Include 'reproducible builds' sbt plugin (#26546)

This does 2 things:
* publish a 'buildinfo' report along with the project artifacts to describe
the build context and parameters
* post-process the jars to remove 'arbitrary' differences, such as jar file
ordering and timestamps.

This makes it easier to detect and explain when 2 builds of the same source
don't produce a bit-for-bit identical result. For example, this can improve
our confidence that our distribution pipeline has not been compromised.
Arnout Engelen 2019-03-18 17:12:21 +01:00 committed by GitHub
parent 17c80b3be9
commit 6f66981542
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 1 deletions


@ -522,6 +522,7 @@ lazy val discovery = akkaModule("akka-discovery")
def akkaModule(name: String): Project = def akkaModule(name: String): Project =
Project(id = name, base = file(name)) Project(id = name, base = file(name))
.enablePlugins(ReproducibleBuildsPlugin)
.settings(akka.AkkaBuild.buildSettings) .settings(akka.AkkaBuild.buildSettings)
.settings(akka.AkkaBuild.defaultSettings) .settings(akka.AkkaBuild.defaultSettings)
.enablePlugins(BootstrapGenjavadoc) .enablePlugins(BootstrapGenjavadoc)
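Review bot: The new `.enablePlugins(ReproducibleBuildsPlugin)` line only covers projects created through `akkaModule`, and nothing at the call site says so. Any project defined with a plain `Project(...)` elsewhere in the build (not visible in this hunk) would presumably still publish un-normalized jars. I would add a comment above the line, e.g. `// normalizes jar entry order/timestamps and publishes a buildinfo; applies to every akkaModule project`, so that someone auditing release artifacts knows where coverage begins and ends. The body of `akkaModule` may continue past the last line shown.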


@ -9,6 +9,7 @@ import com.typesafe.sbt.osgi.SbtOsgi._
import com.typesafe.sbt.osgi.SbtOsgi.autoImport._ import com.typesafe.sbt.osgi.SbtOsgi.autoImport._
import sbt._ import sbt._
import sbt.Keys._ import sbt.Keys._
import net.bzzt.reproduciblebuilds.ReproducibleBuildsPlugin
object OSGi { object OSGi {
@ -16,7 +17,15 @@ object OSGi {
// in the .../bundles directory which makes testing locally published artifacts // in the .../bundles directory which makes testing locally published artifacts
// a pain. Create bundles but publish them to the normal .../jars directory. // a pain. Create bundles but publish them to the normal .../jars directory.
def osgiSettings = defaultOsgiSettings ++ Seq( def osgiSettings = defaultOsgiSettings ++ Seq(
Compile / packageBin := OsgiKeys.bundle.value, Compile / packageBin := {
val bundle = OsgiKeys.bundle.value
// This normally happens automatically when loading the
// sbt-reproducible-builds plugin, but because we replace
// `packageBin` wholesale here we need to invoke the post-processing
// manually. See also
// https://github.com/raboof/sbt-reproducible-builds#sbt-osgi
ReproducibleBuildsPlugin.postProcessJar(bundle)
},
// This will fail the build instead of accidentally removing classes from the resulting artifact. // This will fail the build instead of accidentally removing classes from the resulting artifact.
// Each package contained in a project MUST be known to be private or exported, if it's undecided we MUST resolve this // Each package contained in a project MUST be known to be private or exported, if it's undecided we MUST resolve this
OsgiKeys.failOnUndecidedPackage := true, OsgiKeys.failOnUndecidedPackage := true,
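Review bot: The hand-written call `ReproducibleBuildsPlugin.postProcessJar(bundle)` in the `Compile / packageBin` override is the only thing normalizing OSGi bundles, so any later setting that reassigns `packageBin` wholesale would drop the normalization without failing the build. The existing comment explains why the call is here; I would extend it with `// Any other override of packageBin must call postProcessJar too, otherwise the published jar silently stops being reproducible.` It is also worth confirming that the manifest written by bnd carries no build-time-dependent headers after post-processing, which cannot be verified from this hunk. `osgiSettings` continues past the end of the hunk.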


@ -22,6 +22,7 @@ addSbtPlugin("com.typesafe.sbt" % "sbt-git" % "1.0.0")
addSbtPlugin("de.heikoseeberger" % "sbt-header" % "5.0.0") // for maintenance of copyright file header addSbtPlugin("de.heikoseeberger" % "sbt-header" % "5.0.0") // for maintenance of copyright file header
addSbtPlugin("com.hpe.sbt" % "sbt-pull-request-validator" % "1.0.0") addSbtPlugin("com.hpe.sbt" % "sbt-pull-request-validator" % "1.0.0")
addSbtPlugin("org.scoverage" % "sbt-scoverage" % "1.6.0-M5") addSbtPlugin("org.scoverage" % "sbt-scoverage" % "1.6.0-M5")
addSbtPlugin("net.bzzt" % "sbt-reproducible-builds" % "0.20")
// used for @unidoc directive // used for @unidoc directive
libraryDependencies += "io.github.classgraph" % "classgraph" % "4.4.12" libraryDependencies += "io.github.classgraph" % "classgraph" % "4.4.12"
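Review bot: `sbt-reproducible-builds` is added on the new `addSbtPlugin` line without a trailing comment, although it rewrites every published jar and therefore sits in the trust path of the release. The version is pinned exactly (`"0.20"`), which is good. I would document its role next to it, as the `sbt-header` line does: `addSbtPlugin("net.bzzt" % "sbt-reproducible-builds" % "0.20") // post-processes release jars and publishes buildinfo; review upgrades carefully`.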