Add separate reproducibility check workflow (#271)

Adds a reproducibility check workflow based on a Nexus repository and not the local Maven repo.

We also deprecate the reproducibility check in `build-reusable.yaml`.

.github/workflows/build-reusable.yaml

@@ -31,6 +31,15 @@ on:
       maven-args:
         description: Additional Maven arguments
         type: string
+      ref:
+        description: The branch, tag or SHA to checkout
+        # When running on `pull_request_target` use the PR branch, not the target branch
+        default: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
+        type: string
+      repository:
+        description: GitHub repository name with owner
+        default: ${{ github.repository }}
+        type: string
       reproducibility-check-enabled:
         description: Runs a reproducibility check on the build
         default: true
@@ -39,6 +48,14 @@ on:
         description: Flag indicating if Maven `site` goal should be run
         default: false
         type: boolean
+      test-report-enabled:
+        description: Enables the upload of test reports
+        default: true
+        type: boolean
+      test-report-suffix:
+        description: Suffix to add to the uploaded artifacts
+        default: ''
+        type: string
 
     secrets:
       DV_ACCESS_TOKEN:
@@ -64,8 +81,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683   # 4.2.2
         with:
-          # When running on `pull_request` use the PR branch, not the target branch
-          ref: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
 
       - name: Set up Java
         uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b   # 4.5.0
@@ -105,8 +122,7 @@ jobs:
         with:
           develocity-access-key: ${{ secrets.DV_ACCESS_TOKEN }}
 
-      # We could have used `verify`, but `clean install` is required while generating the build reproducibility report, which is performed in the next step.
-      # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
+      # We use `install` instead of `verify`, otherwise the build website step below fails
       - name: Build
         id: build
         shell: bash
@@ -119,10 +135,10 @@ jobs:
 
       # We upload tests results.
       - name: Upload test reports
-        if: always()
+        if: ${{ always() && inputs.test-report-enabled }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882   # 4.4.3
         with:
-          name: surefire-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}
+          name: "test-report-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}${{inputs.test-report-suffix}}"
           path: |
             **/target/surefire-reports
             **/target/logs

.github/workflows/verify-reproducibility-reusable.yaml

@@ -0,0 +1,87 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: verify-reproducibility-reusable
+
+on:
+  workflow_call:
+    inputs:
+      java-version:
+        description: The Java compiler version
+        default: 17
+        type: string
+      maven-args:
+        description: Additional Maven arguments
+        type: string
+      nexus-url:
+        description: The URL of the reference Nexus repository
+        type: string
+      runs-on:
+        description: The type of runners to use as JSON array
+        default: '["ubuntu-latest"]'
+        type: string
+
+env:
+  MAVEN_ARGS: ${{ inputs.maven-args }}
+
+jobs:
+
+  build:
+
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: ${{ fromJSON(inputs.runs-on) }}
+
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871   # 4.2.1
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Set up Java
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73   # 4.4.0
+        with:
+          distribution: zulu
+          java-version: ${{ inputs.java-version }}
+          cache: maven
+
+      # `clean verify artifact:compare` is required to generate the build reproducibility report.
+      # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
+      - name: Verify build reproducibility
+        shell: bash
+        run: |
+          ./mvnw \
+            --show-version --batch-mode --errors --no-transfer-progress \
+            -DskipTests=true \
+            -Dreference.repo=${{ inputs.nexus-url }} \
+            clean verify artifact:compare
+
+      # Upload reproducibility results if the build fails.
+      - name: Upload reproducibility results
+        if: failure()
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882   # 4.4.3
+        with:
+          name: reproducibility-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}
+          path: |
+            **/target/bom.xml
+            **/target/*.buildcompare
+            **/target/*.jar
+            **/target/*.zip
+            **/target/reference/**

src/changelog/.11.x.x/verify_reproducibility_reusable.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns="https://logging.apache.org/xml/ns"
+       xsi:schemaLocation="https://logging.apache.org/xml/ns https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"
+       type="changed">
+  <issue id="246" link="https://github.com/apache/logging-parent/pull/246"/>
+  <description format="asciidoc">
+    Adds a `verify_reproducibility-reusable.yaml` workflow to check reproducibility of artifacts in a Maven repo.
+    Deprecates the reproducibility check in `build-reusable.yaml`.
+  </description>
+</entry>

src/site/antora/modules/ROOT/pages/features.adoc

@@ -53,7 +53,6 @@ The provided reusable GitHub Actions workflows feature the following convenience
 
 {project-github-url}/blob/main/.github/workflows/build-reusable.yaml[`build-reusable.yaml`]::
 * Compiles using the specified Java compiler version
-* Verifies reproducibility
 * Submits build scans to the Develocity server
 
 {project-github-url}/blob/main/.github/workflows/deploy-release-reusable.yaml[`deploy-release-reusable.yaml`]::
@@ -72,6 +71,9 @@ The provided reusable GitHub Actions workflows feature the following convenience
 {project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`merge-dependabot-reusable.yaml`]::
 * Merges `dependabot` PRs along with changelog entries
 
+{project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`verify-reproducibility-reusable.yaml`]::
+* Verifies reproducibility of a previous deployment workflow.
+
 [#release-instructions]
 === Release instructions