feat: configure gradle to build deterministic Block Node jar (#411)

Signed-off-by: Matt Peterson <[email protected]>
hashgraph · Dec 16, 2024 · 0441ba2 · 0441ba2
1 parent 4201258
commit 0441ba2
Show file tree

Hide file tree

Showing 8 changed files with 316 additions and 25 deletions.
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
@@ -56,10 +56,10 @@ jobs:
           fi
 
       - name: Set up JDK 21
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         with:
-          distribution: 'temurin'
-          java-version: '21'
+          distribution: "temurin"
+          java-version: "21.0.4"
 
       - name: Run Acceptance Tests
         id: acceptance-tests

diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -57,10 +57,10 @@ jobs:
           fi
 
       - name: Set up JDK 21
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         with:
-          distribution: 'temurin'
-          java-version: '21'
+          distribution: "temurin"
+          java-version: "21.0.4"
 
       - name: Cache Gradle packages
         uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2

diff --git a/.github/workflows/release-automation.yaml b/.github/workflows/release-automation.yaml
@@ -91,10 +91,10 @@ jobs:
           passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
 
       - name: Install JDK
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         with:
           distribution: "temurin"
-          java-version: 21
+          java-version: "21.0.4"
 
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0
@@ -192,10 +192,10 @@ jobs:
           passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
 
       - name: Install JDK
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         with:
           distribution: "temurin"
-          java-version: 21
+          java-version: "21.0.4"
 
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0

diff --git a/.github/workflows/release-push-image.yaml b/.github/workflows/release-push-image.yaml
@@ -56,10 +56,10 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install JDK
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         with:
           distribution: "temurin"
-          java-version: 21
+          java-version: "21.0.4"
 
       - name: Build
         run: ./gradlew clean build

diff --git a/.github/workflows/smoke-test.yaml b/.github/workflows/smoke-test.yaml
@@ -57,10 +57,10 @@ jobs:
           fi
 
       - name: Set up JDK 21
-        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         with:
-          distribution: 'temurin'
-          java-version: '21'
+          distribution: "temurin"
+          java-version: "21.0.4"
 
