I believe we have a general problem of traceability for the artifacts that we produce. The version numbers of our jars (both library jars and executable production jars) are generated by Jenkins, and this gives a poor indication of the source code that they contain.
In order to address this problem, I have written two plugins, one for sbt and one for gradle. These plugins make a small change to the artifact generation stage so that both the pom.xml and the jar’s manifest get additional metadata indicating the git repo and git hash against which they were built.
This repo contains build tool plugins that will do two things:
- include the following tags in the jar's META-INF/MANIFEST.MF:

      Git-Origin: [email protected]:coolproject
      Git-Repo-Is-Clean: false
      Git-Branch: master
      Git-Head-Rev: b178b10c259bb1442bcf27012c305a50c26796a2

- include the following section in the pom.xml:

      <scm>
        <url>[email protected]:coolproject</url>
        <tag>b178b10c259bb1442bcf27012c305a50c26796a2</tag>
      </scm>
Once we add the plugins to our builds, we will start to build up a record of which commits make it into which artifacts. With this information available consistently, in a machine-readable way, we can start to build tools that will improve transparency.
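A small audit tool of the kind this makes possible, as an added example that is not part of the jarmangit plugins: it reads the Git-* attributes from a jar's manifest (including wrapped continuation lines) and reports missing provenance or a build from a dirty working tree. The function names are hypothetical, and the sample manifest is constructed from the attribute names shown above with a placeholder origin.

```python
import io
import zipfile
GIT_KEYS = ("Git-Origin", "Git-Branch", "Git-Head-Rev", "Git-Repo-Is-Clean")

def parse_main_section(text):
    """Parse a manifest's main section, joining continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                          # blank line ends the main section
            break
        if line.startswith(" ") and key:      # continuation of the previous value
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs

def git_provenance(jar_source):
    """Return (Git-* attributes, list of traceability problems) for one jar."""
    with zipfile.ZipFile(jar_source) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return {}, ["jar has no META-INF/MANIFEST.MF"]
        raw = jar.read("META-INF/MANIFEST.MF")
    attrs = parse_main_section(raw.decode("utf-8"))
    info = {k: attrs[k] for k in GIT_KEYS if k in attrs}
    problems = ["missing " + k for k in GIT_KEYS if k not in info]
    rev = info.get("Git-Head-Rev", "")
    if rev and not (len(rev) == 40 and set(rev) <= set("0123456789abcdef")):
        problems.append("Git-Head-Rev is not a full 40-character commit hash")
    if info.get("Git-Repo-Is-Clean") == "false":
        problems.append("built from a working tree with uncommitted changes")
    return info, problems

def make_sample_jar(manifest_text):
    """Build an in-memory jar holding only a manifest (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf

# Constructed sample: placeholder origin; hash wrapped onto a continuation line.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Git-Origin: git@git.example.invalid:coolproject\r\n"
    "Git-Repo-Is-Clean: false\r\n"
    "Git-Branch: master\r\n"
    "Git-Head-Rev: b178b10c259bb1442bcf2701\r\n"
    " 2c305a50c26796a2\r\n"
)
```

Calling `git_provenance(make_sample_jar(SAMPLE_MANIFEST))` returns the four attributes and a single problem for the dirty working tree; pass a path to a real jar instead of the in-memory sample to audit a built artifact.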
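Add the “apply plugin” line to the top of your build.gradle, and add the dependency to the section at the bottom of your build.gradle.

    apply plugin: 'jarmangit'

    // "classpath" dependencies are only valid in the buildscript block's dependencies section.
    // "1.0.+" is a dynamic version: Gradle resolves the newest matching 1.0.x at build time.
    dependencies {
        classpath group: 'com.timgroup', name: 'gradle-jarmangit', version: "1.0.+"
    }
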
Create a new file (sbt-jarmangit.sbt) in the project directory, with the following content:

    addSbtPlugin("com.timgroup" % "sbt-jarmangit" % "1.0.14")