Merge branch 'master' into comparableReadmeUpdate

adoptium · Oct 25, 2024 · ed9b935 · ed9b935
2 parents 1b2f20e + 63781da
commit ed9b935
Show file tree

Hide file tree

Showing 13 changed files with 188 additions and 299 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -235,7 +235,7 @@ jobs:
      steps:
      - name: Restore cygwin packages from cache
        id: cygwin
-       uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+       uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
         path: C:\cygwin64
         key: cygwin-packages-${{ runner.os }}-v1
@@ -279,15 +279,15 @@ jobs:
      - name: Restore Visual Studio 2017 from cache
        id: vs2017
        if: matrix.version == 'jdk8u'
-       uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+       uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: ~/vs2017.exe
          key: vs2017
 
      - name: Restore Visual Studio 2019 from cache
        id: vs2019
        if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u'
-       uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+       uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: ~/vs2019.exe
          key: vs2019

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -58,7 +58,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -46,6 +46,6 @@ jobs:
         name: SARIF file
         path: results.sarif
         retention-days: 5
-    - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v2.13.4
+    - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v2.13.4
       with:
         sarif_file: results.sarif
diff --git a/docker-build.sh b/docker-build.sh
@@ -20,19 +20,19 @@
 #
 ################################################################################
 
-# the ${BUILD_CONFIG[CONTAINER_AS_ROOT]} can not be quoted. It is sudo (or simialrly) or nothing. "" is not an option.
-# simialrly the  ${cpuset} and ${userns}
+# The ${BUILD_CONFIG[CONTAINER_AS_ROOT]} can not be quoted. It is sudo (or similar) or nothing. "" is not an option.
+# Similarly for ${cpuset} and ${userns}.
 # shellcheck disable=SC2206
 # shellcheck disable=SC2046
 # shellcheck disable=SC2086
 
 set -eu
 
-# Create a data volume called ${BUILD_CONFIG[DOCKER_SOURCE_VOLUME_NAME]},
-# this gets mounted at /openjdk/build inside the container and is persistent
+# Create a data volume called ${BUILD_CONFIG[DOCKER_SOURCE_VOLUME_NAME]}.
+# This gets mounted at /openjdk/build inside the container and is persistent
 # between builds/tests unless -c is passed to this script, in which case it is
 # recreated using the source in the current ./openjdk directory on the host
-# machine (outside the container)
+# machine (outside the container).
 createPersistentDockerDataVolume()
 {
   set +e
@@ -57,7 +57,7 @@ createPersistentDockerDataVolume()
   fi
 }
 
-# Build the docker container
+# Build the docker container.
 buildDockerContainer()
 {
   echo "Building docker container"
@@ -76,7 +76,7 @@ buildDockerContainer()
   ${BUILD_CONFIG[CONTAINER_AS_ROOT]} "${BUILD_CONFIG[CONTAINER_COMMAND]}" build -t "${BUILD_CONFIG[CONTAINER_NAME]}" -f "${dockerFile}" . --build-arg "OPENJDK_CORE_VERSION=${BUILD_CONFIG[OPENJDK_CORE_VERSION]}" --build-arg "HostUID=${UID}"
 }
 
-# Execute the (Adoptium) OpenJDK build inside the Docker Container
+# Execute the (Adoptium) OpenJDK build inside the Docker Container.
 buildOpenJDKViaDocker()
 {
   local hostDir
@@ -89,12 +89,12 @@ buildOpenJDKViaDocker()
   local localsourcesdir=
 
   if [ "${BUILD_CONFIG[OPENJDK_LOCAL_SOURCE_ARCHIVE]}" = "true" ] ; then
-    # OPENJDK_LOCAL_SOURCE_ARCHIVE_ABSPATH can be file, you can nto mount file
+    # OPENJDK_LOCAL_SOURCE_ARCHIVE_ABSPATH can be file, you can not mount file.
     localsourcesdir=$(dirname "${BUILD_CONFIG[OPENJDK_LOCAL_SOURCE_ARCHIVE_ABSPATH]}")
   fi
 
