ci: GraalVM CI uses existing Truststore if configured (#1914)

lqiu96 · lqiu96 · commit d2abcd607757 · 2026-04-13T12:01:15.000-04:00
* chore: Enable SSL debug logs for GraalVM image * chore: Pass SSL debug config to the native image * chore: Unset the tool options * chore: Set the native image truststore directly * chore: Test runtime args for graalvm * chore: Use the execution-id * chore: latest runs * chore: Add comments to explain Original-PR: googleapis/google-auth-library-java#1914
diff --git a/google-auth-library-java/.kokoro/build.sh b/google-auth-library-java/.kokoro/build.sh
@@ -0,0 +1,159 @@
+#!/bin/bash
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eo pipefail
+
+## Get the directory of the build script
+scriptDir=$(realpath $(dirname "${BASH_SOURCE[0]}"))
+## cd to the parent directory, i.e. the root of the git repo
+cd ${scriptDir}/..
+
+# include common functions
+source ${scriptDir}/common.sh
+
+# Print out Maven & Java version
+mvn -version
+echo ${JOB_TYPE}
+
+# attempt to install 3 times with exponential backoff (starting with 10 seconds)
+retry_with_backoff 3 10 \
+  mvn install -B -V -ntp \
+    -DskipTests=true \
+    -Dclirr.skip=true \
+    -Denforcer.skip=true \
+    -Dmaven.javadoc.skip=true \
+    -Dgcloud.download.skip=true \
+    -T 1C
+
+# if GOOGLE_APPLICATION_CREDENTIALS is specified as a relative path, prepend Kokoro root directory onto it
+if [[ ! -z "${GOOGLE_APPLICATION_CREDENTIALS}" && "${GOOGLE_APPLICATION_CREDENTIALS}" != /* ]]; then
+    export GOOGLE_APPLICATION_CREDENTIALS=$(realpath ${KOKORO_GFILE_DIR}/${GOOGLE_APPLICATION_CREDENTIALS})
+fi
+
+RETURN_CODE=0
+set +e
+
+case ${JOB_TYPE} in
+test)
+    echo "SUREFIRE_JVM_OPT: ${SUREFIRE_JVM_OPT}"
+    mvn test -B -ntp -Dclirr.skip=true -Denforcer.skip=true ${SUREFIRE_JVM_OPT}
+    RETURN_CODE=$?
+    ;;
+test-logging)
+    echo "SUREFIRE_JVM_OPT: ${SUREFIRE_JVM_OPT}"
+    mvn clean test -P '!slf4j2x,slf4j2x-test' -B -ntp -Dclirr.skip=true -Denforcer.skip=true ${SUREFIRE_JVM_OPT}
+    RETURN_CODE=$?
+    ;;
+lint)
+    mvn com.spotify.fmt:fmt-maven-plugin:check -B -ntp
+    RETURN_CODE=$?
+    ;;
+javadoc)
+    mvn javadoc:javadoc javadoc:test-javadoc -B -ntp
+    RETURN_CODE=$?
+    ;;
+integration)
+    mvn -B ${INTEGRATION_TEST_ARGS} \
+      -ntp \
+      -Penable-integration-tests \
+      -DtrimStackTrace=false \
+      -Dclirr.skip=true \
+      -Denforcer.skip=true \
+      -Djacoco.skip=true  \
+      -fae \
+      verify
+    RETURN_CODE=$?
+    ;;
+graalvm)
+    # Run Unit and Integration Tests with Native Image
+    bash .kokoro/populate-secrets.sh
+    export GOOGLE_APPLICATION_CREDENTIALS="${KOKORO_GFILE_DIR}/secret_manager/java-it-service-account"
+    
+    # GraalVM Native Image ignores JAVA_TOOL_OPTIONS at runtime. If the CI environment
+    # injects a custom truststore (e.g., for a proxy) via JAVA_TOOL_OPTIONS, we need to
+    # extract it and pass it explicitly to the native executable.
+    TRUST_STORE=""
+    if [[ "${JAVA_TOOL_OPTIONS}" =~ -Djavax.net.ssl.trustStore=([^ ]+) ]]; then
+        TRUST_STORE="${BASH_REMATCH[1]}"
+    fi
+    
+    # We use 'package' instead of 'test' to build the native image without automatically
+    # running it via the Maven plugin. This allows us to run it manually with the
+    # extracted truststore argument in the next step, avoiding complex Maven XML overrides.
+    mvn -B ${INTEGRATION_TEST_ARGS} -ntp -Pnative -Pnative-test -Pslf4j2x package -pl 'oauth2_http'
+    
+    # Run the native tests manually with the truststore
+    CMD="./oauth2_http/target/native-tests --xml-output-dir ./oauth2_http/target/native-test-reports"
+    if [ -n "$TRUST_STORE" ]; then
+        CMD="$CMD -Djavax.net.ssl.trustStore=$TRUST_STORE"
+    fi
+    
+    echo "Executing: $CMD"
+    $CMD
+    RETURN_CODE=$?
+    ;;
+samples)
+    SAMPLES_DIR=samples
+    # only run ITs in snapshot/ on presubmit PRs. run ITs in all 3 samples/ subdirectories otherwise.
+    if [[ ! -z ${KOKORO_GITHUB_PULL_REQUEST_NUMBER} ]]
+    then
+      SAMPLES_DIR=samples/snapshot
+    fi
+
+    if [[ -f ${SAMPLES_DIR}/pom.xml ]]
+    then
+        for FILE in ${KOKORO_GFILE_DIR}/secret_manager/*-samples-secrets; do
+          [[ -f "$FILE" ]] || continue
+          source "$FILE"
+        done
+
+        pushd ${SAMPLES_DIR}
+        mvn -B \
+          -ntp \
+          -DtrimStackTrace=false \
+          -Dclirr.skip=true \
+          -Denforcer.skip=true \
+          -fae \
+          verify
+        RETURN_CODE=$?
+        popd
+    else
+        echo "no sample pom.xml found - skipping sample tests"
+    fi
+    ;;
+clirr)
+    mvn -B -ntp -Denforcer.skip=true clirr:check
+    RETURN_CODE=$?
+    ;;
+*)
+    ;;
+esac
+
+if [ "${REPORT_COVERAGE}" == "true" ]
+then
+  bash ${KOKORO_GFILE_DIR}/codecov.sh
+fi
+
+# fix output location of logs
+bash .kokoro/coerce_logs.sh
+
+if [[ "${ENABLE_FLAKYBOT}" == "true" ]]
+then
+    chmod +x ${KOKORO_GFILE_DIR}/linux_amd64/flakybot
+    ${KOKORO_GFILE_DIR}/linux_amd64/flakybot -repo=googleapis/google-auth-library-java
+fi
+
+echo "exiting with ${RETURN_CODE}"
+exit ${RETURN_CODE}
