Setup different repositories for different types of dependencies

We have a strict inventory policy here. I need to specify which repository certain things come from. Something like this:

repositories {
	legal_approved {
		maven {
			url 'https://myartifactory.com/approved'
		}
	}

	transitive {
		maven {
			url 'https://myartifactory.com/transitive'
		}
	}
}

dependencies {
	compile 'com.awesome:awesome-library:+'
}

So the way I need this to work is kind of odd, but not for us.

  1. Since 'awesome-library' is directly requested, it must be approved for use by our technology council. If our council approves the library, it will be installed into our Artifactory under approved. Any transitive dependencies of 'awesome-library' (let's name one tran-B) are installed in the transitive repo of our Artifactory. So, under the rules, the above would be just fine.
  2. If a dev puts a new line in the dependencies for tran-B, then that tran-B will have to come out of approved. If tran-B exists in myartifactory.com/transitive but not in myartifactory.com/approved, the build must fail because the library did not go through our legal and security review process.

Simply put, anything in the dependencies block must come out of the Artifactory repo "approved"; anything else comes out of "transitive".

How do I pull this one off?

There is currently no way to force this through the dependencies/repositories API. What you could do is write a Gradle plugin that uses the Artifactory REST API directly to query for each dependency that is explicitly defined. You can get those through Configuration#getDependencies().

That's what I was afraid of.

I already do something similar to that in my plugin that loads the dependencies into our Artifactory. The problem with doing that for builds as well is that I lose Gradle's ability to resolve transitive dependencies.

I think I'm going to be better off writing a task that executes after the dependency resolution phase, lists the declared dependencies and checks them against Artifactory. I think that's what you are saying anyway.

If I do that, what would I set the 'AlwaysRunAfter('hu?')' value as? Preferably at a point after dependency resolution and before compile.

You could use a dependency resolve rule to hook your checks.

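Putting the two suggestions above together (check each explicitly declared dependency against Artifactory, and hook the check in after resolution but before compilation), here is an added example in the Groovy build-script DSL of the question. It is not code from any participant in this thread. It assumes the two repository URLs from the question, that both repositories use the standard Maven directory layout, and that an anonymous HTTP HEAD on a POM path in the approved repository returns 200 only when that module version has been published there; if your Artifactory needs credentials, add an Authorization header where marked. The check reads the resolution result, so it sees the concrete version Gradle picked even for a '+' request, which a resolutionStrategy.eachDependency rule would not, because that rule only sees the requested coordinates.

```groovy
import org.gradle.api.artifacts.result.ResolvedDependencyResult

// Assumed repository URLs (taken from the question, not verified here).
def approvedRepoUrl = 'https://myartifactory.com/approved'
def transitiveRepoUrl = 'https://myartifactory.com/transitive'

repositories {
    // Both repos stay in play, so Gradle keeps resolving transitive
    // dependencies itself; the policy check is layered on top.
    maven { url approvedRepoUrl }
    maven { url transitiveRepoUrl }
}

dependencies {
    compile 'com.awesome:awesome-library:+'
}

// Maven-layout path of a module's POM, e.g.
// com/awesome/awesome-library/1.2.3/awesome-library-1.2.3.pom
String pomPath(String group, String name, String version) {
    "${group.replace('.', '/')}/${name}/${version}/${name}-${version}.pom"
}

// True when an HTTP HEAD on the URL answers with a 2xx status.
// Assumes anonymous read access; add an Authorization header if not.
boolean existsAt(String url) {
    def conn = (java.net.HttpURLConnection) new URL(url).openConnection()
    conn.requestMethod = 'HEAD'
    conn.connectTimeout = 10000
    conn.readTimeout = 10000
    // conn.setRequestProperty('Authorization', "Bearer ${System.getenv('ARTIFACTORY_TOKEN')}")
    try {
        return conn.responseCode in 200..299
    } finally {
        conn.disconnect()
    }
}

task verifyApprovedDependencies {
    description 'Fails the build if a directly declared dependency is not published in the approved repo.'
    doLast {
        def violations = []
        // root.dependencies holds only the first-level (explicitly declared)
        // dependencies of this configuration; transitive ones are deliberately
        // not checked, since the policy allows them from the transitive repo.
        configurations.compile.incoming.resolutionResult.root.dependencies.each { dep ->
            if (!(dep instanceof ResolvedDependencyResult)) {
                violations << "could not resolve ${dep.requested}"
                return
            }
            def id = dep.selected.moduleVersion   // concrete group/name/version, even for '+'
            def url = "${approvedRepoUrl}/${pomPath(id.group, id.name, id.version)}"
            if (!existsAt(url)) {
                violations << "${id} is declared directly but is not published under ${approvedRepoUrl}"
            }
        }
        if (violations) {
            throw new GradleException("Dependencies that did not pass review:\n  " + violations.join('\n  '))
        }
    }
}

// Reading the resolution result above triggers resolution, so wiring the task
// in front of compileJava runs it after resolution and before compilation.
compileJava.dependsOn verifyApprovedDependencies
```

Note the asymmetry the policy creates: a module that is present in both repositories passes, and a module that is only in the transitive repo but is declared directly fails with the offending coordinates listed. The check is per configuration; to cover others (testCompile, runtime), loop over the configurations you care about instead of reading configurations.compile alone.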