Merge pull request #19 from cryptomator/feature/reproducible-builds

Reproducible Builds

Author: overheadhunter

.github/release.yml

@@ -0,0 +1,23 @@
+# .github/release.yml
+# see https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuring-automatically-generated-release-notes
+
+changelog:
+  exclude:
+    authors:
+      - cryptobot
+      - dependabot
+      - github-actions
+  categories:
+    - title: What's New 🎉
+      labels:
+        - enhancement
+    - title: Bugfixes 🐛
+      labels:
+        - bug
+    - title: Other Changes 📎
+      labels:
+        - "*"
+      exclude:
+        labels:
+          - bug
+          - enhancement

.github/workflows/build.yml

@@ -12,8 +12,8 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-java@v3
         with:
-          java-version: 11
-          distribution: 'temurin'
+          java-version: 21
+          distribution: 'zulu'
           cache: 'maven'
       - name: Cache SonarCloud packages
         uses: actions/cache@v3
@@ -23,11 +23,10 @@ jobs:
           restore-keys: ${{ runner.os }}-sonar
       - name: Ensure to use tagged version
         if: startsWith(github.ref, 'refs/tags/')
-        run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
+        run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
-        id: buildAndTest
         run: >
-          mvn -B verify
+          ./mvnw -B verify
           jacoco:report
           org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
           -Pcoverage,dependency-check
@@ -41,12 +40,33 @@ jobs:
         with:
           name: artifacts
           path: target/*.jar
+      - name: Calculate Checksums
+        id: checksums
+        run: |
+          {
+            echo 'sha256<<EOF'
+            shasum -a256 target/*.jar
+            echo EOF
+          } >> $GITHUB_OUTPUT
       - name: Create Release
-        uses: actions/create-release@v1 # NOTE: action is unmaintained and archived
         if: startsWith(github.ref, 'refs/tags/')
-        env:
-          GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} # release as "cryptobot"
+        uses: softprops/action-gh-release@v1
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
-          prerelease: true
+          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          body: |-
+            ## Maven Coordinates
+            ```xml
+              <dependency>
+                <groupId>org.cryptomator</groupId>
+                <artifactId>siv-mode</artifactId>
+                <version>${{ github.ref_name }}</version>
+              </dependency>
+            ```
+
+            ## Artifact Checksums
+            ```txt
+            ${{ steps.checksums.outputs.sha256 }}
+            ```
+
+            See [README.md](../#reproducible-builds) section regarding reproducing this build.
+          generate_release_notes: true

.github/workflows/codeql-analysis.yml

@@ -20,14 +20,14 @@ jobs:
         fetch-depth: 2
     - uses: actions/setup-java@v3
       with:
-        java-version: 11
-        distribution: 'temurin'
+        java-version: 21
+        distribution: 'zulu'
         cache: 'maven'
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v2
       with:
         languages: java
     - name: Build and Test
-      run: mvn -B install -DskipTests
+      run: ./mvnw -B install -DskipTests
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v2

.github/workflows/publish-central.yml

@@ -15,18 +15,20 @@ jobs:
           ref: "refs/tags/${{ github.event.inputs.tag }}"
       - uses: actions/setup-java@v3
         with:
-          java-version: 11
-          distribution: 'temurin'
+          java-version: 21
+          distribution: 'zulu'
           cache: 'maven'
           server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: MAVEN_USERNAME # env variable for username in deploy
           server-password: MAVEN_PASSWORD # env variable for token in deploy
           gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
-      - name: Enforce project version ${{ github.event.inputs.tag }}
-        run: mvn versions:set -B -DnewVersion=${{ github.event.inputs.tag }}
+      - name: Verify project version = ${{ github.event.release.tag_name }}
+        run: |
+          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
+          test "$PROJECT_VERSION" = "${{ github.event.release.tag_name }}"
       - name: Deploy
-        run: mvn deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
+        run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}

.github/workflows/publish-github.yml

@@ -10,15 +10,17 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-java@v3
         with:
-          java-version: 11
-          distribution: 'temurin'
+          java-version: 21
+          distribution: 'zulu'
           cache: 'maven'
           gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
-      - name: Enforce project version ${{ github.event.release.tag_name }}
-        run: mvn versions:set -B -DnewVersion=${{ github.event.release.tag_name }}
+      - name: Verify project version = ${{ github.event.release.tag_name }}
+        run: |
+          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
+          test "$PROJECT_VERSION" = "${{ github.event.release.tag_name }}"
       - name: Deploy
-        run: mvn deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
+        run: ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}

.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar

README.md

@@ -53,7 +53,7 @@ public void encryptWithAssociatedData() {
 </dependencies>
 ```
 
-## JPMS
+## Java Module
 
 From version 1.3.2 onwards this library is an explicit module with the name `org.cryptomator.siv`. You can use it by adding the following line to your `module-info.java`.
 
@@ -63,11 +63,15 @@ requires org.cryptomator.siv;
 
 Because BouncyCastle classes are shaded, this library only depends on `java.base`.
 
-## Building
+## Reproducible Builds
 
-This is a Maven project. To build it, run `mvn clean install`.
+This is a Maven project that can be built using `mvn install`. However, if you want to build this reproducibly, please make sure:
 
-Requires JDK 11.0.3 or newer at build time due to JPMS support.
+1. Use the same build environment
+    * The same [JDK as our CI builds](https://github.com/cryptomator/siv-mode/blob/develop/.github/workflows/build.yml#L15-L16)
+    * Ideally the same same arch and OS (x86_64 Linux)
+    * Same locale (en_US) and linebreaks (POSIX)
+2. Use `./mvnw install` instead (or `./mvnw verify` or `./mvnw package -DskipTests`, depending on your intentions)
 
 ## License
 Distributed under the MIT X Consortium license. See the LICENSE file for more info.