       - name: Install grpcurl
         run: |

diff --git a/.github/workflows/support/scripts/generate-gradle-artifact-baseline.sh b/.github/workflows/support/scripts/generate-gradle-artifact-baseline.sh
@@ -0,0 +1,148 @@
+#!/usr/bin/env bash
+set -o pipefail
+set +e
+
+readonly RELEASE_LIB_PATH="hedera-node/data/lib"
+readonly RELEASE_APPS_PATH="hedera-node/data/apps"
+
+GROUP_ACTIVE="false"
+
+function fail {
+    printf '%s\n' "$1" >&2  ## Send message to stderr. Exclude >&2 if you don't want it that way.
+    if [[ "${GROUP_ACTIVE}" == "true" ]]; then
+      end_group
+    fi
+    exit "${2-1}"  ## Return a code specified by $2 or 1 by default.
+}
+
+function start_group {
+  if [[ "${GROUP_ACTIVE}" == "true" ]]; then
+    end_group
+  fi
+
+  GROUP_ACTIVE="true"
+  printf "::group::%s\n" "${1}"
+}
+
+function end_group {
+  GROUP_ACTIVE="false"
+  printf "::endgroup::\n"
+}
+
+function log {
+  local message="${1}"
+  shift
+  # shellcheck disable=SC2059
+  printf "${message}" "${@}"
+}
+
+function log_line {
+  local message="${1}"
+  shift
+  # shellcheck disable=SC2059
+  printf "${message}\n" "${@}"
+}
+
+function start_task {
+  local message="${1}"
+  shift
+  # shellcheck disable=SC2059
+  printf "${message} .....\t" "${@}"
+}
+
+function end_task {
+  printf "%s\n" "${1:-DONE}"
+}
+
+start_group "Configuring Environment"
+  # Access workflow environment variables
+  export GITHUB_WORKSPACE GITHUB_SHA GITHUB_OUTPUT MANIFEST_PATH
+
+  start_task "Initializing Temporary Directory"
+    TEMP_DIR="$(mktemp -d)" || fail "ERROR (Exit Code: ${?})" "${?}"
+    trap 'rm -rf "${TEMP_DIR}"' EXIT
+  end_task "DONE (Path: ${TEMP_DIR})"
+
+#  start_task "Resolving the GITHUB_WORKSPACE path"
+#    # Ensure GITHUB_WORKSPACE is provided or default to the repository root
+#    if [[ -z "${GITHUB_WORKSPACE}" || ! -d "${GITHUB_WORKSPACE}" ]]; then
+#      GITHUB_WORKSPACE="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../../../" && pwd)"
+#    fi
+#  end_task "DONE (Path: ${GITHUB_WORKSPACE})"
+#
+#  start_task "Resolving the GITHUB_OUTPUT path"
+#    # Ensure GITHUB_OUTPUT is provided or default to the repository root
+#    if [[ -z "${GITHUB_OUTPUT}" ]]; then
+#      GITHUB_OUTPUT="${TEMP_DIR}/workflow-output.txt"
+#    fi
+#  end_task "DONE (Path: ${GITHUB_OUTPUT})"
+#
+#  start_task "Resolving the GITHUB_SHA hash"
+#    if [[ -z "${GITHUB_SHA}" ]]; then
+#      GITHUB_SHA="$(git rev-parse HEAD | tr -d '[:space:]')" || fail "ERROR (Exit Code: ${?})" "${?}"
+#    fi
+#  end_task "DONE (Commit: ${GITHUB_SHA})"
+#
+#  start_task "Resolving the MANIFEST_PATH variable"
+#    if [[ -z "${MANIFEST_PATH}" ]]; then
+#      MANIFEST_PATH="${GITHUB_WORKSPACE}/.manifests/gradle"
+#    fi
+#  end_task "DONE (Path: ${MANIFEST_PATH})"
+#
+#  start_task "Ensuring the MANIFEST_PATH location is present"
+#    if [[ ! -d "${MANIFEST_PATH}" ]]; then
+#      mkdir -p "${MANIFEST_PATH}" || fail "ERROR (Exit Code: ${?})" "${?}"
+#    fi
+#  end_task
+#
+#  start_task "Checking for the sha256sum command"
+#    if command -v sha256sum >/dev/null 2>&1; then
+#      SHA256SUM="$(command -v sha256sum)" || fail "ERROR (Exit Code: ${?})" "${?}"
+#    else
+#      fail "ERROR (Exit Code: ${?})" "${?}"
+#    fi
+#  end_task "DONE (Found: ${SHA256SUM})"
+#
+#  start_task "Checking for prebuilt libraries"
+#    ls -al "${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}"/*.jar >/dev/null 2>&1 || fail "ERROR (Exit Code: ${?})" "${?}"
+#  end_task "FOUND (Path: ${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}/*.jar)"
+#
+#  start_task "Checking for prebuilt applications"
+#    ls -al "${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}"/*.jar >/dev/null 2>&1 || fail "ERROR (Exit Code: ${?})" "${?}"
+#  end_task "FOUND (Path: ${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}/*.jar)"
+end_group
+
+#start_group "Generating Library Hashes (${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}/*.jar)"
+#  pushd "${GITHUB_WORKSPACE}/${RELEASE_LIB_PATH}" >/dev/null 2>&1 || fail "PUSHD ERROR (Exit Code: ${?})" "${?}"
+#  ${SHA256SUM} -b -- *.jar | sort -k 2 | tee -a "${TEMP_DIR}"/libraries.sha256
+#  popd >/dev/null 2>&1 || fail "POPD ERROR (Exit Code: ${?})" "${?}"
+#end_group
+#
+#start_group "Generating Application Hashes (${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}/*.jar)"
+#  pushd "${GITHUB_WORKSPACE}/${RELEASE_APPS_PATH}" >/dev/null 2>&1 || fail "PUSHD ERROR (Exit Code: ${?})" "${?}"
+#  ${SHA256SUM} -b -- *.jar | sort -k 2 | tee -a "${TEMP_DIR}"/applications.sha256
+#  popd >/dev/null 2>&1 || fail "POPD ERROR (Exit Code: ${?})" "${?}"
+#end_group
+#
+#start_group "Generating Final Release Manifests"
+#
+#  start_task "Generating the manifest archive"
+#  tar -czf "${TEMP_DIR}/manifest.tar.gz" -C "${TEMP_DIR}" libraries.sha256 applications.sha256 >/dev/null 2>&1 || fail "TAR ERROR (Exit Code: ${?})" "${?}"
+#  end_task
+#
+#  start_task "Copying the manifest files"
+#  cp "${TEMP_DIR}/manifest.tar.gz" "${MANIFEST_PATH}/${GITHUB_SHA}.tar.gz" || fail "COPY ERROR (Exit Code: ${?})" "${?}"
+#  cp "${TEMP_DIR}/libraries.sha256" "${MANIFEST_PATH}/libraries.sha256" || fail "COPY ERROR (Exit Code: ${?})" "${?}"
+#  cp "${TEMP_DIR}/applications.sha256" "${MANIFEST_PATH}/applications.sha256" || fail "COPY ERROR (Exit Code: ${?})" "${?}"
+#  end_task "DONE (Path: ${MANIFEST_PATH}/${GITHUB_SHA}.tar.gz)"
+#
+#  start_task "Setting Step Outputs"
+#    {
+#      printf "path=%s\n" "${MANIFEST_PATH}"
+#      printf "file=%s\n" "${MANIFEST_PATH}/${GITHUB_SHA}.tar.gz"
+#      printf "name=%s\n" "${GITHUB_SHA}.tar.gz"
+#      printf "applications=%s\n" "${MANIFEST_PATH}/applications.sha256"
+#      printf "libraries=%s\n" "${MANIFEST_PATH}/libraries.sha256"
+#    } >> "${GITHUB_OUTPUT}"
+#  end_task
+#end_group
diff --git a/.github/workflows/zxc-verify-gradle-build-determinism.yaml b/.github/workflows/zxc-verify-gradle-build-determinism.yaml
@@ -0,0 +1,62 @@
+##
+# Copyright (C) 2023-2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+name: "ZXC: Verify Gradle Build Determinism"
+# Here, the ZXC prefix:
+# Z - Ensures sort order such that this script appears at the bottom of the UI
+# X - Indicates it's not for direct user consumption
+# C - Indicates this is a 'workflow_call' based reusable workflow
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: "The branch, tag, or commit to checkout:"
+        type: string
+        required: false
+        default: ""
+      java-distribution:
+        description: "Java JDK Distribution:"
+        type: string
+        required: false
+        default: "temurin"
+      java-version:
+        description: "Java JDK Version:"
+        type: string
+        required: false
+        default: "21.0.4"
+
+#  workflow_dispatch:
+#    inputs:
+#      version:
+#        description: 'Release tag:'
+#        type: string
+#        required: false
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  generate-baseline:
+    name: Generate Baseline
+    runs-on: network-node-linux-medium
+    steps:
+      - name: Print
+        run: echo "Hello, baseline!"