diff --git a/pipelines/build/common/build_base_file.groovy b/pipelines/build/common/build_base_file.groovy index a5b350595..656ca5ee6 100644 --- a/pipelines/build/common/build_base_file.groovy +++ b/pipelines/build/common/build_base_file.groovy @@ -747,6 +747,40 @@ class Builder implements Serializable { return true } + /* + Call job to do post task. For now enable sbom sign + */ + def postStage() { + context.stage('post-build') { + //Job name need to discuss + context.println "Post build - parallel post tasks, e.g. sbom sign" + def postBuildJob = context.build job: 'Sophia_pipeline', + parameters: [ + context.string(name: 'UPSTREAM_JOB_NAME', value: env.JOB_NAME), + context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${currentBuild.getNumber()}") + ] + context.node('worker') { + // Remove any previous workspace artifacts + context.sh 'rm -rf *.json || true' + context.copyArtifacts( + projectName: 'Sophia_pipeline', + selector: context.specific("${postBuildJob.getNumber()}"), + filter: '*.json', + fingerprintArtifacts: true, + target: 'sbom/', + flatten: true) + + // Archive signed sbom in Jenkins + try { + context.timeout(time: pipelineTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT, unit: 'HOURS') { + context.archiveArtifacts artifacts: "sbom/*.json" + } + } catch (FlowInterruptedException e) { + throw new Exception("[ERROR] Archive artifact timeout (${pipelineTimeouts.ARCHIVE_ARTIFACTS_TIMEOUT} HOURS) for Sophia_pipeline has been reached. Exiting...") + } + } + } + } /* Call job to push artifacts to github. Usually it's only executed on a nightly build @@ -933,7 +967,12 @@ class Builder implements Serializable { } } context.parallel jobs - + + try { + postStage() + } catch (Exception e) { + context.println(e.message) + } // publish to github if needed // Don't publish release automatically if (publish && !release) { diff --git a/tools/post-build/Jenkinsfile b/tools/post-build/Jenkinsfile new file mode 100644 index 000000000..d74a34d16 --- /dev/null 
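Review bot: The workspace cleanup and the copy target in postStage disagree: `context.sh 'rm -rf *.json || true'` clears JSON files in the workspace root, but copyArtifacts writes into `sbom/` and `context.archiveArtifacts artifacts: "sbom/*.json"` then archives whatever that directory holds, so a signed SBOM left by an earlier build on the same worker would be archived as if it belonged to this build; clean the real target, `context.sh 'rm -rf sbom/*.json || true'`. `env.JOB_NAME` and `currentBuild.getNumber()` are also referenced bare while every other step in this class goes through `context.`; inside a shared-library class they are presumably only reachable as `context.env.JOB_NAME` and `context.currentBuild.number`, so this is worth confirming before the stage first runs. The hard-coded `'Sophia_pipeline'` appears twice next to a `//Job name need to discuss` comment; a single constant or parameter would keep the trigger and the copyArtifacts source from drifting apart.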
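Review bot: Wrapping `postStage()` in `catch (Exception e) { context.println(e.message) }` makes a failed, missing or timed-out signing run invisible: the build stays green and the publish step that follows still runs, so a release could ship whose SBOM was never signed. At minimum mark the outcome in the catch, e.g. `context.currentBuild.result = 'UNSTABLE'`, and when `release` is set rethrow so the signature is a gate rather than best-effort; printing only `e.message` also drops the cause, so log the exception itself. The enclosing method starts and ends outside this hunk.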
+++ b/tools/post-build/Jenkinsfile 
@@ -0,0 +1,62 @@
+NODE_LABEL = 'dockerBuild&&linux&&x64&&gpgsign'
+
+pipeline {
+ agent none
+ parameters {
+ string(name: 'UPSTREAM_JOB_NAME', defaultValue: '', description: 'Pipeline job with sbom files')
+ string(name: 'UPSTREAM_JOB_NUMBER', defaultValue: '', description: 'Pipeline job number')
+
+ }
+ stages {
+ stage('Post-Build') {
+ parallel {
+ stage('sbomSign') {
+ agent {
+ label NODE_LABEL
+ }
+ steps {
+ sbomSign()
+ }
+ }
+ }
+ }
+ }
+}
+
+def sbomSign() {
+ cleanWs()
+ docker.image('adoptopenjdk/centos7_build_image').inside {
+ checkout scm
+ checkout([$class: 'GitSCM', branches: [[name: 'master']], doGenerateSubmoduleConfigurations: false, extensions: [[$class: 'RelativeTargetDirectory', relativeTargetDir: "sbomSign"]], submoduleCfg: [], userRemoteConfigs: [[url: "/~https://github.com/adoptium/temurin-build.git"]]])
+ copyArtifacts excludes: '**/OpenJDK*-sbom*metadata.json',
+ filter: '**/OpenJDK*-sbom*.json',
+ fingerprintArtifacts: true,
+ flatten: true,
+ projectName: "${params.UPSTREAM_JOB_NAME}",
+ target: 'sbom/',
+ selector: specific("${params.UPSTREAM_JOB_NUMBER}")
+ withCredentials([file(credentialsId: 'adoptium-artifactory-gpg-key', variable: 'PRIVATE_GPG_KEY')]) {
+ withEnv(['PRIVATE_GPG_KEY='+${PRIVATE_GPG_KEY}]) {
+ script {
+ dir("sbomSign/cyclonedx-lib") {
+ sh label: 'build-sign-sbom', script: '''
+ JAVA_HOME=/usr/lib/jvm/jdk-17 ant clean
+ JAVA_HOME=/usr/lib/jvm/jdk-17 ant build-sign-sbom
+ '''
+ }
+ def sbomFiles = findFiles(glob: "**/OpenJDK*-sbom*.json")
+ for (def sbomFile: sbomFiles) {
+ def sbomFileName = sbomFile.path
+ def classPath = "sbomSign/cyclonedx-lib/build/jar/*"
+ sh label: 'sign-sbom', script: """
+ /usr/lib/jvm/jdk-17/bin/java -cp "${classPath}" temurin.sbom.TemurinSignSBOM --signSBOM --jsonFile ${sbomFileName} --privateKeyFile ./sbomSign/cyclonedx-lib/testPrivateFile
+ /usr/lib/jvm/jdk-17/bin/java -cp "${classPath}" temurin.sbom.TemurinSignSBOM --verifySignature --jsonFile ${sbomFileName} --publicKeyFile ./sbomSign/cyclonedx-lib/publicPemFile
+ """
+ }
+ }
+ }// some block
+ }
+
+ archiveArtifacts artifacts: "**/OpenJDK*-sbom*.json"
+ }
+}
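Review bot: The signing step never uses the GPG credential it requests: `--privateKeyFile ./sbomSign/cyclonedx-lib/testPrivateFile` signs with a test key checked into the repository and `--publicKeyFile ./sbomSign/cyclonedx-lib/publicPemFile` verifies against its public half, so the resulting signature proves nothing (anyone with the repo can produce one) while the withCredentials block is dead weight; the `withEnv(['PRIVATE_GPG_KEY='+${PRIVATE_GPG_KEY}])` line presumably does not even parse outside a string and can go once the sign command reads `--privateKeyFile "\$PRIVATE_GPG_KEY"` directly and the verify step uses the matching published public key. The signing tool itself is fetched at run time from `branches: [[name: 'master']]` of the temurin-build GitHub URL and then executed inside the block that holds the signing key, so it should be pinned to a tag or commit rather than a moving branch. `${sbomFileName}` and `${classPath}` are Groovy-interpolated into the triple-quoted shell script, which means a file name taken from the upstream job's artifacts reaches the shell unquoted; pass them through the environment and quote them, `"\$SBOM_FILE"`, instead. Finally `projectName: "${params.UPSTREAM_JOB_NAME}"` accepts any job a caller names, so once the real key is wired in this job becomes a signing oracle for arbitrary artifacts — restrict UPSTREAM_JOB_NAME to the known build pipeline(s) before merging.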