   # TODO This could be extracted overridden by the user if we support more
-  # architectures going forwards
+  # architectures going forwards.
   local container_architecture
   container_architecture="$(uname -m)/${BUILD_CONFIG[CONTAINER_IMAGE]//:*/}"
   local build_variant_flag=""
@@ -154,7 +154,7 @@ buildOpenJDKViaDocker()
     BUILD_CONFIG[STATIC_LIBS_IMAGE_PATH]=$static_libs_dir
 
   if [ -z "$(command -v "${BUILD_CONFIG[CONTAINER_COMMAND]}")" ]; then
-     # shellcheck disable=SC2154
+    # shellcheck disable=SC2154
     echo "Error, please install docker and ensure that it is in your path and running!"
     exit
   fi
@@ -164,46 +164,46 @@ buildOpenJDKViaDocker()
   createPersistentDockerDataVolume
 
   # If keep is true then use the existing container (or build a new one if we
-  # can't find it)
+  # can't find it).
   if [[ "${BUILD_CONFIG[REUSE_CONTAINER]}" == "true" ]] ; then
      # shellcheck disable=SC2086
-     # If we can't find the previous Docker container then build a new one
+     # If we can't find the previous Docker container then build a new one.
      if [ "$(${BUILD_CONFIG[CONTAINER_AS_ROOT]} ${BUILD_CONFIG[CONTAINER_COMMAND]} ps -a | grep -c \"${BUILD_CONFIG[CONTAINER_NAME]}\")" == 0 ]; then
-         echo "No docker container for reuse was found, so creating '${BUILD_CONFIG[CONTAINER_NAME]}' "
+         echo "No docker container for reuse was found, so creating '${BUILD_CONFIG[CONTAINER_NAME]}'"
          buildDockerContainer
      fi
   else
      # shellcheck disable=SC2154
      echo "Since you specified --ignore-container, we are removing the existing container (if it exists) and building you a new one{$good}"
-     # Find the previous Docker container and remove it (if it exists)
+     # Find the previous Docker container and remove it (if it exists).
      ${BUILD_CONFIG[CONTAINER_AS_ROOT]} "${BUILD_CONFIG[CONTAINER_COMMAND]}" ps -a | awk '{ print $1,$2 }' | grep "${BUILD_CONFIG[CONTAINER_NAME]}" | awk '{print $1 }' | xargs -I {} ${BUILD_CONFIG[CONTAINER_AS_ROOT]} "${BUILD_CONFIG[CONTAINER_COMMAND]}" rm -f {}
 
-     # Build a new container
+     # Build a new container.
      buildDockerContainer
   fi
 
-  # Show the user all of the config before we build
+  # Show the user all of the config before we build.
   displayParams
 
   echo "Target binary directory on host machine: ${hostDir}/target"
   mkdir -p "${hostDir}/workspace/target"
 
   local cpuSet
   cpuSet="0-$((BUILD_CONFIG[NUM_PROCESSORS] - 1))"
-  
+
   local gitSshAccess=()
   if [[ "${BUILD_CONFIG[USE_SSH]}" == "true" ]] ; then
      gitSshAccess=(-v "${HOME}/.ssh:/home/build/.ssh" -v "${SSH_AUTH_SOCK}:/build-ssh-agent" -e "SSH_AUTH_SOCK=/build-ssh-agent")
   fi
- 
+
   local dockerMode=()
   local dockerEntrypoint=(--entrypoint /openjdk/sbin/build.sh "${BUILD_CONFIG[CONTAINER_NAME]}")
   if [[ "${BUILD_CONFIG[DEBUG_DOCKER]}" == "true" ]] ; then
      dockerMode=(-t -i)
      dockerEntrypoint=(--entrypoint "/bin/sh" "${BUILD_CONFIG[CONTAINER_NAME]}" -c "/bin/bash")
   fi
 
