X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=blobdiff_plain;f=jjb%2Flf-maven-jobs.yaml;h=61743770448ed19f6f9958642b19dd7301025a1b;hb=532e97b5b965cab5ace406d8ecc845afc98920ac;hp=c63fe81902b79a511c1f5208b54bbbeac0770766;hpb=ce35c1d5681c319ca4c330892ba19aa6a020c0ee;p=releng%2Fglobal-jjb.git diff --git a/jjb/lf-maven-jobs.yaml b/jjb/lf-maven-jobs.yaml index c63fe819..61743770 100644 --- a/jjb/lf-maven-jobs.yaml +++ b/jjb/lf-maven-jobs.yaml @@ -17,7 +17,7 @@ - builder: name: lf-maven-deploy builders: - - shell: !include-raw: + - shell: !include-raw-escape: - ../shell/common-variables.sh - ../shell/maven-deploy.sh @@ -72,7 +72,7 @@ # COMMON FUNCTIONS # #################### -- lf_maven_common: &lf_maven_common +- _lf_maven_common: &lf_maven_common name: lf-maven-common ###################### @@ -127,7 +127,7 @@ # Maven CLM # ############# -- lf_maven_clm: &lf_maven_clm +- _lf_maven_clm: &lf_maven_clm name: lf-maven-clm ###################### @@ -140,7 +140,7 @@ disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + java-version: openjdk11 mvn-global-settings: global-settings mvn-goals: clean install mvn-opts: "" 
@@ -288,7 +288,173 @@ github-hooks: true org-list: - "{github-org}" - white-list: "{obj:github_pr_whitelist}" + white-list: "{obj:github_pr_allowlist}" + admin-list: "{obj:github_pr_admin_list}" + white-list-target-branches: + - "{branch}" + +################## +# Maven Snyk CLI # +################## + +- _lf_maven_snyk_cli: &lf_maven_snyk_cli + name: lf-maven-snyk_cli + + ###################### + # Default parameters # + ###################### + + branch: master + build-days-to-keep: 30 # 30 days for troubleshooting purposes + build-timeout: 60 + disable-job: false + git-url: "$GIT_URL/$PROJECT" + github-url: "https://github.com" + java-version: openjdk11 + mvn-global-settings: global-settings + mvn-goals: clean install + mvn-opts: "" + mvn-params: "" + mvn-version: mvn35 + snyk-cli-options: "" + snyk-token-credential-id: snyk-token + snyk-org-credential-id: snyk-org + stream: master + submodule-recursive: true + submodule-timeout: 10 + submodule-disable: false + + gerrit_snyk_triggers: + - comment-added-contains-event: + comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$' + + parameters: + - lf-infra-parameters: + project: "{project}" + branch: "{branch}" + stream: "{stream}" + - lf-infra-maven-parameters: + mvn-opts: "{mvn-opts}" + mvn-params: "{mvn-params}" + mvn-version: "{mvn-version}" + - string: + name: SNYK_CLI_OPTIONS + default: "{snyk-cli-options}" + description: Additional Snyk CLI commands and options + - string: + name: ARCHIVE_ARTIFACTS + default: "{archive-artifacts}" + description: Artifacts to archive to the logs server. 
+ + wrappers: + - credentials-binding: + - text: + credential-id: "{snyk-token-credential-id}" + variable: SNYK_TOKEN + - text: + credential-id: "{snyk-org-credential-id}" + variable: SNYK_ORG + + ##################### + # Job Configuration # + ##################### + + disabled: "{disable-job}" + + builders: + - lf-infra-pre-build + - lf-maven-install: + mvn-version: "{mvn-version}" + - lf-update-java-alternatives: + java-version: "{java-version}" + - lf-provide-maven-settings: + global-settings-file: "{mvn-global-settings}" + settings-file: "{mvn-settings}" + - lf-maven-build: + mvn-goals: "{mvn-goals}" + - lf-infra-snyk-cli-scanner + - lf-provide-maven-settings-cleanup + - shell: 'find . -regex ".*karaf/target" | xargs rm -rf' + +- builder: + name: lf-infra-snyk-cli-scanner + # Download and run the Snyk CLI scanner + builders: + - shell: !include-raw-escape: + - ../shell/snyk-cli-scanner-run.sh + +- job-template: + name: "{project-name}-maven-snyk-cli-{stream}" + id: gerrit-maven-snyk-cli + <<: *lf_maven_common + # yamllint disable-line rule:key-duplicates + <<: *lf_maven_snyk_cli + + scm: + - lf-infra-gerrit-scm: + jenkins-ssh-credential: "{jenkins-ssh-credential}" + git-url: "{git-url}" + refspec: "$GERRIT_REFSPEC" + branch: "$GERRIT_BRANCH" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" + choosing-strategy: default + + triggers: + # Build weekly on Saturdays + - timed: "H H * * 6" + - gerrit: + server-name: "{gerrit-server-name}" + trigger-on: "{obj:gerrit_snyk_triggers}" + projects: + - project-compare-type: ANT + project-pattern: "{project}" + branches: + - branch-compare-type: ANT + branch-pattern: "**/{branch}" + skip-vote: + successful: true + failed: true + unstable: true + notbuilt: true + +- job-template: + name: "{project-name}-maven-snyk-cli-{stream}" + id: github-maven-snyk-cli + <<: *lf_maven_common + # yamllint disable-line rule:key-duplicates + <<: 
*lf_maven_snyk_cli + + properties: + - lf-infra-properties: + build-days-to-keep: "{build-days-to-keep}" + - github: + url: "{github-url}/{github-org}/{project}" + + scm: + - lf-infra-github-scm: + url: "{git-clone-url}{github-org}/{project}" + refspec: "" + branch: "refs/heads/{branch}" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" + choosing-strategy: default + jenkins-ssh-credential: "{jenkins-ssh-credential}" + + triggers: + # Build weekly on Saturdays + - timed: "H H * * 6" + - github-pull-request: + trigger-phrase: "^run-snyk$" + only-trigger-phrase: true + status-context: "SNYK scan" + permit-all: true + github-hooks: true + org-list: + - "{github-org}" + white-list: "{obj:github_pr_allowlist}" admin-list: "{obj:github_pr_admin_list}" white-list-target-branches: - "{branch}" @@ -297,7 +463,7 @@ # Maven Javadoc Publish # ######################### -- lf_maven_javadoc_publish: &lf_maven_javadoc_publish +- _lf_maven_javadoc_publish: &lf_maven_javadoc_publish name: lf-maven-javadoc-publish ###################### @@ -310,7 +476,7 @@ disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + java-version: openjdk11 mvn-dir: "." mvn-global-settings: global-settings mvn-opts: "" @@ -420,7 +586,7 @@ github-hooks: true org-list: - "{github-org}" - white-list: "{obj:github_pr_whitelist}" + white-list: "{obj:github_pr_allowlist}" admin-list: "{obj:github_pr_admin_list}" white-list-target-branches: - "{branch}" @@ -429,7 +595,7 @@ # Maven Javadoc Verify # ######################## -- lf_maven_javadoc_verify: &lf_maven_javadoc_verify +- _lf_maven_javadoc_verify: &lf_maven_javadoc_verify name: lf-maven-javadoc-verify ###################### 
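Review bot: In the `gerrit-maven-snyk-cli` template the `run-snyk` comment trigger checks out `$GERRIT_REFSPEC` and runs `mvn-goals` while the `credentials-binding` wrapper exports `SNYK_TOKEN` and `SNYK_ORG`, so Maven plugins and tests from an unreviewed patch set run with both secrets in their environment. Log masking does not stop build code from reading the variables, so either restrict who may fire the comment trigger or use a token whose scope is limited to submitting scan results. In the GitHub template, `permit-all: true` sits next to `white-list` and `admin-list`, which appears to make the allowlist ineffective; that job checks out `refs/heads/{branch}`, so the impact there looks limited to anyone being able to start a scan. The `gerrit-maven-sonar-verify` template added later in this diff seems to have the same exposure through the `API_TOKEN` binding, and it fires on every new patch set.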
@@ -442,7 +608,7 @@ disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + java-version: openjdk11 mvn-dir: "." mvn-global-settings: global-settings mvn-opts: "" @@ -553,7 +719,7 @@ # Maven Merge # ############### -- lf_maven_merge: &lf_maven_merge +- _lf_maven_merge: &lf_maven_merge name: lf-maven-merge ###################### @@ -567,13 +733,20 @@ disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + jacoco-exclude-pattern: >- + **/gen/**, + **/generated-sources/**, + **/yang-gen**, + **/pax/**, + java-version: openjdk11 mvn-global-settings: global-settings mvn-goals: clean deploy mvn-opts: "" mvn-params: "-Dmerge" mvn-version: mvn35 nexus-cut-dirs: 6 # Number of dirs in the Nexus path to remove for wget -r. + pre-build-script: "# pre-build script goes here" + post-build-script: "# post-build script goes here" stream: master submodule-recursive: true submodule-timeout: 10 @@ -617,14 +790,17 @@ NEXUS_CUT_DIRS={nexus-cut-dirs} NEXUS_REPO={nexus-snapshot-repo} - shell: !include-raw-escape: ../shell/maven-fetch-metadata.sh + - shell: "{pre-build-script}" - lf-maven-build: mvn-goals: "{mvn-goals}" + - shell: "{post-build-script}" - lf-maven-deploy - lf-provide-maven-settings-cleanup publishers: - findbugs - - lf-jacoco-report + - lf-jacoco-report: + exclude-pattern: "{jacoco-exclude-pattern}" - lf-infra-publish - trigger-parameterized-builds: "{obj:post_build_trigger}" @@ -696,7 +872,7 @@ github-hooks: true org-list: - "{github-org}" - white-list: "{obj:github_pr_whitelist}" + white-list: "{obj:github_pr_allowlist}" admin-list: "{obj:github_pr_admin_list}" white-list-target-branches: - "{branch}" @@ -706,7 +882,7 @@ # Maven Merge for Docker # ########################## -- lf_maven_docker_merge: &lf_maven_docker_merge +- _lf_maven_docker_merge: &lf_maven_docker_merge name: lf-maven-docker-merge builders: 
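Review bot: The new `jacoco-exclude-pattern` default in `_lf_maven_merge` ends with a trailing comma (`**/pax/**,`), while the same default added to `_lf_maven_verify` and `_lf_maven_verify_dependencies` ends with `**/pax/**`. Because the value is a `>-` folded scalar, the rendered string ends in a comma, which may be read as an extra empty pattern depending on how the JaCoCo publisher splits the list. The `_lf_maven_sonar` defaults carry the same trailing comma. Dropping it in both places keeps the four defaults identical.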
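Review bot: The `{post-build-script}` step in the merge builders runs between `lf-maven-build` and `lf-maven-deploy`, so despite its name it executes before publication and can change what gets deployed. Both new shell steps also run ahead of `lf-provide-maven-settings-cleanup`, while the provided Maven settings (which typically hold repository credentials) are still on disk. Neither the placeholder defaults nor this hunk says so; I would add a comment above the steps such as `# Runs with Maven settings provisioned; anything post-build-script changes is deployed as-is`. The `_lf_maven_verify` builders gain the same two steps in the same position relative to the settings cleanup. The builders list starts outside this hunk.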
@@ -807,7 +983,7 @@ github-hooks: true org-list: - "{github-org}" - white-list: "{obj:github_pr_whitelist}" + white-list: "{obj:github_pr_allowlist}" admin-list: "{obj:github_pr_admin_list}" white-list-target-branches: - "{branch}" @@ -817,7 +993,7 @@ # Maven Stage # ############### -- lf_maven_stage: &lf_maven_stage +- _lf_maven_stage: &lf_maven_stage name: lf-maven-stage ###################### @@ -827,11 +1003,11 @@ branch: master build-days-to-keep: 30 # 30 days in case a release takes long to get approved. build-timeout: 60 - cron: "@daily" + cron: "" disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + java-version: openjdk11 maven-versions-plugin: false version-properties-file: version.properties mvn-central: false @@ -842,6 +1018,10 @@ mvn-version: mvn35 ossrh-profile-id: "" mvn-pom: "" + sbom-flags: "" + sbom-path: "$WORKSPACE" + sbom-generator: false + sbom-generator-version: "v0.0.15" sign-artifacts: false sign-mode: serial stream: master @@ -889,6 +1069,14 @@ name: STAGING_PROFILE_ID default: "{staging-profile-id}" description: Nexus staging profile ID. + - string: + name: SBOM_GENERATOR_VERSION + default: "{sbom-generator-version}" + description: SBOM generator version to download and run. + - string: + name: SBOM_PATH + default: "{sbom-path}" + description: path where SBOM needs to be executed. builders: - lf-infra-pre-build @@ -909,6 +1097,14 @@ - shell: !include-raw-escape: ../shell/maven-patch-release.sh - lf-maven-build: mvn-goals: "{mvn-goals}" + # With SBOM Generator + - conditional-step: + condition-kind: boolean-expression + condition-expression: "{sbom-generator}" + steps: + - shell: echo 'Running SBOM Generator' + - lf-infra-maven-sbom-generator: + sbom-flags: "{sbom-flags}" - lf-sigul-sign-dir: sign-artifacts: "{sign-artifacts}" sign-dir: "$WORKSPACE/m2repo" 
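Review bot: `SBOM_GENERATOR_VERSION` is exposed as a build parameter described as the version "to download and run", and the stage job runs the generator right before `lf-sigul-sign-dir`, so whatever is fetched executes in the workspace that is about to be signed. The script `../shell/sbom-generator.sh` is not part of this diff; if it does not already verify a checksum or signature for the pinned `v0.0.15` release, that check belongs there. It is also worth deciding whether the version needs to be overridable per build at all, or whether the template default is enough. The Docker stage template gains the same conditional step, so the same applies there.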
@@ -995,7 +1191,7 @@ # Maven Stage for Docker # ########################## -- lf_maven_docker_stage: &lf_maven_docker_stage +- _lf_maven_docker_stage: &lf_maven_docker_stage name: lf-maven-docker-stage builders: @@ -1025,6 +1221,14 @@ CONTAINER_PUSH_REGISTRY={container-staging-registry} - lf-maven-build: mvn-goals: "{mvn-goals}" + # With SBOM Generator + - conditional-step: + condition-kind: boolean-expression + condition-expression: "{sbom-generator}" + steps: + - shell: echo 'Running SBOM Generator' + - lf-infra-maven-sbom-generator: + sbom-flags: "{sbom-flags}" - lf-sigul-sign-dir: sign-artifacts: "{sign-artifacts}" sign-dir: "$WORKSPACE/m2repo" @@ -1112,7 +1316,7 @@ # Maven Sonar # ############### -- lf_maven_sonar: &lf_maven_sonar +- _lf_maven_sonar: &lf_maven_sonar name: lf-maven-sonar ###################### @@ -1126,7 +1330,12 @@ disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + jacoco-exclude-pattern: >- + **/gen/**, + **/generated-sources/**, + **/yang-gen**, + **/pax/**, + java-version: openjdk11 java-opts: "" mvn-global-settings: global-settings mvn-goals: clean install @@ -1137,10 +1346,10 @@ sonarcloud: false sonarcloud-project-key: "" sonarcloud-project-organization: "" - sonarcloud-api-token: "" - # SonarCloud scan using jdk8 will become deprecated by Oct, 2020 - # Projects not compatible with jdk11 can set java-version to something else - sonarcloud-java-version: openjdk11 + sonarcloud-api-token-cred-id: sonarcloud-api-token + sonarcloud-qualitygate-wait: false + # Projects not compatible with jdk17 can set java-version to something else + sonarcloud-java-version: openjdk17 stream: master submodule-recursive: true submodule-timeout: 10 
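Review bot: The rewritten comment above `sonarcloud-java-version` tells projects to "set java-version to something else", but the key it documents is `sonarcloud-java-version`; I would change it to `# Projects not compatible with jdk17 can set sonarcloud-java-version to something else`. Separately, `sonarcloud-api-token` is replaced by `sonarcloud-api-token-cred-id`, so a project that still sets the old key will presumably have it ignored and fall back to the `sonarcloud-api-token` credential ID. A short migration comment next to the new default would help, and tokens that were previously stored as plain job parameters are worth rotating.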
@@ -1183,6 +1392,12 @@ however to use a specific version of the sonar-maven-plugin we can call "org.codehaus.mojo:sonar-maven-plugin:3.3.0.603:sonar". + wrappers: + - credentials-binding: + - text: + credential-id: "{sonarcloud-api-token-cred-id}" + variable: API_TOKEN + triggers: - timed: "{obj:cron}" - gerrit: @@ -1201,11 +1416,12 @@ notbuilt: true publishers: - - lf-jacoco-report + - lf-jacoco-report: + exclude-pattern: "{jacoco-exclude-pattern}" - findbugs - lf-infra-publish -- mvn_sonar_builders: &mvn_sonar_builders +- _mvn_sonar_builders: &mvn_sonar_builders name: mvn-sonar-builders builders: - lf-infra-pre-build @@ -1222,8 +1438,8 @@ mvn-version: "{mvn-version}" sonarcloud-project-key: "{sonarcloud-project-key}" sonarcloud-project-organization: "{sonarcloud-project-organization}" - sonarcloud-api-token: "{sonarcloud-api-token}" sonarcloud-java-version: "{sonarcloud-java-version}" + sonarcloud-qualitygate-wait: "{sonarcloud-qualitygate-wait}" scan-dev-branch: "{scan-dev-branch}" # With SonarQube - conditional-step: @@ -1239,7 +1455,7 @@ mvn-settings: "{mvn-settings}" mvn-version: "{mvn-version}" -- mvn_sonar_builders_prescan_script: &mvn_sonar_builders_prescan_script +- _mvn_sonar_builders_prescan_script: &mvn_sonar_builders_prescan_script name: mvn-sonar-builders-prescan-script builders: - shell: "{sonar-prescan-script}" @@ -1257,8 +1473,8 @@ mvn-version: "{mvn-version}" sonarcloud-project-key: "{sonarcloud-project-key}" sonarcloud-project-organization: "{sonarcloud-project-organization}" - sonarcloud-api-token: "{sonarcloud-api-token}" sonarcloud-java-version: "{sonarcloud-java-version}" + sonarcloud-qualitygate-wait: "{sonarcloud-qualitygate-wait}" scan-dev-branch: "{scan-dev-branch}" # With SonarQube - conditional-step: 
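Review bot: The new `wrappers:` key sits in an anchor that the job templates combine with `<<: *lf_maven_common` through a second merge key, and a YAML merge is shallow, so only one `wrappers` value can survive rather than the two lists being joined. `_lf_maven_common` is outside this diff; if it also defines `wrappers` (for example a build-timeout wrapper), confirm in the rendered job XML that it is still present alongside `credentials-binding`. The `wrappers:` block added to `_lf_maven_snyk_cli` raises the same question. If the common wrapper is lost, list it explicitly above `credentials-binding` in both anchors.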
@@ -1274,6 +1490,16 @@ mvn-settings: "{mvn-settings}" mvn-version: "{mvn-version}" +- builder: + name: lf-infra-maven-sbom-generator + # Run Maven goals and trigger SPDX SBOM Generator tool + builders: + - inject: + properties-content: | + SBOM_FLAGS={sbom-flags} + - shell: !include-raw-escape: + - ../shell/sbom-generator.sh + - builder: name: lf-infra-maven-sonar # Run a Sonar build with Maven @@ -1310,9 +1536,9 @@ PROJECT_KEY={sonarcloud-project-key} PROJECT_ORGANIZATION={sonarcloud-project-organization} MAVEN_GOALS={mvn-goals} - API_TOKEN={sonarcloud-api-token} SONARCLOUD_JAVA_VERSION={sonarcloud-java-version} SCAN_DEV_BRANCH={scan-dev-branch} + SONARCLOUD_QUALITYGATE_WAIT={sonarcloud-qualitygate-wait} - lf-provide-maven-settings: global-settings-file: global-settings settings-file: "{mvn-settings}" 
@@ -1340,6 +1566,54 @@ submodule-disable: "{submodule-disable}" choosing-strategy: default +- job-template: + name: "{project-name}-sonar-verify" + id: gerrit-maven-sonar-verify + <<: *lf_maven_common + # yamllint disable-line rule:key-duplicates + <<: *lf_maven_sonar + <<: *mvn_sonar_builders + + sonarcloud: true + scan-dev-branch: true + sonarcloud-qualitygate-wait: false + + gerrit_sonar_triggers: + - patchset-created-event: + exclude-drafts: true + exclude-trivial-rebase: false + exclude-no-code-change: false + - draft-published-event + - comment-added-contains-event: + comment-contains-value: '^Patch Set\s+\d+:\s+(recheck|reverify)\s*$' + + gerrit_trigger_file_paths: + - compare-type: REG_EXP + pattern: ".*" + + triggers: + - gerrit: + server-name: "{gerrit-server-name}" + trigger-on: "{obj:gerrit_sonar_triggers}" + projects: + - project-compare-type: "ANT" + project-pattern: "{project}" + branches: + - branch-compare-type: "ANT" + branch-pattern: "**/{branch}" + file-paths: "{obj:gerrit_trigger_file_paths}" + + scm: + - lf-infra-gerrit-scm: + jenkins-ssh-credential: "{jenkins-ssh-credential}" + git-url: "{git-url}" + refspec: $GERRIT_REFSPEC + branch: $GERRIT_BRANCH + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" + choosing-strategy: gerrit + - job-template: name: "{project-name}-sonar-prescan-script" id: gerrit-maven-sonar-prescan-script @@ -1393,7 +1667,7 @@ github-hooks: true org-list: - "{github-org}" - white-list: "{obj:github_pr_whitelist}" + white-list: "{obj:github_pr_allowlist}" admin-list: "{obj:github_pr_admin_list}" white-list-target-branches: - "{branch}" @@ -1433,7 +1707,7 @@ github-hooks: true org-list: - "{github-org}" - white-list: "{obj:github_pr_whitelist}" + white-list: "{obj:github_pr_allowlist}" admin-list: "{obj:github_pr_admin_list}" white-list-target-branches: - "{branch}" 
@@ -1442,7 +1716,7 @@ # Maven Verify # ################ -- lf_maven_verify: &lf_maven_verify +- _lf_maven_verify: &lf_maven_verify name: lf-maven-verify ###################### @@ -1455,12 +1729,19 @@ disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + jacoco-exclude-pattern: >- + **/gen/**, + **/generated-sources/**, + **/yang-gen**, + **/pax/** + java-version: openjdk11 mvn-global-settings: global-settings mvn-goals: clean deploy mvn-opts: "" mvn-params: "-Dstream=$STREAM -Dmaven.source.skip=true" mvn-version: mvn35 + pre-build-script: "# pre-build script goes here" + post-build-script: "# post-build script goes here" stream: master submodule-recursive: true submodule-timeout: 10 @@ -1500,13 +1781,16 @@ - lf-provide-maven-settings: global-settings-file: "{mvn-global-settings}" settings-file: "{mvn-settings}" + - shell: "{pre-build-script}" - lf-maven-build: mvn-goals: "{mvn-goals}" + - shell: "{post-build-script}" - lf-provide-maven-settings-cleanup publishers: - findbugs - - lf-jacoco-report + - lf-jacoco-report: + exclude-pattern: "{jacoco-exclude-pattern}" - lf-infra-publish - job-template: @@ -1578,7 +1862,7 @@ # Maven Verify for Docker # ########################### -- lf_maven_docker_verify: &lf_maven_docker_verify +- _lf_maven_docker_verify: &lf_maven_docker_verify name: lf-maven-docker-verify # image push not allowed during verification @@ -1678,7 +1962,7 @@ # Maven Verify Dependencies # ############################# -- lf_maven_verify_dependencies: &lf_maven_verify_dependencies +- _lf_maven_verify_dependencies: &lf_maven_verify_dependencies name: lf-maven-verify-dependencies ###################### 
@@ -1691,7 +1975,12 @@ disable-job: false git-url: "$GIT_URL/$PROJECT" github-url: "https://github.com" - java-version: openjdk8 + jacoco-exclude-pattern: >- + **/gen/**, + **/generated-sources/**, + **/yang-gen**, + **/pax/** + java-version: openjdk11 mvn-global-settings: global-settings mvn-goals: clean deploy mvn-opts: "" @@ -1736,7 +2025,8 @@ publishers: - findbugs - - lf-jacoco-report + - lf-jacoco-report: + exclude-pattern: "{jacoco-exclude-pattern}" - lf-infra-publish - job-template: