Adam Farley

Hmm, looks like the "workspace/target" addition is now universal, across all sha256.txt files for the latest builds of temurin. This is not just for the jre installer now. It's for...

Ok, it looks like we normally generate the sha256.txt files during the build/pipeline (build for windows, pipeline for Linux), and that they all have extra path before the file name...

Note to self: figure out if this needs a doc update. If there is a "How to release manually" doc, or if we need one.

Tasks: - [x] Add code to generate a sha256 file for each jar. - [x] Test that. - [x] Add code to generate a version file for each jar. -...

> 1. Why can't we retain the version number from the download? Deliberately removing it then holding a separate version file seems oddly complex. Because it seemed simpler to me...

> Also do we have a solution for being able to pull an old version when required (for example when doing a reproducible build of an older release which may...

> I'd personally feel more comfortable with pulling it out on the live system if we can. Either one works for me. Not fussed about adding parsing in. Will add...

Update: Currently [testing](https://ci.adoptium.net/job/build-scripts/job/jobs/job/jdk21u/job/jdk21u-linux-x64-temurin/147/) the set of code changes relating to sbom generation, (documentation updates pending). We now keep the cyclonedx dependency SHAs and version strings in a single location, making...

TLDR: The first step here is to centralise the SBOM dependency SHAs and version numbers in specific files. [PR here.](https://github.com/adoptium/temurin-build/pull/3709) This makes it easy for users to specify new versions...

Note: The fix for the bugged dependency SHAs in the sbom has been separated out into a new PR for the sake of the March 2024 release (expedited review). Master...