-  # Command without gitSshAccess or dockerMode arrays
+  # Command without gitSshAccess or dockerMode arrays.
   if [ -e "${hostDir}"/pipelines ] ; then
     local pipelinesdir="${hostDir}"/pipelines
   else
@@ -219,11 +219,11 @@ buildOpenJDKViaDocker()
   else
     local userns=""
   fi
-  local mountflag=Z #rw? maybe this should be bound to root/rootles content of BUILD_CONFIG[CONTAINER_AS_ROOT] rather then just podman/docker in USE_DOCKER?
-  mkdir -p "${hostDir}"/workspace/build  # shouldnt be already there?
-  local localsourcesdirmount=
+  local mountflag=Z #rw? Maybe this should be bound to root/rootless content of BUILD_CONFIG[CONTAINER_AS_ROOT] rather then just podman/docker in USE_DOCKER?
+  mkdir -p "${hostDir}"/workspace/build  # Shouldn't be already there?
+  local localsourcesdirmount=""
   if [ -n "${localsourcesdir}" ] ; then
-    localsourcesdirmount="-v ${localsourcesdir}:${localsourcesdir}:${mountflag}" #read only? Is copied anwya
+    localsourcesdirmount="-v ${localsourcesdir}:${localsourcesdir}:${mountflag}" # read only? Is copied anyway.
   fi
   echo "If you get permissions denied on ${targetdir} or ${pipelinesdir} try to turn off selinux"
   local commandString=(
@@ -234,28 +234,28 @@ buildOpenJDKViaDocker()
          -v "${targetdir}":/"${BUILD_CONFIG[WORKSPACE_DIR]}"/"${BUILD_CONFIG[TARGET_DIR]}":"${mountflag}"
          -v "${pipelinesdir}":/openjdk/pipelines:"${mountflag}"
          -v "${configdir}":/"${BUILD_CONFIG[WORKSPACE_DIR]}"/"config":"${mountflag}"
-         -e "DEBUG_DOCKER_FLAG=${BUILD_CONFIG[DEBUG_DOCKER]}" 
+         -e "DEBUG_DOCKER_FLAG=${BUILD_CONFIG[DEBUG_DOCKER]}"
          -e "BUILD_VARIANT=${BUILD_CONFIG[BUILD_VARIANT]}"
           "${dockerEntrypoint[@]:+${dockerEntrypoint[@]}}")
 
-  # If build specifies --ssh, add array to the command string
+  # If build specifies --ssh, add array to the command string.
   if [[ "${BUILD_CONFIG[USE_SSH]}" == "true" ]] ; then
         commandString=("${gitSshAccess[@]:+${gitSshAccess[@]}}" "${commandString[@]}")
   fi
 
-  # If build specifies --debug-docker, add array to the command string
+  # If build specifies --debug-docker, add array to the command string.
   if [[ "${BUILD_CONFIG[DEBUG_DOCKER]}" == "true" ]] ; then
         commandString=("${dockerMode[@]:+${dockerMode[@]}}" "${commandString[@]}")
         echo "DEBUG DOCKER MODE. To build jdk run /openjdk/sbin/build.sh"
   fi
 
-  # Run the command string in Docker
+  # Run the command string in Docker.
   ${BUILD_CONFIG[CONTAINER_AS_ROOT]} "${BUILD_CONFIG[CONTAINER_COMMAND]}" run --name "${BUILD_CONFIG[OPENJDK_CORE_VERSION]}-${BUILD_CONFIG[BUILD_VARIANT]}" "${commandString[@]}"
 
-  # Tell user where the resulting binary can be found on the host system
+  # Tell user where the resulting binary can be found on the host system.
   echo "The finished image can be found in ${targetdir} on the host system"
 
-  # If we didn't specify to keep the container then remove it
+  # If we didn't specify to keep the container then remove it.
   if [[ "${BUILD_CONFIG[KEEP_CONTAINER]}" == "false" ]] ; then
       echo "Removing container ${BUILD_CONFIG[OPENJDK_CORE_VERSION]}-${BUILD_CONFIG[BUILD_VARIANT]}"
       ${BUILD_CONFIG[CONTAINER_AS_ROOT]} "${BUILD_CONFIG[CONTAINER_COMMAND]}" ps -a | awk '{ print $1,$(NF) }' | grep "${BUILD_CONFIG[OPENJDK_CORE_VERSION]}-${BUILD_CONFIG[BUILD_VARIANT]}" | awk '{print $1 }' | xargs -I {} ${BUILD_CONFIG[CONTAINER_AS_ROOT]} ${BUILD_CONFIG[CONTAINER_COMMAND]} rm {}

