Egothor/Radixor
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: harden Gradle dependency reproducibility

Browse Source 
feat: enable Gradle dependency locking for all configurations
feat: enforce strict lock-state usage in the build
feat: centralize repository declaration in settings.gradle
feat: enable strict Gradle dependency verification via gradle.properties
feat: add committed dependency lock state and verification metadata
fix: defer mockito agent resolution to test execution phase for locked builds
ci: validate reproducibility inputs before workflow builds
ci: include lock and verification inputs in workflow change detection
docs: establish explicit dependency update workflow for locks and verification metadata
This commit is contained in:
Leo Galambos
2026-04-15 22:33:48 +02:00
parent 2288852300
commit 558707d78e
10 changed files with 1830 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/benchmarks.yml vendored
View File

@@ -11,6 +11,9 @@ on:
- 'src/main/**' - 'src/main/**'
- 'src/jmh/**' - 'src/jmh/**'
- 'build.gradle' - 'build.gradle'
- 'gradle.properties'
- 'gradle.lockfile'
- 'settings.gradle'
- 'gradle/**' - 'gradle/**'
- 'gradlew' - 'gradlew'
- 'gradlew.bat' - 'gradlew.bat'
@@ -38,6 +41,14 @@ jobs:
- name: Make Gradle executable - name: Make Gradle executable
run: chmod +x ./gradlew run: chmod +x ./gradlew
- name: Verify reproducibility inputs
shell: bash
run: |
set -euo pipefail
test -f gradle.lockfile
test -f gradle.properties
test -f gradle/verification-metadata.xml
- name: Run JMH benchmarks - name: Run JMH benchmarks
run: ./gradlew clean jmh --no-daemon run: ./gradlew clean jmh --no-daemon

16
.github/workflows/build.yml vendored
View File

@@ -42,6 +42,14 @@ jobs:
- name: Set up Gradle caching and instrumentation - name: Set up Gradle caching and instrumentation
uses: gradle/actions/setup-gradle@v4 uses: gradle/actions/setup-gradle@v4
- name: Verify reproducibility inputs
shell: bash
run: |
set -euo pipefail
test -f gradle.lockfile
test -f gradle.properties
test -f gradle/verification-metadata.xml
- name: Execute build, tests, PMD, coverage, Javadoc, distribution packaging, and SBOM generation - name: Execute build, tests, PMD, coverage, Javadoc, distribution packaging, and SBOM generation
run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom
@@ -140,6 +148,14 @@ jobs:
- name: Set up Gradle caching and instrumentation - name: Set up Gradle caching and instrumentation
uses: gradle/actions/setup-gradle@v4 uses: gradle/actions/setup-gradle@v4
- name: Verify reproducibility inputs
shell: bash
run: |
set -euo pipefail
test -f gradle.lockfile
test -f gradle.properties
test -f gradle/verification-metadata.xml
- name: Build release distribution and SBOM - name: Build release distribution and SBOM
run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom

10
.github/workflows/pages.yml vendored
View File

@@ -9,6 +9,8 @@ on:
- 'src/test/**' - 'src/test/**'
- 'src/jmh/**' - 'src/jmh/**'
- 'build.gradle' - 'build.gradle'
- 'gradle.properties'
- 'gradle.lockfile'
- 'settings.gradle' - 'settings.gradle'
- 'gradle/**' - 'gradle/**'
- 'dependency-suppression.xml' - 'dependency-suppression.xml'
@@ -46,6 +48,14 @@ jobs:
- name: Set up Gradle caching and instrumentation - name: Set up Gradle caching and instrumentation
uses: gradle/actions/setup-gradle@v4 uses: gradle/actions/setup-gradle@v4
- name: Verify reproducibility inputs
shell: bash
run: |
set -euo pipefail
test -f gradle.lockfile
test -f gradle.properties
test -f gradle/verification-metadata.xml
- name: Build reports for publication - name: Build reports for publication
run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport pitest jmh cyclonedxBom run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport pitest jmh cyclonedxBom

15
build.gradle
View File

@@ -41,8 +41,10 @@ tasks.withType(JavaCompile).configureEach {
options.release = 21 options.release = 21
} }
repositories { dependencyLocking {
mavenCentral() lockAllConfigurations()
lockMode = LockMode.STRICT
} }
dependencies { dependencies {
@@ -94,10 +96,13 @@ dependencyCheck {
tasks.withType(Test).configureEach { tasks.withType(Test).configureEach {
useJUnitPlatform() useJUnitPlatform()
jvmArgs += "-javaagent:${configurations.mockitoAgent.singleFile}"
doFirst {
jvmArgs "-javaagent:${configurations.mockitoAgent.singleFile}"
}
finalizedBy(tasks.named('jacocoTestReport')) finalizedBy(tasks.named('jacocoTestReport'))
reports { reports {
junitXml.required = true junitXml.required = true
html.required = true html.required = true

