Enforcing Standards for Deployment and Promotion with Rulesets
Nexus Repository Manager Pro lets you define staging rules that must be satisfied before a deployment can succeed or before a staging repository can be promoted.
Managing Staging Rulesets
Staging rulesets are customizable groups of rules that are validated against the components in a staging repository when the repository is closed or promoted. If any rules cannot be validated, closing or promoting the repository will fail.
A staging repository associated with a staging ruleset, configured in the staging profile, cannot be closed or promoted until all of the rules associated with the rulesets have been satisfied. This allows you to set standards for your own hosted repositories, and it is the mechanism that is used to guarantee the consistency of components stored in the Central Repository.
To create a Staging Ruleset, click on the Staging Ruleset item in the Build Promotion menu. This will load the interface shown in Figure 11.22, “Creating a Staging Ruleset”. The Staging Ruleset panel is used to define sets of rules that can be applied to staging profiles.
Figure 11.22. Creating a Staging Ruleset
Nexus Repository Manager Pro contains the following rules:
Archives must not contain insecure paths
This rule verifies that the staging repository does not contain any archive files with path entries that may traverse outside of the desired unpack location by using any number of "../" strings in the path.
Artifact Uniqueness Validation
This rule checks to see that the component being released, promoted, or staged is unique in a particular repository manager instance.
This rule validates that checksum files are present and correct for the published components.
The Javadoc Validation rule will verify that every project has a component with the javadoc classifier. If you attempt to promote a staging repository that contains components not accompanied by "-javadoc.jar" components, this validation rule will fail.
No promote action allowed
This rule can be used to prevent the promotion of a staging repository to a build promotion profile. It can be used to enforce a choice between releasing and dropping a staging repository only.
No release action allowed
This rule can be used to prevent the direct release of a staging repository. It can be used to enforce a choice between promoting and dropping a staging repository only.
The Staging POM Validation rule will verify Project URL - project/url, Project Licenses - project/licenses and Project SCM Information - project/scm. None of these POM elements can be missing or empty.
POM must not contain system scoped dependencies
This rule ensures that no dependency uses the system scope. The system scope allows for a path definition, which ultimately makes the component rely on a specific relative path. Using it is considered bad practice and violates the idea of having all necessary components available in repositories.
POM must not contain release repository
This rule can ensure that no release repository is defined in the repositories element in the POM. This is important since it potentially would circumvent the usage of the repository manager and could point to other repositories that are not actually available to a user of the component.
Profile target matcher
This rule verifies the staging repository content against the repository target configured in the staging profile for this staging repository. This enforces that components use the correct repository path as a result of the groupId.
The Signature Validation rule verifies that every item in the repository has a valid PGP signature. If you attempt to promote a staging repository that contains components not accompanied by a valid PGP signature, this validation will fail.
The Sources Validation rule will verify that every project has a component with the sources classifier. If you attempt to promote a staging repository that contains components not accompanied by "-sources.jar" components, this validation rule will fail.
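As an added example (not Nexus Repository Manager code), the following pre-deployment check works in the spirit of the "Archives must not contain insecure paths" rule above: it lists archive entries that would unpack outside the target directory. It goes beyond the "../" case the rule describes by also flagging absolute paths and backslash separators; the function names and sample archives are constructed for illustration.

```python
import io
import posixpath
import zipfile


def insecure_entries(archive_bytes):
    """Return names of entries that would unpack outside the target directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            # Treat backslashes as separators too, as some unpackers do.
            path = name.replace("\\", "/")
            # Absolute paths and drive letters ignore the unpack location.
            if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
                bad.append(name)
                continue
            # Collapse "a/../b" segments; a result that still starts with
            # ".." has climbed above the unpack root.
            normalized = posixpath.normpath(path)
            if normalized == ".." or normalized.startswith("../"):
                bad.append(name)
    return bad


def build_sample_jar(entries):
    """Constructed sample input: an in-memory archive with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


# "docs/../README.txt" stays inside the unpack root after normalization.
CLEAN = build_sample_jar(["META-INF/MANIFEST.MF", "com/example/App.class",
                          "docs/../README.txt"])
TAINTED = build_sample_jar(["com/example/App.class",
                            "../../tmp/escaped.txt",
                            "lib/../../outside.txt",
                            "..\\..\\settings.ini"])

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("tainted", TAINTED)):
        found = insecure_entries(data)
        print(label, "PASS" if not found else f"FAIL: {found}")
```

Running a check like this in the build before deployment surfaces the offending entry names early, rather than at the point where closing the staging repository fails.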
Defining Rulesets for Promotion
To define a ruleset to be used for closing or promotion, edit the staging profile by selecting it in the staging profile list. Scroll down to the sections Close Repository Staging Rulesets and Promote Repository Staging Rulesets as shown in Figure 11.23, “Associating a Staging Ruleset with a Staging Profile” and add the desired available rulesets to the left-hand list of activated rulesets for the current staging profile.
Figure 11.23. Associating a Staging Ruleset with a Staging Profile
The next time you attempt to close or promote a staging repository that was created with this profile, Nexus Repository Manager Pro will check that all of the rules in the associated rulesets are being followed.