diff --git a/pkg/build/pipelines/maven/README.md b/pkg/build/pipelines/maven/README.md
index 5407bdd19..ef8bb6d99 100755
--- a/pkg/build/pipelines/maven/README.md
+++ b/pkg/build/pipelines/maven/README.md
@@ -16,18 +16,28 @@ Configure GCP Maven Central mirror for faster downloads ## maven/pombump -Run pombump tool to update versions and properties in a Maven POM file +Run pombump tool to analyze and update versions and properties in a Maven POM file ### Inputs | Name | Required | Description | Default | | ---- | -------- | ----------- | ------- | -| debug | false | Enable debug mode, which will print out the diffs of the pom.xml file after running pombump | false | +| analyze-patch-file | false | Patch file to analyze for recommendations | | +| analyze-patches | false | Space-separated list of patches to analyze (groupID@artifactID@version) for recommendations | | +| debug | false | Enable debug mode, which will print out the diffs of the pom.xml file after running pombump (patch mode) or detailed analysis (analyze mode) | false | | dependencies | false | Dependencies to be used for updating the POM file via command line flag | | +| fail-on-bom-conflicts | false | Fail if attempting to patch dependencies controlled by BOMs (analyze mode). Only use for strict BOM enforcement. 
| false | +| generate-patch-files | false | Generate recommended patch files from analysis (creates pombump-deps.yaml and pombump-properties.yaml) | false | +| json-output-file | false | File to save JSON analysis output (analyze mode only) | | +| mode | false | Mode of operation: 'patch' to apply changes, 'analyze' to analyze POM and get recommendations | patch | +| output-deps | false | Output file for recommended dependency patches (analyze mode) | ./pombump-deps.yaml | +| output-format | false | Output format for analysis: human, json, or yaml | human | +| output-properties | false | Output file for recommended property patches (analyze mode) | ./pombump-properties.yaml | | patch-file | false | Patches file to use for updating the POM file | ./pombump-deps.yaml | | pom | false | Path to pom.xml | pom.xml | | properties | false | Properties to update / add the POM file via command line flag | | | properties-file | false | Properties file to be used for updating the POM file | ./pombump-properties.yaml | +| search-properties | false | Search for properties in parent POMs and modules (analyze mode only) | false | | show-dependency-tree | false | Display a dependency tree for the existing pom.xml file | false |
diff --git a/pkg/build/pipelines/maven/pombump.yaml b/pkg/build/pipelines/maven/pombump.yaml
index 32c122f12..bcadcf325 100644
--- a/pkg/build/pipelines/maven/pombump.yaml
+++ b/pkg/build/pipelines/maven/pombump.yaml
@@ -1,10 +1,46 @@ -name: Run pombump tool to update versions and properties in a Maven POM file +name: Run pombump tool to analyze and update versions and properties in a Maven POM file needs: packages: - busybox - pombump + - jq inputs: + # Mode selection + mode: + description: | + Mode of operation: 'patch' to apply changes, 'analyze' to analyze POM and get recommendations + default: patch + + # Analysis inputs + analyze-patches: + description: | + Space-separated list of patches to analyze (groupID@artifactID@version) for recommendations + analyze-patch-file: + description: | + Patch file to analyze for recommendations + output-format: + description: | + Output format for analysis: human, json, or yaml + default: human + search-properties: + description: | + Search for properties in parent POMs and modules (analyze mode only) + default: false + generate-patch-files: + description: | + Generate recommended patch files from analysis (creates pombump-deps.yaml and pombump-properties.yaml) + default: false + output-deps: + description: | + Output file for recommended dependency patches (analyze mode) + default: ./pombump-deps.yaml + output-properties: + description: | + Output file for recommended property patches (analyze mode) + default: ./pombump-properties.yaml + + # Patching inputs patch-file: description: | Patches file to use for updating the POM file 
@@ -19,50 +55,109 @@ inputs: properties: description: | Properties to update / add the POM file via command line flag + + # Common inputs pom: description: | Path to pom.xml default: pom.xml debug: description: | - Enable debug mode, which will print out the diffs of the pom.xml file after running pombump + Enable debug mode, which will print out the diffs of the pom.xml file after running pombump (patch mode) or detailed analysis (analyze mode) default: false show-dependency-tree: default: false description: Display a dependency tree for the existing pom.xml file + + fail-on-bom-conflicts: + description: | + Fail if attempting to patch dependencies controlled by BOMs (analyze mode). + Only use for strict BOM enforcement. + default: false + json-output-file: + description: | + File to save JSON analysis output (analyze mode only) pipeline: - runs: | - PATCH_FILE_FLAG="" - PROPERTIES_FILE_FLAG="" - DEPENDENCIES_FLAG="" - PROPERTIES_FLAG="" - - if [ -f "${{inputs.patch-file}}" ]; then - PATCH_FILE_FLAG="--patch-file ${{inputs.patch-file}}" - fi - - if [ -f "${{inputs.properties-file}}" ]; then - PROPERTIES_FILE_FLAG="--properties-file ${{inputs.properties-file}}" - fi - - if [ -n "${{inputs.dependencies}}" ]; then - DEPENDENCIES_FLAG="--dependencies ${{inputs.dependencies}}" - fi - - if [ -n "${{inputs.properties}}" ]; then - PROPERTIES_FLAG="--properties ${{inputs.properties}}" - fi - + # Show dependency tree if requested if [ "${{inputs.show-dependency-tree}}" = "true" ]; then - mvn dependency:tree + mvn dependency:tree || echo "Note: Maven dependency tree failed, continuing..." fi - pombump ${{inputs.pom}} $PATCH_FILE_FLAG $PROPERTIES_FILE_FLAG $DEPENDENCIES_FLAG $PROPERTIES_FLAG > "${{inputs.pom}}.new" + if [ "${{inputs.mode}}" = "analyze" ]; then + echo "Running pombump in analyze mode..." 
+
+ # Build analyze command
+ CMD="pombump analyze ${{inputs.pom}}"
+
+ [ -n "${{inputs.output-format}}" ] && CMD="$CMD --output ${{inputs.output-format}}"
+ [ "${{inputs.search-properties}}" = "true" ] && CMD="$CMD --search-properties"
+ [ -f "${{inputs.analyze-patch-file}}" ] && CMD="$CMD --patch-file ${{inputs.analyze-patch-file}}"
+
+ if [ "${{inputs.generate-patch-files}}" = "true" ]; then
+ CMD="$CMD --output-deps ${{inputs.output-deps}} --output-properties ${{inputs.output-properties}}"
+ fi
+
+ # Handle analyze-patches separately due to quoting needs
+ if [ -n "${{inputs.analyze-patches}}" ]; then
+ CMD="$CMD --patches \"${{inputs.analyze-patches}}\""
+ fi
+
+ # Execute analyze command
+ if [ -n "${{inputs.json-output-file}}" ]; then
+ eval "$CMD" > "${{inputs.json-output-file}}"
+ echo "Analysis saved to ${{inputs.json-output-file}}"
+
+ if [ "${{inputs.debug}}" = "true" ]; then
+ echo "=== Analysis Summary ==="
+ jq -r '
+ "Dependencies: \(.dependencies.total) total, \(.dependencies.direct) direct",
+ "Using properties: \(.dependencies.using_properties)",
+ "From BOMs: \(.dependencies.from_boms // 0)",
+ "BOMs detected: \(.boms | length // 0)",
+ "Recommended property updates: \(.property_updates | length // 0)",
+ "Recommended direct patches: \(.patches | length // 0)"
+ ' "${{inputs.json-output-file}}" || true
+ fi
+
+ # Check for BOM conflicts
+ if [ "${{inputs.fail-on-bom-conflicts}}" = "true" ]; then
+ if jq -e '.warnings | map(select(contains("BOM"))) | length > 0' "${{inputs.json-output-file}}" > /dev/null 2>&1; then
+ echo "ERROR: BOM conflicts detected. Dependencies are controlled by imported BOMs."
+ echo "Please update the BOM version instead of individual dependencies."
+ jq -r '.warnings[]' "${{inputs.json-output-file}}" 2>/dev/null || true
+ exit 1
+ fi
+ fi
+ else
+ eval "$CMD"
+ fi
+
+ # Show generated patch files
+ if [ "${{inputs.generate-patch-files}}" = "true" ] && [ "${{inputs.debug}}" = "true" ]; then
+ echo "=== Generated Patch Files ==="
+ [ -f "${{inputs.output-deps}}" ] && echo "Dependency patches: ${{inputs.output-deps}}" && cat "${{inputs.output-deps}}"
+ [ -f "${{inputs.output-properties}}" ] && echo "Property patches: ${{inputs.output-properties}}" && cat "${{inputs.output-properties}}"
+ fi
+
+ else
+ echo "Running pombump in patch mode..."
+
+ # Build patch command
+ CMD="pombump \"${{inputs.pom}}\""
+
+ [ -f "${{inputs.patch-file}}" ] && CMD="$CMD --patch-file \"${{inputs.patch-file}}\""
+ [ -f "${{inputs.properties-file}}" ] && CMD="$CMD --properties-file \"${{inputs.properties-file}}\""
+ [ -n "${{inputs.dependencies}}" ] && CMD="$CMD --dependencies \"${{inputs.dependencies}}\""
+ [ -n "${{inputs.properties}}" ] && CMD="$CMD --properties \"${{inputs.properties}}\""
+
+ eval "$CMD" > "${{inputs.pom}}.new"
- if [ "${{inputs.debug}}" = "true" ]; then
- # If there are any differences, it will return a non-zero exit code, so we use `|| true` to ignore that
- diff -w "${{inputs.pom}}" "${{inputs.pom}}.new" || true
- fi
+ if [ "${{inputs.debug}}" = "true" ]; then
+ echo "=== POM Changes ==="
+ diff -w "${{inputs.pom}}" "${{inputs.pom}}.new" || true
+ fi
- mv "${{inputs.pom}}.new" ${{inputs.pom}}
\ No newline at end of file
+ mv "${{inputs.pom}}.new" "${{inputs.pom}}"
+ fi
\ No newline at end of file
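Review bot: The `fail-on-bom-conflicts` check in the analyze branch is a silent no-op unless the caller also sets `output-format: json`: `output-format` defaults to `human`, so the file written by `eval "$CMD" > "${{inputs.json-output-file}}"` is usually not JSON, `jq -e ... > /dev/null 2>&1` then fails for the wrong reason, and the strict mode passes; validate the file right after the redirect with `jq -e . "${{inputs.json-output-file}}" > /dev/null || { echo "ERROR: analysis output is not JSON; set output-format to json"; exit 1; }` (or force `--output json` whenever `json-output-file` is set). The same branch, and the patch branch from `CMD="pombump \"${{inputs.pom}}\""` on, assemble the command as a string and run it through `eval`, which is why `analyze-patches` needs the `\"...\"` wrapping and why any input value containing a double quote breaks the parse; accumulating arguments with `set -- "$@" ...` and running `"$@"` keeps each value as one argument with no `eval` and no escaping, as sketched below for the analyze branch. `mode` is also never validated, so any value other than `analyze` (a typo included) falls through to the patch branch and rewrites the POM; `elif [ "${{inputs.mode}}" = "patch" ]; then` with a final `else echo "ERROR: unknown mode: ${{inputs.mode}}"; exit 1` would make that explicit. The `runs:` script this hunk rewrites ends at the file's last line, so the whole new body is visible here.
```shell
set -- pombump analyze "${{inputs.pom}}"
[ -n "${{inputs.output-format}}" ] && set -- "$@" --output "${{inputs.output-format}}"
[ "${{inputs.search-properties}}" = "true" ] && set -- "$@" --search-properties
[ -f "${{inputs.analyze-patch-file}}" ] && set -- "$@" --patch-file "${{inputs.analyze-patch-file}}"
if [ "${{inputs.generate-patch-files}}" = "true" ]; then
  set -- "$@" --output-deps "${{inputs.output-deps}}" --output-properties "${{inputs.output-properties}}"
fi
# the space-separated list stays a single argument; no escaped quotes needed
[ -n "${{inputs.analyze-patches}}" ] && set -- "$@" --patches "${{inputs.analyze-patches}}"

if [ -n "${{inputs.json-output-file}}" ]; then
  "$@" > "${{inputs.json-output-file}}"
  # the debug summary and the BOM check below only mean something for JSON output
  jq -e . "${{inputs.json-output-file}}" > /dev/null || { echo "ERROR: analysis output is not JSON; set output-format to json"; exit 1; }
  # … unchanged: "Analysis saved" message, debug summary, fail-on-bom-conflicts check …
else
  "$@"
fi
```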