HHH-18488 Configure archive tasks to produce reproducible archives

marko-bekhta · sebersole · commit e87a64d976ba · 2024-08-28T10:36:21.000-05:00
diff --git a/build.gradle b/build.gradle
@@ -38,7 +38,6 @@ plugins {
 
 apply from: file( 'gradle/module.gradle' )
 
-
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Release Task
 
diff --git a/ci/compare-build-results.sh b/ci/compare-build-results.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# This is a simple script to check if builds are reproducible. The steps are:
+# 1. Build ORM with `./gradlew --no-daemon clean publishToMavenLocal --no-build-cache -Dmaven.repo.local=some-path/out/build1`
+# 2. Build ORM with `./gradlew --no-daemon clean publishToMavenLocal --no-build-cache -Dmaven.repo.local=some-path/out/build2` second time pointing to a different local maven repository to publish
+# 3. Compare the build results with sh ./ci/compare-build-results.sh some-path/out/build1 some-path/out/build2
+# 4. The generated .buildcompare file will also contain the diffscope commands to see/compare the problematic build artifacts
+
+outputDir1=$1
+outputDir2=$2
+outputDir1=${outputDir1%/}
+outputDir2=${outputDir2%/}
+
+ok=()
+okFiles=()
+ko=()
+koFiles=()
+
+for f in `find ${outputDir1} -type f | grep -v "javadoc.jar$" | grep -v "maven-metadata-local.xml$" | sort`
+do
+  flocal=${f#$outputDir1}
+  #  echo "comparing ${flocal}"
+  sha1=`shasum -a 512 $f | cut -f 1 -d ' '`
+  sha2=`shasum -a 512 $outputDir2$flocal | cut -f 1 -d ' '`
+  #  echo "$sha1"
+  #  echo "$sha2"
+  if [ "$sha1" = "$sha2" ]; then
+    ok+=($flocal)
+    okFiles+=(${flocal##*/})
+  else
+    ko+=($flocal)
+    koFiles+=(${flocal##*/})
+  fi
+done
+
+# generate .buildcompare
+buildcompare=".buildcompare"
+echo "ok=${#ok[@]}" >> ${buildcompare}
+echo "ko=${#ko[@]}" >> ${buildcompare}
+echo "okFiles=\"${okFiles[@]}\"" >> ${buildcompare}
+echo "koFiles=\"${koFiles[@]}\"" >> ${buildcompare}
+echo "" >> ${buildcompare}
+echo "# see what caused the mismatch in the checksum by executing the following diffscope commands" >> ${buildcompare}
+for f in ${ko[@]}
+do
+  echo "# diffoscope $outputDir1$f $outputDir2$f" >> ${buildcompare}
+done
+
+if [ ${#ko[@]} -eq 0 ]; then
+    exit 0
+else
+   exit 1
+fi
diff --git a/gradle/java-module.gradle b/gradle/java-module.gradle
@@ -57,6 +57,15 @@ if ( !project.description ) {
 	project.description = "The Hibernate ORM $project.name module"
 }
 
+// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+// Reproducible Builds
+
+// https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
+// Configure archive tasks to produce reproducible archives:
+tasks.withType(AbstractArchiveTask).configureEach {
+	preserveFileTimestamps = false
+	reproducibleFileOrder = true
+}
 
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Configurations and Dependencies
diff --git a/tooling/hibernate-gradle-plugin/hibernate-gradle-plugin.gradle b/tooling/hibernate-gradle-plugin/hibernate-gradle-plugin.gradle
@@ -57,6 +57,10 @@ gradlePlugin {
 	}
 }
 
+tasks.withType(AbstractArchiveTask).configureEach {
+	preserveFileTimestamps = false
+	reproducibleFileOrder = true
+}
 
 test {
 	useJUnitPlatform()
@@ -153,4 +157,4 @@ gradle.taskGraph.whenReady { tg ->
 			}
 		}
 	}
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,10 @@ gradlePlugin {`
`57`	`57`	`}`
`58`	`58`	`}`
`59`	`59`
	`60`	`+tasks.withType(AbstractArchiveTask).configureEach {`
	`61`	`+ preserveFileTimestamps = false`
	`62`	`+ reproducibleFileOrder = true`
	`63`	`+}`
`60`	`64`
`61`	`65`	`test {`
`62`	`66`	`useJUnitPlatform()`
`@@ -153,4 +157,4 @@ gradle.taskGraph.whenReady { tg ->`
`153`	`157`	`}`
`154`	`158`	`}`
`155`	`159`	`}`
`156`		`-}`
	`160`	`+}`