
Add SBOM jsf signing to openjdk_build_pipeline.groovy #1131

Status: Open. Wants to merge 6 commits into base branch master from temurin.sign.jsf.

Conversation

@Haroon-Khel (Contributor) commented Oct 30, 2024

ref adoptium/temurin-build#3946

Code to run the (incomplete) https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/ job which signs the SBOM using https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java

On line 1866 it should archive the temurin-sign-sbom.jar so that it can be used later to sign the SBOM on the eclipse worker node. The artifact should get copied over during the sign_temurin_jsf job

Lines 1057 to 1094 are just the gpgSign() function repeated for the sign_temurin_jsf job.

This PR goes together with adoptium/temurin-build#4017.


Thank you for creating a pull request!

Please check out the information below if you have not made a pull request here before (or if you need a reminder how things work).

Code Quality and Contributing Guidelines

If you have not done so already, please familiarise yourself with our Contributing Guidelines and Code Of Conduct, even if you have contributed before.

Tests

GitHub Actions will run a set of jobs against your PR that will lint and unit test your changes. Keep an eye out for the results from these on the latest commit you submitted. For more information, please see our testing documentation.

In order to run the advanced pipeline tests (executing a set of mock pipelines), an admin needs to post "run tests" on this PR.
If you are not an admin, please ask for one's attention in #infrastructure on Slack or ping one here.
To run the full set of tests, use "run tests"; for a subset of tests on specific JDK versions, use "run tests quick 11,21".

@sophia-guo (Contributor)

Could this be done at the post-build stage? Initially we tried to do this in the post stage but, due to the PEM issue, it's blocked, i.e. to sign all SBOM files at the post stage. https://github.com/adoptium/ci-jenkins-pipelines/pull/739/files

@Haroon-Khel Haroon-Khel marked this pull request as ready for review December 2, 2024 17:36
@karianna (Contributor) commented Dec 3, 2024

@Haroon-Khel linter failures

context.copyArtifacts(
    projectName: 'build-scripts/release/sign_temurin_jsf',
    selector: context.specific("${signSBOMJob.getNumber()}"),
    filter: '**/*.sig',
Review comment (Contributor):

This should be the SBOM JSON file.

// Archive SBOM signatures in Jenkins
try {
    context.timeout(time: buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') {
        context.archiveArtifacts artifacts: 'workspace/target/*.sig'
Review comment (Contributor):

The JSF signature is in the SBOM JSON, which is what needs archiving.
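The two review comments above make the same point: with JSF the signature is embedded in the SBOM JSON document itself, so a pipeline that copies or archives only `*.sig` files will miss it. Below is an added example, not code from this PR or from temurin-build, of a check a pipeline step could run on the SBOM file before archiving it. The sample SBOM, the key id and the signature value are constructed placeholders; the check confirms the JSF signature block is present and well-formed and computes the canonical (RFC 8785 JCS) payload a JSF verifier would hash, but it does not verify the signature itself.

```python
"""Pre-archive sanity check for a JSF-signed CycloneDX SBOM (added example)."""
import hashlib
import json

# Constructed sample: a minimal CycloneDX document whose top-level "signature"
# follows the JSF layout (algorithm, key reference, base64url value).
# The value is a placeholder, NOT a real signature; keyId is made up.
SIGNED_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",
    "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0"}],
    "signature": {
        "algorithm": "RS256",
        "keyId": "example-key",
        "value": "PLACEHOLDER_BASE64URL_SIGNATURE",
    },
}
UNSIGNED_SBOM = {k: v for k, v in SIGNED_SBOM.items() if k != "signature"}

# Serialized forms, as they would sit on disk after the signing job ran (or did not).
SIGNED_SBOM_TEXT = json.dumps(SIGNED_SBOM)
UNSIGNED_SBOM_TEXT = json.dumps(UNSIGNED_SBOM)


def find_jsf_signature(sbom: dict) -> dict:
    """Return the embedded JSF signature object or raise ValueError.

    A JSF signature object always carries "algorithm" and "value"; the signing
    key is referenced by "keyId" or carried inline as "publicKey" or
    "certificatePath".
    """
    sig = sbom.get("signature")
    if not isinstance(sig, dict):
        raise ValueError("SBOM has no embedded JSF 'signature' object")
    for required in ("algorithm", "value"):
        if required not in sig:
            raise ValueError(f"JSF signature is missing '{required}'")
    if not any(k in sig for k in ("keyId", "publicKey", "certificatePath")):
        raise ValueError("JSF signature does not identify a signing key")
    return sig


def signed_payload(sbom: dict) -> bytes:
    """Bytes a JSF verifier hashes: the whole document with signature.value
    removed, serialized canonically. Sorted keys, no whitespace and unescaped
    non-ASCII match RFC 8785 JCS for documents with ASCII keys and no floats,
    which covers a typical CycloneDX SBOM."""
    doc = json.loads(json.dumps(sbom))  # deep copy so the caller's dict is untouched
    find_jsf_signature(doc)  # refuse to build a payload for an unsigned document
    doc["signature"] = {k: v for k, v in doc["signature"].items() if k != "value"}
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return canonical.encode("utf-8")


def payload_digest(sbom: dict) -> str:
    """SHA-256 of the canonical payload, useful for logging what was signed."""
    return hashlib.sha256(signed_payload(sbom)).hexdigest()


def check_before_archive(sbom_text: str) -> bool:
    """Gate for a pipeline step: True only if the SBOM text on disk carries an
    embedded JSF signature block, i.e. the signing job actually did its work."""
    try:
        find_jsf_signature(json.loads(sbom_text))
        return True
    except (ValueError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    for label, text in (("signed", SIGNED_SBOM_TEXT), ("unsigned", UNSIGNED_SBOM_TEXT)):
        print(f"{label}: archive={check_before_archive(text)}")
    print("payload sha256:", payload_digest(SIGNED_SBOM))
```

Because the signature rides inside the JSON, the artifact the pipeline should copy and archive is the SBOM `.json` itself; a filter on `*.sig` would archive nothing from a JSF signing step.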

@Haroon-Khel (Contributor, Author)

Well that was a terrible attempt at a rebase. Trying again

@Haroon-Khel Haroon-Khel force-pushed the temurin.sign.jsf branch 4 times, most recently from da92d8a to a399cb0 on December 17, 2024 14:24
@andrew-m-leonard (Contributor) left a review comment:

needs updates to job params

4 participants