Martin
11/07/2024, 3:19 PMpom.license.url
in addition to pom.license.name
?
We're considering removing the url from our poms because they duplicate information and make the pom validation somewhat harder: url can take many forms while license.name
can point to a well defined SPDX id. Are we breaking someone's workflow by doing this?Daymon
11/11/2024, 4:28 PMeb4c1bfd4f042f6dddccec917721f63bd38b4796
on the ubuntu keyserver, we'd have to manually add a <trusted-key>
entry per subkey.
I can see the value in doing this, since subkeys are usually rotated- but from a consumer standpoint, this seems verbose. I guess a better question would be, is there a way to have gradle automatically add subkeys of a trusted key to the metadata xml file? I understand you can run ./gradlew --write-verification-metadata pgp,sha256
to automatically populate the metadata, but that can potentially introduce excessive positives for untrusted artifacts. Ideally, we want to automatically update the metadata file, but only for updating trusted keys per remote key servers.
Am I missing some feature or misunderstanding something about the process here?Martin
11/21/2024, 4:16 PMIvan CLOVIS Canet
12/06/2024, 2:18 PMIvan CLOVIS Canet
12/15/2024, 4:57 PMefemoney
12/18/2024, 2:23 PMDependencyCollector
& DependencyModifier
etc APIs? Its been incubating for a while & entire ecosystem is in shambles regarding dependencies (*_stares directly at KGP_ 👀), Any blockers to stabilizing these APIs?Dmitry Lapshin
01/08/2025, 7:23 PMConfiguration.getResolvedConfiguration()
to Configuration.getIncoming()
?
I've found an observable behaviour change, even though it's a bit small: if one adds file dependencies (like implementation(files("libs/a.jar"))
):
• Old API wouldn't return them from ResolvedConfiguration.getResolvedArtifacts()
but would return them in ResolvedConfiguration.getFiles()
,
• But new one will return both from ResolvableConfiguration.getArtifacts()
, but for standalone files their ResolvedArtifactResult.getId()
would be (at 8.12 at least) of org.gradle.internal.component.local.model.OpaqueComponentArtifactIdentifier
, and the only things accessible without using the internal class are `toString`/`displayName` and friends, and they aren't fully informative, for me they only contain file name.
On older API I've run through ResolvedConfiguration.getFiles()
and for all files not found in .getResolvedArtifacts()
I'd mark them down for my usage by their path, but in new API those are in artifacts, and the component name lacks full path.Martin
01/10/2025, 6:11 PMMartin
01/15/2025, 4:11 PMIncluded build 'apollo-kotlin' not found in build 'apollo-kotlin'
Moving away from pluginManagement { includeBuild() }
/`plugins { id() }` to includeBuild()
/`buildscript { dependencies {} }` fixes the issue but it feels really weird. Does anyone have any clue what could have gone wrong here?Jacob Skillin
01/20/2025, 4:03 PMfailOnVersionConflict
resolution strategy, and dependency locking lockAllConfigurations
turned on, ends up requiring also the exact same version of Gradle to reproduce the same build. This appears to be because the kotlin-dsl plugin aggressively writes the stdlib and other dependencies into the graph:
* What went wrong:
Execution failed for task ':dependencies'.
> Could not resolve all dependencies for configuration ':compileClasspath'.
> Conflicts found for the following modules:
- org.jetbrains.kotlin:kotlin-stdlib between versions 1.9.24 and 1.9.22
- org.jetbrains.kotlin:kotlin-reflect between versions 1.9.24 and 1.9.22
In order to correctly reproduce a Gradle build that uses Kotlin, is it also required that I use the exact same version of Gradle to invoke the exact same Kotlin compiler as well? Or is it possible to ask Kotlin to use different dependencies in my project?Robert Elliot
02/11/2025, 4:01 PM:app
, which has the spring boot plugin applied, so it generates a runnable jar artifact from tasks.bootJar
into layout.buildDirectory.dir("libs")
- in practice, app/build/libs/app-boot.jar
. It also has the application
plugin so it generates app/build/libs/app-plain.jar
(which does not contain all the other deps).
I would like the parent project to copy app-boot.jar
into is build dir - layout.buildDirectory.dir("artifacts")
, in practice build/artifacts/app-boot.jar
.
