-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SimpleDependencyGraphPlugin does not capture plugin dependencies #138
Comments
Why do you believe these dependencies are not being captured? My testing indicates that they are. Can you please provide a project that allows me to reproduce this issue? |
Hi @bigdaz, thanks for responding. I'll put together a reproducer. |
@bigdaz here's a repo reproducing what I'm seeing and explaining what I think should be happening https://github.com/brianmcgee/github-dependency-graph-plugin-bug |
You might find it useful to add |
I updated my reproducer to include the report I'm generating, which matches what you listed above. I also added a second plugin to demonstrate the issue better. The report above shows an entry for com.diffplug.spotless:spotless-plugin-gradle:6.25.0 which is sourced from https://repo.maven.org. But it does not include an entry for com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:6.25.0 which is sourced from https://plugins.gradle.org. Similarly, you will see in my updated example that Here is a scan report for the latest run: https://scans.gradle.com/s/iitusscge3aao |
The specific dependencies you mention are referred to as plugin marker dependencies. The don't contain any code, and simply help gradle resolve a plugin id to an actual plugin dependency artifact. These are deliberately and explicitly excluded from the report: #111 Is there a reason that you want to have these included in the report? Or were you just concerned that not all plugin dependencies are reported and weren't sure which ones were missing? |
Ah, that makes sense. Essentially, if you have a dependency of the form In answer to why I'm interested in these, I'm using the dependency report from the plugin to construct a lock file for use with Nix that allows me to construct a local maven repository containing all the build dependencies so the build can be run in offline mode within the Nix sandbox. This was the last piece of the puzzle and it looks like I have it working. Thanks for your help 🙏 |
Unfortunately, I don't think it's quite this straightforward. The plugin marker artifact has:
This can point to a jarfile dependency with arbitrary coordinates. For example you could publish a single jarfile with coordinates I don't think there's any way to determine the plugin id given the dependency coordinates. |
If it's important to you, I'd be open to a PR that made it possible to retain the plugin marker artifacts via some sort of env var. Lines 248 to 262 in 321383e
Any PR would require test coverage. |
I think my immediate use case is covered, but I'm happy to look at creating a PR to capture them properly. I'll try and find some time next week to give it a go. |
Following the example in the readme, when executing the following, plugin/buildscript dependencies are not being captured.
It would appear that support for this was added to the
GithubDependencyGraphPlugin
here.The text was updated successfully, but these errors were encountered: