build#3946

Code to run the (incomplete) https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/ job which signs the SBOM using https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java

On line 1866 it should archive the temurin-sign-sbom.jar so that it can be used later to sign the SBOM on the eclipse worker node. The artifact should get copied over during the sign_temurin_jsf job

Lines 1057 to 1094 is just the gpgSign() function repeated for the sign_temurin_jsf job

This pr is together with adoptium/temurin-build#4017

@github-actions GitHub Actions
Copy link

Thank you for creating a pull request!

Please check out the information below if you have not made a pull request here before (or if you need a reminder how things work).

Code Quality and Contributing Guidelines

If you have not done so already, please familiarise yourself with our Contributing Guidelines and Code Of Conduct, even if you have contributed before.

Tests

Github actions will run a set of jobs against your PR that will lint and unit test your changes. Keep an eye out for the results from these on the latest commit you submitted. For more information, please see our testing documentation.

In order to run the advanced pipeline tests (executing a set of mock pipelines), it requires an admin to post run tests on this PR.
If you are not an admin, please ask for one's attention in #infrastructure on Slack or ping one here.
To run full set of tests, use "run tests"; a subset of tests on specific jdk version, use "run tests quick 11,21"

@Haroon-Khel Haroon-Khel mentioned this pull request Oct 30, 2024
Open
@sophia-guo
Copy link
Contributor

Could this be done at post build stage as initially we tried to do this in post stage but due to the PEM issue it's blocked. i.e, to sign all sbom files at the post stage. https://github.com/adoptium/ci-jenkins-pipelines/pull/739/files

@Haroon-Khel Haroon-Khel marked this pull request as ready for review December 2, 2024 17:36
@karianna
Copy link
Contributor

karianna commented Dec 3, 2024

@Haroon-Khel linter failures

andrew-m-leonard
andrew-m-leonard requested changes Dec 3, 2024
View reviewed changes
pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1054,6 +1054,49 @@ class Build {
}
}
}

// Kick off the sign_temurin_jsf job to sign the SBOM
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the JSON vs XML discussion we've just had, we probably ought to call this job something slightly different... maybe simply sign_SBOM...

For the moment, we can have the XML discussion before we decide.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrew-m-leonard andrew-m-leonard andrew-m-leonard requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
jenkins-pipeline
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Haroon-Khel @sophia-guo @karianna @andrew-m-leonard