Skip to content

Fix Java SDK RC2 blockers: source packaging, jar LICENSE/NOTICE, BOM gap#69582

Merged
jason810496 merged 8 commits into
apache:mainfrom
jason810496:verify/java-sdk-rc3-integration
Jul 8, 2026
Merged

Fix Java SDK RC2 blockers: source packaging, jar LICENSE/NOTICE, BOM gap#69582
jason810496 merged 8 commits into
apache:mainfrom
jason810496:verify/java-sdk-rc3-integration

Conversation

@jason810496

Copy link
Copy Markdown
Member

Why

RC2 of the Java SDK 1.0.0-beta1 vote cannot pass: Jarek cast a binding -1 because
the Gradle wrapper still ships in the source-release tarball, and RC2
verification separately found the staged convenience-binary jars are missing
META-INF/LICENSE/NOTICE, builds aren't byte-reproducible, and the BOM
doesn't manage the jpl artifact's version. All three must land before RC3.

What

  • Source release packaging: exclude gradlew, gradlew.bat, and
    gradle/wrapper from the git archive-based source tarball via
    .gitattributes export-ignore (the wrapper stays tracked in git — only the
    release tarball omits it). Document both extracted-source build paths, and
    add "Verifying a release" and vote-email template sections to
    java-sdk/README.md.
  • Convenience-binary compliance: inject META-INF/LICENSE/NOTICE into
    every published jar and make archives byte-reproducible (fixed timestamps,
    file ordering, permissions), centralized once in the airflow-jvm-conventions
    convention plugin so it covers every jar-producing module.
  • BOM completeness: add airflow-sdk-jpl to the BOM's dependency
    constraints so consumers can depend on it without pinning a version
    explicitly.

Verification

Each change was implemented and verified independently (source-archive content
checks, jar inspection plus reproducibility hash diffs, and a BOM resolution
smoke test) and passed its own review pass before being combined here; see
commits 5a03a02, 0231511, and 1f400a8 for per-change detail.


Was generative AI tooling used to co-author this PR?

Only gradle-wrapper.jar was excluded from the sourceRelease tarball
(LEGAL-570), but gradlew, gradlew.bat, and gradle-wrapper.properties
still shipped, drawing a binding -1 in the 1.0.0-beta1 RC2 vote. The
wrapper stays tracked in git; only the git-archive output used by
sourceRelease now omits it. Document both ways to build an extracted
source package without the wrapper, add a release-verification
checklist, and add a vote-email template with the full 8-artifact
staged list so future RCs don't repeat the RC2 feedback.
Staged convenience-binary jars (main, sources, javadoc, test-fixtures)
were missing META-INF/LICENSE and META-INF/NOTICE, violating ASF
release policy for distributed binaries. Builds were also not
byte-reproducible: jar entries carried wall-clock timestamps, blocking
GitHub-driven publishing. Centralizing both fixes in the
airflow-jvm-conventions plugin, applied by every jar-producing module
(sdk, jul, log4j2, slf4j, jpl, processor, plugin), covers all modules
without per-module duplication.
The BOM constrained sdk, jul, log4j2, processor, and slf4j but not
jpl, even though jpl is published to Nexus and the bundled example
module depends on it. Consumers pulling in jpl via the BOM alone had
no version constraint to resolve against.
airflow-sdk-gradle-plugin publishes under the same org.apache.airflow
Maven coordinate convention as the other SDK artifacts, but was left
out of the BOM's constraints when airflow-sdk-jpl was added — the same
gap the jpl fix was closing. Consumers importing airflow-sdk-bom still
got no version pin for the plugin artifact.
Comment thread java-sdk/README.md Outdated
@uranusjr uranusjr force-pushed the verify/java-sdk-rc3-integration branch from 092a209 to 96299bf Compare July 8, 2026 07:03
}
}

tasks.named("check") { dependsOn(verifyBomCoverage) }

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

verifyBomCoverage runs as a dependency of check, but the Java SDK CI job runs ./gradlew test (ci-amd.yml / ci-arm.yml), and test doesn't trigger check.

So this guard won't fire on a PR that adds a published module and forgets the BOM ,but CI stays green. It does still catch it on ./gradlew build locally and at the release "Build from source" step, so the release itself is protected.

If we want the earlier signal, switching the CI job to ./gradlew check (or adding verifyBomCoverage to the test job) would close the gap.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, but I will do this in follow-up as this is non-blocking and Jarek approve the PR so I think we can start the RC3.

@jason810496 jason810496 merged commit 162952b into apache:main Jul 8, 2026
86 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants