Serialize the artifact dependencies for each artifact transform node to the instant execution cache, if the node requires them.

Do not fail when writing an artifact transform that takes the upstream dependencies of the artifact to the instant execution cache.

In this change, the result will be incorrect because an empty set of dependencies is passed to the transform action when it is loaded from the cache.

Serialize the parameters of an artifact transform to the instant execution cache, rather than attempting to isolate the parameters and then serializing the result.

This allows the parameters to include files and other inputs that may need to be built before they can be queried, for example when the output of some transform is used as an input parameter to another transform (which is something different to chaining of several transforms to produce an output). An implication of this change is that the artifact parameter isolation now happens every time the cache is reused, whereas previously the isolation happened once on write. This can be improved later.

Use an import instead of qualified names.

Publish 6.1-20191227000026+0000

Upgrade to JMH plugin 0.5.0

Add ignore key test coverage and bump wrapper

Publish 6.1-20191226000043+0000

Ignore signature for j2objc

Publish 6.1-20191225000018+0000

Allow various Gradle services to be injected into artifact transform actions.

Add some test coverage that services are available for injection into various types of objects.

Improve wording of verification docs

Mention that the GPG file must be considered binary

Rework how the keyring file is written

For some reason the previous version is not always fully re-readable...

Update the error message to link to the docs

Add note about key expiration

Fix duplicate verification when using force realize

Tweak grammar

Fix review comments

Verify checksums for artifacts which declare them even if signature passes

This is done because signatures are done on the hash of artifacts and not on the artifact contents itself, so if you want to ensure both integrity and provenance, you need to check both.

Add an XML schema for the verification file

Publish 6.1-20191224000054+0000

Add safety around reading of keyring file

Regroup trusted keys for readability

If a single key is trusted multiple times for different artifacts, we now regroup the artifact coordinates under the `trusted-key` tag.

Do not create multiple execution service instances in the Groovy compiler worker.

Upgradle to latest nightly

For more VFS retention fixes.

Add a section explaining how to manually check artifacts

This is based on a real debugging session on the Gradle build


Add information about paths to dependencies when failing verification

When dependency verification fails, it's often necessary to actually look at the artifacts which were downloaded. Gradle will not display the paths to the artifacts which were involved in a verification failure, so that the user can check if they are the ones they expect or something else.

This also gives the ability to actually delete the file from the local cache if it makes sense.

Dogfood signature verification

This commit introduces dependency signature verification to the Gradle build. Checksum verification is still used as a fallback.
