
Enforcing Standards for Deployment and Promotion with Rulesets (Nexus Repository 2)

Nexus Repository 2

Nexus Repository Manager Pro has the ability to define staging rules that must be satisfied to allow successful deployment or before a staging repository can be promoted.

Managing Staging Rulesets

Staging rulesets are customizable groups of rules that are validated against the components in a staging repository when the repository is closed or promoted. If any rules cannot be validated, closing or promoting the repository will fail.

A staging repository associated with a staging ruleset, configured in the staging profile, cannot be closed or promoted until all of the rules associated with the rulesets have been satisfied. This allows you to set standards for your own hosted repositories, and it is the mechanism that is used to guarantee the consistency of components stored in the Central Repository.

To create a Staging Ruleset, click on the Staging Ruleset item in the Build Promotion menu. This will load the interface shown in Figure 11.22, “Creating a Staging Ruleset”. The Staging Ruleset panel is used to define sets of rules that can be applied to staging profiles.


Figure 11.22. Creating a Staging Ruleset

Nexus Repository Manager Pro contains the following rules:

Archives must not contain insecure paths

This rule verifies that the staging repository does not contain any archive files whose path entries could traverse outside of the intended unpack location by using one or more "../" segments in the path.
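The check described above can be reproduced locally before anything is staged. The following script is an added example (not Nexus Repository Manager code) that inspects a zip-based archive such as a JAR and reports entries that would escape the unpack directory; the archive it scans is constructed inline for illustration.

```python
import io
import zipfile

# Added example: a local mirror of the "Archives must not contain insecure paths" rule.
# JAR, WAR and EAR files are zip archives, so zipfile covers the common Maven cases.


def is_insecure_entry(name: str) -> bool:
    """True if an archive entry name could escape the unpack directory.

    Rejects absolute paths, Windows drive-letter paths and any path that contains
    a ".." segment, after normalising backslashes to forward slashes.
    """
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return True
    if len(normalised) > 1 and normalised[1] == ":":  # e.g. "C:/..."
        return True
    return any(segment == ".." for segment in normalised.split("/"))


def insecure_entries(archive_bytes: bytes) -> list[str]:
    """Return every entry name in the archive that fails is_insecure_entry()."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [name for name in zf.namelist() if is_insecure_entry(name)]


def build_sample_archive() -> bytes:
    """Constructed sample: two ordinary entries and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../outside.txt", "escapes two levels up")
        zf.writestr("lib/../../escaped.txt", "escapes after a legitimate prefix")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in insecure_entries(build_sample_archive()):
        print("insecure path entry:", entry)
```

Run this against each archive in a staging directory before closing the repository; a non-empty result is the same condition that makes the Nexus rule fail.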

Artifact Uniqueness Validation

This rule checks to see that the component being released, promoted, or staged is unique in a particular repository manager instance.

Checksum Validation

This rule validates that checksum files are present and correct for each of the published components.

Javadoc Validation

The Javadoc Validation rule will verify that every project has a component with the javadoc classifier. If you attempt to promote a staging repository that contains components not accompanied by "-javadoc.jar" components, this validation rule will fail.

No promote action allowed

This rule can be used to prevent the promotion of a staging repository to a build promotion profile. It can be used to enforce a choice between releasing and dropping a staging repository only.

No release action allowed

This rule can be used to prevent the direct release of a staging repository. It can be used to enforce a choice between promoting and dropping a staging repository only.

POM Validation

The Staging POM Validation rule will verify the Project URL (project/url), the Project Licenses (project/licenses) and the Project SCM Information (project/scm). None of these POM elements may be missing or empty.

POM must not contain system scoped dependencies

Ensures that no dependency uses the scope system. System scope allows a path definition, ultimately making the component rely on a specific relative path on the build machine. Using it is considered bad practice and violates the idea of having all necessary components available in repositories.

POM must not contain release repository

This rule ensures that no release repository is defined in the repositories element of the POM. This is important because such a definition would potentially circumvent the usage of the repository manager and could point to other repositories that are not actually available to a user of the component.

Profile target matcher

This rule verifies the staging repository content against the repository target configured in the staging profile for this staging repository. This enforces that only components whose repository path, derived from their groupId, matches that target are accepted.

Signature Validation

The Signature Validation rule verifies that every item in the repository has a valid PGP signature. If you attempt to promote a staging repository that contains components not accompanied by a valid PGP signature, this validation will fail.

Sources Validation

The Sources Validation rule will verify that every project has a component with the sources classifier. If you attempt to promote a staging repository that contains components not accompanied by "-sources.jar" components, this validation rule will fail.
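The Checksum Validation, Javadoc Validation, Sources Validation and Profile target matcher rules all inspect the on-disk layout of the staged components, so a local pre-flight can catch their failures before an upload. The script below is an added example and not Nexus code: it builds a constructed Maven-layout staging directory with deliberate defects (a wrong .sha1, a missing .md5, no -javadoc.jar, and a file under a groupId outside the profile target) and reports each one. It assumes .md5 and .sha1 sidecars, jar-packaged projects, and a profile target expressed as an allowed list of groupIds.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: local mirror of the checksum, classifier and target-path staging rules.
CHECKSUM_ALGOS = ("md5", "sha1")            # sidecars published next to every file
SIDE_SUFFIXES = (".md5", ".sha1", ".asc")    # sidecars are not themselves checked


def checksum_violations(root: Path) -> list[str]:
    """Checksum Validation: each file needs a present and matching .md5/.sha1 sidecar."""
    out: list[str] = []
    for f in sorted(root.rglob("*")):
        if not f.is_file() or f.suffix in SIDE_SUFFIXES:
            continue
        rel = f.relative_to(root).as_posix()
        data = f.read_bytes()
        for algo in CHECKSUM_ALGOS:
            sidecar = f.with_name(f"{f.name}.{algo}")
            if not sidecar.exists():
                out.append(f"missing {algo} checksum for {rel}")
                continue
            # Sidecars hold the hex digest, optionally followed by the file name.
            parts = sidecar.read_text().split()
            published = parts[0].lower() if parts else ""
            if published != hashlib.new(algo, data).hexdigest():
                out.append(f"{algo} checksum mismatch for {rel}")
    return out


def classifier_violations(root: Path, classifiers=("sources", "javadoc")) -> list[str]:
    """Sources/Javadoc Validation: every <artifactId>-<version>.pom must sit beside
    <artifactId>-<version>-sources.jar and -javadoc.jar (assumes jar packaging)."""
    out: list[str] = []
    for pom in sorted(root.rglob("*.pom")):
        base = pom.stem  # "<artifactId>-<version>"
        for classifier in classifiers:
            if not (pom.parent / f"{base}-{classifier}.jar").exists():
                out.append(f"{base}: missing -{classifier}.jar")
    return out


def target_violations(root: Path, allowed_group_ids: tuple[str, ...]) -> list[str]:
    """Profile target matcher: component paths must start with an allowed groupId path."""
    prefixes = tuple(g.replace(".", "/") + "/" for g in allowed_group_ids)
    return [f"{f.relative_to(root).as_posix()} is outside the profile target"
            for f in sorted(root.rglob("*"))
            if f.is_file() and f.suffix not in SIDE_SUFFIXES
            and not f.relative_to(root).as_posix().startswith(prefixes)]


def _write_with_sidecars(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    for algo in CHECKSUM_ALGOS:
        path.with_name(f"{path.name}.{algo}").write_text(hashlib.new(algo, data).hexdigest())


def build_sample_staging(base: Path) -> Path:
    """Constructed staging layout with deliberate defects (sample data, not real artifacts)."""
    d = base / "com/example/demo/1.0.0"
    _write_with_sidecars(d / "demo-1.0.0.pom", b"<project/>")
    _write_with_sidecars(d / "demo-1.0.0.jar", b"PK\x03\x04 sample jar bytes")
    _write_with_sidecars(d / "demo-1.0.0-sources.jar", b"PK\x03\x04 sample sources")
    (d / "demo-1.0.0.jar.sha1").write_text("0" * 40)   # published digest no longer matches
    (d / "demo-1.0.0-sources.jar.md5").unlink()        # sidecar dropped entirely
    # demo-1.0.0-javadoc.jar is intentionally absent
    _write_with_sidecars(base / "org/other/thing/1.0/thing-1.0.jar", b"PK\x03\x04 stray")
    return base


def run_demo() -> dict[str, list[str]]:
    """Build the sample layout in a temp dir and return every rule's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_staging(Path(tmp))
        return {
            "checksum": checksum_violations(root),
            "classifier": classifier_violations(root),
            "target": target_violations(root, ("com.example",)),
        }


if __name__ == "__main__":
    for rule, findings in run_demo().items():
        for finding in findings:
            print(f"[{rule}] {finding}")
```

Point the three check functions at a real local staging directory (the output of a deploy to a file:// repository, for instance) and the findings correspond to the failures Nexus would report when the repository is closed.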

Defining Rulesets for Promotion

To define a ruleset to be used for closing or promotion, edit the staging profile by selecting it in the staging profile list. Scroll down to the sections Close Repository Staging Rulesets and Promote Repository Staging Rulesets as shown in Figure 11.23, “Associating a Staging Ruleset with a Staging Profile” and add the desired available rulesets to the left-hand list of activated rulesets for the current staging profile.


Figure 11.23. Associating a Staging Ruleset with a Staging Profile

The next time you attempt to close or promote a staging repository that was created with this profile, Nexus Repository Manager Pro will check that all of the rules in the associated rulesets are being followed.