Skip to content

refactor(oss-licenses): replace eager dependency resolution with lazy ArtifactView providers#381

Merged
timothyfroehlich merged 1 commit intomainfrom
refactor-lazy-provider
Apr 21, 2026
Merged

refactor(oss-licenses): replace eager dependency resolution with lazy ArtifactView providers#381
timothyfroehlich merged 1 commit intomainfrom
refactor-lazy-provider

Conversation

@timothyfroehlich
Copy link
Copy Markdown
Member

@timothyfroehlich timothyfroehlich commented Mar 10, 2026

Summary

This PR refactors the oss-licenses-plugin to fully support the Gradle Configuration Cache by replacing eager configuration-phase dependency resolution with lazy ArtifactView providers. It also introduces SHA-256 hashing for -SNAPSHOT dependencies to ensure license data remains fresh during active development.

Key Changes

  • Lazy ArtifactView Resolution: Moved dependency resolution from the configuration phase to the execution phase using lazy ArtifactView and resolvedArtifacts providers.
  • Configuration Cache Support:
    • Removed DependencyUtil and ArtifactFiles.
    • Rewrote property mapping to avoid capturing the Project object in closures.
  • Snapshot Integrity: Added SHA-256 hashing for dependencies with -SNAPSHOT versions in DependencyTask to trigger downstream task re-runs.
  • Ratchet pins: Bumped abcxyz/actions/lint-github-actions and sethvargo/ratchet pins on main.yml (both track @main and had drifted).

@timothyfroehlich timothyfroehlich self-assigned this Mar 10, 2026
@timothyfroehlich timothyfroehlich force-pushed the refactor-lazy-provider branch 3 times, most recently from dff5638 to d84b4a3 Compare March 11, 2026 19:27
@timothyfroehlich timothyfroehlich force-pushed the refactor-lazy-provider branch 2 times, most recently from 66c7d5d to 64a11e5 Compare March 16, 2026 00:26
@timothyfroehlich timothyfroehlich changed the title refactor: return lazy Provider from DependencyUtil.resolveArtifacts refactor(oss-licenses): replace eager dependency resolution with lazy ArtifactView providers Mar 16, 2026
@timothyfroehlich
Copy link
Copy Markdown
Member Author

@liutikas I did a full rewrite to get things right and managed to significantly simplify things in the process. The Licenses task now separate arguments consisting of the runtimeConfiguration's resolvedArtifacts provider, with artifact resolution happening within the .map lambda. I also added a check in the configuration cache test to make sure we aren't resolving anything during configuration time.

I did use Gemini to help me get it straight, and had it add comments to help me (or other maintainers) remember for next time. I'm running an extra --scan now to double check things, but it should be pretty clean.

@liutikas
Copy link
Copy Markdown
Collaborator

I'm out of office for a week. I'll review this when I get back

@timothyfroehlich timothyfroehlich marked this pull request as draft March 17, 2026 19:48
@timothyfroehlich timothyfroehlich changed the base branch from main to testapp March 17, 2026 21:55
@timothyfroehlich timothyfroehlich changed the base branch from testapp to main April 15, 2026 21:06
…shot hashing

## Summary
This PR refactors the `oss-licenses-plugin` to fully support the **Gradle Configuration Cache** by replacing eager configuration-phase dependency resolution with lazy `ArtifactView` providers. It also introduces SHA-256 hashing for `-SNAPSHOT` dependencies to ensure license data remains fresh during active development.

### Key Changes
- **Lazy ArtifactView Resolution**: Moved dependency resolution from the configuration phase to the execution phase using lazy `ArtifactView` and `resolvedArtifacts` providers.
- **Configuration Cache Support**:
    - Removed `DependencyUtil` and `ArtifactFiles`.
    - Rewrote property mapping to avoid capturing the `Project` object in closures.
- **Snapshot Integrity**: Added SHA-256 hashing for dependencies with `-SNAPSHOT` versions in `DependencyTask` to trigger downstream task re-runs.
- **Ratchet pins**: Bumped `abcxyz/actions/lint-github-actions` and `sethvargo/ratchet` pins on `main.yml` (both track `@main` and had drifted).
@timothyfroehlich timothyfroehlich marked this pull request as ready for review April 21, 2026 18:00
Copy link
Copy Markdown
Collaborator

@liutikas liutikas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks reasoanble.

// We look up the POM file using the pre-resolved map provided during configuration.
ArtifactFiles files = getArtifactFiles().get().get(artifactInfo.toString())
addLicensesFromPom(files?.pomFile, artifactInfo.group, artifactInfo.name)
protected void addLicensesFromPom(Map<String, File> pomMap, ArtifactInfo artifactInfo) {
Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to be protected? As far as I can tell it is only used within the same file.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've had issues with Gradle's Groovy handling managing to get at the plugin from some code path that wasn't in the right namespace to access private members. Would love to convert to Kotlin, but I don't have enough testing coverage yet to feel comfortable doing so.

protected void addLicensesFromPom(File pomFile, String group, String name) {
if (pomFile == null || !pomFile.exists()) {
logger.error("POM file $pomFile for $group:$name does not exist.")
logger.info("POM file $pomFile for $group:$name does not exist. This is expected for some libraries from androidx and org.jetbrains")
Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would we be ok missing pom files? That sounds like a bug. Which AndroidX libraries are missing pom files?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is a preexisting issue and I'm tracking it in #387. Will want to work on it soon when I have time. I believe the new test app shows missing licenses, but I'm out of the office so can't grab logs atm.

@timothyfroehlich timothyfroehlich merged commit bbc19d9 into main Apr 21, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants