
Inconsistent Reproducibility Verification Due to Shared Maven Cache #388

@ppkarwasz

Description

On Windows, many Maven plugins—including the CycloneDX Maven Plugin—emit files with CRLF line endings. Despite this, the verify-reproducibility-reusable workflow sometimes reports successful reproduction of binaries that were originally built on UNIX (with LF line endings).

For example, see workflow run #15108310068.

This inconsistency strongly suggests that the workflow is unintentionally reusing a contaminated Maven cache shared with the build-* and deploy-* workflows. This shared cache may contain previously built artifacts, which can mask actual reproducibility issues and produce false positives.

Proposed Solutions

To eliminate these false positives and ensure true reproducibility verification, we can consider the following options:

  1. Avoid using the Maven local repository cache in the verify-reproducibility-reusable workflow.
  2. Use a dedicated Maven cache specifically for the verify-reproducibility-reusable workflow, separate from the one used by build and deploy workflows.
  3. Adopt Mimir to cache only immutable artifacts from Maven Central. I've successfully integrated Mimir into the SBOM Enforcer workflows, and it has proven effective in improving build reliability and reproducibility.
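One way to apply option 2 above, shown here as an added example rather than the repository's own workflow: the verify job restores a Maven local repository under its own cache key, then refuses to proceed if that repository already holds the project's artifacts. The workflow name, the placeholder groupId path and the use of the Maven Artifact Plugin's `compare` goal are assumptions.

```yaml
# Added example (not the SBOM Enforcer repository's workflow): a reusable
# reproducibility check whose Maven cache is disjoint from build-*/deploy-*.
name: verify-reproducibility-reusable
on:
  workflow_call:
    inputs:
      os:
        description: Runner to reproduce on (e.g. windows-latest for CRLF checks)
        required: true
        type: string

jobs:
  reproduce:
    runs-on: ${{ inputs.os }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          # `cache: maven` is deliberately omitted: its default key is the one
          # the build-* and deploy-* workflows share.

      # Dedicated cache: the key prefix never matches the build/deploy keys,
      # so artifacts produced by those workflows cannot be restored here.
      - uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: verify-reproducibility-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
          restore-keys: verify-reproducibility-${{ runner.os }}-

      # Guard: even with a separate key, fail loudly if the project's own
      # coordinates are already present, since a match would then be meaningless.
      - name: Refuse a pre-populated local repository
        shell: bash
        env:
          GROUP_PATH: org/example/project   # placeholder: your groupId as a path
        run: |
          if [ -d "$HOME/.m2/repository/$GROUP_PATH" ]; then
            echo "::error::$GROUP_PATH already cached; reproducibility result would be a false positive"
            exit 1
          fi

      # Rebuild from source and compare against the published reference
      # (assumes the project configures the Maven Artifact Plugin).
      - name: Rebuild and compare
        shell: bash
        run: mvn -B -ntp -DskipTests clean verify artifact:compare
```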
