-
Notifications
You must be signed in to change notification settings - Fork 565
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deploy flattened POM for consumer modules #8716
Comments
I like this approach, I used it successfully before. I recommend using |
Can you expand a little on why you would recommend these? And the BOM is good point, I do expect people to include the BOM in their projects for dependency management so we should add it. Speaking of the BOM, I'm starting to think it might make more sense to have the BOM only contains those modules which we expect to be included in other projects, and to keep our internal modules in either a separate BOM-equivalent module, or just have them in the parent module's dependency management section. This would reinforce the idea for external users that only a certain subset of modules are actually public. |
The |
I would propose the following:
My goal is to have it in 1.4.0-alpha2 like this so that we can test it internally at Camunda with the other teams depending on these modules. Let me know before end of next week if you object. |
Why would we flatten only these modules instead of all? Doing it for all modules has some advantages in my opinion:
|
Makes sense, we can flatten all of them, I don't see any downsides to that. |
8833: Deploy flattened POMs and reduce BOM to "public" modules r=oleschoenburg a=npepinpe ## Description This PR introduces the `flatten-maven-plugin`, which will flatten any hierarchy in a module's POM before it's deployed somewhere. The original POM will remain intact. The goal here is to simplify the integration of the modules in other people's projects, by making it more explicit which dependencies are pulled by the module, and which version they should be. Additionally, the BOM is now reduced to only including these modules which were tailor explicitly to be consumed by third party projects. The goal with that is to make it explicit to users which modules they can safely rely on in their projects, and all the rest, so called internal modules, which may be renamed, changed, dropped, etc., and are only expected to be used in Zeebe. Note that they can still be imported in third party projects, but that is then at the user's risks. ## Related issues closes #8716 Co-authored-by: Nicolas Pepin-Perreault <nicolas.pepin-perreault@camunda.com> Co-authored-by: Nico Korthout <nico.korthout@camunda.com>
8856: [Backport release-1.4.0-alpha2] Deploy flattened POMs and reduce BOM to "public" modules r=oleschoenburg a=github-actions[bot] # Description Backport of #8833 to `release-1.4.0-alpha2`. relates to #8716 Co-authored-by: Nicolas Pepin-Perreault <nicolas.pepin-perreault@camunda.com> Co-authored-by: Nico Korthout <nico.korthout@camunda.com>
Is your feature request related to a problem? Please describe.
There are a few modules in the Zeebe project which are meant to be consumed by user's projects:
io.camunda:zeebe-client-java
io.camunda:zeebe-bpmn-model
io.camunda:zeebe-exporter-api
io.camunda:zeebe-gateway-protocol-impl
io.camunda:zeebe-protocol-jackson
The projects are deployed as is, with their "development" POM - this POM includes development specific profiles, plugins, and relies on the centralized dependency management in
io.camunda:zeebe-parent
as well as properties substitution.This causes a few problems:
io.camunda:zeebe-parent
, and thus assume there are no vulnerabilities. When a user introduces the library (such asio.camunda:zeebe-client-java
) in their own project, however, without specifying versions for the transitive dependencies, these will get resolved based on the shortest path, which may be a version with security issues. While users should be expected to scan their own projects and fix vulnerability issues, this can still places an undue burden on them, and negates any effort we, the Zeebe team, did on that front.For both issues above, it's perfectly fine if these occur when the user has explicitly overridden one of the dependency's versions. But when that's not the case, then no such issues should appear in their projects.
Describe the solution you'd like
Use the
flatten-maven-plugin
to generate flat POMs for the projects above, and any other projects which is explicitly meant to be included in another project. This will not only trim down the POM to its minimum, making it often more readable, but it will solve both of the issues above.Describe alternatives you've considered
We could fix the dependencies ourselves manually in the POM when security issues arise, however this sort of negates the benefits we gain from centralized dependency management and creates more busy work for the team.
Additional context
Add any other context or screenshots about the feature request here.
The text was updated successfully, but these errors were encountered: