Built: improve reproducible archive files (#2432)

snazy · web-flow · commit 00ca832734c0 · 2025-08-27T10:43:17.000-04:00
As part of the effort for #2204, this change fixes a few aspects around reproducible builds: Some Gradle projects produce archive files, but don't get the necessary Gradle archive-tasks settings applied: one not-published project but also the tarball&zip of the distribution. This change moves the logic to the new build-plugin `polaris-reproducible`. Another change is to have some Quarkus generated jar files adhere to the same conventions, which are constant timestamps for the zip entries and a deterministic order of the entries. That's sadly not a full fix, as the classes that are generated or instumented by Quarkus differ in each build. Contributes to #2204
diff --git a/build-logic/src/main/kotlin/Utilities.kt b/build-logic/src/main/kotlin/Utilities.kt
@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+import java.io.File
+import java.io.FileOutputStream
+import java.nio.file.attribute.FileTime
+import java.util.zip.ZipFile
+import java.util.zip.ZipOutputStream
 import org.gradle.api.Project
 import org.gradle.process.JavaForkOptions
 
@@ -61,3 +66,41 @@ fun JavaForkOptions.addSparkJvmOptions() {
         "-Djdk.reflect.useDirectMethodHandle=false",
       )
 }
+
+/**
+ * Rewrites the given ZIP file.
+ *
+ * The timestamps of all entries are set to `1980-02-01 00:00`, zip entries appear in a
+ * deterministic order.
+ */
+fun makeZipReproducible(source: File) {
+  val t = FileTime.fromMillis(318211200_000) // 1980-02-01 00:00 GMT
+
+  val outFile = File(source.absolutePath + ".tmp.out")
+
+  val names = mutableListOf<String>()
+  ZipFile(source).use { zip -> zip.stream().forEach { e -> names.add(e.name) } }
+  names.sort()
+
+  ZipOutputStream(FileOutputStream(outFile)).use { dst ->
+    ZipFile(source).use { zip ->
+      names.forEach { n ->
+        val e = zip.getEntry(n)
+        zip.getInputStream(e).use { src ->
+          e.setCreationTime(t)
+          e.setLastAccessTime(t)
+          e.setLastModifiedTime(t)
+          dst.putNextEntry(e)
+          src.copyTo(dst)
+          dst.closeEntry()
+          src.close()
+        }
+      }
+    }
+  }
+
+  val origFile = File(source.absolutePath + ".tmp.orig")
+  source.renameTo(origFile)
+  outFile.renameTo(source)
+  origFile.delete()
+}
diff --git a/build-logic/src/main/kotlin/polaris-java.gradle.kts b/build-logic/src/main/kotlin/polaris-java.gradle.kts
@@ -34,6 +34,7 @@ plugins {
   `jvm-test-suite`
   checkstyle
   id("polaris-spotless")
+  id("polaris-reproducible")
   id("jacoco-report-aggregation")
   id("net.ltgt.errorprone")
 }
@@ -253,9 +254,20 @@ configurations.all {
     }
 }
 
-// ensure jars conform to reproducible builds
-// (https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives)
-tasks.withType<AbstractArchiveTask>().configureEach {
-  isPreserveFileTimestamps = false
-  isReproducibleFileOrder = true
+if (plugins.hasPlugin("io.quarkus")) {
+  tasks.named("quarkusBuild") {
+    actions.addLast {
+      listOf(
+          "quarkus-app/quarkus-run.jar",
+          "quarkus-app/quarkus/generated-bytecode.jar",
+          "quarkus-app/quarkus/transformed-bytecode.jar",
+        )
+        .forEach { name ->
+          val file = project.layout.buildDirectory.get().file(name).asFile
+          if (file.exists()) {
+            makeZipReproducible(file)
+          }
+        }
+    }
+  }
 }
diff --git a/build-logic/src/main/kotlin/polaris-reproducible.gradle.kts b/build-logic/src/main/kotlin/polaris-reproducible.gradle.kts
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+// ensure jars conform to reproducible builds
+// (https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives)
+tasks.withType<AbstractArchiveTask>().configureEach {
+  isPreserveFileTimestamps = false
+  isReproducibleFileOrder = true
+}
diff --git a/runtime/distribution/build.gradle.kts b/runtime/distribution/build.gradle.kts
@@ -23,6 +23,7 @@ import publishing.PublishingHelperPlugin
 plugins {
     id("distribution")
     id("signing")
+    id("polaris-reproducible")
 }
 
 description = "Apache Polaris Binary Distribution"
diff --git a/tools/config-docs/site/build.gradle.kts b/tools/config-docs/site/build.gradle.kts
@@ -19,6 +19,7 @@
 
 plugins {
   `java-library`
+  id("polaris-reproducible")
 }
 
 description = "Polaris site - reference docs"

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ import publishing.PublishingHelperPlugin`
`23`	`23`	`plugins {`
`24`	`24`	`id("distribution")`
`25`	`25`	`id("signing")`
	`26`	`+ id("polaris-reproducible")`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`description = "Apache Polaris Binary Distribution"`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`
`20`	`20`	`plugins {`
`21`	`21`	`java-library`
	`22`	`+ id("polaris-reproducible")`
`22`	`23`	`}`
`23`	`24`
`24`	`25`	`description = "Polaris site - reference docs"`