Make JAR, not WAR!

Switches from an executable WAR distribution to normal JAR one. Instead of shading dependencies, ships them as separate JARs in a lib directory. This is a better fit for container because it allows for more effective layer caching.

The build is faster because the expensive WAR overlays are no longer required.

The development setup also becomes less involved, as it removes the need to go through the Jetty Maven plugin.

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

.github/workflows/_meta-build.yaml

@@ -64,14 +64,20 @@ jobs:
 
       - name: Build with Maven
         run: |-
-          mvn -B -Pquick -Dservices.bom.merge.skip=false package
+          mvn -B -Pquick,dist -Dservices.bom.merge.skip=false package
 
-      - name: Upload Artifacts
+      - name: Upload Distribution Archive
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # tag=v6.0.0
         with:
-          name: assembled-wars
+          name: assembled-dist
+          path: |-
+            apiserver/target/dependency-track-apiserver-dist.tar.gz
+
+      - name: Upload BOM
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # tag=v6.0.0
+        with:
+          name: bom
           path: |-
-            apiserver/target/*.jar
             apiserver/target/bom.json
 
       - name: Upload OpenAPI Spec
@@ -95,9 +101,12 @@ jobs:
       - name: Download Artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # tag=v7.0.0
         with:
-          name: assembled-wars
+          name: assembled-dist
           path: apiserver/target
 
+      - name: Extract Distribution Archive
+        run: tar xzf apiserver/target/dependency-track-apiserver-dist.tar.gz -C apiserver/target
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # tag=v3.7.0
 

.github/workflows/ci-publish.yaml

@@ -71,21 +71,30 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
-      - name: Download Artifacts
+      - name: Download Distribution Archive
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # tag=v7.0.0
         with:
-          name: assembled-wars
+          name: assembled-dist
           path: target
 
-      - name: Create Checksums and SBOM
+      - name: Download BOM
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # tag=v7.0.0
+        with:
+          name: bom
+          path: target
+
+      - name: Create Checksums
         run: |-
           pushd target
           echo "# SHA1" >> checksums.txt
-          sha1sum dependency-track-apiserver.jar >> checksums.txt
+          sha1sum dependency-track-apiserver-dist.tar.gz >> checksums.txt
+          sha1sum bom.json >> checksums.txt
           echo "# SHA256" >> checksums.txt
-          sha256sum dependency-track-apiserver.jar >> checksums.txt
+          sha256sum dependency-track-apiserver-dist.tar.gz >> checksums.txt
+          sha256sum bom.json >> checksums.txt
           echo "# SHA512" >> checksums.txt
-          sha512sum dependency-track-apiserver.jar >> checksums.txt
+          sha512sum dependency-track-apiserver-dist.tar.gz >> checksums.txt
+          sha512sum bom.json >> checksums.txt
           popd
 
       - name: Update Release
@@ -94,6 +103,6 @@ jobs:
         run: |-
           gh release upload ${{ needs.read-version.outputs.version }} \
             --clobber \
-            target/dependency-track-apiserver.jar \
-            target/checksums.txt \
-            target/bom.json
+            target/dependency-track-apiserver-dist.tar.gz \
+            target/bom.json \
+            target/checksums.txt

.idea/runConfigurations/Jetty.xml

@@ -22,12 +22,6 @@
     <configuration>
         <enabled>true</enabled>
         <hashAlgorithm>XX</hashAlgorithm>
-        <attachedOutputs>
-            <dirNames>
-                <!-- Required by Jetty plugin. -->
-                <dirName>classes</dirName>
-            </dirNames>
-        </attachedOutputs>
     </configuration>
     <input>
         <global>
@@ -40,13 +34,9 @@
     <executionControl>
         <runAlways>
             <executions>
-                <execution artifactId="maven-antrun-plugin">
+                <execution artifactId="maven-dependency-plugin">
                     <execIds>
-                        <!--
-                          The build cache only restores the API server WAR file,
-                          but the JAR file is required for container image builds.
-                        -->
-                        <execId>rename-war-file</execId>
+                        <execId>copy-dependencies</execId>
                     </execIds>
                 </execution>
             </executions>
@@ -59,4 +49,4 @@
             </goalsLists>
         </runAlways>
     </executionControl>
-</cache>
+</cache>

.mvn/maven-build-cache-config.xml

@@ -35,6 +35,10 @@ build:
 	$(MVND) $(MVN_FLAGS) -q -Pquick package
 .PHONY: build
 
+build-dist:
+	$(MVND) $(MVN_FLAGS) -q -Pdist,quick package
+.PHONY: build-dist
+
 build-image: build
 	docker build \
 		-t ghcr.io/dependencytrack/hyades-apiserver:local \