test: BOM validation via dependency tree (#5937)

* bom validation via dependency tree

* test for validate-bom

.github/workflows/ci-validate-bom.yaml

@@ -0,0 +1,46 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# Github action job to test core java library features on
+# downstream client libraries before they are released.
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+name: test for tests/validate-bom logic
+jobs:
+  test-invalid-bom:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Fetch the bad protobuf-bom version 3.22.1
+      shell: bash
+      # 3.22.1 had a issue in their pom.xml
+      # https://github.com/protocolbuffers/protobuf/issues/12170
+      run: |
+        mkdir -p bad-protobuf-bom
+        curl https://repo1.maven.org/maven2/com/google/protobuf/protobuf-bom/3.22.1/protobuf-bom-3.22.1.pom \
+            --output bad-protobuf-bom/pom.xml
+    - name: Check the bad BOM
+      uses: ./tests/validate-bom
+      id: validate-bom
+      with:
+        bom-path: bad-protobuf-bom/pom.xml
+      continue-on-error: true
+    - name: Ensure the validate-bom invalidated the bad BOM
+      shell: bash
+      if: steps.validate-bom.outcome != 'failure'
+      run: |
+        echo "The validate-bom check should have invalidated the bad BOM"
+        exit 1

libraries-bom/pom.xml

@@ -143,4 +143,4 @@
       </build>
     </profile>
   </profiles>
-</project>
+</project>

tests/validate-bom/action.yml

@@ -44,4 +44,19 @@ runs:
     run: |
       echo "working directory: $(pwd)"
       mvn -ntp -B install
+  - name: Examine dependency tree for any error
+    shell: bash
+    working-directory: /tmp/bom-validation
+    run: |
+      echo "working directory: $(pwd)"
+      # This dependency tree check can detect errors that pass "mvn install".
+      # For example, an invalid group ID in one of pom.xml files:
+      # [ERROR] 'dependencies.dependency.groupId' for $com.google.protobuf:protobuf-java:jar with value '$com.google.protobuf' does not match a valid id pattern.
+      # https://github.com/googleapis/java-cloud-bom/issues/5936
+      ERROR_MESSAGE=$(mvn dependency:tree -X |grep "ERROR" || true)
+      echo "ERROR_MESSAGE: ${ERROR_MESSAGE}"
+      if [ -n "${ERROR_MESSAGE}" ]; then
+        echo "${ERROR_MESSAGE}"
+        exit 1
+      fi
 

tests/validate-bom/src/main/resources/template.pom.xml

@@ -8,6 +8,12 @@
   <!-- This project is never get released to Maven Central -->
   <version>0.0.1-SNAPSHOT</version>
 
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>11</maven.compiler.source>
+    <maven.compiler.target>11</maven.compiler.target>
+  </properties>
+
 DEPENDENCY_MANAGEMENT
 
 DEPENDENCIES