BOM Guidelines
A "bill of materials" (BOM) is a customer-focused POM that contains a set of modules that are known to share a common set of dependencies. This reduces the need for consumers to handle dependency management for the Azure SDKs included in the BOM and allows more focus on the bigger picture.
azure-sdk-bom may contain modules that haven't reached general availability (GA). Unlike in generally available modules, this is allowed because the modules are contained in the dependencyManagement section. Artifacts listed in the management section aren't included as a dependency until listed in the dependencies section of the POM that is including azure-sdk-bom.
To consume the BOM, add it as an artifact in the dependency management section of the POM consuming it.
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.azure</groupId>
      <artifactId>azure-sdk-bom</artifactId>
      <version>1.0.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
After including the BOM, any artifact it contains can be added as a dependency without listing the version.
<dependencies>
  <dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-storage-blob</artifactId>
  </dependency>
  <dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
  </dependency>
  <dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-security-keyvault-secrets</artifactId>
  </dependency>
</dependencies>
A BOM is released to Maven in the same way as an artifact.
The release cadence for azure-sdk-bom may not match the cadence at which the individual artifacts contained in it are released.
The version change for azure-sdk-bom is based on the version changes for the artifacts it contains. The common version update for the BOM will be a patch release; this will occur if the artifacts contained in the BOM only have minor or patch releases. When an artifact contained in the BOM has a major version release, the BOM will have a minor version update.
Example
Given the version for azure-sdk-bom is 1.0.0.
Artifact Update | Resulting azure-sdk-bom Version |
---|---|
Major | 1.1.0 |
Minor | 1.0.1 |
Patch | 1.0.1 |
The validation process for azure-sdk-bom is different from other artifacts where linting and test cases must pass and the dependencies are released to Maven.
Dependency Checker
A BOM must ensure that the artifacts it contains share a common set of dependencies. This is determined by running a dependency checker and validating that no artifacts have conflicting dependencies. The dependency checker is a custom tool; the steps to run it are below.
- Clone the repository:
  git clone https://github.com/JonathanGiles/DependencyChecker.git
- Create an input directory in the root directory of the repository.
- Copy dependencies.json for azure-sdk-bom into the input folder.
- Run the checker:
  mvn -f pom.xml clean package exec:java -Dexec.args="-showall -analysebom"
- Verify the output from the dependency checker run.
The dependency checker output has three output levels:
Output Level | Color | Explanation |
---|---|---|
Success | Green | All artifacts share a common dependency and the latest version of the dependency is being used. |
Warning | Orange | All artifacts share a common dependency but the version of the dependency isn't the latest released to Maven. |
Error | Red | Two or more artifacts conflict on the version of a common dependency. |
A release candidate for azure-sdk-bom CANNOT have any errors in the output from running the dependency checker.
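The three output levels and the release gate above, worked through on constructed data. This is an added example, not code from the DependencyChecker tool or the Azure SDK. The input structure, the org.example coordinates and the LATEST table are assumptions; the real tool reads dependencies.json, whose format is not shown on this page.

```python
from collections import defaultdict

# Constructed sample input. The structure and the org.example coordinates are
# hypothetical; this is not the DependencyChecker's dependencies.json format.
ARTIFACT_DEPS = {
    "azure-storage-blob": {"org.example:core": "1.4.0", "org.example:http": "2.1.0",
                           "org.example:json": "3.0.2"},
    "azure-identity": {"org.example:core": "1.4.0", "org.example:http": "2.1.0"},
    "azure-security-keyvault-secrets": {"org.example:core": "1.4.0",
                                        "org.example:json": "3.0.1"},
}
# Constructed stand-in for "latest version released to Maven".
LATEST = {"org.example:core": "1.4.0", "org.example:http": "2.2.0",
          "org.example:json": "3.0.2"}


def classify(artifact_deps, latest):
    """Map each dependency to (level, {version: [artifacts declaring it]})."""
    users = defaultdict(lambda: defaultdict(list))
    for artifact, deps in artifact_deps.items():
        for coordinate, version in deps.items():
            users[coordinate][version].append(artifact)
    report = {}
    for coordinate, by_version in users.items():
        if len(by_version) > 1:
            level = "Error"      # artifacts conflict on the version
        elif next(iter(by_version)) != latest.get(coordinate):
            level = "Warning"    # one common version, but not the latest
        else:
            level = "Success"    # one common version, and it is the latest
        report[coordinate] = (level, {v: sorted(a) for v, a in by_version.items()})
    return report


def release_candidate_ok(report):
    """A release candidate cannot have any Error entries."""
    return all(level != "Error" for level, _ in report.values())


if __name__ == "__main__":
    result = classify(ARTIFACT_DEPS, LATEST)
    for coordinate, (level, by_version) in sorted(result.items()):
        print(f"{level:8} {coordinate} {by_version}")
    print("release candidate ok:", release_candidate_ok(result))
```

Only an Error blocks the release candidate; a Warning still passes the gate because every artifact agrees on the version.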