Non-working attempt in thread...Barteks2x
02/17/2025, 7:44 PMBarteks2x
02/17/2025, 9:40 PMChris Doré
02/18/2025, 9:09 PMplatform(<dep>)
(Gradle 2.8 to be precise), did Gradle properly work with importing boms? I'm working with an old build that I cannot upgrade. The POM of one of the deps contains:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>my.group</groupId>
<artifactId>myPlatform</artifactId>
<version>1.2.3</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
That platform contains a dependencyManagement
element as expected, however the versions listed appear to have no influence on the resolved dep tree.
I cannot recall whether such an old Gradle version fully resolves dep management sections or not, and I'm not sure if I've got something broken in the build or if it's just the Gradle version.pablozki
02/24/2025, 8:31 PMMichal Klusák
03/03/2025, 11:00 AM// include(":A") // Commented out
// include(":B") // Commented out
build.gradle.kts:
kotlin.sourceSets {
if (isABEnabled()) { // false
val commonMain by getting {
dependencies {
implementation(projects.A) // Gradle sync fails
implementation(projects.B) // Gradle sync fails
}
}
}
}
The old dependency declaration works, but I would like to use type-safe access everywhere:
kotlin.sourceSets {
if (isABEnabled()) { // false
val commonMain by getting {
dependencies {
implementation(":A") // Gradle sync works
implementation(":B") // Gradle sync works
}
}
}
}
kris
04/02/2025, 12:10 AMtesting {
suites {
// Configure the default test suite (unit tests)
val test by getting(JvmTestSuite::class) {
useJUnitJupiter()
}
// Register an integration test suite
register<JvmTestSuite>("testGraphql") {
// Define test sources directories
sources {
kotlin {
srcDir("src/testGraphql/kotlin")
}
resources {
srcDir("src/testGraphql/resources")
}
}
dependencies {
implementation(project())
}
// Configure the implementation configuration to extend from the main implementation
configurations {
// Make testGraphqlImplementation extend from implementation
named(sources.implementationConfigurationName) {
extendsFrom(configurations["implementation"])
// Also extend from testImplementation to get all test dependencies
extendsFrom(configurations["testImplementation"])
}
// Make testGraphqlRuntimeOnly extend from runtimeOnly
named(sources.runtimeOnlyConfigurationName) {
extendsFrom(configurations["runtimeOnly"])
extendsFrom(configurations["testRuntimeOnly"])
}
}
// Test framework
useJUnitJupiter()
targets {
all {
testTask.configure {
// Make integration tests run after unit tests
shouldRunAfter(test)
// Only run tests if they've changed
outputs.upToDateWhen { false }
}
}
}
}
}
}
tasks.named("check") {
dependsOn(testing.suites.named("testGraphql"))
}
tasks.withType<Test> {
useJUnitPlatform()
}
Also I was having an issue where I have some duplicate test resources, I have solved it with this. but ideally I wouldn't need a duplicate strategy, it would just not put the the resources from a different jvmtestsuite on the classpath, that way they are seperate but can exist in the same project, but I don't know how to arrange this.
tasks.named<ProcessResources>("processTestResources") {
duplicatesStrategy = DuplicatesStrategy.INCLUDE // Options: INCLUDE, WARN, EXCLUDE
}
tasks.named<ProcessResources>("processTestGraphqlResources") {
duplicatesStrategy = DuplicatesStrategy.INCLUDE // Options: INCLUDE, WARN, EXCLUDE
}
Satyarth Sampath
04/24/2025, 8:08 AMVampire
05/12/2025, 10:02 AM> Could not resolve all files for configuration ':foo:compileClasspath'.
> Could not resolve commons-io:commons-io:{strictly 2.11.0}.
