gautamworah96 opened a new pull request #108: URL: https://github.com/apache/lucene/pull/108
Remove custom checksum generation logic from our gradle build. We can now use gradle to both generate checksums and verify our dependencies to check that they match that checksum. Additionally, gradle generates checksums for all artifacts (not just JARs). These checksums are stored in verification-metadata.xml.

# Description

I've followed the JIRA recommended method of solving the issue by using [gradle based metadata verification](https://docs.gradle.org/6.8.1/userguide/dependency_verification.html#sub:enabling-verification). This solution uses SHA256 over the previously used SHA1 used in the repo. We also generate checksums of all transitive artifacts now (pom files etc). It is possible to disable this feature if needed.

# Solution

We add a [basic file first](https://docs.gradle.org/6.8.1/userguide/dependency_verification.html#sub:enabling-verification) and then use `./gradlew --write-verification-metadata sha256 help` to regenerate the checksum file. I've also updated the instructions with ways to regenerate the checksum file once we add a new dependency. The build will now automatically fail if you add a dependency (that is imported by gradle) and is not added to the metadata file. The error log prints a helpful error stating that the verification-metadata.xml file has to be regenerated.
I could not find a way to run this command automatically every time we run `./gradlew assemble` (this would've removed the need for a developer to manually run a command and update checksum metadata).

# Tests

Run `./gradlew assemble`. Modified the SHA256 checksums and running `./gradlew assemble` fails. Verified that using SHA1 produced the same checksums as the one in the previous checksum files (that were in the repo and this PR removes).

However, `./gradlew check` fails with an error for the `spotlessInternalRegisterDependencies` task:

```
> Task :spotlessInternalRegisterDependencies FAILED
You probably need to add a repository containing the '[com.google.googlejavaformat:google-java-format:1.9]' artifact in the 'build.gradle' of your root project.
E.g.: 'buildscript { repositories { mavenCentral() }}'
org.gradle.api.InvalidUserDataException: Dependency verification failed for configuration ':detachedConfiguration1'
15 artifacts failed verification:
  - animal-sniffer-annotations-1.18.jar (org.codehaus.mojo:animal-sniffer-annotations:1.18) from repository Gradle Central Plugin Repository
  - animal-sniffer-annotations-1.18.pom (org.codehaus.mojo:animal-sniffer-annotations:1.18) from repository Gradle Central Plugin Repository
  - animal-sniffer-parent-1.18.pom (org.codehaus.mojo:animal-sniffer-parent:1.18) from repository Gradle Central Plugin Repository
  - checker-qual-2.8.1.jar (org.checkerframework:checker-qual:2.8.1) from repository Gradle Central Plugin Repository
  - checker-qual-2.8.1.pom (org.checkerframework:checker-qual:2.8.1) from repository Gradle Central Plugin Repository
  - error_prone_annotations-2.3.2.jar (com.google.errorprone:error_prone_annotations:2.3.2) from repository Gradle Central Plugin Repository
  - error_prone_annotations-2.3.2.pom (com.google.errorprone:error_prone_annotations:2.3.2) from repository Gradle Central Plugin Repository
  - error_prone_parent-2.3.2.pom (com.google.errorprone:error_prone_parent:2.3.2) from repository Gradle Central Plugin Repository
  - google-java-format-1.9.jar (com.google.googlejavaformat:google-java-format:1.9) from repository Gradle Central Plugin Repository
  - google-java-format-1.9.pom (com.google.googlejavaformat:google-java-format:1.9) from repository Gradle Central Plugin Repository
  - google-java-format-parent-1.9.pom (com.google.googlejavaformat:google-java-format-parent:1.9) from repository Gradle Central Plugin Repository
  - guava-28.1-jre.jar (com.google.guava:guava:28.1-jre) from repository Gradle Central Plugin Repository
  - guava-28.1-jre.pom (com.google.guava:guava:28.1-jre) from repository Gradle Central Plugin Repository
  - guava-parent-28.1-jre.pom (com.google.guava:guava-parent:28.1-jre) from repository Gradle Central Plugin Repository
  - mojo-parent-50.pom (org.codehaus.mojo:mojo-parent:50) from repository Gradle Central Plugin Repository
If the artifacts are trustworthy, you will need to update the gradle/verification-metadata.xml file by following the instructions at https://docs.gradle.org/6.8.3/userguide/dependency_verification.html#sec:troubleshooting-verification
```

These dependencies should've ideally been added automatically by gradle. I was hoping that someone with better understanding of the Lucene gradle system could comment here?

# Checklist

Please review the following and check all that apply:

- [x] I have reviewed the guidelines for [How to Contribute](https://wiki.apache.org/lucene/HowToContribute) and my code conforms to the standards described there to the best of my ability.
- [x] I have created a Jira issue and added the issue ID to my pull request title.
- [x] I have given Lucene maintainers [access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) to contribute to my PR branch. (optional but recommended)
- [x] I have developed this patch against the `main` branch.
- [ ] I have run `./gradlew check`.
- [x] I have added tests for my changes.
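An added example, not part of the PR or of Lucene's build: a simplified Python model of the check Gradle performs against `verification-metadata.xml`, showing the two failure modes described in the PR (a changed SHA256, and an artifact such as a POM that has no entry in the file). The guava coordinates come from the error log above; the artifact bytes and the resulting hashes are constructed, and `load_pins` and `verify` are hypothetical helper names.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"g": "https://schema.gradle.org/dependency-verification"}

def load_pins(metadata_xml):
    """Map (group, name, version, artifact file) -> set of pinned sha256 values."""
    pins = {}
    for comp in ET.fromstring(metadata_xml).iterfind("g:components/g:component", NS):
        gav = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.iterfind("g:artifact", NS):
            values = {h.get("value").lower() for h in art.iterfind("g:sha256", NS)}
            pins[gav + (art.get("name"),)] = values
    return pins

def verify(metadata_xml, resolved):
    """Return {artifact file: reason} for every resolved artifact that fails."""
    pins = load_pins(metadata_xml)
    failures = {}
    for (group, name, version, filename), content in resolved.items():
        pinned = pins.get((group, name, version, filename))
        if not pinned:
            failures[filename] = "no sha256 entry in metadata"
        elif hashlib.sha256(content).hexdigest() not in pinned:
            failures[filename] = "sha256 mismatch"
    return failures

# Constructed sample: placeholder bytes stand in for the real artifacts.
JAR = b"constructed bytes standing in for guava-28.1-jre.jar"
POM = b"constructed bytes standing in for guava-28.1-jre.pom"
GUAVA = ("com.google.guava", "guava", "28.1-jre")
METADATA = f"""<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="{GUAVA[0]}" name="{GUAVA[1]}" version="{GUAVA[2]}">
      <artifact name="guava-28.1-jre.jar">
        <sha256 value="{hashlib.sha256(JAR).hexdigest()}" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""

if __name__ == "__main__":
    resolved = {GUAVA + ("guava-28.1-jre.jar",): JAR + b" tampered",
                GUAVA + ("guava-28.1-jre.pom",): POM}
    print(verify(METADATA, resolved))
```

Only the JAR is pinned in the sample metadata, so the POM fails as an unlisted artifact, which mirrors the `spotlessInternalRegisterDependencies` failure where resolved artifacts were absent from the generated file.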