Avoid failures on removal of published artifacts #416
Conversation
ljacomet
force-pushed
the
gradle-artifact-removal
branch
from
e7607cd
to
de2e29e
Compare
| @@ -14,7 +14,7 @@ val localRepoElements by configurations.creating { | |||
| } | |||
| } | |||
|
|
|||
| val localRepoDir = layout.buildDirectory.dir("local-maven-repo") | |||
| val localRepoDir = rootProject.layout.buildDirectory.dir("local-maven-repo") | |||
There was a problem hiding this comment.
That would break multi-module concurrent execution. There's cleanLocalRepository to wipe the repo, and every module would run it at random, so you'll end up with half-empty local-maven-repo.
There was a problem hiding this comment.
Oh, you are saying that folks run ./gradlew cleanLocalRepository publishAllPublicationsToTmp-mavenRepository in a single invocation?
I did not think of that indeed.
Let me see about figuring it out. Because the current setup really is messy for testing changes that require new versions of the whole stack.
There was a problem hiding this comment.
Let me see about figuring it out. Because the current setup really is messy for testing changes that require new versions of the whole stack.
Could you clarify "messy"?
running with composite builds or publishToMavenLocal should work if you mean testing the changes for external project.
I would say the current setup is just fine for testing changes.
The only required bit is to add a PGP key and pass it to the existing test SigstorePublishSignTest
There was a problem hiding this comment.
Ok, I missed that the publication depends on the clean up task always.
Accidentally, the problem you describe cannot happen right now: Gradle marks all subsequent runs of the clean task as up-to-date. I believe this is because for Gradle the fingerprint of those tasks is a single value. But that is brittle anyway.
Looking for a better solution.
There was a problem hiding this comment.
publishToMavenLocal and unicorns die 馃槈
I really want Gradle to get rid of that option and instead recommend usage of local repositories. That's my attempt in tweaking this.
But I see that you have a different perspective. I'll back out this change for now as it is unrelated.
There was a problem hiding this comment.
(thank you GH for not showing me the update when I replied on my before last message)
There was a problem hiding this comment.
I really want Gradle to get rid of that option and instead recommend usage of local repositories
I do not like publishToMavenLocal either, however, I think it would be nice if Gradle provided something like publishToRootProjectRepo.
| // Ignore artifacts that we have not added a signature for | ||
| artifacts.remove(publishableArtifact)?.also { | ||
| signTask.configure { | ||
| signatures.findByName(publishableArtifact.file.name) | ||
| ?.takeIf { publishableArtifact in it.builtBy } | ||
| ?.let { | ||
| signatures.remove(it) | ||
| return@configure | ||
| } | ||
| // Slow path just in case | ||
| signatures.removeIf { publishableArtifact in it.builtBy } | ||
| } | ||
| publication.removeDerivedArtifact(it) |
There was a problem hiding this comment.
| // Ignore artifacts that we have not added a signature for | |
| artifacts.remove(publishableArtifact)?.also { | |
| signTask.configure { | |
| signatures.findByName(publishableArtifact.file.name) | |
| ?.takeIf { publishableArtifact in it.builtBy } | |
| ?.let { | |
| signatures.remove(it) | |
| return@configure | |
| } | |
| // Slow path just in case | |
| signatures.removeIf { publishableArtifact in it.builtBy } | |
| } | |
| publication.removeDerivedArtifact(it) | |
| val artifact = artifacts.remove(publishableArtifact) ?: return@whenPublishableArtifactRemoved | |
| publication.removeDerivedArtifact(artifact) | |
| signTask.configure { | |
| signatures.findByName(file.name) | |
| ?.takeIf { publishableArtifact in it.builtBy } | |
| ?.let { | |
| signatures.remove(it) | |
| return@configure | |
| } | |
| // Slow path just in case | |
| signatures.removeIf { publishableArtifact in it.builtBy } | |
| } |
There was a problem hiding this comment.
I am not a proficient Kotlin user. But from a personal perspective, I find following the flow with different return@ a bit harder.
Do you have a strong preference for your version @vlsi ?
There was a problem hiding this comment.
Early exit allows reducing the nesting of the blocks, and it enables easier reasoning.
In this case, we check the artifact, and skip everything if the artifact is unknown. The code like if (..) { if (...) { ...} } else {... } is hard to read.
There was a problem hiding this comment.
I had an if based version at first and I agree that the less likable of all. The also method feels more natural to me. But that's a style thing effectively.
Will move to your proposal.
|
Testing would indeed require adding PGP key and signing with that (see I wonder if we should exclude pgp-signing |
Only handle them when they are artifacts sigstore created a signature for. Fixes sigstore#414 Signed-off-by: Louis Jacomet <louis@gradle.com>
ljacomet
force-pushed
the
gradle-artifact-removal
branch
from
de2e29e
to
63585cd
Compare
|
@vlsi I have updated the PR to focus on the issue only and applied your suggestion. Would it be an option to release a |
vlsi
changed the title
|
@ljacomet , I've pushed the plugin as 0.4.1: https://plugins.gradle.org/plugin/dev.sigstore.sign |
Summary
In the Gradle sigstore plugin:
Unfortunately, testing this is quite messy as it would require a dual signing setup: sigstore + pgp. If required, I can add such a test. Ideally in a follow up PR as getting a version of the plugin released with this fix would be awesome. Conference driven development 馃槈
Result with the 0.4.0 sigstore version can be seen in this GH action run.
I have tested locally that the fix here allows to skip GPG signing of
*.sigstoreartifactsRelease Note
Documentation
NONE