-
-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SBOM jsf signing to openjdk_build_pipeline.groovy #1131
base: master
Are you sure you want to change the base?
Conversation
Thank you for creating a pull request!Please check out the information below if you have not made a pull request here before (or if you need a reminder how things work). Code Quality and Contributing GuidelinesIf you have not done so already, please familiarise yourself with our Contributing Guidelines and Code Of Conduct, even if you have contributed before. TestsGithub actions will run a set of jobs against your PR that will lint and unit test your changes. Keep an eye out for the results from these on the latest commit you submitted. For more information, please see our testing documentation. In order to run the advanced pipeline tests (executing a set of mock pipelines), it requires an admin to post |
Could this be done at post build stage as initially we tried to do this in post stage but due to the PEM issue it's blocked. i.e, to sign all sbom files at the post stage. https://github.com/adoptium/ci-jenkins-pipelines/pull/739/files |
@Haroon-Khel linter failures |
context.copyArtifacts( | ||
projectName: 'build-scripts/release/sign_temurin_jsf', | ||
selector: context.specific("${signSBOMJob.getNumber()}"), | ||
filter: '**/*.sig', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be the SBOM json file
// Archive SBOM signatures in Jenkins | ||
try { | ||
context.timeout(time: buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') { | ||
context.archiveArtifacts artifacts: 'workspace/target/*.sig' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JSF Signature is in the SBOM json, that needs archiving
a399cb0
to
da92d8a
Compare
Well that was a terrible attempt at a rebase. Trying again |
da92d8a
to
a399cb0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
needs updates to job params
Using the |
@andrew-m-leonard was this resolved with the rebase? |
ref adoptium/temurin-build#3946
Code to run the (incomplete) https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/ job which signs the SBOM using https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java
On line 1866 it should archive the
temurin-sign-sbom.jar
so that it can be used later to sign the SBOM on the eclipse worker node. The artifact should get copied over during the sign_temurin_jsf jobLines 1057 to 1094 is just the gpgSign() function repeated for the sign_temurin_jsf job
This pr is together with adoptium/temurin-build#4017