Description
There were problems in the entries of the gapic-libraries-bom (googleapis/google-cloud-java#9304) and protobuf-bom (protocolbuffers/protobuf#12170). The challenge is that Maven's build lifecycle does not invalidate bad entries in a BOM.
How might we enhance validation on BOMs? Especially those that live in a different location from this java-cloud-bom repository.
Create Github Actions (a composite action)
In GitHub Actions, we can easily reference a check in another repository.
https://github.com/googleapis/google-api-java-client-services/blob/main/.github/workflows/codegen.yaml#L48
A composite action (https://docs.github.com/en/actions/creating-actions/creating-a-composite-action) is a good fit for the tasks below.
Implementation: a composite action
Before running the composite action the caller (gapic-generator-java or google-cloud-java repository) needs to make the BOM and its contents available in Maven Central or local Maven repository.
The action takes BOM coordinates as an argument.
The action does the following:
- It reads the BOM and gets all artifacts.
- It may filter out "testlib" artifacts if they cause problems in subsequent steps
- It creates a Maven project (a directory with a pom.xml file) with the artifacts as the dependencies. The project imports the BOM.
- This output project is actually beneficial for scanning security advisories.
- It runs mvn install in the project to confirm the project builds.
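As an added example (not code from this issue or from either repository), a Python sketch of the action's core steps: read the BOM's dependencyManagement entries, drop testlib artifacts, emit a pom.xml that imports the BOM with no versions of its own, and run mvn install so that any entry the BOM cannot resolve fails the build. The sample BOM and all coordinates are constructed, and the testlib filter (a "testlib" classifier or artifactId) is an assumption about how such artifacts are marked.

```python
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
# Constructed sample BOM: coordinates are illustrative, not a published artifact.
SAMPLE_BOM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-core</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-grpc</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-grpc</artifactId><version>1.2.3</version>
      <classifier>testlib</classifier></dependency>
    <dependency><groupId>com.example</groupId><artifactId>other-bom</artifactId><version>2.0.0</version>
      <type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
</project>"""

def bom_artifacts(bom_xml, skip_testlib=True):
    """(groupId, artifactId) of every buildable entry the BOM manages."""
    found = []
    for dep in ET.fromstring(bom_xml).findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        if dep.findtext("m:type", namespaces=NS) == "pom":
            continue  # an imported BOM is not something to compile against
        # Assumed testlib convention: a "testlib" classifier or artifactId
        if skip_testlib and (dep.findtext("m:classifier", namespaces=NS) == "testlib" or "testlib" in aid):
            continue
        found.append((gid, aid))
    return found

def generate_pom(bom_gid, bom_aid, bom_version, artifacts):
    """Minimal pom.xml importing the BOM and depending on every artifact it manages."""
    # No versions on the dependencies: the BOM must supply them, or the build fails.
    deps = "".join(f"    <dependency><groupId>{g}</groupId><artifactId>{a}</artifactId></dependency>\n"
                   for g, a in artifacts)
    return (f'<project xmlns="{POM_NS}">\n  <modelVersion>4.0.0</modelVersion>\n'
            "  <groupId>bom.check</groupId><artifactId>bom-check</artifactId><version>0-SNAPSHOT</version>\n"
            f"  <dependencyManagement><dependencies>\n    <dependency><groupId>{bom_gid}</groupId>"
            f"<artifactId>{bom_aid}</artifactId><version>{bom_version}</version>"
            "<type>pom</type><scope>import</scope></dependency>\n  </dependencies></dependencyManagement>\n"
            f"  <dependencies>\n{deps}  </dependencies>\n</project>\n")

def mvn_install(pom_xml):
    """Write the project and build it; a bad BOM entry surfaces as a failed resolution."""
    project = Path(tempfile.mkdtemp(prefix="bom-check-"))
    (project / "pom.xml").write_text(pom_xml)
    return subprocess.run(["mvn", "-B", "-q", "install"], cwd=project).returncode == 0
```

In the real action the BOM would be fetched from Maven Central or the local repository first, as the issue describes; the generated project is also the one to hand to an advisory scanner.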