Features
Logging Parent aims to deliver the following features.
Parent POM
The provided parent POM features the following conveniences:
- apache-rat-plugin integration for license preamble verification
- log4j-changelog-maven-plugin integration for changelog and release note management
- maven-enforcer-plugin checks
- spotless-maven-plugin integration for code formatting
- jacoco-maven-plugin integration for test coverage analysis (optional coverage profile)
- bnd-maven-plugin integration for auto-generating OSGi and JPMS descriptors
- cyclonedx-maven-plugin integration for auto-generating Software Bill of Materials (SBOM)
- Antora-based site generation
CycloneDX Software Bill of Materials (SBOM)
Logging Parent streamlines the generation of CycloneDX Software Bill of Materials (SBOM) using cyclonedx-maven-plugin.
Plugin execution is configured and activated to generate SBOM files for each module, including the root one.
Generated SBOM files are attached as artifacts with cyclonedx classifier and XML extensions, that is, <artifactId>-<version>-cyclonedx.xml.
Produced SBOMs are enriched with vulnerability-assertion references to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains.
This VDR is accessible through the following URL: https://logging.apache.org/cyclonedx/vdr.xml
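A consumer can confirm that an attached SBOM actually carries this reference before relying on it. The following check is an added example, not code from Logging Parent; the function names and the sample SBOM are constructed, and placing the reference under the metadata component is an assumption, so the check scans the whole document.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EXPECTED_VDR = "https://logging.apache.org/cyclonedx/vdr.xml"  # URL given on this page

# Constructed sample, trimmed to the relevant elements; not real plugin output.
SAMPLE_SBOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata>
    <component type="library">
      <group>org.example</group><name>demo</name><version>1.0.0</version>
      <externalReferences>
        <reference type="website"><url>https://example.org</url></reference>
        <reference type="vulnerability-assertion">
          <url>https://logging.apache.org/cyclonedx/vdr.xml</url>
        </reference>
      </externalReferences>
    </component>
  </metadata>
</bom>"""

def local(tag):
    """Drop the XML namespace so the check works across CycloneDX schema versions."""
    return tag.rsplit("}", 1)[-1]

def vdr_references(sbom_xml):
    """Return the URLs of all vulnerability-assertion external references."""
    urls = []
    for el in ET.fromstring(sbom_xml).iter():
        if local(el.tag) == "reference" and el.get("type") == "vulnerability-assertion":
            urls += [c.text.strip() for c in el if local(c.tag) == "url" and c.text]
    return urls

def check_sbom(sbom_xml, expected=EXPECTED_VDR):
    """Return a list of problems; an empty list means the expected VDR is referenced."""
    urls = vdr_references(sbom_xml)
    problems = [] if urls else ["no vulnerability-assertion reference found"]
    for url in urls:
        if urlsplit(url).scheme != "https":
            problems.append(f"VDR reference is not HTTPS: {url}")
        elif url != expected:
            problems.append(f"unexpected VDR location: {url}")
    return problems

if __name__ == "__main__":
    print(check_sbom(SAMPLE_SBOM) or "OK")
```

Run it against the <artifactId>-<version>-cyclonedx.xml file of each module by passing the file contents to check_sbom.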
Reusable GitHub Actions workflows
The provided reusable GitHub Actions workflows feature the following conveniences:
- build-reusable.yaml
  - Compiles using the specified Java compiler version
  - Verifies reproducibility
  - Submits build scans to the Develocity server
- deploy-release-reusable.yaml
  - Deploys release artifacts
  - Updates revision and project.build.outputTimestamp Maven properties
  - Generates the distribution ZIP containing Git-tracked sources, binary attachments, NOTICE.txt, etc.
  - Generates the release vote & announcement emails
  - Uploads the distribution ZIP and emails to SVN
- deploy-site-reusable.yaml
  - Builds and deploys the website
- deploy-snapshot-reusable.yaml
  - Deploys SNAPSHOT artifacts
- merge-dependabot-reusable.yaml
  - Merges dependabot PRs along with changelog entries
Develocity configuration
Gradle Develocity is a service that provides statistics and other improvements to the development experience.
Due to an agreement between the ASF and Gradle, it is available for all ASF projects as the INFRA-hosted ge.apache.org service.
Instructions to submit build scans to the ge.apache.org server:
- Add a .mvn/develocity.xml configuration file to the repository. See Develocity Maven Extension User Manual for detailed configuration options. You can use the following example as template:
    <?xml version="1.0" encoding="UTF-8"?>
    <develocity>
      <projectId>logging-log4j2</projectId>
      <server>
        <url>https://ge.apache.org</url>
      </server>
      <buildScan>
        <!-- Obfuscate the IP addresses captured in build scans -->
        <obfuscation>
          <ipAddresses>0.0.0.0</ipAddresses>
        </obfuscation>
        <!-- Publish build scans only when the CI environment variable is set -->
        <publishing>
          <onlyIf>
            <![CDATA[env['CI'] != null]]>
          </onlyIf>
        </publishing>
        <backgroundBuildScanUpload>false</backgroundBuildScanUpload>
      </buildScan>
      <!-- Both the local and the remote build cache are disabled -->
      <buildCache>
        <local>
          <enabled>false</enabled>
        </local>
        <remote>
          <enabled>false</enabled>
        </remote>
      </buildCache>
    </develocity>
  Do not add any .mvn/extensions.xml file to the repository. The file will be created by the reusable-build workflow.
- Modify the build workflow that should publish build scans:
  - Pass secrets.GE_ACCESS_TOKEN, which is defined in all ASF repos, as the DV_ACCESS_TOKEN secret of the workflow.
  - Set the develocity-enabled parameter to true.
  For example, you can use the snippet below:
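    build:
      uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/11.3.0
      secrets:
        # Pass the access token only when the ref name does not start with release/
        DV_ACCESS_TOKEN: ${{ ! startsWith(github.ref_name, 'release/') && secrets.GE_ACCESS_TOKEN }}
      with:
        # Keep Develocity disabled when the ref name starts with release/
        develocity-enabled: ${{ ! startsWith(github.ref_name, 'release/') }}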
The Maven Develocity Extension is a closed-source extension, which requires a commercial Gradle Inc license to work. To guarantee the reproducibility of our builds and the security of our software supply chain, please disable the extension in our release builds.