Support pinning artifacts with checksums and downloading artifacts with Bazel #169
Conversation
Awesome, this is a really good step into the right direction imo. Would it be also possible to expose a new Also I might try and look at adding the json file capability to
@Globegitter is this use case covered by https://github.com/bazelbuild/rules_jvm_external#repository-aliases already?
@jin that only changes the way one can import deps but because they still rely on the same single external repository so all deps will be downloaded the first time. The use case discussed in #146, of just downloading the deps actually needed for the current build, is just possible by having independent repository rules that call ctx.download for one external dependency each.
I have tried it out and it's heading in the direction we hope for, thanks for taking care of these two issues. A few concerns I have so far:
Thanks.
@Globegitter This is true. Let me play around with this idea instead of ctx.download.
I suppose we can do a simple string replacement for colons when converting back into URLs.
Yes it's doing that, it seems that
This is what
What are your opinions about the API? Option 1:
Option 2
@borkaehw @Globegitter I've switched
@borkaehw I made some changes to improve the first-time experience. You don't need to create an empty
It works great, thanks.
I am interested to know how far we are from merging this PR?
@borkaehw Waiting on a review from either @laurentlb or @aehlig.
# load("@maven//:defs.bzl", "pinned_maven_install")
# pinned_maven_install()
http_files = [
"load(\"@bazel_tools//tools/build_defs/repo:http.bzl\", \"http_file\")",
Can we have a comment at the very top of this file to remind users that this is a generated file which shouldn't be modified manually?
The message could be like `# Do not edit. rules_jvm_external autogenerates this file from maven_install. Please run ... command to update this file.`
It's JSON, so no comments :-)
I can turn it into a "private" field in the JSON object, though.
Ah, I totally forgot JSON has no comments. Thinking of a better way to remind users.
How about changing `maven_install.json` to something more obvious that implies we shouldn't modify it manually? Like `maven_autogenerated.json`.
I think that still doesn't imply that you shouldn't modify it manually. Do you think users will end up modifying this manually often enough that it becomes a user experience problem?
I am thinking of a scenario where someone may think changing the artifacts version is as simple as modifying `maven_install.json`, but it may break other artifacts which have a dependency on the changed artifact.
Since I am going to introduce `rules_jvm_external` to the entire organization, there is a chance someone doesn't notice the proper way of using it.
Perhaps we can hash the contents of the `dependencies` list, and add that as a field to the generated object? Then `pinned_coursier_maven` would compare the hash before generating the `http_file` targets and see if it was modified manually, and ask the user to not do that.
It sounds like a good idea to me.
I'll add this in a follow up PR.
Generally looks good, but please fix the reconstruction of the URL to not depend on the absence of magic names in the URL itself.
This PR adds a new `maven_install_json` attribute that accepts a label to a JSON file, `maven_install.json`. This file contains the pinned / locked state of a `maven_install` fetch.

This feature improves artifact resolution and fetch speed, since it uses Bazel's download mechanism which caches files on their sha256 checksums. It also improves resiliency and security by encoding the sha256 checksums and original artifact urls into the JSON file.

Fixes #125
Fixes #146
Fixes #170

To get started with pinning artifacts, run the following command:

This generates a `maven_install.json` (or `your_maven_install_name_install.json`) in the root of your Bazel workspace.

Then, specify `maven_install_json` in `maven_install` and load `pinned_maven_install` from `@maven//:defs.bzl`:

Whenever you make a change to the list of `artifacts` or `repositories` and want to update `maven_install.json`, run this command to re-pin the unpinned `@maven` repository:

By specifying `maven_install_json`, an additional `@unpinned_maven` (or `unpinned_<your_maven_install_name>`) repo will be created. For example, if your `maven_install` is named `@foo`, `@unpinned_foo` will be created.

The contents of `maven_install.json` will look something like this:

Since all artifacts are checksummed with sha256, it means that fully offline builds are possible even with `bazel clean --expunge` after performing one `bazel fetch @maven//...`.

Whenever a change is made to the list of `artifacts` or `repositories`, you will need to rerun to update the pinned artifacts.

This change adds a dependency on system Python for two things: platform independent sha256 tool from `@bazel_tools` and pretty printing of `maven_install.json`.
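Added example, not code from this PR or from rules_jvm_external: a small Python sketch of the two ideas in this thread, the hash-over-the-dependencies-list check proposed in the review comments (so a hand-edited lock file is rejected instead of silently producing mismatched artifacts) and the description's generation of sha256-pinned `http_file` targets from the lock file. It stores each URL verbatim next to its checksum and never rebuilds it from the mangled repository name, which is the fragility the last review comment asks to avoid. The lock-file layout, the `__dependencies_hash` field name, the repository-name mangling, and the coordinates, URLs and checksums are all constructed assumptions for this example.

```python
import hashlib
import json

# Constructed sample dependency list. Coordinates, URLs and checksums are
# made up; the field names are an assumption, not the layout that
# rules_jvm_external actually writes to maven_install.json.
SAMPLE_DEPS = [
    {
        "coord": "org.example:widget:1.2.3",
        "url": "https://repo.example.com/maven2/org/example/widget/1.2.3/widget-1.2.3.jar",
        "sha256": "a" * 64,  # placeholder checksum, constructed
    },
    {
        "coord": "org.example:gadget-core:0.9.0",
        "url": "https://repo.example.com/maven2/org/example/gadget-core/0.9.0/gadget-core-0.9.0.jar",
        "sha256": "b" * 64,  # placeholder checksum, constructed
    },
]

HASH_FIELD = "__dependencies_hash"  # hypothetical name for the integrity field


def dependencies_hash(deps):
    """sha256 over a canonical JSON encoding of the dependency list.

    Sorted keys and no whitespace make the hash independent of how the
    file was pretty printed, so only a content change alters it.
    """
    canonical = json.dumps(deps, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_lockfile(deps):
    """What the pinning step would write: the list plus its hash."""
    return {"dependencies": deps, HASH_FIELD: dependencies_hash(deps)}


def verify_lockfile(lock):
    """True if the recorded hash still matches the dependency list."""
    return lock.get(HASH_FIELD) == dependencies_hash(lock.get("dependencies", []))


def with_edited_dependency(lock, index, **changes):
    """Deep copy of the lock file with one entry edited (simulates a hand edit)."""
    edited = json.loads(json.dumps(lock))
    edited["dependencies"][index].update(changes)
    return edited


def repo_name(coord):
    """Bazel repository names cannot contain ':'; map a coordinate to a valid
    name by replacing ':', '.' and '-' with '_'. The mangling is lossy on
    purpose: the URL is taken from the lock entry, never rebuilt from this."""
    return coord.replace(":", "_").replace(".", "_").replace("-", "_")


def http_file_targets(lock):
    """Render http_file declarations from a verified lock file.

    Each target takes its url and sha256 verbatim from the lock entry, so
    Bazel's download cache can key the artifact on its checksum and no string
    substitution on URLs is needed.
    """
    if not verify_lockfile(lock):
        raise ValueError(
            "dependency list does not match its recorded hash; the lock file "
            "was edited by hand, re-run the pinning command instead")
    lines = ['load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")', ""]
    for dep in lock["dependencies"]:
        lines.append("http_file(")
        lines.append('    name = "%s",' % repo_name(dep["coord"]))
        lines.append('    urls = ["%s"],' % dep["url"])
        lines.append('    sha256 = "%s",' % dep["sha256"])
        lines.append(")")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    lock = make_lockfile(SAMPLE_DEPS)
    print(json.dumps(lock, indent=2))   # what the pinned file would contain
    print(http_file_targets(lock))      # the generated Starlark
    hand_edited = with_edited_dependency(lock, 0, coord="org.example:widget:1.2.4")
    print("hand-edited copy verifies:", verify_lockfile(hand_edited))
```

The check only catches edits that bypass the pinning command; a deliberate re-pin rewrites the hash, which is the intended workflow. Because every `http_file` carries its sha256, Bazel will also refuse any artifact whose bytes no longer match the lock file, which is what makes the offline, cache-keyed fetch described above safe.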