Features
Logging Parent aims to deliver the following features.
Parent POM
The provided parent POM features the following conveniences:
- apache-rat-plugin integration for license preamble verification
- log4j-changelog-maven-plugin integration for changelog and release note management
- maven-enforcer-plugin checks
- spotless-maven-plugin integration for code formatting
- jacoco-maven-plugin integration for test coverage analysis (optional coverage profile)
- bnd-maven-plugin integration for auto-generating OSGi and JPMS descriptors
- cyclonedx-maven-plugin integration for auto-generating Software Bill of Materials (SBOM)
- Antora-based site generation
CycloneDX Software Bill of Materials (SBOM)
Logging Parent streamlines the generation of CycloneDX Software Bill of Materials (SBOM) using cyclonedx-maven-plugin.
Plugin execution is configured and activated to generate SBOM files for each module, including the root one.
Generated SBOM files are attached as artifacts with cyclonedx classifier and XML extensions, that is, <artifactId>-<version>-cyclonedx.xml.
Produced SBOMs are enriched with vulnerability-assertion references to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains.
This VDR is accessible through the following URL: https://logging.apache.org/cyclonedx/vdr.xml
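A check for the VDR reference described above, as an added example that is not part of Logging Parent: it parses a CycloneDX XML SBOM and confirms that every vulnerability-assertion reference points at the VDR URL given on this page. The sample SBOM is constructed, and its module name, schema version and the placement of the reference under the metadata component are assumptions.

```python
"""Verify that a CycloneDX XML SBOM references the expected VDR."""
import xml.etree.ElementTree as ET

VDR_URL = "https://logging.apache.org/cyclonedx/vdr.xml"  # URL stated on this page

# Constructed sample, not real build output. The module name, schema version
# and the placement of <externalReferences> are assumptions.
SAMPLE_SBOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata>
    <component type="library">
      <name>example-module</name>
      <version>1.0.0</version>
      <externalReferences>
        <reference type="website"><url>https://example.org/</url></reference>
        <reference type="vulnerability-assertion">
          <url>https://logging.apache.org/cyclonedx/vdr.xml</url>
        </reference>
      </externalReferences>
    </component>
  </metadata>
</bom>
"""


def local(tag):
    """Strip the XML namespace so the check works across CycloneDX schema versions."""
    return tag.rsplit("}", 1)[-1]


def vulnerability_assertion_urls(sbom_xml):
    """Return the URLs of all vulnerability-assertion references in the SBOM."""
    root = ET.fromstring(sbom_xml)
    if local(root.tag) != "bom":
        raise ValueError("not a CycloneDX BOM: root element is %r" % local(root.tag))
    urls = []
    for ref in root.iter():
        if local(ref.tag) == "reference" and ref.get("type") == "vulnerability-assertion":
            urls += [(c.text or "").strip() for c in ref if local(c.tag) == "url"]
    return urls


def references_vdr(sbom_xml, expected=VDR_URL):
    """True only if the SBOM has such references and all point at the expected VDR."""
    urls = vulnerability_assertion_urls(sbom_xml)
    return bool(urls) and all(u == expected for u in urls)


if __name__ == "__main__":
    print(vulnerability_assertion_urls(SAMPLE_SBOM), references_vdr(SAMPLE_SBOM))
```

Run against a generated <artifactId>-<version>-cyclonedx.xml file, a missing reference or one pointing elsewhere makes references_vdr return False, which suits a release verification step.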
Reusable GitHub Actions workflows
Logging Parent publishes several reusable workflows that can be used from other repositories.
See Reusable GitHub Actions workflows for details.
Develocity configuration
Gradle Develocity is a service that provides statistics and other improvements to the development experience.
Due to an agreement between the ASF and Gradle, it is available for all ASF projects as the INFRA-hosted develocity.apache.org service.
Instructions to submit build scans to the develocity.apache.org server:
- Add a .mvn/develocity.xml configuration file to the repository. See Develocity Maven Extension User Manual for detailed configuration options. You can use the following example as template:

      <?xml version="1.0" encoding="UTF-8"?>
      <develocity>
        <projectId>logging-log4j2</projectId>
        <server>
          <url>https://develocity.apache.org</url>
        </server>
        <buildScan>
          <obfuscation>
            <ipAddresses>0.0.0.0</ipAddresses>
          </obfuscation>
          <publishing>
            <onlyIf>
              <![CDATA[env['CI'] != null]]>
            </onlyIf>
          </publishing>
          <backgroundBuildScanUpload>false</backgroundBuildScanUpload>
        </buildScan>
        <buildCache>
          <local>
            <enabled>false</enabled>
          </local>
          <remote>
            <enabled>false</enabled>
          </remote>
        </buildCache>
      </develocity>

  Do not add any .mvn/extensions.xml file to the repository. The file will be created by the reusable-build workflow.
- Modify the build workflow that should publish build scans:
  - Pass the secrets.DEVELOCITY_ACCESS_KEY, which is defined in all ASF repos, as DV_ACCESS_TOKEN secret of the workflow.
  - Set the develocity-enabled parameter to true.

  For example, you can use the snippet below:

      build:
        uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/12.1.1
        secrets:
          # Pass the access key on every branch except release/* branches
          DV_ACCESS_TOKEN: ${{ ! startsWith(github.ref_name, 'release/') && secrets.DEVELOCITY_ACCESS_KEY }}
        with:
          # Keep the extension disabled in release builds
          develocity-enabled: ${{ ! startsWith(github.ref_name, 'release/') }}

  The Maven Develocity Extension is a closed source extension, which requires a commercial Gradle Inc license to work. To guarantee the reproducibility of our builds and the security of our software supply chain, please disable the extension in our release builds.