Required by:
project :foo > project :bar
> Cannot find a version of 'commons-io:commons-io' that satisfies the version constraints:
Dependency path 'my.group:foo:1' --> 'my.group:bar:1' (apiElements) --> 'commons-io:commons-io:{strictly 2.11.0}'
Dependency path 'my.group:foo:1' --> 'my.group:bar:1' (apiElements) --> 'org.apache.poi:poi-ooxml:5.4.1' (compile) --> 'commons-io:commons-io:2.18.0'
Dependency path 'my.group:foo:1' --> 'my.group:bar:1' (apiElements) --> 'org.apache.poi:poi:5.4.1' (compile) --> 'commons-io:commons-io:2.18.0'
Dependency path 'my.group:foo:1' --> 'my.group:bar:1' (apiElements) --> 'org.apache.poi:poi-ooxml:5.4.1' (compile) --> 'org.apache.commons:commons-compress:1.27.1' (compile) --> 'commons-io:commons-io:2.16.1'
Dependency path 'my.group:foo:1' --> 'my.group:bar:1' (apiElements) --> 'org.apache.xmlgraphics:batik-svg-dom:1.18' (compile) --> 'org.apache.xmlgraphics:batik-awt-util:1.18' (compile) --> 'org.apache.xmlgraphics:xmlgraphics-commons:2.10' (compile) --> 'commons-io:commons-io:2.11.0'
Eug
05/13/2025, 7:32 AMritesh singh
05/15/2025, 7:57 AMThomas Broyer
06/25/2025, 12:45 PMVladimir Sitnikov
07/22/2025, 4:33 PMtrusted-keys
and then it might have component/artifact/pgp
below. How do they differ?
<trusted-key id="0D35D3F60078655126908E8AF3D1600878E85A3D" group="io.netty" name="netty-bom" version="4.1.104.Final"/>
<component group="io.netty" name="netty-bom" version="4.1.101.Final">
<artifact name="netty-bom-4.1.101.Final.pom">
<pgp value="0D35D3F60078655126908E8AF3D1600878E85A3D"/>
</artifact>
</component>
What is the reason Gradle adds a component-related record while there’s trusted-key
for it?
2. It looks like trusted-key
and component
duplicate information.
3. The entries in trusted-key
are not consistent. Sometimes they include only group, sometimes they include component, and sometimes they include the version as well:
<trusted-key id="187366A3FFE6BF8F94B9136A9987B20C8F6A3064" group="com.google.protobuf"/>
<trusted-key id="190D5A957FF22273E601F7A7C92C5FEC70161C62" group="org.apache" name="apache" version="18"/>
<trusted-key id="19BEAB2D799C020F17C69126B16698A4ADF4D638" group="org.checkerframework" name="checker-qual"/>
Frankly, I find it quite surprising. Should it rather be configured with a setting like “trust PGP for group/group+artifact/group+artifact+version”?
4. It is strange --write-verification-metadata
requires pgp,sha256
arguments. Should it rather be included into the verification-metadata.xml
? My understanding is that verification-metadata.xml
should be self-sufficient to specify what it actually verifies. Then --write-verificaiton-metadata
should be idempotent.
I’m using Gradle 8.14.3 if that mattersRené
08/27/2025, 7:38 AMDependencyHandler#addProvider(String,Provider<Object)
also support sth like DependencyHandler#addProvider(String,Provider<Collection<Object>>)
We try to be good citicen using the provider api where possible but often we break at certain gradle api boundaries. E.g. we have a Provider<Collection<String>>
representing a set of dependencies. what I now end up doing is mapping this explicitly to a dependencySet "early" and do
myConfiguration.defaultDependencies(t -> {
psService.get()
myDepsProvider.get()
.forEach(path -> t.add(depsHandler.project(Map.of("path", path))));
});
which feels just wrong and a misuse of defaultDependencies. Ideally I'd be able to do
dependencyHandler.addProvider("myConfiguration", myDeps.map(deps -> deps.collect(d -> dependencyHandler.project(Map.of("path", d)))))
Or do i miss something here to make that simpler?René
09/02/2025, 7:40 AMcheckstyle
and spotless
. I wonder if there's a way or if I would need a different approach like using a specific variant for those configurations or something like that.Jacob Skillin
09/03/2025, 3:19 PMJames Kyle
09/05/2025, 6:33 PMimplementation(platform(project(':path:to-platform')))
Is there a way, other than enabling allowDependencies
, to enforce a verison across all subpackages for another project without specifying each one individually? Like take jackson suite of packages or awssdk? Something similar to the bom constraint pattern you can use implementation(platform('com.fasterxml.jackson:jackson-bom:2.15.2'))
Tapchicoma
09/08/2025, 8:30 AMConfiguration
?Eug
09/11/2025, 7:09 AMEdwin Jakobs
09/11/2025, 4:04 PM