Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4458025218

Some commits are pushed directly, others are created by GitHub's `web-flow` user. By running a workflow at each commit, you can generate tamper-resistant proof of who committed something and when, possibly with the results of an associated PR. Neither Git nor GPG has tamper-resistant timestamps: you basically put the date you want.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4455826413

"explain how commits come into existence."

What does this mean?! A commit comes from a git commit command. Is there more?
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4435796045

The PRs are independent and follow separate SLSA tracks:

- This PR is necessary for the [SLSA Build Track](https://slsa.dev/spec/v1.2/build-track-basics) and generates attestations to explain how binaries are built.
- apache/commons-parent#706 is necessary for the [SLSA Source Track](https://slsa.dev/spec/v1.2/source-requirements) and generates attestations to explain how commits come into existence.

Deployed together they are stronger: you can verify that a binary comes from a particular commit **and** the commit was submitted to a protected branch. In recent supply-chain attacks, one of those conditions is not satisfied: for example the build is original, but the tagged commit comes from a fork, not the original repository.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4435700478

Hi @ppkarwasz

What is the relationship b/w this PR and the one in Commons Parent? Is one required by the other?
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4434587007

@garydgregory I've added tests that specifically exercise the serialization models with `serialize`/`deserialize` and `deserialize`/`serialize` round-trips, in b45f2edfa2ba306e61465b5d3567b6761415daa9 and 482a44556860f62d1935ba53d25153443630d861. These confirm that the Jackson models carry all the necessary fields and don't lose data in either direction.

With those in place, I think coverage on this PR is in good shape:

- **Main classes:** ~90% line coverage on average.
- **DTOs:** ~80% line coverage on average.

Let me know if there's a specific area you'd like me to push further.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4381394244

> I added comments. A bunch of new public code with zero tests? Ahem... please fix that.

Those classes are DTOs. The surface is getters, setters, and Jackson annotations, and this PR already exercises them indirectly through the code that uses them, so I don't think per-field getter/setter tests would add much.

I looked into golden-file tests against canonical examples, but neither in-toto nor SLSA publishes a conformance fixture set, and the parts of the schema that actually vary in practice (`predicate`, `externalParameters`, `internalParameters`) are spec'd as open `object` types. There's a limit to what a round-trip test pins down beyond the field names themselves.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4380317842

> I pushed the SLSA models to `master` in [546dfbf](https://github.com/apache/commons-release-plugin/commit/546dfbf92a3d016d6bb54ebdda175b3db59762bd) and changed the target of this PR to the same branch.
>
> This should reduce the overhead of reviewing this PR.

I added comments. A bunch of new public code with zero tests? Ahem... please fix that.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4377364979

I pushed the SLSA models to `master` in 546dfbf92a3d016d6bb54ebdda175b3db59762bd and changed the target of this PR to the same branch.

This should reduce the overhead of reviewing this PR.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422:
URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4291717926

Hi @garydgregory,

I corrected some minor defects, mostly in documentation, but with two relevant changes:

- The attestation didn't have an important `_type` property. :stuck_out_tongue_winking_eye: Fixed in https://github.com/apache/commons-release-plugin/pull/422/commits/476ac4f510f4802d795d65403873b398fa00bed7
- The standard Maven `ScmManager` turned out less useful than I thought: it cannot even return the current branch of a Git repo. Since I improved `GitUtils` to test methods against real repositories created by `git`, I just removed `ScmManager` in https://github.com/apache/commons-release-plugin/pull/422/commits/9f69d2e762efba20a24dd3057c7b174aecfb3241 and added some logic to find the current commit SHA1 manually.

Since this PR is huge, what do you think about pushing the SLSA models to `master` directly, so we can only discuss the classes that matter?
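The consumer-side checks this thread relies on, as an added Python example that is not code from this PR or from commons-release-plugin: it builds a constructed `.intoto.jsonl` line, rejects a Statement without `_type` (the defect fixed above), checks the subject digest against the artifact and the resolved git source against the expected repository rather than a fork, and computes the DSSE PAE bytes that the OpenPGP signature must cover. The artifact bytes, buildType and builder URIs, key id and commit id are placeholders; whether the commit reached a protected branch needs the source-track attestation from apache/commons-parent#706 and is not checked here.

```python
import base64
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample data for the example; none of it is real release material.
ARTIFACT = b"PK\x03\x04 constructed jar bytes"
ARTIFACT_NAME = "commons-example-1.0.jar"
EXPECTED_REPO = "git+https://github.com/apache/commons-release-plugin"
PLACEHOLDER_COMMIT = "0" * 40  # placeholder, not a real commit id


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding. The PGP signature in the envelope
    covers these bytes, not the raw JSON, so a verifier rebuilds them exactly."""
    pt = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def make_statement(include_type=True, repo=EXPECTED_REPO):
    """Minimal in-toto Statement carrying a SLSA v1 provenance predicate.
    buildType and builder id are placeholder URIs."""
    stmt = {
        "subject": [{"name": ARTIFACT_NAME,
                     "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/maven-build/v1",
                "externalParameters": {"maven.goals": ["verify"]},
                "resolvedDependencies": [
                    {"uri": repo + "@refs/tags/v1.0",
                     "digest": {"gitCommit": PLACEHOLDER_COMMIT}}
                ],
            },
            "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
        },
    }
    if include_type:
        # Without `_type` this is not a valid in-toto v1 Statement (the defect the PR fixed).
        stmt = {"_type": STATEMENT_TYPE, **stmt}
    return stmt


def make_envelope(stmt):
    """One .intoto.jsonl line: a DSSE envelope around the base64 Statement.
    The `sig` value is a placeholder standing in for an OpenPGP signature over pae()."""
    payload = json.dumps(stmt, separators=(",", ":")).encode("utf-8")
    env = {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": "PLACEHOLDER-FINGERPRINT",
                        "sig": base64.b64encode(b"placeholder").decode("ascii")}],
    }
    return json.dumps(env, separators=(",", ":"))


def check_provenance(line, artifact, artifact_name, expected_repo):
    """Structural checks a consumer runs before trusting the provenance.
    Returns the problems found; an empty list means every check passed.
    Signature verification over pae(payloadType, payload) is a separate step."""
    problems = []
    env = json.loads(line)
    if env.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        problems.append("payloadType is not application/vnd.in-toto+json")
    if not env.get("signatures"):
        problems.append("envelope carries no signatures")
    if not env.get("payload"):
        return problems + ["envelope has no payload"]
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append("statement _type missing or wrong")
    if stmt.get("predicateType") != PROVENANCE_TYPE:
        problems.append("predicateType is not SLSA provenance v1")
    want = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("name"): s.get("digest", {}) for s in stmt.get("subject", [])}
    if subjects.get(artifact_name, {}).get("sha256") != want:
        problems.append("artifact sha256 is not among the subjects")
    deps = stmt.get("predicate", {}).get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d for d in deps if d.get("uri", "").startswith("git+")]
    if not sources:
        problems.append("no git source in resolvedDependencies")
    for d in sources:
        # The repository part of the uri must be the canonical one, not a fork,
        # and the source must be pinned to a full commit id rather than a ref name.
        repo, _, _ref = d["uri"].partition("@")
        commit = d.get("digest", {}).get("gitCommit", "")
        if repo != expected_repo:
            problems.append(f"source repository {repo} is not {expected_repo}")
        if len(commit) != 40 or any(c not in "0123456789abcdef" for c in commit):
            problems.append("source is not pinned to a full gitCommit digest")
    return problems


if __name__ == "__main__":
    good = make_envelope(make_statement())
    print(check_provenance(good, ARTIFACT, ARTIFACT_NAME, EXPECTED_REPO))  # []
    untyped = make_envelope(make_statement(include_type=False))
    print(check_provenance(untyped, ARTIFACT, ARTIFACT_NAME, EXPECTED_REPO))
```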
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3119366137
##
src/main/java/org/apache/commons/release/plugin/slsa/v1_2/Statement.java:
##
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.util.List;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * In-toto v1 attestation envelope that binds a set of subject artifacts to an
SLSA provenance predicate.
+ *
+ * @see https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md";>in-toto
Statement v1
+ */
+public class Statement {
+
+/** The in-toto statement schema URI. */
+@JsonProperty("_type")
+public static final String TYPE = "https://in-toto.io/Statement/v1";;
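Review bot: `@JsonProperty("_type")` on the `public static final String TYPE` field at the end of the hunk will not put `_type` into the serialized JSON, because Jackson's default visibility skips static fields, so the statement is emitted without the mandatory in-toto `_type` key. Expose it through an instance accessor instead, e.g. `@JsonProperty("_type") public String getType() { return TYPE; }`, and add a serialization test asserting that the key is present and comes out as `https://in-toto.io/Statement/v1`.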
Review Comment:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/476ac4f510f4802d795d65403873b398fa00bed7
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3119365036
##
src/main/java/org/apache/commons/release/plugin/internal/DsseUtils.java:
##
@@ -0,0 +1,178 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Locale;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.codec.binary.Hex;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.DsseEnvelope;
+import org.apache.commons.release.plugin.slsa.v1_2.Statement;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugin.logging.Log;
+import org.apache.maven.plugins.gpg.AbstractGpgSigner;
+import org.apache.maven.plugins.gpg.GpgSigner;
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.bcpg.sig.IssuerFingerprint;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
+import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
+
+/**
+ * Utility methods for creating DSSE (Dead Simple Signing Envelope) envelopes
signed with a PGP key.
+ */
+public final class DsseUtils {
+
+/**
+ * Creates and prepares a {@link GpgSigner} from the given configuration.
+ *
+ * The returned signer has {@link AbstractGpgSigner#prepare()} already
called and is ready for use with {@link #signFile(AbstractGpgSigner, Path)}.
+ *
+ * @param executable path to the GPG executable, or {@code null} to
use {@code gpg} from {@code PATH}
+ * @param defaultKeyring whether to include the default GPG keyring
+ * @param lockMode GPG lock mode ({@code "once"}, {@code
"multiple"}, or {@code "never"}), or {@code null} for no explicit lock flag
+ * @param keynamename or fingerprint of the signing key, or {@code
null} for the default key
+ * @param useAgent whether to use gpg-agent for passphrase management
+ * @param logMaven logger to attach to the signer
+ * @return a prepared {@link AbstractGpgSigner}
+ * @throws MojoFailureException if {@link AbstractGpgSigner#prepare()}
fails
+ */
+public static AbstractGpgSigner createGpgSigner(final String executable,
final boolean defaultKeyring, final String lockMode, final String keyname,
+final boolean useAgent, final Log log) throws MojoFailureException
{
+final GpgSigner signer = new GpgSigner(executable);
+signer.setDefaultKeyring(defaultKeyring);
+signer.setLockMode(lockMode);
+signer.setKeyName(keyname);
+signer.setUseAgent(useAgent);
+signer.setLog(log);
+signer.prepare();
+return signer;
+}
+
+/**
+ * Extracts the key identifier from a binary OpenPGP Signature Packet.
+ *
+ * @param sigBytes raw binary OpenPGP Signature Packet bytes
+ * @return uppercase hex-encoded fingerprint or key ID string
+ * @throws MojoExecutionException if {@code sigBytes} cannot be parsed as
an OpenPGP signature
+ */
+public static String getKeyId(final byte[] sigBytes) throws
MojoExecutionException {
+try {
+final PGPSignatureList sigList = (PGPSignatureList) new
BcPGPObjectFactory(sigBytes).nextObject();
+final PGPSignature sig = sigList.get(0);
+final PGPSignatureSubpacketVector hashed =
sig.getHashedSubPackets();
+if (hashed != null) {
+final IssuerFingerprint fp = hashed.getIssuerFingerprint();
+if (fp != null) {
+return Hex.encodeHexString(fp.getFingerprint());
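Review bot: `getKeyId` documents an uppercase hex fingerprint, but `Hex.encodeHexString(fp.getFingerprint())` on the last line of the hunk returns lowercase, so the DSSE `keyid` will not match a fingerprint as `gpg` prints it unless one side normalizes case; use `Hex.encodeHexString(bytes, false)` or `.toUpperCase(Locale.ROOT)` (the `Locale` import is already there) and apply the same rule to the key-ID fallback. Also, `(PGPSignatureList) new BcPGPObjectFactory(sigBytes).nextObject()` followed by `sigList.get(0)` assumes a non-empty signature list; a `ClassCastException` or `IndexOutOfBoundsException` on malformed input should be mapped to the documented `MojoExecutionException` unless the catch block, which the hunk does not show, already does so.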
Review Comment:
In
https://github.com/apache/commons-release-plugin/pull/422/commits/21ad6733e7554ccc953686a6dbf5673f7e8b98d9
I convert the other
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3119361917
##
src/main/java/org/apache/commons/release/plugin/internal/GitUtils.java:
##
@@ -0,0 +1,118 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.MessageDigest;
+
+import org.apache.commons.codec.binary.Hex;
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.GitIdentifiers;
+
+/**
+ * Utilities for Git operations.
+ */
+public final class GitUtils {
+
+/** The SCM URI prefix for Git repositories. */
+private static final String SCM_GIT_PREFIX = "scm:git:";
+
+/**
+ * Walks up the directory tree from {@code path} to find the {@code .git}
directory.
+ *
+ * @param path A path inside the Git repository.
+ * @return The path to the {@code .git} directory (or file for worktrees).
+ * @throws IOException If no {@code .git} directory is found.
+ */
+private static Path findGitDir(final Path path) throws IOException {
+Path current = path.toAbsolutePath();
+while (current != null) {
+final Path candidate = current.resolve(".git");
+if (Files.isDirectory(candidate)) {
+return candidate;
+}
+if (Files.isRegularFile(candidate)) {
+// git worktree: .git is a file containing "gitdir:
/path/to/real/.git"
+final String content = new
String(Files.readAllBytes(candidate), StandardCharsets.UTF_8).trim();
+if (content.startsWith("gitdir: ")) {
+return Paths.get(content.substring("gitdir: ".length()));
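Review bot: in `findGitDir`, `Paths.get(content.substring("gitdir: ".length()))` resolves a relative `gitdir:` value against the JVM's working directory rather than against the directory that contains the `.git` file. Git writes relative paths there for submodules (`gitdir: ../.git/modules/<name>`), so the lookup would silently point at the wrong place; use `current.resolve(...)` followed by `.normalize()`, or document that only absolute worktree paths are supported. Since the commit SHA read from the resolved directory ends up in the provenance, a path that resolves outside the checkout should be rejected rather than followed.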
Review Comment:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/9b008bc1777e6aad68bfdc662682c70cd1f7dd32
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3119245593
##
src/main/java/org/apache/commons/release/plugin/internal/BuildDefinitions.java:
##
@@ -0,0 +1,141 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.management.ManagementFactory;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.TreeMap;
+
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.execution.MavenExecutionRequest;
+import org.apache.maven.execution.MavenSession;
+
+/**
+ * Factory methods for the SLSA {@code BuildDefinition} fields: JVM, Maven
descriptors and external build parameters.
+ */
+public final class BuildDefinitions {
+
+/**
+ * Reconstructs the Maven command line string from the given execution
request.
+ *
+ * @param request the Maven execution request
+ * @return a string representation of the Maven command line
+ */
+static String commandLine(final MavenExecutionRequest request) {
+final List args = new ArrayList<>(request.getGoals());
+final String profiles = String.join(",", request.getActiveProfiles());
+if (!profiles.isEmpty()) {
+args.add("-P" + profiles);
+}
+request.getUserProperties().forEach((key, value) -> args.add("-D" +
key + "=" + value));
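Review bot: `commandLine` joins `-Dkey=value` pairs without any quoting and iterates `request.getUserProperties()` (a `Properties`, i.e. a `Hashtable`) in unspecified order, so values containing spaces produce a string that does not round-trip as a command line and the same build can yield different `externalParameters` from one run to the next, which defeats comparing provenance across rebuilds. Sort the keys (copy into the already imported `TreeMap`) and quote values, or drop the reconstructed command line in favour of the structured `maven.goals`/`maven.profiles`/`maven.user.properties` entries.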
Review Comment:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/a654a983d7dad51401b518af4e314f6455503434
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3119244291
##
src/main/java/org/apache/commons/release/plugin/internal/BuildDefinitions.java:
##
@@ -0,0 +1,141 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.management.ManagementFactory;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.TreeMap;
+
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.execution.MavenExecutionRequest;
+import org.apache.maven.execution.MavenSession;
+
+/**
+ * Factory methods for the SLSA {@code BuildDefinition} fields: JVM, Maven
descriptors and external build parameters.
+ */
+public final class BuildDefinitions {
+
+/**
+ * Reconstructs the Maven command line string from the given execution
request.
+ *
+ * @param request the Maven execution request
+ * @return a string representation of the Maven command line
+ */
+static String commandLine(final MavenExecutionRequest request) {
+final List args = new ArrayList<>(request.getGoals());
+final String profiles = String.join(",", request.getActiveProfiles());
+if (!profiles.isEmpty()) {
+args.add("-P" + profiles);
+}
+request.getUserProperties().forEach((key, value) -> args.add("-D" +
key + "=" + value));
+return String.join(" ", args);
+}
+
+/**
+ * Returns a map of external build parameters captured from the current
JVM and Maven session.
+ *
+ * @param session the current Maven session
+ * @return a map of parameter names to values
+ */
+public static Map externalParameters(final MavenSession
session) {
+final Map params = new HashMap<>();
+params.put("jvm.args",
ManagementFactory.getRuntimeMXBean().getInputArguments());
+final MavenExecutionRequest request = session.getRequest();
+params.put("maven.goals", request.getGoals());
+params.put("maven.profiles", request.getActiveProfiles());
+params.put("maven.user.properties", request.getUserProperties());
+params.put("maven.cmdline", commandLine(request));
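Review bot: `externalParameters` copies `ManagementFactory.getRuntimeMXBean().getInputArguments()` and `request.getUserProperties()` wholesale into the attestation. On a release machine both routinely carry secrets (for example `-Dgpg.passphrase=...`, or keystore and proxy passwords passed as JVM flags), and the attestation is published next to the artifacts, so this would leak them. Record only an allow-list of build-relevant parameters, or redact values whose key matches `password`, `passphrase`, `token` or `secret`, and cover the redaction with a test.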
Review Comment:
Good point! :100:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/a654a983d7dad51401b518af4e314f6455503434
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3117982421
##
src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java:
##
@@ -0,0 +1,550 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.mojos;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.time.OffsetDateTime;
+import java.time.ZoneOffset;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.inject.Inject;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import org.apache.commons.release.plugin.internal.ArtifactUtils;
+import org.apache.commons.release.plugin.internal.BuildDefinitions;
+import org.apache.commons.release.plugin.internal.DsseUtils;
+import org.apache.commons.release.plugin.internal.GitUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.BuildDefinition;
+import org.apache.commons.release.plugin.slsa.v1_2.BuildMetadata;
+import org.apache.commons.release.plugin.slsa.v1_2.Builder;
+import org.apache.commons.release.plugin.slsa.v1_2.DsseEnvelope;
+import org.apache.commons.release.plugin.slsa.v1_2.Provenance;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.commons.release.plugin.slsa.v1_2.RunDetails;
+import org.apache.commons.release.plugin.slsa.v1_2.Signature;
+import org.apache.commons.release.plugin.slsa.v1_2.Statement;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.execution.MavenSession;
+import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugin.descriptor.PluginDescriptor;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.Parameter;
+import org.apache.maven.plugins.annotations.ResolutionScope;
+import org.apache.maven.plugins.gpg.AbstractGpgSigner;
+import org.apache.maven.project.MavenProject;
+import org.apache.maven.project.MavenProjectHelper;
+import org.apache.maven.rtinfo.RuntimeInformation;
+import org.apache.maven.scm.CommandParameters;
+import org.apache.maven.scm.ScmException;
+import org.apache.maven.scm.ScmFileSet;
+import org.apache.maven.scm.command.info.InfoItem;
+import org.apache.maven.scm.command.info.InfoScmResult;
+import org.apache.maven.scm.manager.ScmManager;
+import org.apache.maven.scm.repository.ScmRepository;
+
+/**
+ * This plugin generates an in-toto attestation for all the artifacts.
+ */
+@Mojo(name = "build-attestation", defaultPhase = LifecyclePhase.VERIFY,
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME)
+public class BuildAttestationMojo extends AbstractMojo {
+
+/**
+ * The file extension for in-toto attestation files.
+ */
+private static final String ATTESTATION_EXTENSION = "intoto.jsonl";
+
+/**
+ * Shared Jackson object mapper used to serialize SLSA statements and DSSE
envelopes to JSON.
+ *
+ * Each attestation is written as a single JSON value followed by a
line separator, matching
+ * the https://jsonlines.org/";>JSON Lines format used by
{@code .intoto.jsonl}
+ * files. The mapper is configured not to auto-close the output stream so
the caller can append
+ * the trailing newline, and to emit ISO-8601 timestamps rather than
numeric ones.
+ */
+private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+
+static {
+OBJECT_MAPPER.findAndRegisterModules();
+OBJECT_MAPPER.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
+OBJECT_MAPPER.disable(JsonGenerator.Feature.AUTO_CLOSE_TARGET);
+}
+
+/**
+ * Checksum algorithms used in the generated attestation.
+ */
+@Parameter(property = "commons.rele
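Review bot: `OBJECT_MAPPER.findAndRegisterModules()` in the static initializer discovers Jackson modules through `ServiceLoader`, so the bytes written for a given statement depend on which modules happen to be on the plugin's classpath, and `WRITE_DATES_AS_TIMESTAMPS` only has an effect for the `OffsetDateTime` fields if `jackson-datatype-jsr310` is actually found. Because the signature covers the exact payload bytes, register the module explicitly (`new JavaTimeModule()`) and enable `SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS` and `MapperFeature.SORT_PROPERTIES_ALPHABETICALLY` so the payload is deterministic. The hunk also still imports the whole `org.apache.maven.scm.*` set (`ScmManager`, `InfoScmResult`, ...); once the SHA1 lookup moves to `GitUtils` as discussed in the thread, those become unused imports.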
Re: [PR] Add `build-attestation` target [commons-release-plugin]
Copilot commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r3112132915 ## pom.xml: ## @@ -26,7 +26,8 @@ commons-release-plugin maven-plugin - 1.9.3-SNAPSHOT + + 1.9.3.slsa-SNAPSHOT Review Comment: The project version is changed to `1.9.3.slsa-SNAPSHOT` with a note that it is temporary. If this PR is intended to land on the main development line, this will change the published coordinates and may break downstream consumers/CI expecting `1.9.3-SNAPSHOT`. Consider reverting the version change (or moving it to a separate, non-merged branch/workflow). ## fb-excludes.xml: ## @@ -18,6 +18,11 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd";> + + Review Comment: This SpotBugs filter disables EI_EXPOSE_REP/EI_EXPOSE_REP2 globally for the entire project. That hides real findings outside the new SLSA model classes. Please scope the suppression to the specific package/classes that intentionally expose mutable state (e.g., the `slsa.v1_2` models) rather than suppressing the patterns unconditionally. ```suggestion ``` ## src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java: ## 
@@ -0,0 +1,550 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.commons.release.plugin.mojos; + +import java.io.File; +import java.io.IOException; +import java.io.OutputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.time.OffsetDateTime; +import java.time.ZoneOffset; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import javax.inject.Inject; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializationFeature; +import org.apache.commons.release.plugin.internal.ArtifactUtils; +import org.apache.commons.release.plugin.internal.BuildDefinitions; +import org.apache.commons.release.plugin.internal.DsseUtils; +import org.apache.commons.release.plugin.internal.GitUtils; +import org.apache.commons.release.plugin.slsa.v1_2.BuildDefinition; +import org.apache.commons.release.plugin.slsa.v1_2.BuildMetadata; +import org.apache.commons.release.plugin.slsa.v1_2.Builder; +import org.apache.commons.release.plugin.slsa.v1_2.DsseEnvelope; +import 
org.apache.commons.release.plugin.slsa.v1_2.Provenance; +import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor; +import org.apache.commons.release.plugin.slsa.v1_2.RunDetails; +import org.apache.commons.release.plugin.slsa.v1_2.Signature; +import org.apache.commons.release.plugin.slsa.v1_2.Statement; +import org.apache.maven.artifact.Artifact; +import org.apache.maven.execution.MavenSession; +import org.apache.maven.plugin.AbstractMojo; +import org.apache.maven.plugin.MojoExecutionException; +import org.apache.maven.plugin.MojoFailureException; +import org.apache.maven.plugin.descriptor.PluginDescriptor; +import org.apache.maven.plugins.annotations.LifecyclePhase; +import org.apache.maven.plugins.annotations.Mojo; +import org.apache.maven.plugins.annotations.Parameter; +import org.apache.maven.plugins.annotations.ResolutionScope; +import org.apache.maven.plugins.gpg.AbstractGpgSigner; +import org.apache.maven.project.MavenProject; +import org.apache.maven.project.MavenProjectHelper; +import org.apache.maven.rtinfo.RuntimeInformation; +import org.apache.maven.scm.CommandParameters; +import org.apache.maven.scm.ScmException; +import org.apache.maven.scm.ScmFileSet; +import org.apache.maven.scm.command.info.InfoItem; +import org.apache.maven.scm.command.info.InfoScmResult; +import org.apache.maven.scm.manager.ScmManager; +import org.apache.maven.scm.repository.ScmRepository; + +/** + * This plugin generates an in-toto attestation for all the artifacts. + */ +@Mojo(name = "build-attestation", defaultPhase = LifecycleP
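Review bot: On the pom.xml hunk, `1.9.3.slsa-SNAPSHOT` does more than change the coordinates: Maven's ComparableVersion sorts an unknown qualifier such as `slsa` after a release, so `1.9.3.slsa-SNAPSHOT` compares as newer than a future `1.9.3` and can be selected over it by version ranges. If the temporary coordinates must stay on the branch, use a plain `-SNAPSHOT` of the next version, or keep the change off the merge branch as already suggested.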
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r356893
##
src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java:
##
@@ -0,0 +1,543 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.mojos;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.time.OffsetDateTime;
+import java.time.ZoneOffset;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.inject.Inject;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import org.apache.commons.release.plugin.internal.ArtifactUtils;
+import org.apache.commons.release.plugin.internal.BuildDefinitions;
+import org.apache.commons.release.plugin.internal.DsseUtils;
+import org.apache.commons.release.plugin.internal.GitUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.BuildDefinition;
+import org.apache.commons.release.plugin.slsa.v1_2.BuildMetadata;
+import org.apache.commons.release.plugin.slsa.v1_2.Builder;
+import org.apache.commons.release.plugin.slsa.v1_2.DsseEnvelope;
+import org.apache.commons.release.plugin.slsa.v1_2.Provenance;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.commons.release.plugin.slsa.v1_2.RunDetails;
+import org.apache.commons.release.plugin.slsa.v1_2.Signature;
+import org.apache.commons.release.plugin.slsa.v1_2.Statement;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.execution.MavenSession;
+import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.Parameter;
+import org.apache.maven.plugins.annotations.ResolutionScope;
+import org.apache.maven.plugins.gpg.AbstractGpgSigner;
+import org.apache.maven.project.MavenProject;
+import org.apache.maven.project.MavenProjectHelper;
+import org.apache.maven.rtinfo.RuntimeInformation;
+import org.apache.maven.scm.CommandParameters;
+import org.apache.maven.scm.ScmException;
+import org.apache.maven.scm.ScmFileSet;
+import org.apache.maven.scm.command.info.InfoItem;
+import org.apache.maven.scm.command.info.InfoScmResult;
+import org.apache.maven.scm.manager.ScmManager;
+import org.apache.maven.scm.repository.ScmRepository;
+
+/**
+ * This plugin generates an in-toto attestation for all the artifacts.
+ */
+@Mojo(name = "build-attestation", defaultPhase = LifecyclePhase.VERIFY,
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME)
+public class BuildAttestationMojo extends AbstractMojo {
+
+/**
+ * The file extension for in-toto attestation files.
+ */
+private static final String ATTESTATION_EXTENSION = "intoto.jsonl";
+
+/**
+ * Shared Jackson object mapper for serializing attestation statements.
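Review bot: The class Javadoc (`This plugin generates an in-toto attestation for all the artifacts.`) describes the whole plugin, but this class is one goal; say what the goal emits, which from the imports is a SLSA v1.2 `Provenance` inside an in-toto `Statement` wrapped in a `DsseEnvelope`, and which artifacts are covered (attached artifacts, the POM, or both). Separately, the import of `org.apache.maven.plugins.gpg.AbstractGpgSigner` couples the mojo to an internal class of maven-gpg-plugin rather than a published API; pin and document the maven-gpg-plugin version this compiles against, or hide the signer behind a small interface so a change in that plugin cannot silently break attestation signing.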
Review Comment:
Right, I clarified this in:
https://github.com/apache/commons-release-plugin/pull/422/commits/8118ebbaa2a11f9d98319bba8a469a2c11b61819
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r317641 ## src/site/markdown/slsa/v0.1.0.md: ## 
@@ -0,0 +1,131 @@ + + +# Build Type: Apache Commons Maven Release + +```jsonc +"buildType": "https://commons.apache.org/proper/commons-release-plugin/slsa/v0.1.0"; +``` + +This is a [SLSA Build Provenance](https://slsa.dev/spec/v1.2/build-provenance) build type +that describes releases produced by Apache Commons PMC release managers running Maven on their own equipment. + +## Build definition + +Artifacts are generated by a single Maven execution, typically of the form: + +```shell +mvn -Prelease deploy +``` + +The provenance is recorded by the `build-attestation` goal of the +`commons-release-plugin`, which runs in the `verify` phase. + +### External parameters + +External parameters capture everything supplied by the release manager at invocation time. +All parameters are captured from the running Maven session. + +| Parameter | Type | Description | +|-|--|-| +| `maven.goals` | string[] | The list of Maven goals passed on the command line (e.g. `["deploy"]`). | +| `maven.profiles`| string[] | The list of active profiles passed via `-P` (e.g. `["release"]`). | +| `maven.user.properties` | object | User-defined properties passed via `-D` flags. | +| `maven.cmdline` | string | The reconstructed Maven command line. | +| `jvm.args` | string[] | JVM input arguments. | +| `env` | object | A filtered subset of environment variables: `TZ` and locale variables. | + +### Internal parameters + +No internal parameters are recorded for this build type. + +### Resolved dependencies + +The `resolvedDependencies` list captures all inputs that contributed to the build output. +It always contains the following entries, in order: + + JDK + +Represents the Java Development Kit used to run Maven (`"name": "JDK"`). +To allow verification of the JDK's integrity, a `gitTree` digest is computed over the `java.home` directory. 
+ +The following annotations are recorded from [ +`System.getProperties()`](https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/lang/System.html#getProperties()): + +| Annotation key | System property | Description | +|-|--|--| +| `version` | `java.version` | Java Runtime Environment version.| +| `version.date` | `java.version.date` | Java Runtime Environment version date, in ISO-8601 -MM-DD format.| +| `vendor`| `java.vendor` | Java Runtime Environment vendor. | +| `vendor.url`| `java.vendor.url` | Java vendor URL. | +| `vendor.version`| `java.vendor.version` | Java vendor version _(optional)_.| +| `home` | `java.home` | Java installation directory. | +| `vm.specification.version` | `java.vm.specification.version` | Java Virtual Machine specification version. | +| `vm.specification.vendor` | `java.vm.specification.vendor` | Java Virtual Machine specification vendor. | +| `vm.specification.name` | `java.vm.specification.name` | Java Virtual Machine specification name. | +| `vm.version`| `java.vm.version` | Java Virtual Machine implementation version. | +| `vm.vendor` | `java.vm.vendor` | Java Virtual Machine implementation vendor. | +| `vm.name` | `java.vm.name` | Java Virtual Machine implementation name.| +| `specification.version` | `java.specification.version` | Java Runtime Environment specification version. | +| `specification.mai
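Review bot: In the external parameters table, `maven.user.properties` records every `-D` property verbatim and `maven.cmdline` is reconstructed from the same input; release managers routinely pass secrets that way (a GPG passphrase or repository credentials), and the attestation is published next to the artifacts, so this build type should define a deny-list of property names that are redacted (or an allow-list of those recorded) and state it in this document so verifiers know what to expect. The `env` row has the same gap: name the exact variables (`TZ` plus the specific `LANG`/`LC_*` names) rather than "locale variables", since a verifier cannot reproduce a filter it cannot see.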
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r310788 ## src/site/markdown/slsa/v0.1.0.md: ## 
@@ -0,0 +1,131 @@ + + +# Build Type: Apache Commons Maven Release + +```jsonc +"buildType": "https://commons.apache.org/proper/commons-release-plugin/slsa/v0.1.0"; +``` + +This is a [SLSA Build Provenance](https://slsa.dev/spec/v1.2/build-provenance) build type +that describes releases produced by Apache Commons PMC release managers running Maven on their own equipment. + +## Build definition + +Artifacts are generated by a single Maven execution, typically of the form: + +```shell +mvn -Prelease deploy +``` + +The provenance is recorded by the `build-attestation` goal of the +`commons-release-plugin`, which runs in the `verify` phase. + +### External parameters + +External parameters capture everything supplied by the release manager at invocation time. +All parameters are captured from the running Maven session. + +| Parameter | Type | Description | +|-|--|-| +| `maven.goals` | string[] | The list of Maven goals passed on the command line (e.g. `["deploy"]`). | +| `maven.profiles`| string[] | The list of active profiles passed via `-P` (e.g. `["release"]`). | +| `maven.user.properties` | object | User-defined properties passed via `-D` flags. | +| `maven.cmdline` | string | The reconstructed Maven command line. | +| `jvm.args` | string[] | JVM input arguments. | +| `env` | object | A filtered subset of environment variables: `TZ` and locale variables. | + +### Internal parameters + +No internal parameters are recorded for this build type. Review Comment: This purpose is to describe the contents of all user-defined element of a SLSA attestation. Therefore we should document the fact that `internalParameters` will always be empty. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r3111099442 ## src/site/markdown/slsa/v0.1.0.md: ## @@ -0,0 +1,131 @@ + + +# Build Type: Apache Commons Maven Release + +```jsonc +"buildType": "https://commons.apache.org/proper/commons-release-plugin/slsa/v0.1.0"; +``` + +This is a [SLSA Build Provenance](https://slsa.dev/spec/v1.2/build-provenance) build type +that describes releases produced by Apache Commons PMC release managers running Maven on their own equipment. + +## Build definition + +Artifacts are generated by a single Maven execution, typically of the form: + +```shell +mvn -Prelease deploy +``` + +The provenance is recorded by the `build-attestation` goal of the +`commons-release-plugin`, which runs in the `verify` phase. + +### External parameters + +External parameters capture everything supplied by the release manager at invocation time. +All parameters are captured from the running Maven session. + +| Parameter | Type | Description | +|-|--|-| +| `maven.goals` | string[] | The list of Maven goals passed on the command line (e.g. `["deploy"]`). | Review Comment: Fixed in https://github.com/apache/commons-release-plugin/pull/422/commits/9d8dc45cf01fcfdb0660de89725d3b7df310ad75 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r3111095869 ## src/site/markdown/slsa/v0.1.0.md: ## @@ -0,0 +1,131 @@ + + +# Build Type: Apache Commons Maven Release + +```jsonc +"buildType": "https://commons.apache.org/proper/commons-release-plugin/slsa/v0.1.0"; +``` + +This is a [SLSA Build Provenance](https://slsa.dev/spec/v1.2/build-provenance) build type +that describes releases produced by Apache Commons PMC release managers running Maven on their own equipment. Review Comment: Fixed in https://github.com/apache/commons-release-plugin/pull/422/commits/d64965bf39428e762e1ed13caa257a2ab45052ad -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110692723 ## src/main/java/org/apache/commons/release/plugin/internal/package-info.java: ## @@ -0,0 +1,23 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Internal utilities for the commons-release-plugin. Review Comment: This Javadoc isn't really for maintainers, but for possible third-party users: this API can change at any time without notice. I improved the Javadoc in https://github.com/apache/commons-release-plugin/pull/422/commits/89d61d277a202380377f306d746bb0b80e26d7f4 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110668195 ## pom.xml: ## @@ -113,7 +114,22 @@ true true + +2.21.1 + 2.21 Review Comment: Fixed in https://github.com/apache/commons-release-plugin/pull/422/commits/ad63bc775e915471004b73dca60a97c91e09acb5 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110646699
##
src/main/java/org/apache/commons/release/plugin/slsa/v1_2/RunDetails.java:
##
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.util.List;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Details about the build invocation: the builder identity, execution
metadata, and any byproduct artifacts.
+ *
+ * @see https://slsa.dev/spec/v1.2";>SLSA v1.2 Specification
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class RunDetails {
+
+ /** Entity that executed the build. */
+ @JsonProperty("builder")
+ private Builder builder;
+
+ /** Metadata about the build invocation. */
+ @JsonProperty("metadata")
+ private BuildMetadata metadata;
+
+ /** Artifacts produced as a side effect of the build. */
+ @JsonProperty("byproducts")
+ private List byproducts;
+
+ /** Creates a new RunDetails instance. */
+ public RunDetails() {
+ }
+
+ /**
+ * Creates a new RunDetails with the given builder and metadata.
+ *
+ * @param builder entity that executed the build
+ * @param metadata metadata about the build invocation
+ */
+ public RunDetails(Builder builder, BuildMetadata metadata) {
+this.builder = builder;
+this.metadata = metadata;
+ }
+
+ /**
+ * Gets the builder that executed the invocation.
+ *
+ * Trusted to have correctly performed the operation and populated this
provenance.
+ *
+ * @return the builder, or {@code null} if not set
+ */
+ public Builder getBuilder() {
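Review bot: `byproducts` is a mutable `List` field exposed through a getter, and the SpotBugs discussion on this PR shows the EI_EXPOSE_REP findings being suppressed globally rather than fixed; prefer returning `Collections.unmodifiableList(byproducts)` (or copying in the setter) so a caller cannot alter a provenance object after it has been serialized and signed, and then drop the blanket SpotBugs exclusion for these classes. The `@see` entry would also be more useful pointing at the provenance page's `runDetails` section than at the top of the specification.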
Review Comment:
Nice suggestion!
I refactored all setters to return `this` in
https://github.com/apache/commons-release-plugin/pull/422/commits/b457710c7689987b165b58dd3a100af7e4a05186
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110648148
##
src/main/java/org/apache/commons/release/plugin/slsa/v1_2/Builder.java:
##
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Entity that executed the build and is trusted to have correctly performed
the operation and populated the provenance.
+ *
+ * @see https://slsa.dev/spec/v1.2";>SLSA v1.2 Specification
+ */
+public class Builder {
+
+/** Identifier URI of the builder. */
+@JsonProperty("id")
+private String id = "https://commons.apache.org/builds/0.1.0";;
+
+/** Orchestrator dependencies that may affect provenance generation. */
+@JsonProperty("builderDependencies")
+private List builderDependencies = new ArrayList<>();
+
+/** Map of build platform component names to their versions. */
+@JsonProperty("version")
+private Map version = new HashMap<>();
+
+/** Creates a new Builder instance. */
+public Builder() {
+}
+
+/**
+ * Gets the identifier of the builder.
+ *
+ * @return the builder identifier URI
+ */
+public String getId() {
+return id;
+}
+
+/**
+ * Sets the identifier of the builder.
+ *
+ * @param id the builder identifier URI
+ */
+public void setId(String id) {
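Review bot: `private String id = "https://commons.apache.org/builds/0.1.0"` hard-codes the builder identity as a field default in a plain model class, and the builder `id` is the value a verifier's policy trusts; an instance the mojo forgets to configure silently claims to be the official builder. Have the mojo set `id` explicitly (no default, or reject serialization when it is null) and align the URI scheme with the `buildType` URI documented in `src/site/markdown/slsa/v0.1.0.md` (`https://commons.apache.org/proper/commons-release-plugin/slsa/v0.1.0`) so both identifiers are versioned the same way. Also, `Builder` lacks the `@JsonInclude(JsonInclude.Include.NON_NULL)` that `RunDetails` carries, so the empty `builderDependencies` and `version` defaults always serialize as `[]` and `{}`; `NON_EMPTY` on the class would omit them when unset.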
Review Comment:
Fixed order in
https://github.com/apache/commons-release-plugin/commit/717bc2cf93585834136cc4b29e3ea52053e8a656
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110608551 ## checkstyle.xml: ## @@ -185,7 +185,7 @@ - + Review Comment: IIRC this is inconsistent with other Commons projects, where `com.*` and `org.*` imports are in the same group. Is there any reason to group them separately? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110579969
##
src/main/java/org/apache/commons/release/plugin/slsa/v1_2/RunDetails.java:
##
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.util.List;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Details about the build invocation: the builder identity, execution
metadata, and any byproduct artifacts.
+ *
+ * @see https://slsa.dev/spec/v1.2";>SLSA v1.2 Specification
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class RunDetails {
+
+ /** Entity that executed the build. */
+ @JsonProperty("builder")
+ private Builder builder;
+
+ /** Metadata about the build invocation. */
+ @JsonProperty("metadata")
+ private BuildMetadata metadata;
+
+ /** Artifacts produced as a side effect of the build. */
+ @JsonProperty("byproducts")
+ private List byproducts;
+
+ /** Creates a new RunDetails instance. */
+ public RunDetails() {
+ }
+
+ /**
+ * Creates a new RunDetails with the given builder and metadata.
+ *
+ * @param builder entity that executed the build
+ * @param metadata metadata about the build invocation
+ */
+ public RunDetails(Builder builder, BuildMetadata metadata) {
+this.builder = builder;
+this.metadata = metadata;
+ }
+
+ /**
+ * Gets the builder that executed the invocation.
+ *
+ * Trusted to have correctly performed the operation and populated this
provenance.
+ *
+ * @return the builder, or {@code null} if not set
+ */
+ public Builder getBuilder() {
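Review bot: The Javadoc on `getBuilder()` ("Trusted to have correctly performed the operation and populated this provenance.") restates the class description of `Builder` in this same PR; keep the trust statement once, on `Builder`, and have the getter Javadoc say only what it returns, so the two cannot drift apart.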
Review Comment:
I sorted the methods in
https://github.com/apache/commons-release-plugin/pull/422/commits/717bc2cf93585834136cc4b29e3ea52053e8a656
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110550497
##
src/main/java/org/apache/commons/release/plugin/slsa/v1_2/RunDetails.java:
##
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.util.List;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Details about the build invocation: the builder identity, execution
metadata, and any byproduct artifacts.
+ *
+ * @see https://slsa.dev/spec/v1.2";>SLSA v1.2 Specification
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class RunDetails {
Review Comment:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/db99b3c9904ee9127d8469d7d3c0994606fa8ca0
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110542953
##
src/main/java/org/apache/commons/release/plugin/internal/GitUtils.java:
##
@@ -0,0 +1,118 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.MessageDigest;
+
+import org.apache.commons.codec.binary.Hex;
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.GitIdentifiers;
+
+/**
+ * Utilities for Git operations.
+ */
+public final class GitUtils {
+
+/** The SCM URI prefix for Git repositories. */
+private static final String SCM_GIT_PREFIX = "scm:git:";
+
+/**
+ * Returns the Git tree hash for the given directory.
+ *
+ * @param path A directory path.
+ * @return A hex-encoded SHA-1 tree hash.
+ * @throws IOException If the path is not a directory or an I/O error
occurs.
+ */
+public static String gitTree(Path path) throws IOException {
+if (!Files.isDirectory(path)) {
+throw new IOException("Path is not a directory: " + path);
+}
+MessageDigest digest = DigestUtils.getSha1Digest();
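Review bot: The Javadoc of `gitTree(Path)` says only "hex-encoded SHA-1 tree hash"; for a digest that verifiers must reproduce independently it should state that the value is the Git tree object id of the directory (which entry modes are recorded, how symlinks and the executable bit are handled, and that entries are sorted the way Git sorts them), and that SHA-1 is used to match Git's object ids rather than as a collision-resistant digest. Without that, a verifier comparing against `git write-tree` over a JDK directory cannot tell whether a mismatch is a modified JDK or a different traversal rule.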
Review Comment:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/c3cff4d616c2dab5640954530b9ea8f77fcba941
Shouldn't CheckStyle pick up these stylistic choices? In other projects,
local variables must be `final`, but local variables in `try-with-resources`
constructs must **not** be `final`, which I always found strange.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110531808
##
src/main/java/org/apache/commons/release/plugin/internal/BuildDefinitions.java:
##
@@ -0,0 +1,170 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.management.ManagementFactory;
+import java.nio.file.Path;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.execution.MavenExecutionRequest;
+import org.apache.maven.execution.MavenSession;
+
+/**
+ * Factory methods for the SLSA {@code BuildDefinition} fields: JVM, Maven
descriptors and external build parameters.
+ */
+public final class BuildDefinitions {
+
+/**
+ * No instances.
+ */
+private BuildDefinitions() {
+}
+
+/**
+ * Creates a {@link ResourceDescriptor} for the JDK used during the build.
+ *
+ * @param javaHome path to the JDK home directory (value of the {@code
java.home} system property)
+ * @return a descriptor with digest and annotations populated from system
properties
+ * @throws IOException if hashing the JDK directory fails
+ */
+public static ResourceDescriptor jvm(Path javaHome) throws IOException {
+ResourceDescriptor descriptor = new ResourceDescriptor();
+descriptor.setName("JDK");
+Map digest = new HashMap<>();
+digest.put("gitTree", GitUtils.gitTree(javaHome));
+descriptor.setDigest(digest);
+String[] propertyNames = {
+"java.version", "java.version.date",
+"java.vendor", "java.vendor.url", "java.vendor.version",
+"java.home",
+"java.vm.specification.version", "java.vm.specification.vendor",
"java.vm.specification.name",
+"java.vm.version", "java.vm.vendor", "java.vm.name",
+"java.specification.version",
"java.specification.maintenance.version",
+"java.specification.vendor", "java.specification.name",
+};
+Map annotations = new HashMap<>();
+for (String prop : propertyNames) {
+annotations.put(prop.substring("java.".length()),
System.getProperty(prop));
+}
+descriptor.setAnnotations(annotations);
+return descriptor;
+}
+
+/**
+ * Creates a {@link ResourceDescriptor} for the Maven installation used
during the build.
+ *
+ * {@code build.properties} resides in a JAR inside {@code
${maven.home}/lib/}, which is loaded by Maven's Core Classloader.
+ * Plugin code runs in an isolated Plugin Classloader, which does see that
resources. Therefore, we need to pass the classloader from a class from
+ * Maven Core, such as {@link
org.apache.maven.rtinfo.RuntimeInformation}.
+ *
+ * @param version Maven version string
+ * @param mavenHome path to the Maven home directory
+ * @param coreClassLoader a classloader from Maven's Core Classloader
realm, used to load core resources
+ * @return a descriptor for the Maven installation
+ * @throws IOException if hashing the Maven home directory fails
+ */
+public static ResourceDescriptor maven(String version, Path mavenHome,
ClassLoader coreClassLoader) throws IOException {
+ResourceDescriptor descriptor = new ResourceDescriptor();
+descriptor.setName("Maven");
+descriptor.setUri("pkg:maven/org.apache.maven/apache-maven@" +
version);
+Map digest = new HashMap<>();
+digest.put("gitTree", GitUtils.gitTree(mavenHome));
+descriptor.setDigest(digest);
+Properties buildProps = new Properties();
+try (InputStream in =
coreClassLoader.getResourceAsStream("org/apache/maven/messages/build.properties"))
{
+if (in != null) {
+buildProps.load(in);
+}
+}
+if (!buildProps.isEmpty()) {
+Map annotations = new HashMap<>();
+buildProps.forEach((key, value) -> annotations.p
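Review bot: in `jvm()`, `annotations.put(prop.substring(...), System.getProperty(prop))` stores `null` for every property the running JDK does not define (`java.version.date` and `java.vendor.version` only exist since JDK 10), so on older JDKs the descriptor serializes entries such as `"version.date": null`; skip null values before putting them in the map. Two smaller points in `maven()`: the Javadoc reads "which does see that resources" where "which does not see those resources" is meant, and the `in == null` branch silently drops Maven's `build.properties`, which deserves at least a debug log so a missing annotation set can be traced to the classloader rather than to the build.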
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110412255
##
src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java:
##
@@ -0,0 +1,118 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.plugin.MojoExecutionException;
+
+/**
+ * Utilities to convert {@link Artifact} from and to other types.
+ */
+public final class ArtifactUtils {
+
+/** No instances. */
+private ArtifactUtils() {
+// prevent instantiation
+}
+
+/**
+ * Returns the conventional filename for the given artifact.
+ *
+ * @param artifact A Maven artifact.
+ * @return A filename.
+ */
+public static String getFileName(Artifact artifact) {
+return getFileName(artifact,
artifact.getArtifactHandler().getExtension());
+}
+
+/**
+ * Returns the filename for the given artifact with a changed extension.
+ *
+ * @param artifact A Maven artifact.
+ * @param extension The file name extension.
+ * @return A filename.
+ */
+public static String getFileName(Artifact artifact, String extension) {
+StringBuilder fileName = new StringBuilder();
+
fileName.append(artifact.getArtifactId()).append("-").append(artifact.getVersion());
+if (artifact.getClassifier() != null) {
+fileName.append("-").append(artifact.getClassifier());
+}
+fileName.append(".").append(extension);
+return fileName.toString();
+}
+
+/**
+ * Returns the Package URL corresponding to this artifact.
+ *
+ * @param artifact A maven artifact.
+ * @return A PURL for the given artifact.
+ */
+public static String getPackageUrl(Artifact artifact) {
+StringBuilder sb = new StringBuilder();
+
sb.append("pkg:maven/").append(artifact.getGroupId()).append("/").append(artifact.getArtifactId()).append("@").append(artifact.getVersion())
+.append("?");
+String classifier = artifact.getClassifier();
+if (classifier != null) {
+sb.append("classifier=").append(classifier).append("&");
+}
+sb.append("type=").append(artifact.getType());
+return sb.toString();
+}
+
+/**
+ * Returns a map of checksum algorithm names to hex-encoded digest values
for the given artifact file.
+ *
+ * @param artifact A Maven artifact.
+ * @return A map of checksum algorithm names to hex-encoded digest values.
+ * @throws IOException If an I/O error occurs reading the artifact file.
+ */
+private static Map getChecksums(Artifact artifact) throws
IOException {
+Map checksums = new HashMap<>();
+DigestUtils digest = new DigestUtils(DigestUtils.getSha256Digest());
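Review bot: `getPackageUrl` concatenates the raw coordinates and qualifier values, but the purl spec requires namespace, name, version and each qualifier value to be percent-encoded, so a version or classifier containing `@`, `&`, `%` or `?` produces an ambiguous or unparsable URL. Encode each component (or delegate to the packageurl-java library), and note that the canonical purl form orders qualifiers by key; `classifier` precedes `type` here only because of the hard-coded append order, so a sorted map of qualifiers would keep the output canonical if more qualifiers are added later.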
Review Comment:
This is a good question!
Actually there was no particular reason I chose SHA-256. There are many
algorithms supported by _in-toto_, including some that are not supported by
`MessageDigest`. In
https://github.com/apache/commons-release-plugin/pull/422/commits/28f0b57811318f6c05ff15cfc45eee4bc211ffaa
I made the list configurable, with a default of `SHA-512,SHA-256,SHA-1,MD5`.
The reason for including SHA-1 and MD5 is to allow users to verify the
artifacts in Maven Central, without downloading them.
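As an added example (not code from the PR or the plugin) of the verification path this comment describes: it computes the in-toto DigestSet of an artifact with the default `SHA-512,SHA-256,SHA-1,MD5` list and compares it with the `.sha1`/`.md5` sidecar files Maven Central publishes beside each file. The class and file names are hypothetical, and the sample artifact and sidecars are constructed inline.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Added example, not part of the PR: DigestSet computation plus sidecar cross-check. */
public final class DigestSetCheck {

    /** Default algorithm list quoted in the PR discussion (JCA names). */
    static final String DEFAULT_ALGORITHMS = "SHA-512,SHA-256,SHA-1,MD5";

    private DigestSetCheck() {
    }

    /**
     * in-toto DigestSet keys are lowercase without the hyphen ("sha256"), which is
     * also the extension Maven Central uses for its sidecar files (foo.jar.sha256).
     */
    static String digestSetKey(final String jcaName) {
        return jcaName.trim().replace("-", "").toLowerCase(Locale.ROOT);
    }

    /** Reads the file once, feeding every digest, and returns a DigestSet-style map. */
    static Map<String, String> digestSet(final Path file, final String algorithms)
            throws IOException, NoSuchAlgorithmException {
        final String[] names = algorithms.split(",");
        final MessageDigest[] digests = new MessageDigest[names.length];
        for (int i = 0; i < names.length; i++) {
            digests[i] = MessageDigest.getInstance(names[i].trim());
        }
        final byte[] buffer = new byte[8192];
        try (InputStream in = Files.newInputStream(file)) {
            int read;
            while ((read = in.read(buffer)) > 0) {
                for (final MessageDigest digest : digests) {
                    digest.update(buffer, 0, read);
                }
            }
        }
        final Map<String, String> set = new LinkedHashMap<>();
        for (int i = 0; i < names.length; i++) {
            set.put(digestSetKey(names[i]), toHex(digests[i].digest()));
        }
        return set;
    }

    /** A sidecar holds the hex digest, optionally followed by whitespace and a file name. */
    static String parseSidecar(final String content) {
        final String trimmed = content.trim();
        int end = 0;
        while (end < trimmed.length() && !Character.isWhitespace(trimmed.charAt(end))) {
            end++;
        }
        return trimmed.substring(0, end).toLowerCase(Locale.ROOT);
    }

    /**
     * Compares the attested DigestSet with the sidecars next to the artifact and returns
     * the keys that disagree (empty map: every published sidecar matches). Keys without a
     * sidecar are skipped: Central requires .sha1 and .md5, .sha256/.sha512 are optional.
     */
    static Map<String, String> mismatches(final Path file, final Map<String, String> attested)
            throws IOException {
        final Map<String, String> bad = new LinkedHashMap<>();
        for (final Map.Entry<String, String> entry : attested.entrySet()) {
            final Path sidecar = file.resolveSibling(file.getFileName() + "." + entry.getKey());
            if (!Files.isRegularFile(sidecar)) {
                continue;
            }
            final String published = parseSidecar(
                    new String(Files.readAllBytes(sidecar), StandardCharsets.US_ASCII));
            if (!published.equals(entry.getValue())) {
                bad.put(entry.getKey(), published);
            }
        }
        return bad;
    }

    static String toHex(final byte[] bytes) {
        final StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (final byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    public static void main(final String[] args) throws Exception {
        // Constructed sample: a throw-away "artifact" with one correct and one tampered sidecar.
        final Path dir = Files.createTempDirectory("digestset");
        final Path jar = dir.resolve("commons-example-1.0.jar");
        Files.write(jar, "abc".getBytes(StandardCharsets.US_ASCII));
        Files.write(dir.resolve("commons-example-1.0.jar.sha1"),
                "a9993e364706816aba3e25717850c26c9cd0d89d  commons-example-1.0.jar".getBytes(StandardCharsets.US_ASCII));
        Files.write(dir.resolve("commons-example-1.0.jar.md5"),
                "00000000000000000000000000000000".getBytes(StandardCharsets.US_ASCII)); // deliberately wrong
        final Map<String, String> set = digestSet(jar, DEFAULT_ALGORITHMS);
        System.out.println(set);                  // keys sha512, sha256, sha1, md5
        System.out.println(mismatches(jar, set)); // {md5=00000000000000000000000000000000}
    }
}
```

The check reads the sidecars only, so it answers "does the attestation agree with what Central advertises" without downloading the artifact, which is the use case the comment gives for keeping SHA-1 and MD5 in the list.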
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110155519
##
src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java:
##
@@ -0,0 +1,118 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.plugin.MojoExecutionException;
+
+/**
+ * Utilities to convert {@link Artifact} from and to other types.
+ */
+public final class ArtifactUtils {
+
+/** No instances. */
+private ArtifactUtils() {
+// prevent instantiation
+}
+
+/**
+ * Returns the conventional filename for the given artifact.
Review Comment:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/c8855e36dedc68ec2000d9aeebd99be06cc58297
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110078281
##
src/main/java/org/apache/commons/release/plugin/internal/ArtifactUtils.java:
##
@@ -0,0 +1,118 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.plugin.MojoExecutionException;
+
+/**
+ * Utilities to convert {@link Artifact} from and to other types.
+ */
+public final class ArtifactUtils {
+
+/** No instances. */
+private ArtifactUtils() {
+// prevent instantiation
+}
+
+/**
+ * Returns the conventional filename for the given artifact.
+ *
+ * @param artifact A Maven artifact.
+ * @return A filename.
+ */
+public static String getFileName(Artifact artifact) {
+return getFileName(artifact,
artifact.getArtifactHandler().getExtension());
+}
+
+/**
+ * Returns the filename for the given artifact with a changed extension.
+ *
+ * @param artifact A Maven artifact.
+ * @param extension The file name extension.
+ * @return A filename.
+ */
+public static String getFileName(Artifact artifact, String extension) {
+StringBuilder fileName = new StringBuilder();
+
fileName.append(artifact.getArtifactId()).append("-").append(artifact.getVersion());
+if (artifact.getClassifier() != null) {
+fileName.append("-").append(artifact.getClassifier());
+}
+fileName.append(".").append(extension);
+return fileName.toString();
+}
+
+/**
+ * Returns the Package URL corresponding to this artifact.
+ *
+ * @param artifact A maven artifact.
+ * @return A PURL for the given artifact.
+ */
+public static String getPackageUrl(Artifact artifact) {
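Review bot: `getFileName(Artifact)` reconstructs the subject name from coordinates rather than from the attached file (`artifact.getFile().getName()`), and the Javadoc does not say which of the two the attestation subject refers to. The conventional name is the right one for the repository layout, but it differs from the file in `target/` whenever `finalName` is customized, so a verifier comparing the subject against a local build output would see a mismatch; state in the Javadoc that the name is the repository (deployed) name, and add a test that covers an artifact with a classifier and a custom extension.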
Review Comment:
Package URL is rather new. As far as I know, even Maven 4 does not expose
this API, although it would be useful to add its support to both Resolver and
Maven Core (the two `Artifact` classes in Maven).
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110057303
##
src/test/java/org/apache/commons/release/plugin/internal/BuildDefinitionsTest.java:
##
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import static java.util.Arrays.asList;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.List;
+import java.util.Properties;
+import java.util.stream.Stream;
+
+import org.apache.maven.execution.DefaultMavenExecutionRequest;
+import org.apache.maven.execution.MavenExecutionRequest;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+class BuildDefinitionsTest {
+
+static Stream commandLineArguments() {
+return Stream.of(
+Arguments.of("empty", emptyList(), emptyList(), new
Properties(), ""),
+Arguments.of("single goal", singletonList("verify"),
emptyList(), new Properties(), "verify"),
+Arguments.of("multiple goals", asList("clean", "verify"),
emptyList(), new Properties(), "clean verify"),
+Arguments.of("single profile", singletonList("verify"),
singletonList("release"), new Properties(), "verify -Prelease"),
+Arguments.of("multiple profiles", singletonList("verify"),
asList("release", "sign"), new Properties(), "verify -Prelease,sign"),
+Arguments.of("user property", singletonList("verify"),
emptyList(), props("foo", "bar"), "verify -Dfoo=bar"),
+Arguments.of("goals, profile and property",
singletonList("verify"), singletonList("release"), props("foo", "bar"),
+"verify -Prelease -Dfoo=bar")
+);
+}
+
+@ParameterizedTest(name = "{0}")
+@MethodSource("commandLineArguments")
+void commandLineTest(final String description, final List goals,
final List profiles,
+final Properties userProperties, final String expected) {
+MavenExecutionRequest request = new DefaultMavenExecutionRequest();
+request.setGoals(goals);
+request.setActiveProfiles(profiles);
+request.setUserProperties(userProperties);
+assertThat(BuildDefinitions.commandLine(request)).isEqualTo(expected);
+}
+
+private static Properties props(final String key, final String value) {
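Review bot: every case in `commandLineArguments` sets at most one user property, so the test never pins down ordering when several `-D` options are present; `Properties` iterates in hash order, so unless `commandLine()` sorts the keys the rendered command line (and anything in the attestation derived from it) can differ between JVMs for the same build. Add a case with two properties whose expected string is in sorted key order, and a case with a value containing a space to fix the quoting contract.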
Review Comment:
Fixed in
https://github.com/apache/commons-release-plugin/pull/422/commits/e633bc1d9a4c7d61a4e70395a4fe90b41da50133
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3110048044
##
src/test/java/org/apache/commons/release/plugin/internal/BuildDefinitionsTest.java:
##
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import static java.util.Arrays.asList;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.List;
+import java.util.Properties;
+import java.util.stream.Stream;
+
+import org.apache.maven.execution.DefaultMavenExecutionRequest;
+import org.apache.maven.execution.MavenExecutionRequest;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+class BuildDefinitionsTest {
+
+static Stream commandLineArguments() {
+return Stream.of(
+Arguments.of("empty", emptyList(), emptyList(), new
Properties(), ""),
+Arguments.of("single goal", singletonList("verify"),
emptyList(), new Properties(), "verify"),
+Arguments.of("multiple goals", asList("clean", "verify"),
emptyList(), new Properties(), "clean verify"),
+Arguments.of("single profile", singletonList("verify"),
singletonList("release"), new Properties(), "verify -Prelease"),
+Arguments.of("multiple profiles", singletonList("verify"),
asList("release", "sign"), new Properties(), "verify -Prelease,sign"),
+Arguments.of("user property", singletonList("verify"),
emptyList(), props("foo", "bar"), "verify -Dfoo=bar"),
+Arguments.of("goals, profile and property",
singletonList("verify"), singletonList("release"), props("foo", "bar"),
+"verify -Prelease -Dfoo=bar")
+);
+}
+
+@ParameterizedTest(name = "{0}")
+@MethodSource("commandLineArguments")
+void commandLineTest(final String description, final List goals,
final List profiles,
+final Properties userProperties, final String expected) {
+MavenExecutionRequest request = new DefaultMavenExecutionRequest();
+request.setGoals(goals);
+request.setActiveProfiles(profiles);
+request.setUserProperties(userProperties);
+assertThat(BuildDefinitions.commandLine(request)).isEqualTo(expected);
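Review bot: none of the cases exercises sensitive user properties; `commandLine()` renders every entry of `request.getUserProperties()` as `-Dkey=value`, and a release run may pass `gpg.passphrase` or repository credentials that way, which would then be recorded verbatim if this string feeds the attestation's external parameters. Add a case asserting that such keys are redacted or omitted, and put the filter in `commandLine()` if it does not already exist.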
Review Comment:
I removed AssertJ in
https://github.com/apache/commons-release-plugin/pull/422/commits/f519b3670795da3fb4f43b6af1f727eadf8e6800
I kept JSON Unit, but replaced `json-unit-assertj` with `json-unit`.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3100762525
##
src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java:
##
@@ -0,0 +1,543 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.mojos;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.time.OffsetDateTime;
+import java.time.ZoneOffset;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.inject.Inject;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import org.apache.commons.release.plugin.internal.ArtifactUtils;
+import org.apache.commons.release.plugin.internal.BuildDefinitions;
+import org.apache.commons.release.plugin.internal.DsseUtils;
+import org.apache.commons.release.plugin.internal.GitUtils;
+import org.apache.commons.release.plugin.slsa.v1_2.BuildDefinition;
+import org.apache.commons.release.plugin.slsa.v1_2.BuildMetadata;
+import org.apache.commons.release.plugin.slsa.v1_2.Builder;
+import org.apache.commons.release.plugin.slsa.v1_2.DsseEnvelope;
+import org.apache.commons.release.plugin.slsa.v1_2.Provenance;
+import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
+import org.apache.commons.release.plugin.slsa.v1_2.RunDetails;
+import org.apache.commons.release.plugin.slsa.v1_2.Signature;
+import org.apache.commons.release.plugin.slsa.v1_2.Statement;
+import org.apache.maven.artifact.Artifact;
+import org.apache.maven.execution.MavenSession;
+import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.Parameter;
+import org.apache.maven.plugins.annotations.ResolutionScope;
+import org.apache.maven.plugins.gpg.AbstractGpgSigner;
+import org.apache.maven.project.MavenProject;
+import org.apache.maven.project.MavenProjectHelper;
+import org.apache.maven.rtinfo.RuntimeInformation;
+import org.apache.maven.scm.CommandParameters;
+import org.apache.maven.scm.ScmException;
+import org.apache.maven.scm.ScmFileSet;
+import org.apache.maven.scm.command.info.InfoItem;
+import org.apache.maven.scm.command.info.InfoScmResult;
+import org.apache.maven.scm.manager.ScmManager;
+import org.apache.maven.scm.repository.ScmRepository;
+
+/**
+ * This plugin generates an in-toto attestation for all the artifacts.
+ */
+@Mojo(name = "build-attestation", defaultPhase = LifecyclePhase.VERIFY,
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME)
+public class BuildAttestationMojo extends AbstractMojo {
+
+/**
+ * The file extension for in-toto attestation files.
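Review bot: the class Javadoc "This plugin generates an in-toto attestation for all the artifacts." describes a goal, not a plugin, and leaves out what a user needs before configuring it: that the goal binds to `verify` by default, which artifacts it covers (the `ResolutionScope.COMPILE_PLUS_RUNTIME` resolution suggests resolved dependencies are recorded alongside the project's attached artifacts), where the output file is written, and that the DSSE envelope is signed through the same GPG configuration as `maven-gpg-plugin` (`AbstractGpgSigner` is imported). A short parameter summary in the Javadoc, or a pointer to the site documentation, would save users reading the Mojo source.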
Review Comment:
This is the attestation format's name: https://in-toto.io/
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on code in PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#discussion_r3100758643 ## src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java: ## 
@@ -0,0 +1,543 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.commons.release.plugin.mojos; + +import java.io.File; +import java.io.IOException; +import java.io.OutputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.time.OffsetDateTime; +import java.time.ZoneOffset; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.inject.Inject; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializationFeature; +import org.apache.commons.release.plugin.internal.ArtifactUtils; +import org.apache.commons.release.plugin.internal.BuildDefinitions; +import org.apache.commons.release.plugin.internal.DsseUtils; +import org.apache.commons.release.plugin.internal.GitUtils; +import org.apache.commons.release.plugin.slsa.v1_2.BuildDefinition; +import org.apache.commons.release.plugin.slsa.v1_2.BuildMetadata; +import org.apache.commons.release.plugin.slsa.v1_2.Builder; +import 
org.apache.commons.release.plugin.slsa.v1_2.DsseEnvelope; +import org.apache.commons.release.plugin.slsa.v1_2.Provenance; +import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor; +import org.apache.commons.release.plugin.slsa.v1_2.RunDetails; +import org.apache.commons.release.plugin.slsa.v1_2.Signature; +import org.apache.commons.release.plugin.slsa.v1_2.Statement; +import org.apache.maven.artifact.Artifact; +import org.apache.maven.execution.MavenSession; +import org.apache.maven.plugin.AbstractMojo; +import org.apache.maven.plugin.MojoExecutionException; +import org.apache.maven.plugin.MojoFailureException; +import org.apache.maven.plugins.annotations.LifecyclePhase; +import org.apache.maven.plugins.annotations.Mojo; +import org.apache.maven.plugins.annotations.Parameter; +import org.apache.maven.plugins.annotations.ResolutionScope; +import org.apache.maven.plugins.gpg.AbstractGpgSigner; +import org.apache.maven.project.MavenProject; +import org.apache.maven.project.MavenProjectHelper; +import org.apache.maven.rtinfo.RuntimeInformation; +import org.apache.maven.scm.CommandParameters; +import org.apache.maven.scm.ScmException; +import org.apache.maven.scm.ScmFileSet; +import org.apache.maven.scm.command.info.InfoItem; +import org.apache.maven.scm.command.info.InfoScmResult; +import org.apache.maven.scm.manager.ScmManager; +import org.apache.maven.scm.repository.ScmRepository; + +/** + * This plugin generates an in-toto attestation for all the artifacts. Review Comment: In this case “in-toto” is the format name: https://in-toto.io/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on code in PR #422:
URL:
https://github.com/apache/commons-release-plugin/pull/422#discussion_r3099531006
##
src/test/java/org/apache/commons/release/plugin/internal/BuildDefinitionsTest.java:
##
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.internal;
+
+import static java.util.Arrays.asList;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.List;
+import java.util.Properties;
+import java.util.stream.Stream;
+
+import org.apache.maven.execution.DefaultMavenExecutionRequest;
+import org.apache.maven.execution.MavenExecutionRequest;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+class BuildDefinitionsTest {
+
+static Stream commandLineArguments() {
+return Stream.of(
+Arguments.of("empty", emptyList(), emptyList(), new
Properties(), ""),
+Arguments.of("single goal", singletonList("verify"),
emptyList(), new Properties(), "verify"),
+Arguments.of("multiple goals", asList("clean", "verify"),
emptyList(), new Properties(), "clean verify"),
+Arguments.of("single profile", singletonList("verify"),
singletonList("release"), new Properties(), "verify -Prelease"),
+Arguments.of("multiple profiles", singletonList("verify"),
asList("release", "sign"), new Properties(), "verify -Prelease,sign"),
+Arguments.of("user property", singletonList("verify"),
emptyList(), props("foo", "bar"), "verify -Dfoo=bar"),
+Arguments.of("goals, profile and property",
singletonList("verify"), singletonList("release"), props("foo", "bar"),
+"verify -Prelease -Dfoo=bar")
+);
+}
+
+@ParameterizedTest(name = "{0}")
+@MethodSource("commandLineArguments")
+void commandLineTest(final String description, final List goals,
final List profiles,
+final Properties userProperties, final String expected) {
+MavenExecutionRequest request = new DefaultMavenExecutionRequest();
+request.setGoals(goals);
+request.setActiveProfiles(profiles);
+request.setUserProperties(userProperties);
+assertThat(BuildDefinitions.commandLine(request)).isEqualTo(expected);
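Review bot: `commandLineArguments()` never supplies more than one user property, so this test cannot detect unstable ordering in `BuildDefinitions.commandLine(request)`; `java.util.Properties` is a hash table with no defined iteration order, and a provenance record whose recorded invocation differs between otherwise identical builds is hard to compare or reproduce. Suggest a case with two properties whose expected string pins a sorted order, and a case with a value containing whitespace (for example `props("foo", "bar baz")`) so the expected quoting is documented by the test. Separately, `Stream` and `List` appear here without type arguments; if that is not an extraction artefact, use `Stream<Arguments>` and `List<String>`.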
Review Comment:
Please say simple things in a simple way: JUnit's `assertEquals()` is
simple, obvious, and is less code.
In this case, it's 1 JUnit vs. 2 AssertJ method calls.
AssertJ makes tests harder to maintain IMO. I pruned AssertJ, Hamcrest and
other obtuse libraries out of Commons, for the most part.
## src/main/java/org/apache/commons/release/plugin/slsa/v1_2/RunDetails.java:
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.release.plugin.slsa.v1_2;
+
+import java.util.List;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Details about the build invocation: the builder identity, execution
metadata, and any byproduct artifacts.
+ *
+ * @see https://slsa.dev/spec/v1.2";>SLSA v1.2 Specification
+ */
+@JsonInclude(JsonInclu
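Review bot: the `@see` line in the class Javadoc reads `@see https://slsa.dev/spec/v1.2";>SLSA v1.2 Specification`, which is not a well-formed Javadoc reference as shown (a bare URL followed by `">` and label text); if this is not an extraction artefact, it should be `@see <a href="https://slsa.dev/spec/v1.2">SLSA v1.2 Specification</a>`, which is also what the existing Javadoc check in this project would expect.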
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4263647339 Let me take a look in the morning...
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4263154903 As I mentioned before, this PR might be hard to check in one piece. What do you think about splitting it into pieces and discussing each piece separately?
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4263094337 That is what I did with overly complex Javadoc comments.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4263080587 If you don't review something, delete it then.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4263047644 @garydgregory, I have reviewed the generated parts, fixed Javadoc comments and added additional tests. The code is the first thing I look at and verify line by line. I must admit I don't look too much at Javadoc, especially since this project requires every method (even `private` ones) to have a comment.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4252413734 I don't want to review vibe-coded output until _you_ review it line-by-line and prune/validate any junk out of it. When you say it's been proofed, I'll take a look.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4252120106 In https://github.com/apache/commons-release-plugin/pull/422/commits/16f776f54baa725884d8af5b338dc42d5569bf39 I added support for DSSE envelope signing, which leverages the functionality of the GPG Maven plugin to sign the attestation with GPG and wrap both the payload and signature in a single file. A lot of it is vibe-coded, mostly reviewed, but it needs a thorough review, especially on the documentation side. If this helps, I could split this PR into three parts:
- the Jackson models for the data,
- the generation of attestations without signing,
- the signing feature.
What do you think?
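The DSSE envelope discussed above, as an added example that is not the plugin's code: it shows the Pre-Authentication Encoding (PAE) that is actually signed and the single JSON document holding both payload and signature, with verification recomputing the PAE from the envelope's own fields. GPG signing is replaced by an HMAC-SHA256 stand-in with a constructed key, and the in-toto statement and its subject digest are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the plugin's GPG key: an HMAC-SHA256 secret.
# A real DSSE envelope carries an asymmetric (here GPG) signature, but the
# envelope layout and the Pre-Authentication Encoding are the same.
DEMO_KEY = b"demo-secret-not-a-real-key"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    return b"DSSEv1 %d %s %d %s" % (
        len(payload_type), payload_type.encode("utf-8"), len(payload), payload)


def sign(payload: bytes, key: bytes = DEMO_KEY, keyid: str = "demo") -> dict:
    """Return one DSSE envelope holding both the payload and its signature."""
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid,
                        "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify(envelope: dict, key: bytes = DEMO_KEY):
    """Return the decoded statement if a signature verifies, else None.
    The check covers the envelope's own payloadType and payload, so replacing
    either field without re-signing fails."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload),
                        hashlib.sha256).digest()
    for entry in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(entry["sig"]), expected):
            return json.loads(payload)
    return None


# Constructed minimal in-toto statement with a SLSA provenance predicate;
# the subject digest is a placeholder, not a real artifact hash.
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-1.0.jar", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {"externalParameters": {"goals": "verify"}}},
}, sort_keys=True).encode("utf-8")
```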
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4170882406 Information about the JDK is already present. I don't know if we need information about the OS: that information is usually partially included in the JDK version strings.
Re: [PR] Add `build-attestation` target [commons-release-plugin]
garydgregory commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4170771764 What about the JDK or OS?
Re: [PR] Add `build-attestation` target [commons-release-plugin]
ppkarwasz commented on PR #422: URL: https://github.com/apache/commons-release-plugin/pull/422#issuecomment-4170690783 You can find the documentation of what elements are contained in the attestations in this file (included in the PR): https://github.com/apache/commons-release-plugin/blob/feat/slsa/src/site/markdown/slsa/v0.1.0.md I have some doubts regarding which dependencies of the project **build** should be included in the attestation:
- Some information about the Maven distribution should certainly be present.
- However, the checksums of all project dependencies, Maven plugins and their dependencies might be more suited for the build SBOM.
By verifying the SBOM reproducibility, we have already discovered some small differences in the dependencies used by the release build and the voting builds.