diff --git a/sbin/common/downloaders.sh b/sbin/common/downloaders.sh
@@ -71,7 +71,7 @@ function downloadLinuxBootJDK() {
     set +e
     curl -L -o bootjdk.tar.gz "${apiURL}"
     if ! grep "No releases match the request" bootjdk.tar.gz; then
-      apiSigURL=$(curl -v "${apiURL}" 2>&1 | tr -d \\r | awk '/^< Location:/{print $3 ".sig"}')
+      apiSigURL=$(curl -v "${apiURL}" 2>&1 | tr -d \\r | awk '/^< [Ll]ocation:/{print $3 ".sig"}')
       curl -L -o bootjdk.tar.gz.sig "${apiSigURL}"
       gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B
       echo -e "5\ny\n" |  gpg --batch --command-fd 0 --expert --edit-key 3B04D753C9050D9A5D343F39843C48A565F8F04B trust;

diff --git a/test/system/reproducibleCompare/build.xml b/test/system/reproducibleCompare/build.xml
@@ -65,6 +65,7 @@
 		<copy todir="." failonerror="false">
 			<fileset dir="temurin-build/tooling/reproducible/" includes="*.sh" />
 		</copy>
+		<chmod dir="." perm="755" includes="**/*.sh"/>
 		<copy todir="." failonerror="false">
 			<fileset dir="${TEST_ROOT}/../jdkbinary/" >
 				<include name="*-sbom_*.json"/>

diff --git a/test/system/reproducibleCompare/playlist.xml b/test/system/reproducibleCompare/playlist.xml
@@ -60,4 +60,25 @@
 		</versions>
 		<platformRequirements>os.win</platformRequirements>
 	</test>
+	<test>
+		<testCaseName>Rebuild_Same_JDK_Reproducibility_Test_Mac</testCaseName>
+		<command>unset SPEC;\
+		ls -l $(TEST_ROOT)$(D)system$(D)reproducibleCompare$(D);\
+		$(TEST_ROOT)$(D)system$(D)reproducibleCompare$(D)macos_repro_build_compare.sh $(SBOM_FILE) $(JDK_FILE) $(REPORTDIR); \
+	$(TEST_STATUS)
+		</command>
+		<levels>
+			<level>dev</level>
+		</levels>
+		<groups>
+			<group>system</group>
+		</groups>
+        <vendors>
+            <vendor>eclipse</vendor>
+        </vendors>
+		<versions>
+			<version>21+</version>
+		</versions>
+		<platformRequirements>os.osx,arch.aarch64</platformRequirements>
+	</test>
 </playlist>
diff --git a/test/system/reproducibleCompare/reproducible.mk b/test/system/reproducibleCompare/reproducible.mk
@@ -16,6 +16,7 @@ ifndef SBOM_FILE
 	SBOM_FILE := $(TEST_ROOT)/../jdkbinary/$(SBOM_FILE)
 endif
 ifndef JDK_FILE
+	JDK_FILE := $(shell find $(TEST_ROOT)/../jdkbinary/ -type f -name '*-jdk_*.tar.gz')
 	ifneq (,$(findstring win,$(SPEC)))
 		JDK_FILE := $(shell find $(TEST_ROOT)/../jdkbinary/ -type f -name '*-jdk_*.zip')
 	endif

diff --git a/tooling/reproducible/comparable_patch.sh b/tooling/reproducible/comparable_patch.sh
@@ -338,7 +338,8 @@ echo "Successfully removed all Signatures from ${JDK_DIR}"
 removeExcludedFiles
 
 # Needed due to vendor variation in jmod re-packing after signing, putting attributes in different order
-processModuleInfo
+# Comparable patch, as per read-me, requires java on path
+processModuleInfo "${JDK_DIR}" "${OS}" "$(dirname "$(dirname "$(readlink -f  "$(which java)")")")"
 
 # Patch Windows VS_VERSION_INFO[COMPANY_NAME]
 if [[ "$OS" =~ CYGWIN* ]] && [[ "$PATCH_VS_VERSION_INFO" = true ]]; then