Skip to content

Commit

Permalink
Add SBOM jsf signing to openjdk_build_pipeline.groovy (#1131)
Browse files Browse the repository at this point in the history
* SBOM jsf signing

* Integrate build_sign_sbom_libraries job

* Space

* Archiving cyclone dx jars not needed

* Variable name typo

* archive sboms
  • Loading branch information
Haroon-Khel authored Jan 2, 2025
1 parent 6a55e2f commit 83e9bc8
Showing 1 changed file with 44 additions and 0 deletions.
44 changes: 44 additions & 0 deletions pipelines/build/common/openjdk_build_pipeline.groovy
Original file line number Diff line number Diff line change
@@ -1061,6 +1061,49 @@ class Build {
}
}
}

// Kick off the sign_temurin_jsf job to sign the SBOM
private void jsfSignSBOM() {
context.stage('SBOM Sign') {

context.println "Running build_sign_sbom_libraries to build the SBOM libraries"
def buildSBOMLibrariesJob = context.build job: 'build_sign_sbom_libraries',
propagate: true

def paramsJsf = [
context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
context.string(name: 'UPSTREAM_DIR', value: 'workspace/target'),
context.string(name: 'SBOM_LIBRARY_JOB_NUMBER', value: "${buildSBOMLibrariesJob.getNumber()}")
]

context.println "RUNNING sign_temurin_jsf for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
def signSBOMJob = context.build job: 'build-scripts/release/sign_temurin_jsf',
propagate: true,
parameters: paramsJsf

context.node('worker') {
// Remove any previous workspace artifacts
context.sh 'rm -rf workspace/target/* || true'
context.copyArtifacts(
projectName: 'build-scripts/release/sign_temurin_jsf',
selector: context.specific("${signSBOMJob.getNumber()}"),
filter: '**/*sbom*.json',
fingerprintArtifacts: true,
target: 'workspace/target/',
flatten: true)

// Archive SBOM signatures in Jenkins
try {
context.timeout(time: buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') {
context.archiveArtifacts artifacts: 'workspace/target/*sbom*.json'
}
} catch (FlowInterruptedException e) {
throw new Exception("[ERROR] Archive artifact timeout (${buildTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT} HOURS) for ${downstreamJobName} has been reached. Exiting...")
}
}
}
}
/*
Lists and returns any compressed archived or sbom file contents of the top directory of the build node
*/
@@ -2442,6 +2485,7 @@ def buildScriptsAssemble(
try {
context.println "openjdk_build_pipeline: Running GPG signing process"
gpgSign()
jsfSignSBOM()
} catch (Exception e) {
context.println(e.message)
currentBuild.result = 'FAILURE'

0 comments on commit 83e9bc8

Please sign in to comment.