copying sboms to dist
where the build server hopefully will find them
Bug: 283119819
Test: ./gradlew exportSboms && find ../../out/dist/sboms -type f
Test: Treehugger runs busytown/androidx_incremental.sh
Change-Id: I501111cd88f40962a54158efc0d24bafefa74ba7
diff --git a/buildSrc/private/src/main/kotlin/androidx/build/sbom/Sbom.kt b/buildSrc/private/src/main/kotlin/androidx/build/sbom/Sbom.kt
index 5836ed8..669aa02 100644
--- a/buildSrc/private/src/main/kotlin/androidx/build/sbom/Sbom.kt
+++ b/buildSrc/private/src/main/kotlin/androidx/build/sbom/Sbom.kt
@@ -21,6 +21,7 @@
import androidx.build.GMavenZipTask
import androidx.build.ProjectLayoutType
import androidx.build.addToBuildOnServer
+import androidx.build.getDistributionDirectory
import androidx.build.getPrebuiltsRoot
import androidx.build.getSupportRootFolder
import androidx.build.gitclient.MultiGitClient
@@ -34,6 +35,7 @@
import org.gradle.api.Project
import org.gradle.api.artifacts.Configuration
import org.gradle.api.artifacts.ModuleVersionIdentifier
+import org.gradle.api.tasks.Copy
import org.gradle.api.tasks.bundling.AbstractArchiveTask
import org.gradle.api.tasks.bundling.Zip
import org.gradle.jvm.tasks.Jar
@@ -201,6 +203,8 @@
/** Enables the publishing of an sbom that lists our embedded dependencies */
fun Project.configureSbomPublishing() {
val uuid = project.coordinatesToUUID().toString()
+ val projectName = project.name
+ val projectVersion = project.version.toString()
project.configurations.create(sbomEmptyConfiguration)
project.apply(plugin = "org.spdx.sbom")
@@ -209,9 +213,30 @@
val supportRootDir = getSupportRootFolder()
val allowPublicRepos = System.getenv("ALLOW_PUBLIC_REPOS") != null
+ val sbomPublishDir = project.getSbomPublishDir()
+
+ val sbomBuiltFile = project.layout.buildDirectory.file(
+ "spdx/release.spdx.json"
+ ).get().getAsFile()
+
+ val publishTask = project.tasks.register("exportSboms", Copy::class.java) { publishTask ->
+ publishTask.destinationDir = sbomPublishDir
+ val sbomBuildDir = sbomBuiltFile.parentFile
+ publishTask.from(sbomBuildDir)
+ publishTask.rename(sbomBuiltFile.name, "$projectName-$projectVersion.spdx.json")
+
+ publishTask.doFirst {
+ if (!sbomBuiltFile.exists()) {
+ throw GradleException(
+ "sbom file does not exist: $sbomBuiltFile"
+ )
+ }
+ }
+ }
project.tasks.withType(SpdxSbomTask::class.java).configureEach { task ->
val sbomProjectDir = project.projectDir
+
task.taskExtension.set(
object : DefaultSpdxSbomTaskExtension() {
override fun mapRepoUri(repoUri: URI, artifact: ModuleVersionIdentifier): URI {
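Review bot: `publishTask.from(sbomBuildDir)` exports every file under `build/spdx` into the dist directory, while the `rename` only touches `release.spdx.json`, so anything else left in that directory by the SPDX plugin or an earlier build would be published next to the SBOM under its original name. Copying just the one file, `publishTask.from(sbomBuiltFile)`, keeps the exported set to exactly the SBOM that was generated for this release. The `doFirst` existence check may also never fire when the directory is empty or absent, because Gradle reports a Copy task with no source files as NO-SOURCE and skips its actions; this is worth confirming, since a missing SBOM would then pass silently instead of failing the build. `configureSbomPublishing` starts and ends outside this hunk.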
@@ -277,6 +302,9 @@
target.getConfigurations().set(sbomConfigurations)
}
project.addToBuildOnServer(tasks.named("spdxSbomForRelease"))
+ publishTask.configure { task ->
+ task.dependsOn("spdxSbomForRelease")
+ }
}
}
@@ -310,6 +338,11 @@
throw GradleException("Could not identify git remote url for project at $dir")
}
+fun Project.getSbomPublishDir(): File {
+ val groupPath = project.group.toString().replace(".", "/")
+ return File(getDistributionDirectory(), "sboms/$groupPath/${project.name}/${project.version}")
+}
+
private const val MAVEN_CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
private const val GMAVEN_REPO_URL = "https://dl.google.com/android/maven2"
/** Returns a mapping from local repo url to public repo url */
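Review bot: `getSbomPublishDir` is added as a public extension with no KDoc, and it builds a path under the distribution directory from `project.group`, `project.name` and `project.version` as they are set at call time. I would add `/** Returns the directory under the distribution directory that this project's sbom is exported to: sboms/<group path>/<name>/<version> */` and, if nothing outside Sbom.kt calls it, mark it `private` or `internal`. Because `configureSbomPublishing` calls it during configuration, a project whose version is assigned later would presumably export into an `unspecified` directory, so the ordering is worth confirming. The hunk opens inside the preceding function.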
diff --git a/busytown/androidx.sh b/busytown/androidx.sh
index cbecee6..1adf6b1 100755
--- a/busytown/androidx.sh
+++ b/busytown/androidx.sh
@@ -19,7 +19,7 @@
else
# Run Gradle
# If/when we enable desktop, enable VerifyDependencyVersionsTask.kt/shouldVerifyConfiguration
- if ! impl/build.sh buildOnServer createAllArchives checkExternalLicenses listTaskOutputs \
+ if ! impl/build.sh buildOnServer createAllArchives checkExternalLicenses listTaskOutputs exportSboms \
-Pandroidx.enableComposeCompilerMetrics=true \
-Pandroidx.enableComposeCompilerReports=true \
-Pandroidx.constraints=true \
diff --git a/busytown/androidx_incremental.sh b/busytown/androidx_incremental.sh
index f8ed79c..0c0a486 100755
--- a/busytown/androidx_incremental.sh
+++ b/busytown/androidx_incremental.sh
@@ -64,7 +64,7 @@
else
# Run Gradle
# TODO: when b/278730831 ( https://youtrack.jetbrains.com/issue/KT-58547 ) is resolved, remove "-Pkotlin.incremental=false"
- if impl/build.sh $DIAGNOSE_ARG buildOnServer checkExternalLicenses listTaskOutputs \
+ if impl/build.sh $DIAGNOSE_ARG buildOnServer checkExternalLicenses listTaskOutputs exportSboms \
--profile \
-Pkotlin.incremental=false \
"$@"; then