query rebuild results and renovate pr integration

[PhilippHeuer]

Hi,

I'm a big fan of the work that is done in reproducible-central and the idea of reproducible builds in general.
I created a small project for an initial integration of reproducible-central into Renovate PRs.

Link: https://github.com/PhilippHeuer/jvm-repo-rebuild-index (written in Go)
Example PR: PhilippHeuer/renovate-test#8

Configuration:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    {
      "matchDatasources": ["maven"],
      "prBodyDefinitions": {
        "Reproducible": "{{#if newVersion}}[![Reproducible Builds](https://img.shields.io/endpoint?url=https://jvm-rebuild.philippheuer.de/v1/badge/reproducible/maven/{{depName}}/{{{newVersion}}}?theme=renovate)](https://jvm-rebuild.philippheuer.de/v1/redirect/reproducible/maven/{{depName}}/{{{newVersion}}}){{/if}}"
      },
      "prBodyColumns": [
        "Package",
        "Change",
        "Adoption",
        "Passing",
        "Reproducible"
      ]
    }
  ]
}

Note: This is the first beta and the format of the json files on gh pages may be changed, but the api endpoints used in the PRs will remain stable.

---

The objective of this project was to:

• provide a way to query the reproducibility status of maven artifacts by group/artifact/version (by maven coordinates)
• show a dynamic badge with the result for specific dependency versions (project missing, verification pending, reproducible, not reproducible)
• redirect from the PR badge to the project readme in the reproducible-central

This first version generates static json files for all projects in reproducible-central and serves them via GitHub pages.
Additionally, it contains a few api endpoints for the dynamic PR badge. (selfhosted, requires logic so static json doesn't work)

---

I think it would be awesome to have an official API to integrate jvm-repo-rebuild results into Renovate, Dependabot, ... (this could enable a native integrations in the future)

Maybe this project can serve as a starting point for that (either as reference or to mature into something official), I would love to hear your thoughts on this project / idea.

[hboutemy]

great job, I like what you did, we need to work together further
buildspec is natively at project build level = why current output (buildinfo, buildcompare, badge) is also at project build level
but yes, providing output data at gav level has been identified as an enabler to many new ways to use data: I just did not have time to do it yet
I'm happy you did it and I can review and discuss: I'll dive into it and give more precise feedback later, as it deserves serious look
I definitively want to integrate such gav-level output and let wider community use that data in as many new ways as they can

[hboutemy]

first try at providing a reporting on dependencies: https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/reproducible-central.html , tracked as https://issues.apache.org/jira/browse/MARTIFACT-81

on the pure API front, I did an initial try by generating .txt files, but this will require more work to define the precise expected API
see https://github.com/jvm-repo-rebuild/reproducible-central/tree/gh-pages/api
generated by https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/bin/update_api.java

[hboutemy]

shields.io badge now available: https://shields.io/badges/reproducible-central-artifact

and used by report https://maven.apache.org/plugins/maven-artifact-plugin/reproducible-central-mojo.html
=> for example https://cyclonedx.github.io/cyclonedx-maven-plugin/reproducible-central.html