fix Reproducible Builds issues introduced during release process

[hboutemy]

Environment Details

• GlassFish Version (and build number): 7.0.9

---

Problem Description

release binaries cannot be reproduced: see https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/glassfish/main/README.md

Steps to reproduce

if you want to rebuild, you can clone https://github.com/jvm-repo-rebuild/reproducible-central and run

./rebuild.sh content/org/glassfish/main/glassfish-7.0.9.buildspec

Impact of Issue

• cannot get the same binaries
• current binaries are inconsistent: module info of 7.0.9 release contains 7.0.9-SNAPSHOT version

how to solve

1. in the release script run by https://ci.eclipse.org/glassfish/view/GlassFish/job/glassfish_1-build-and-stage/ , in the second phase, clean before deploy:

mvn -B -U -q -Poss-release,release-phase2 -DskipTests -Ddoclint=none -DstagingProfileId=1c0c18a0fc339 -Dmaven.javadoc.failOnError=false deploy

s/deploy/clean deploy/

2. release hk2 3.0.5 that includes https://github.com/eclipse-ee4j/glassfish-hk2/pull/821 and upgrade in Glassfish

3. eventually, in the release script, when cloning the Git repository, remove the setguid bit that brings unusual permissions

With these 3 steps done, next release should be near fully reproducible (we'll probably find a few remaining issues, given the size of the build)

[arjantijms]

Thanks for the issue! HK2 3.0.5 is long overdue. I'll take a look at releasing it soon. I'll take a look at the release script as well.

[hboutemy]

Hi @arjantijms , IIUC, next Glassfish release is happening soon: can you make sure that the release scripts have been updated, please? This is what is causing the most issues Of course, HK2 3.0.5 release and use in Glassfish would also be great, but to me, release script is first priority

[arjantijms]

Of course, HK2 3.0.5 release and use in Glassfish would also be great, but to me, release script is first priority

HK2 3.0.5 has been released and will be used in the next release of GF (7.0.10):

https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-bom/3.0.5/

[arjantijms]

in the second phase, clean before deploy:

This was done a while ago, it's now:

 mvn -B -U -q -Poss-release,release-phase2 ${MVN_STAGING} \
     -DskipTests -Ddoclint=none -Dmaven.javadoc.failOnError=false \
     -DstagingProfileId=1c0c18a0fc339 \
     clean deploy

[hboutemy]

FYI, HK2 3.0.5 release itself is reproducible https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/glassfish/hk2/README.md (README will be updated in 24h) you'll see in the buildspec that I had to tweak directory permissions to add setgid flag, which is not ideal, but works