apache-tika version stream and cve fix #38207

Merged
merged 1 commit into from
Dec 22, 2024

developer-guy
Member

Fixes:

Related:

Pre-review Checklist

For new package PRs only

  • This PR is marked as fixing a pre-existing package request bug
    • Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
  • REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • REQUIRED - The version of the package is still receiving security updates
  • This PR links to the upstream project's support policy (e.g. endoflife.date)

For new version streams

  • The upstream project actually supports multiple concurrent versions.
  • Any subpackages include the version string in their package name (e.g. name: ${{package.name}}-compat)
  • The package (and subpackages) provides: logical unversioned forms of the package (e.g. nodejs, nodejs-lts)
  • If non-streamed package names no longer built, open PR to withdraw them (see WITHDRAWING PACKAGES)

@developer-guy developer-guy force-pushed the apache-tika-version-stream branch from 4b74759 to 224063f Compare December 22, 2024 15:46
Contributor

octo-sts bot commented Dec 22, 2024

Gen AI suggestions to solve the build error:

• Detected Error: git clone ... --branch=3.0.0 ... https://github.com/apache/tika
(implicit error: the clone operation failed because the tag doesn't exist in this format)

• Error Category: Version/Configuration

• Failure Point: git-checkout step in pipeline

• Root Cause Analysis: The tag format in the Apache Tika repository uses a 'v' prefix for version tags (e.g., 'v3.0.0' instead of '3.0.0')

• Suggested Fix:

  - uses: git-checkout
    with:
      repository: https://github.com/apache/tika
      tag: v${{package.version}}
      expected-commit: 9bcb38d6734ed9d5dcff617f316c535e844c68d1

• Explanation:
Apache Tika uses version tags prefixed with 'v' in their repository. The current configuration tries to checkout tag '3.0.0' but the actual tag in the repository is 'v3.0.0'. Adding the 'v' prefix will allow git to find and checkout the correct tag.

• Additional Notes:

  • The expected-commit hash appears correct for v3.0.0
  • The update.github.tag-filter should also be updated to match this pattern
  • Recommend updating the update section to:
update:
  enabled: true
  github:
    identifier: apache/tika
    use-tag: true
    tag-filter: v3.0.

• References:

Contributor

octo-sts bot commented Dec 22, 2024

Gen AI suggestions to solve the build error:

• Detected Error: The build log doesn't show an explicit error, but appears to stop after the git checkout step without proceeding to the Maven build steps.

• Error Category: Build Configuration

• Failure Point: After git checkout, before Maven build steps

• Root Cause Analysis:
The issue appears to be with the tag format in the git-checkout step. Apache Tika uses tags prefixed with 'v' (e.g., 'v3.0.0') while the YAML is trying to checkout '3.0.0'.

• Suggested Fix:
Modify the git-checkout section to use the correct tag format:

  - uses: git-checkout
    with:
      repository: https://github.com/apache/tika
      tag: v${{package.version}}
      expected-commit: 9bcb38d6734ed9d5dcff617f316c535e844c68d1

• Explanation:
Apache Tika's repository uses version tags prefixed with 'v' (e.g., v3.0.0). The current configuration tries to checkout tag '3.0.0' which doesn't exist, causing the build to fail silently. Adding the 'v' prefix will allow the checkout to find the correct tag.

• Additional Notes:

  • The tag-filter in the update section is correct as it already includes 'v3.0.'
  • The expected-commit hash appears correct for v3.0.0
  • Consider adding error handling or verbose logging to catch checkout failures

• References:
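
The tag-prefix mismatch and `expected-commit` pin discussed in the two bot comments above, as an added example that is not part of this PR or of the project's tooling: a Python check that expands a tag template, looks it up in `git ls-remote --tags` output, and compares the peeled commit with the pin. The function names and the placeholder hashes in the sample are assumptions constructed for illustration.

```python
import re

# Constructed `git ls-remote --tags` output (placeholder hashes, not real Tika data).
# An annotated tag appears twice: the tag object, then the peeled commit ("^{}").
SAMPLE_LS_REMOTE = (
    "1" * 40 + "\trefs/tags/v2.9.2\n"
    + "a" * 40 + "\trefs/tags/v3.0.0\n"
    + "b" * 40 + "\trefs/tags/v3.0.0^{}\n"
)

REF_LINE = re.compile(r"([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?")


def parse_tags(ls_remote_output):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry."""
    tags = {}
    for line in ls_remote_output.splitlines():
        m = REF_LINE.fullmatch(line.strip())
        if not m:
            continue
        sha, name, peeled = m.groups()
        if peeled or name not in tags:
            tags[name] = sha
    return tags


def check_pin(ls_remote_output, version, tag_template, expected_commit):
    """Return (ok, reason) for a tag template plus expected-commit pin."""
    tags = parse_tags(ls_remote_output)
    tag = tag_template.replace("${{package.version}}", version)
    if tag not in tags:
        # Suggest a tag that differs only by a leading "v".
        near = [t for t in tags if t.removeprefix("v") == tag.removeprefix("v")]
        hint = f"; did you mean {near[0]!r}?" if near else ""
        return False, f"tag {tag!r} not found{hint}"
    if tags[tag] != expected_commit:
        return False, f"tag {tag!r} is {tags[tag]}, expected {expected_commit}"
    return True, f"tag {tag!r} matches expected commit"


if __name__ == "__main__":
    commit = "b" * 40
    for template in ("${{package.version}}", "v${{package.version}}"):
        print(check_pin(SAMPLE_LS_REMOTE, "3.0.0", template, commit))
    # Pinning the annotated tag object's SHA instead of the commit is rejected.
    print(check_pin(SAMPLE_LS_REMOTE, "3.0.0", "v${{package.version}}", "a" * 40))
```
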

@developer-guy developer-guy force-pushed the apache-tika-version-stream branch from 224063f to 09f8699 Compare December 22, 2024 15:57
Contributor

octo-sts bot commented Dec 22, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "Error: no dependencies or properties provides, use --dependencies/--patch-file or --properties/properties-file"

• Error Category: Configuration

• Failure Point: maven/pombump step in the pipeline

• Root Cause Analysis: The pombump command is failing because it's missing required arguments for dependencies or properties. The pombump tool is used to modify Maven POM files but requires specific configuration.

• Suggested Fix:
Modify the maven/pombump step in the pipeline to include required parameters:

  - uses: maven/pombump
    with:
      file: pom.xml
      properties:
        project.version: ${{package.version}}
    working-directory: tika-parent

• Explanation:
The pombump tool requires either dependencies or properties to modify in the POM file. Since we're building a specific version, we need to set the project version property to match the package version. This ensures the Maven build uses the correct version number.

• Additional Notes:

  • The current error occurs because pombump is called without any configuration
  • The tool needs to know what to modify in the POM file
  • Setting the project.version property is a common pattern for Maven builds
  • The working-directory is correct, but the tool needs more configuration

• References:

@developer-guy developer-guy force-pushed the apache-tika-version-stream branch from 09f8699 to b0bc5b8 Compare December 22, 2024 16:10
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.) Dec 22, 2024
@developer-guy developer-guy force-pushed the apache-tika-version-stream branch from b0bc5b8 to 16790f9 Compare December 22, 2024 17:09
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
@developer-guy developer-guy force-pushed the apache-tika-version-stream branch from 16790f9 to 6317649 Compare December 22, 2024 17:09
@hectorj2f hectorj2f merged commit 7bc59dd into wolfi-dev:main Dec 22, 2024
10 checks passed