Make forced dependency deprecation message consistent with the rest

    • -3
    • +3
    ./resolve/ForcedModulesIntegrationTest.groovy
  1. … 4 more files in changeset.
Temporarily ignore failing test due to revert

    • -0
    • +1
    ./resolve/VersionConflictResolutionIntegrationTest.groovy
Merge remote-tracking branch 'origin/release'

* origin/release:
  Update to RC3
  Revert reselection on selector removal

    • -0
    • +4
    ./resolve/VersionConflictResolutionIntegrationTest.groovy
Add opt-out to the duplicate project name detection

This commit reworks the project with duplicate names cycle detection fix by adding an opt-out: because the new behavior may force existing users to set both the artifactId and groupId to publications even if they don't publish all projects, this could be a potential breaking change.

    • -0
    • +35
    ./resolve/ProjectDependencyResolveIntegrationTest.groovy
  1. … 6 more files in changeset.
Revert reselection on selector removal

The change is causing instability and will need more complete testing and feedback from large builds.

Issue #6567

    • -0
    • +4
    ./resolve/VersionConflictResolutionIntegrationTest.groovy
  1. … 1 more file in changeset.
Tests showing the issue with legacy artifact selection

Issue #11825

    • -0
    • +120
    ./resolve/compatibility/ArtifactAndClassifierCompatibilityIntegrationTest.groovy
Fix circular dependencies when projects have the same name

Before this commit, during dependency resolution, a synthetic module version identifier was generated by project, using the group and name of the project. However, it's possible for a project in gradle to have the same name as another in the same build, leading to duplicates. In this case the projects were mixed together and led to a circular dependency.

This commit fixes the problem by making sure we generate distinct module version identifiers for such projects, by using the full project path as the name instead of the short name.

This also makes it possible to publish valid publications when using the maven or ivy publish plugins. However, we detect this problem early and warn the user that they should overwrite the project identity in this case.

    • -0
    • +45
    ./resolve/ProjectDependencyResolveIntegrationTest.groovy
  1. … 14 more files in changeset.
Make some error messages clearer

    • -0
    • +5
    ./resolve/verification/AbstractDependencyVerificationIntegTest.groovy
    • -7
    • +3
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
    • -7
    • +7
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 2 more files in changeset.
Break erroneous cycle if a component depending on itself is evicted (#11811)

    • -0
    • +34
    ./resolve/VersionConflictResolutionIntegrationTest.groovy
  1. … 1 more file in changeset.
Add test that reproduces #11844

    • -0
    • +35
    ./resolve/VersionConflictResolutionIntegrationTest.groovy
Fix verification of dependencies resolved in buildFinished

Previously it was possible that a user hook (buildFinished) was executed _after_ the verification code was done. With this commit this is no longer possible.

    • -0
    • +36
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
    • -2
    • +47
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
    • -3
    • +3
    ./resolve/verification/DependencyVerificationWritingIntegTest.groovy
  1. … 8 more files in changeset.
Rework error message in case verification loading fails

As #11775 shows that dependency verification initialization may fail for a different reason than not being able to parse the file, the exception is more generic and the cause will give the details.

    • -2
    • +3
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
  1. … 2 more files in changeset.
Add support for key fingerprints

In order to provide maximum security, it's now possible to use full key fingerprints, in addition to long (64-bit) key ids, in trusted or ignored keys.

It doesn't matter what format is used: if a trusted key uses a long id, then it's possible that if there's a key collision, an artifact would be trusted even if it shouldn't. If a fingerprint is used instead, then we would use the full fingerprint for verification.

It's worth noting that PGP doesn't provide the full fingerprint in signatures for the key issuer. This means that when we're going to download keys, we will still use the long ids.

Fixes #11770

    • -2
    • +3
    ./resolve/verification/AbstractSignatureVerificationIntegrationTest.groovy
    • -23
    • +131
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
    • -6
    • +5
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
  1. … 17 more files in changeset.
Serialize the artifact metadata for an `ArtifactCollection` instance to the instant execution cache.

    • -10
    • +8
    ./resolve/transform/ArtifactTransformParallelIntegrationTest.groovy
    • -21
    • +16
    ./resolve/transform/TransformationLoggingIntegrationTest.groovy
  1. … 9 more files in changeset.
Fix the serialization of `ArtifactCollection` instances that contain the output of artifact transforms to the instant execution cache.

Use a similar strategy to that used to capture the contents of a `FileCollection` that contains the output of artifact transforms.

    • -13
    • +12
    ./resolve/api/ArtifactCollectionIntegrationTest.groovy
    • -68
    • +63
    ./resolve/transform/ArtifactTransformCachingIntegrationTest.groovy
  1. … 6 more files in changeset.
Make it possible to declare a group of repositories for exclusive content

This should address the case where an artifact can be found in a specific group of repositories, not in a single one. This is for example the case when an artifact can be found either in the 'release' or 'snapshot' repository of a company, but not on the public repositories.

