Release process improvements (#988)

- Adds Licensee for dependency license verification - Adds CycloneDX to generate SBOMs - Includes LICENSE, SBOM and license verification report into the jars - Updates dependency verification metadata - Adds Nexus Publish plugin to automate publish process - Updates relevant workflows {patch} Signed-off-by: Esta Nagy <[email protected]>
nagyesta · May 10, 2024 · b864226 · b864226
1 parent 2e857c2
commit b864226
Show file tree

Hide file tree

Showing 6 changed files with 455 additions and 3,171 deletions.
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -67,7 +67,8 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build with Gradle
         run: >
-          ./gradlew publish -x test -x dockerClean -x dockerPrepare -x dockerRun -x dockerRunStatus -x dockerStop
+          ./gradlew publish  publishToSonatype closeAndReleaseSonatypeStagingRepository
+          -x test -x dockerClean -x dockerPrepare -x dockerRun -x dockerRunStatus -x dockerStop
           -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
           -PgithubToken=${{ secrets.PUBLISH_KEY }}
           -PossrhUsername=${{ secrets.OSSRH_USER }}

diff --git a/.github/workflows/update-dependency-checksums.yml b/.github/workflows/update-dependency-checksums.yml
@@ -26,7 +26,7 @@ jobs:
         with:
           cache-disabled: true
       - name: Update checksums
-        run: ./gradlew --write-verification-metadata sha256
+        run: ./gradlew help licensee --write-verification-metadata sha256
       - name: Git commit
         run: |
           git config --global user.name 'Esta Nagy'

diff --git a/build.gradle b/build.gradle
@@ -2,6 +2,9 @@ plugins {
     alias(libs.plugins.versioner)
     alias(libs.plugins.index.scan)
     alias(libs.plugins.owasp.dependencycheck)
+    alias(libs.plugins.nexus.publish.plugin)
+    alias libs.plugins.cyclonedx.bom apply false
+    alias libs.plugins.licensee.plugin apply false
 }
 
 group = 'com.github.nagyesta.lowkey-vault'
@@ -65,6 +68,8 @@ configure(subprojects.findAll({
     apply plugin: 'signing'
     apply plugin: 'org.sonatype.gradle.plugins.scan'
     apply plugin: 'org.owasp.dependencycheck'
+    apply plugin: 'org.cyclonedx.bom'
+    apply plugin: 'app.cash.licensee'
 
     versioner.apply()
 
@@ -150,6 +155,64 @@ configure(subprojects.findAll({
     }
     checkstyle.toolVersion = libs.versions.checkstyle.get()
 
+
+    cyclonedxBom {
+        includeConfigs = ["runtimeClasspath"]
+        skipConfigs = ["compileClasspath", "testCompileClasspath"]
+        skipProjects = []
+        projectType = project.name.endsWith("app") ? "application" : "library"
+        schemaVersion = "1.5"
+        destination = file("build/reports")
+        outputName = "bom"
+        outputFormat = "json"
+        //noinspection UnnecessaryQualifiedReference
+        final def attachmentText = new org.cyclonedx.model.AttachmentText()
+        attachmentText.setText(file("${project.rootProject.projectDir}/LICENSE").readBytes().encodeBase64().toString())
+        attachmentText.setEncoding("base64")
+        attachmentText.setContentType("text/plain")
+        //noinspection UnnecessaryQualifiedReference
+        final def license = new org.cyclonedx.model.License()
+        license.setName(project.rootProject.ext.licenseName)
+        license.setLicenseText(attachmentText)
+        license.setUrl(project.rootProject.ext.licenseUrl)
+        setLicenseChoice {
+            it.addLicense(license)
+        }
+    }
+
+    licensee {
+        allow("Apache-2.0")
+        allow("MIT")
+        allow("MIT-0")
+        allow("EPL-1.0")
+        allow("EPL-2.0")
+        allow("BSD-2-Clause")
+        allowUrl("https://www.bouncycastle.org/licence.html")
+        allowUrl("https://github.com/openjdk/nashorn/blob/main/LICENSE")
+        allowUrl("https://github.com/swagger-api/swagger-ui")
+        allowUrl("http://www.eclipse.org/legal/epl-2.0")
+        allowUrl("http://www.eclipse.org/org/documents/edl-v10.php")
+        allowUrl("https://asm.ow2.io/license.html")
+        ignoreDependencies("org.apache.tomcat", "tomcat-servlet-api")
+        unusedAction("IGNORE")
+    }
+
+    tasks.register('copyLegalDocs', Copy.class) {
+        from file("${project.rootProject.projectDir}/LICENSE")
+        from layout.buildDirectory.file("reports/licensee/artifacts.json").get().asFile
+        from layout.buildDirectory.file("reports/bom.json").get().asFile
+        into layout.buildDirectory.dir("resources/main/META-INF").get().asFile
+        rename('artifacts.json', 'dependency-licenses.json')
+        rename('bom.json', 'SBOM.json')
+    }
+    //noinspection ConfigurationAvoidance
+    tasks.copyLegalDocs.dependsOn(tasks.licensee)
+    tasks.copyLegalDocs.dependsOn(tasks.cyclonedxBom)
+    tasks.javadoc.dependsOn(tasks.copyLegalDocs)
+    tasks.compileTestJava.dependsOn(tasks.copyLegalDocs)
+    tasks.checkstyleMain.dependsOn(tasks.copyLegalDocs)
+    tasks.processResources.finalizedBy(tasks.copyLegalDocs)
+
     publishing {
         repositories {
             maven {
@@ -160,14 +223,6 @@ configure(subprojects.findAll({
                     password = rootProject.ext.gitToken
                 }
             }
-            maven {
-                name = "ossrh"
-                url = uri("https://oss.sonatype.org/service/local/staging/deploy/maven2")
-                credentials {
-                    username = rootProject.ext.ossrhUser
-                    password = rootProject.ext.ossrhPass
-                }
-            }
         }
     }
 
@@ -187,6 +242,15 @@ configure(subprojects.findAll({
     }
 }
 
+nexusPublishing {
+    repositories {
+        sonatype {
+            username = project.ext.ossrhUser
+            password = project.ext.ossrhPass
+        }
+    }
+}
+
 ossIndexAudit {
     username = rootProject.ext.ossIndexUser
     password = rootProject.ext.ossIndexPass

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -31,6 +31,9 @@ lombokPlugin = "8.6"
 springBootPlugin = "3.2.5"
 gitVersionerPlugin = "1.6.7"
 owaspPlugin = "9.1.0"
+cycloneDxBomPlugin = "1.8.2"
+licenseePlugin = "1.11.0"
+nexusPublishPlugin = "2.0.0"
 
 [libraries]
 spring-boot-starter = { module = "org.springframework.boot:spring-boot-starter", version.ref = "springBoot" }
@@ -118,3 +121,6 @@ docker-run = { id = "com.palantir.docker-run", version.ref = "dockerPlugin" }
 versioner = { id = "io.toolebox.git-versioner", version.ref = "gitVersionerPlugin" }
 index-scan = { id = "org.sonatype.gradle.plugins.scan", version.ref = "indexScanPlugin" }
 owasp-dependencycheck = { id = "org.owasp.dependencycheck", version.ref = "owaspPlugin" }
+cyclonedx-bom = { id = "org.cyclonedx.bom", version.ref = "cycloneDxBomPlugin" }
+licensee-plugin = { id = "app.cash.licensee", version.ref = "licenseePlugin" }
+nexus-publish-plugin = { id = "io.github.gradle-nexus.publish-plugin", version.ref = "nexusPublishPlugin" }