[com.gradle.plugin-publish] 0.19.0 uses deprecated configurations #19458

Closed
bjhargrave opened this issue Dec 30, 2021 · 6 comments
Labels
a:bug in:publishing-plugins ivy-publish maven-publish

Comments

@bjhargrave
Contributor

bjhargrave commented Dec 30, 2021

Expected Behavior

The com.gradle.plugin-publish plugin should not use deprecated configurations for any version of Gradle being used.

Current Behavior

The com.gradle.plugin-publish plugin uses deprecated configurations (as of Gradle 7.3) which emits warnings and, if --warning-mode=fail is in effect, fails the build.

Context

In my gradle plugin build, I use com.gradle.plugin-publish plugin in my gradle plugin project using Gradle 7.3. When updating the com.gradle.plugin-publish plugin version from 0.18.0 to 0.19.0, my build fails because the build uses --warning-mode=fail and the 0.19.0 plugin uses deprecated configurations.

See https://github.com/bndtools/bnd/runs/4668447723?check_suite_focus=true#step:5:447 for an example.

> Configure project :gradle-plugins:biz.aQute.bnd.gradle
The apiElements configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the implementation or api or compileOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The runtimeElements configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the implementation or api or compileOnly or runtimeOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The compileClasspath configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the implementation or api or compileOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The archives configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the implementation or api configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The default configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the implementation or api configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The dslCompileClasspath configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the dslImplementation or dslCompileOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The dslRuntimeClasspath configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the dslImplementation or dslCompileOnly or dslRuntimeOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The runtimeClasspath configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the implementation or api or compileOnly or runtimeOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The testCompileClasspath configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the testImplementation or testCompileOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations
The testRuntimeClasspath configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 8.0. Please use the testImplementation or testCompileOnly or testRuntimeOnly configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/7.3.2/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations

Steps to Reproduce

Use version 0.19.0 of the com.gradle.plugin-publish plugin with Gradle 7.3 (and optionally --warning-mode=fail to fail the build).

Your Environment

Build scan URL: https://scans.gradle.com/s/lt2reuzn4x62q

@jjohannes
Contributor

Looks like the plugin is now adding a constraint to all (!) configurations which is quite bold. It's not only giving these false warnings. It's also adding this to the metadata (.module file) of the plugin you are publishing. Which is wrong.

"dependencyConstraints": [
  {
    "group": "org.apache.logging.log4j",
    "module": "log4j-core",
    "version": {
      "rejects": [
        "[2.+,2.17.1)"
      ]
    },
    "reason": "Cannot publish a plugin which resolves a vulnerable Log4j version (https://blog.gradle.org/log4j-vulnerability). Make sure to update your configuration so it does not happen."
  }
],

A plugin should not add dependency constraints like that.

This can probably be solved by adding the constraint only to the runtimeClasspath and compileClasspath. Or use other means to analyse the result after dependencies have been resolved.
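
Added example (not part of the original thread, and not the plugin's own code): a Python check that audits a Gradle Module Metadata (.module) file for the kind of leaked constraint shown in the comment above, listing every published variant whose dependencyConstraints carry a rejects entry. The function name, the com.example coordinates and the sample document are constructed for illustration.

```python
import json

# The constraint quoted in the comment above (reason text omitted).
LOG4J_CONSTRAINT = {
    "group": "org.apache.logging.log4j",
    "module": "log4j-core",
    "version": {"rejects": ["[2.+,2.17.1)"]},
}

# Constructed sample: a minimal .module document in which the constraint
# has been attached to two published variants.
SAMPLE_MODULE = json.dumps({
    "formatVersion": "1.1",
    "component": {"group": "com.example", "module": "demo-plugin", "version": "1.0"},
    "variants": [
        {"name": "apiElements", "dependencyConstraints": [LOG4J_CONSTRAINT]},
        {"name": "runtimeElements", "dependencyConstraints": [
            LOG4J_CONSTRAINT,
            {"group": "com.example", "module": "lib", "version": {"requires": "3.0"}},
        ]},
        {"name": "sourcesElements"},  # variant without any constraints
    ],
})


def find_reject_constraints(module_json):
    """Return one finding per variant constraint that carries 'rejects'."""
    doc = json.loads(module_json)
    findings = []
    for variant in doc.get("variants", []):
        for constraint in variant.get("dependencyConstraints", []):
            version = constraint.get("version") or {}
            rejects = version.get("rejects", [])
            if not rejects:
                continue  # ordinary requires/prefers/strictly constraint
            findings.append({
                "variant": variant.get("name"),
                "coordinate": f'{constraint.get("group")}:{constraint.get("module")}',
                "rejects": list(rejects),
                # True when the constraint only vetoes versions and asks for none
                "reject_only": not any(
                    key in version for key in ("requires", "prefers", "strictly")),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reject_constraints(SAMPLE_MODULE):
        print(finding)
```

Run it against the .module file produced in the build directory before publishing; consumers of the plugin inherit every constraint listed there.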

@jjohannes
Contributor

This should be resolved, before you enforce what you wrote in the blog post:

We have released version 0.19.0 of the Plugin Publish Plugin which automatically detects vulnerable Log4j plugin dependencies and, if any are found, blocks the plugin publication by failing the build. There is no automated upgrade as normally a Gradle plugin does not need Log4j since the Gradle runtime does not do its logging with this library. It is the job of the plugin author to fix the problem by removing the dependency or upgrading it.
Using this version of the Plugin Publish Plugin will become mandatory in the near future, by having the Plugin Portal reject any publications done with older versions of the plugin.

0.19.0 is not a version you should force folks to use (due to the wrong metadata).

@jbartok
Member

jbartok commented Jan 6, 2022

Issue moved to gradle/gradlecom #856 via ZenHub

@jbartok jbartok added closed:duplicate Duplicated or superseeded by another issue and removed to-triage labels Jan 6, 2022
@jbartok jbartok reopened this Jan 6, 2022
@jbartok jbartok added in:publishing-plugins ivy-publish maven-publish and removed closed:duplicate Duplicated or superseeded by another issue labels Jan 6, 2022
@jbartok
Member

jbartok commented Jan 19, 2022

Version 0.20.0 of the Plugin Publish plugin is now released, should fix these issues. Pls. confirm, if you can and if you see any other problems, pls. let us know.

@jbartok jbartok closed this as completed Jan 19, 2022
@bjhargrave
Contributor Author

Version 0.20.0 of the Plugin Publish plugin is now released, should fix these issues. Pls. confirm

The 0.20.0 release has fixed the deprecated configurations issues in this bug. Thanks.

if you see any other problems, pls. let us know.

But there are still issues with the operation of the publishPluginMavenPublicationTo* tasks of the maven-publish plugin when the build task is part of the same gradle execution. (Note I am not using the publishPlugins task of the com.gradle.plugin-publish plugin to publish to the Gradle Plugin Portal here.)

➜  bnd git:(master) ✗ gradle :gradle-plugins:biz.aQute.bnd.gradle:build :gradle-plugins:biz.aQute.bnd.gradle:publish
executing gradlew instead of gradle

> Task :gradle-plugins:biz.aQute.bnd.gradle:publishPluginMavenPublicationToDistRepository
Execution optimizations have been disabled for task ':gradle-plugins:biz.aQute.bnd.gradle:publishPluginMavenPublicationToDistRepository' to ensure correctness due to the following reasons:
  - Gradle detected a problem with the following location: '/Users/hargrave/git/bnd/gradle-plugins/biz.aQute.bnd.gradle/build/libs/biz.aQute.bnd.gradle-6.2.0-SNAPSHOT-javadoc.jar'. Reason: Task ':gradle-plugins:biz.aQute.bnd.gradle:publishPluginMavenPublicationToDistRepository' uses this output of task ':gradle-plugins:biz.aQute.bnd.gradle:publishPluginJavaDocsJar' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed. Please refer to https://docs.gradle.org/7.3.3/userguide/validation_problems.html#implicit_dependency for more details about this problem.
  - Gradle detected a problem with the following location: '/Users/hargrave/git/bnd/gradle-plugins/biz.aQute.bnd.gradle/build/libs/biz.aQute.bnd.gradle-6.2.0-SNAPSHOT-sources.jar'. Reason: Task ':gradle-plugins:biz.aQute.bnd.gradle:publishPluginMavenPublicationToDistRepository' uses this output of task ':gradle-plugins:biz.aQute.bnd.gradle:publishPluginJar' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed. Please refer to https://docs.gradle.org/7.3.3/userguide/validation_problems.html#implicit_dependency for more details about this problem.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.3.3/userguide/command_line_interface.html#sec:command_line_warnings

Execution optimizations have been disabled for 1 invalid unit(s) of work during this build to ensure correctness.
Please consult deprecation warnings for more details.

BUILD SUCCESSFUL in 1m 30s
25 actionable tasks: 19 executed, 6 up-to-date

Should this be a new issue?

@jbartok
Member

jbartok commented Jan 25, 2022

Yes, pls. file a new issue. Thank you.
We will most likely address it in the upcoming version 1.0 of the plugin.

Geometrically pushed a commit to modrinth/minotaur that referenced this issue Mar 4, 2022
* Update Gradle publish plugin, fix Kotlin DSL docs

Fixes an issue which may cause builds to fail in some circumstances, citing some Log4j issue (gradle/gradle#19458)

* Add debug mode (fixes #15)

* Don't copy-paste, kids