    • -0
    • +104
    ./resolve/ExclusiveRepositoryContentFilteringIntegrationTest.groovy
  1. … 3 more files in changeset.
Add a way to declare exclusive content for each repository

Before this change, if a repository declared contents using `repository.content { include "...." }`, it was required to also declare that the _other_ repositories excluded it in order to be mutually exclusive.

There's now an API which allows to declare exclusive content:

```
repositories {
    exclusiveContent {
        forRepository {
            maven { url "https://my-company-repo.com" }
        }
        filter { includeGroup("com.mycompany") }
    }
    mavenCentral()
}
```

    • -0
    • +144
    ./resolve/ExclusiveRepositoryContentFilteringIntegrationTest.groovy
  1. … 6 more files in changeset.
Do not fail when writing an artifact transform that takes the upstream dependencies of the artifact to the instant execution cache.

In this change, the result will be incorrect because an empty set of dependencies is passed to the transform action when it is loaded from the cache.

    • -2
    • +0
    ./resolve/transform/ArtifactTransformValuesInjectionIntegrationTest.groovy
    • -4
    • +3
    ./resolve/transform/ArtifactTransformWithDependenciesIntegrationTest.groovy
  1. … 8 more files in changeset.
Serialize the parameters of an artifact transform to the instant execution cache, rather than attempting to isolate the parameters and then serializing the result.

This allows the parameters to include files and other inputs that may need to be built before they can be queried, for example when the output of some transform is used as an input parameter to another transform (which is something different to chaining of several transforms to produce an output). An implication of this change is that the artifact parameter isolation now happens every time the cache is reused, whereas previously the isolation happened once on write. This can be improved later.

    • -3
    • +0
    ./resolve/transform/ArtifactTransformValuesInjectionIntegrationTest.groovy
    • -4
    • +0
    ./resolve/transform/ArtifactTransformWithFileInputsIntegrationTest.groovy
  1. … 10 more files in changeset.
Treat single version ranges as "required"

This commit changes the way Gradle handles single version ranges to treat them like Maven does: they are effectively "exact" version selectors (not strictly).

Fixes #11185

    • -9
    • +0
    ./resolve/ivy/IvyDynamicRevisionResolveIntegrationTest.groovy
    • -1
    • +1
    ./resolve/maven/MavenVersionRangeResolveIntegrationTest.groovy
  1. … 5 more files in changeset.
Mark tests as failing with instant execution

    • -0
    • +1
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
    • -0
    • +1
    ./resolve/verification/DependencyVerificationWritingIntegTest.groovy
Add API to disable dependency verification

This commit adds an API to disable verification on a specific configuration (using `resolutionStrategy.disableDependencyVerification`). This would let tasks which perform special dependency resolution (like checking newer versions of dependencies) to pass even if dependency verification is enabled.

    • -0
    • +71
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
    • -0
    • +35
    ./resolve/verification/DependencyVerificationWritingIntegTest.groovy
  1. … 10 more files in changeset.
Add ignore key test coverage and bump wrapper

    • -0
    • +75
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 1 more file in changeset.
Allow various Gradle services to be injected into artifact transform actions.

    • -1
    • +89
    ./resolve/transform/ArtifactTransformValuesInjectionIntegrationTest.groovy
  1. … 14 more files in changeset.
Update the error message to link to the docs

    • -2
    • +7
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
  1. … 5 more files in changeset.
Verify checksums for artifacts which declare them even if signature passes

This is done because signatures are done on the hash of artifacts and not on the artifact contents itself, so if you want to ensure both integrity and provenance, you need to check both.

    • -0
    • +33
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 1 more file in changeset.
Add information about paths to dependencies when failing verification

When dependency verification fails, it's often necessary to actually look at the artifacts which were downloaded. Gradle will not display the paths to the artifacts which were involved in a verification failure, so that the user can check if they are the ones they expect or something else.

This also gives the ability to actually delete the file from the local cache if it makes sense.

    • -1
    • +11
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
    • -0
    • +17
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 12 more files in changeset.
Avoid verifying the same artifact multiple times

and make sure that signature files are downloaded concurrently. This commit adds several improvements, in particular by avoiding making the same network requests multiple times just because we use the same PGP key but in a different context.

    • -0
    • +86
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 9 more files in changeset.
Fix ignored keys not written for failed verifications

In order to generate a file which can _immediately_ be used despite verification failures (because we fall back on checksum verification), we need to add the ignored keys at the artifact level.

    • -0
    • +3
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
  1. … 1 more file in changeset.
Add local keyring file

Fetching remote keys can be quite expensive. In order to avoid lookups, this commit introduces the ability to use a local keyrings file, found alongside the verification metadata.

This file can either be generated using regular tools like GPG, or via command-line by adding the `--export-keys` flag when generating the verification metadata.

    • -0
    • +34
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
    • -0
    • +56
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
  1. … 18 more files in changeset.