Hi, I am the author of srcdeps, a source dependencies implementation primarily for Maven [1] but I also created rather a hacky PoC for Gradle [2]. Having seen your announcement [3] I am experimenting with your implementations and try to figure our where its limitations are. Here are my questions:
(1) There is no way to depend on a specific commit sha1, right? Are there any plans to add this?
(2) Is there a way to depend on a Maven/Ant/sbt project?
(3) Knowing that source dependencies use composite builds under the hood, I am trying to figure out if the use of the artifacts produced by source dependencies is somehow limited. E.g. if I can include the dependency jar into a war. Or if I can get the jar and unzip it. I tried something like the following:
...
Caused by: java.lang.IllegalStateException: Resolving configuration 'implementation' directly is not allowed
at org.gradle.api.internal.artifacts.configurations.DefaultConfiguration.assertResolvingAllowed(DefaultConfiguration.java:1060)
at org.gradle.api.internal.artifacts.configurations.DefaultConfiguration.access$1500(DefaultConfiguration.java:123)
Is there a way to get the jar somehow? Or is this not possible due to how composite build works?
Thanks @ppalaga for those great question and your contribution to the community with a solution for source dependencies. Here are the answer to your questions:
(1) There is no way to depend on a specific commit sha1, right? Are there any plans to add this?
At the moment, this is not possible. I created an issue to track this feature. It should be quite easy to add as a feature. What requires more thinking is how such feature will look in the user-facing DSL.
(2) Is there a way to depend on a Maven/Ant/sbt project?
You can add dependencies to any project Maven/Ant/sbt/etc. However, you need to provide a Settings plugin that bridges the project to Gradle. This sample shows how it can be achieved in the native world. The same applies to the JVM world.
(3) Knowing that source dependencies use composite builds under the hood, I am trying to figure out if the use of the artifacts produced by source dependencies is somehow limited. E.g. if I can include the dependency jar into a war. Or if I can get the jar and unzip it.
The implementation configuration cannot be resolved. For this purpose, you need to use either compileClasspath or runtimeClasspath depending on your intention. See this section of the user guide. The code would become:
(4) Is there a way to define in the dependent project which gradle tasks should (or should not) be invoked to build the dependency?
The Gradle tasks invoked to build the dependency are the one used when declaring the âexportedâ artifact. In the case of a Java project, the jar task and any of its dependencies will be executed. Any included build features should also work as expected.
This is correct, but builds wouldnât normally do this and I would recommend people to not do this. Regular multi-project builds behave in the same way.
At the moment, this isnât really configurable. How do you access the private repo now? If itâs with SSH, I think this may work out of the box.
as a library developer I canât force everyone to go on SSH route.
You cannot, but I think it is still still the best way to do that both for you and for the users or your lib.
I can use source dependency as a mechanism for distributing my private libraries. Do you think this is a valid use case for that?
It can work, but note that source dependencies work well only inside a Gradle build. They do not work well when there is a need to release the dependent project into a public Maven repository such as Maven Central. I hapen to have a picture for that. In the picture your userâs project is dependent-a and your lib is dependency-2.3.4-srcdeps. If dependent-a is released to a Maven repo, the dependency-2.3.4-srcdeps is not resolvable for any dependent-b that depends on your userâs project is dependent-a.
@sterling thanks for suggestion.
I changed it to gitRepository("ssh://git@my.gitserver/user/project.git") and it still doesnât work. But now I have different exception:
Caused by: com.jcraft.jsch.JSchException: USERAUTH fail
at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:119)
at com.jcraft.jsch.Session.connect(Session.java:470)
At the same time my git clone works perfectly. How can I tell jgit to get key from ~/.ssh/id_rsa?
From the blog post: âNow, when Gradle needs to find a version of the âutilitiesâ library, it will look for a matching tag in the Git repository.â
Iâve always created tags that look like v1.1.0 (notice the âvâ). Am I right to assume that for repositories that work with source dependencies, I would need to start tagging instead with 1.1.0?
Gradle downloads external repo into the folder like
â.gradle\vcs-1\EXTERNAL_REPO_3gn1livbki1bt2w83rtyfejwwâ
which is not in the sub-project folder but in the root.
For the future plugin development it would be great that the dependent module will be copied into âsource-dependencyâ folder) under âbuildâ folder of the sub-project (or it could be configured) and instead of commit hash in the folder name a tag name will be used.
In that case it would have been convenient to configure and to add it to projectâs âsourceSetsâ config.
Or maybe there is a way to configure it somehow event now?
Ideally, the download location should be in the Gradle user home, right next to the artifact cache and cached wrapper distributions. It should also be subject to cleanup policies.
Also, may be worth making it clear that source dependencies must not be edited manually (this allows to share them). If one needs to edit the external code they can check it out in their preferred location and set up a composite build.
Sounds good, the only problem for now is that IDEs do not support it properly.
Gradle builds the Jar with all dependencies inside and it runs properly but within an editor all code from source dependency repo is in red
