
How might we enhance validation on BOMs? #5922

Closed
suztomo opened this issue Apr 13, 2023 · 0 comments · Fixed by #5928
Labels: priority: p2 (Moderately-important priority. Fix may not be included in next release.) · type: feature request (‘Nice-to-have’ improvement, new feature or different behavior or design.)

Comments

@suztomo (Member)

suztomo commented Apr 13, 2023

There were problems in the entries in the gapic-libraries-bom (googleapis/google-cloud-java#9304) and protobuf-bom (protocolbuffers/protobuf#12170). The challenge is that Maven's build lifecycle does not invalidate bad entries in a BOM.

How might we enhance validation on BOMs? Especially those that are in a different location than this java-cloud-bom repository.

Create GitHub Actions (a composite action)

In GitHub Actions, we can easily reference a check in another repository.
https://github.com/googleapis/google-api-java-client-services/blob/main/.github/workflows/codegen.yaml#L48

A composite action (https://docs.github.com/en/actions/creating-actions/creating-a-composite-action) is a good fit for the tasks below.

Implementation: a composite action

Before running the composite action the caller (gapic-generator-java or google-cloud-java repository) needs to make the BOM and its contents available in Maven Central or local Maven repository.

The action takes BOM coordinates as an argument.

The action does the following:

  • It reads the BOM and gets all artifacts.
    • It may filter out "testlib" artifacts if they cause problems in subsequent steps.
  • It creates a Maven project (a directory with a pom.xml file) with the artifacts as the dependencies. The project uses the BOM.
    • This output project is actually beneficial for scanning security advisories.
  • It runs mvn install in the project to confirm the project is built.
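As an added example (not code from this issue or the java-cloud-bom project), the core of the proposed action in Python: read the BOM's dependencyManagement entries, drop "testlib" artifacts, and emit the throwaway pom.xml that imports the BOM and lists every managed artifact without a version, so that `mvn install` in that directory can only succeed if each BOM entry resolves. The sample BOM and all coordinates are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample BOM: coordinates are illustrative, not a real release.
SAMPLE_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>example-bom</artifactId>
  <version>1.2.3</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-core</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-extra</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-core-testlib</artifactId><version>1.2.3</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

def bom_artifacts(bom_xml, skip_testlib=True):
    """Return (groupId, artifactId) pairs managed by the BOM; testlib artifacts are dropped by default."""
    root = ET.fromstring(bom_xml)
    pairs = []
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        if skip_testlib and aid.endswith("-testlib"):
            continue
        pairs.append((gid, aid))
    return pairs

def validation_pom(bom_xml, skip_testlib=True):
    """Render a pom.xml that imports the BOM and depends on every managed artifact.
    Versions are omitted on purpose so that only the BOM's own entries resolve them."""
    root = ET.fromstring(bom_xml)
    gid, aid, ver = (root.findtext(f"m:{t}", namespaces=NS) for t in ("groupId", "artifactId", "version"))
    deps = "".join(f"    <dependency><groupId>{g}</groupId><artifactId>{a}</artifactId></dependency>\n"
                   for g, a in bom_artifacts(bom_xml, skip_testlib))
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.check</groupId><artifactId>bom-validation</artifactId><version>0-SNAPSHOT</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>{gid}</groupId><artifactId>{aid}</artifactId><version>{ver}</version>
                <type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
{deps}  </dependencies>
</project>
"""

def managed_dependency_count(pom_xml):
    """Number of <dependency> entries in the generated project's top-level <dependencies> block."""
    return len(ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", NS))
```

Write the rendered string to `pom.xml` in an empty directory and run `mvn install` there; any BOM entry whose artifact cannot be resolved fails the build instead of passing silently.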
@suztomo suztomo changed the title How might we enhance validation on BOMs How might we enhance validation on BOMs? Apr 13, 2023
@suztomo suztomo self-assigned this Apr 13, 2023
@alicejli alicejli added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. priority: p2 Moderately-important priority. Fix may not be included in next release. labels Apr 14, 2023
gcf-merge-on-green bot pushed a commit that referenced this issue Apr 17, 2023