47
gradle.lockfile Normal file
View File

@@ -0,0 +1,47 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.github.oowekyala.ooxml:nice-xml-messages:3.1=pmd
com.google.code.gson:gson:2.13.2=pmd
com.google.errorprone:error_prone_annotations:2.41.0=pmd
net.bytebuddy:byte-buddy-agent:1.17.7=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
net.bytebuddy:byte-buddy:1.17.7=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
net.sf.jopt-simple:jopt-simple:5.0.4=jmh,jmhCompileClasspath,jmhRuntimeClasspath
net.sf.saxon:Saxon-HE:12.9=pmd
net.sourceforge.pmd:pmd-ant:7.20.0=pmd
net.sourceforge.pmd:pmd-core:7.20.0=pmd
net.sourceforge.pmd:pmd-java:7.20.0=pmd
org.antlr:antlr4-runtime:4.9.3=pmd
org.apache.commons:commons-lang3:3.20.0=pmd
org.apache.commons:commons-math3:3.6.1=jmh,jmhCompileClasspath,jmhRuntimeClasspath
org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
org.checkerframework:checker-qual:3.52.1=pmd
org.jacoco:org.jacoco.agent:0.8.14=jacocoAgent,jacocoAnt
org.jacoco:org.jacoco.ant:0.8.14=jacocoAnt
org.jacoco:org.jacoco.core:0.8.14=jacocoAnt
org.jacoco:org.jacoco.report:0.8.14=jacocoAnt
org.junit.jupiter:junit-jupiter-api:5.14.3=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
org.junit.jupiter:junit-jupiter-engine:5.14.3=jmhRuntimeClasspath,testRuntimeClasspath
org.junit.jupiter:junit-jupiter-params:5.14.3=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
org.junit.jupiter:junit-jupiter:5.14.3=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
org.junit.platform:junit-platform-commons:1.14.3=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
org.junit.platform:junit-platform-engine:1.14.3=jmhRuntimeClasspath,testRuntimeClasspath
org.junit.platform:junit-platform-launcher:1.14.3=jmhRuntimeClasspath,testRuntimeClasspath
org.junit:junit-bom:5.14.3=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
org.mockito:mockito-core:5.23.0=jmhRuntimeClasspath,mockitoAgent,testCompileClasspath,testRuntimeClasspath
org.mockito:mockito-junit-jupiter:5.23.0=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
org.objenesis:objenesis:3.3=jmhRuntimeClasspath,testRuntimeClasspath
org.openjdk.jmh:jmh-core:1.37=jmh,jmhCompileClasspath,jmhRuntimeClasspath
org.openjdk.jmh:jmh-generator-asm:1.37=jmh,jmhCompileClasspath,jmhRuntimeClasspath
org.openjdk.jmh:jmh-generator-bytecode:1.37=jmh,jmhCompileClasspath,jmhRuntimeClasspath
org.openjdk.jmh:jmh-generator-reflection:1.37=jmh,jmhCompileClasspath,jmhRuntimeClasspath
org.opentest4j:opentest4j:1.3.0=jmhRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
org.ow2.asm:asm-commons:9.9=jacocoAnt
org.ow2.asm:asm-tree:9.9=jacocoAnt
org.ow2.asm:asm:9.0=jmh,jmhCompileClasspath,jmhRuntimeClasspath
org.ow2.asm:asm:9.9=jacocoAnt
org.ow2.asm:asm:9.9.1=pmd
org.pcollections:pcollections:4.0.2=pmd
org.slf4j:jul-to-slf4j:1.7.36=pmd
org.xmlresolver:xmlresolver:5.3.3=pmd
empty=annotationProcessor,compileClasspath,cyclonedxBom,jmhAnnotationProcessor,mainPmdAuxClasspath,runtimeClasspath,testAnnotationProcessor

1
gradle.properties Normal file
View File

@@ -0,0 +1 @@
org.gradle.dependency.verification=strict

21
gradle/libs.versions.toml
View File

@@ -1,3 +1,23 @@
#
# After changing dependency versions:
#
# run:
# ./gradlew --write-locks classes testClasses jmh distZip cyclonedxBom
#
# if needed, refresh verification metadata:
# ./gradlew --write-verification-metadata sha256 test jmh distZip cyclonedxBom
#
# (optional - for Eclipse IDE)
# insert trusted-artifacts into gradle/verification-metadata.xml/verification-metadata/configuration:
# <trusted-artifacts>
# <trust file=".*-javadoc[.]jar" regex="true"/>
# <trust file=".*-sources[.]jar" regex="true"/>
# </trusted-artifacts>
#
# commit:
# gradle.lockfile
# gradle/verification-metadata.xml
#
[versions] [versions]
junit = "5.14.3" junit = "5.14.3"
mockito = "5.23.0" mockito = "5.23.0"
@@ -9,4 +29,3 @@ junit-platform-launcher = { module = "org.junit.platform:junit-platform-launcher
mockito-core = { module = "org.mockito:mockito-core", version.ref = "mockito" } mockito-core = { module = "org.mockito:mockito-core", version.ref = "mockito" }
mockito-junit-jupiter = { module = "org.mockito:mockito-junit-jupiter", version.ref = "mockito" } mockito-junit-jupiter = { module = "org.mockito:mockito-junit-jupiter", version.ref = "mockito" }

1704
gradle/verification-metadata.xml Normal file
View File

File diff suppressed because it is too large Load Diff

4
settings-gradle.lockfile Normal file
View File

@@ -0,0 +1,4 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
empty=incomingCatalogForLibs0

7
settings.gradle
View File

@@ -1 +1,8 @@
rootProject.name = 'Radixor' rootProject.name = 'Radixor'
dependencyResolutionManagement {
repositoriesMode = RepositoriesMode.FAIL_ON_PROJECT_REPOS
repositories {
mavenCentral()
}
}