Skip to content

Using maven plugin prevents building from tarball #299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dvzrv opened this issue Dec 10, 2021 · 6 comments · Fixed by #300 or #301
Closed

Using maven plugin prevents building from tarball #299

dvzrv opened this issue Dec 10, 2021 · 6 comments · Fixed by #300 or #301
Assignees
@joschi
Milestone
2.0.1

Comments

@dvzrv
Copy link

dvzrv commented Dec 10, 2021

Hi! When packaging 2.0.0 for Arch Linux I realized that the tool can not be built from a tarball of a release as long as there is the git hooks maven plugin in use:

openapi-diff/pom.xml

Lines 290 to 294 in ed6345e

<plugin>
<groupId>io.github.phillipuniverse</groupId>
<artifactId>githook-maven-plugin</artifactId>
<version>1.0.5</version>
</plugin>

openapi-diff/pom.xml

Lines 349 to 366 in ed6345e

<plugin>
<groupId>io.github.phillipuniverse</groupId>
<artifactId>githook-maven-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>install</goal>
</goals>
<configuration>
<hooks>
<pre-commit>
mvn com.coveo:fmt-maven-plugin:format
</pre-commit>
</hooks>
</configuration>
</execution>
</executions>
</plugin>

As this seems to be only for code formatting, is it possible to circumvent its use (aside from removal), when using mvn clean install?
@joschi
Copy link
Contributor

joschi commented Dec 11, 2021

You can disable the githook-maven-plugin by setting the system property githook.plugin.skip to false.

https://github.com/phillipuniverse/githook-maven-plugin#additional-configuration-options

@joschi
Copy link
Contributor

joschi commented Dec 11, 2021

@dvzrv Why would you build the project from scratch when you could download the official JAR from Maven Central? It's not like your byte code would be any different.

@dvzrv
Copy link
Author

dvzrv commented Dec 11, 2021

You can disable the githook-maven-plugin by setting the system property githook.plugin.skip to false.

Thanks, I will look into that! :)

Why would you build the project from scratch when you could download the official JAR from Maven Central?

We generally build everything (that we can) from source. This allows for reproducibility and not being affected by supply chain attacks on a binary repository such as maven central or a compromised build infrastructure in which the official jar is being built.
Furthermore Arch Linux invests into having reproducible builds for all of its packages.

It's not like your byte code would be any different.

In fact, it would be, because maven builds are usually not bit-by-bit reproducible, unless configured so (for this purpose strip-nondeterminism is currently used to strip the resulting jar from nondeterministic strings such as timestamps).

@joschi
Copy link
Contributor

joschi commented Dec 11, 2021

In fact, it would be, because maven builds are usually not bit-by-bit reproducible

Yeah, I've heard that one before. 😉
dropwizard/dropwizard@c9158ff

joschi added a commit that referenced this issue Dec 12, 2021
@joschi
Enable reproducible builds
01ab029 
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
https://reproducible-builds.org/

Refs #299
@joschi joschi mentioned this issue Dec 12, 2021
Merged
joschi added a commit that referenced this issue Dec 12, 2021
@joschi
Skip Git hook repository check to enable build without .git
2ccc6b3 
Refs #299
@joschi joschi mentioned this issue Dec 12, 2021
Merged
joschi added a commit that referenced this issue Dec 12, 2021
@joschi
Enable reproducible builds (#300)
7614541 
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
https://reproducible-builds.org/

Refs #299
joschi added a commit that referenced this issue Dec 12, 2021
@joschi
Skip Git hook repository check to enable build without .git (#301)
d2a96f1 
The build process would fail if the `.git/` directory is missing, e. g. when downloading the repository contents from GitHub in a ZIP archive:
```text
[ERROR] Failed to execute goal io.github.phillipuniverse:githook-maven-plugin:1.0.5:install (default) on project openapi-diff-parent: Not a git repository, could not find a .git/hooks directory anywhere in the hierarchy of /path/to/openapi-diff/target. Turn off this behavior with skipRepositoryCheck=false -> [Help 1]
```

After the change, a missing `.git/` directory doesn't lead to a build failure:
```text
[INFO] --- githook-maven-plugin:1.0.5:install (default) @ openapi-diff-parent ---
[INFO] No .git directory found, skipping plugin execution
```

Refs #299
@joschi joschi added this to the 2.0.1 milestone Dec 12, 2021
@joschi joschi self-assigned this Dec 12, 2021
This was linked to pull requests Dec 27, 2021
Enable reproducible builds #300
Merged
Skip Git hook repository check to enable build without .git #301
Merged
@joschi
Copy link
Contributor

joschi commented Dec 27, 2021

@dvzrv This issue should've been resolved via #300 and #301.

@joschi joschi closed this as completed Dec 27, 2021
@dvzrv
Copy link
Author

dvzrv commented Dec 29, 2021

@joschi many thanks! ❤️

@joschi joschi mentioned this issue Mar 1, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joschi joschi

Labels
None yet
Projects
None yet
Milestone
2.0.1
2 participants
@joschi @dvzrv