Setup different repositories for different types of dependencies

scphantm · November 4, 2016, 1:57pm

We have a strict inventory policy here. I need to specify which repository certain things come from. something like this

repositories {
	legal_approved {
		maven {
			url 'https://myartifactory.com/approved'
		}
	}

	transitive {
		maven {
			url 'https://myartifactory.com/transitive'
		}
	}
}

dependencies {
	compile 'com.awesome:awesome-library:+'
}

so the way i need this to work is kinda odd, but not for us.

Since ‘awesome-library’ is directly requested, it must be approved for use by our technology council. If our council approves the library, it will be installed into our artifactory under approved. any transitive dependencies for ‘awesome-library’ (lets name one tran-B) are installed in the transitive repo of our artifactory. So, under the rules, the above would be just fine.
If a dev put a new line in the dependencies for tran-B, then that tran-b will have to come out of approved. If tran-b exists in myartifactory.com/transitive but not myartifactory.com/approved, the build must fail because the library did not go thru our legal and security review process.

simply put, anything in the dependencies block must come out of the artifactory repo “approved”, anything else comes out of “transitive”

How do i pull this one off?

st_oehme · November 4, 2016, 2:24pm

There is currently no way to force this through the dependencies/repositories API. What you could do is write a Gradle plugin that uses the Artifactory Rest API directly to query for each dependency that is explicitly defined. You can get those through Configuration#getDependencies().

scphantm · November 4, 2016, 2:39pm

thats what i was afraid of.

i already do something similar to that in my plugin that loads the dependencies into our artifactory. Problem with doing that for builds as well is i lose gradle’s ability to resolve transitive dependencies.

I think im going to be better off writing a task that executes after the dependency resolution phase that lists the listed dependencies and checks the against artifactory. i think thats what you are saying anyways.

if i do that, what would i set the 'AlwaysRunAfter(‘hu?’) value as? preferably at a point after dependency resolution and before compile.

eskatos · November 4, 2016, 2:50pm

You could use a dependency resolve rule to hook your checks.

Topic		Replies	Views
Transitive metadataSources configuration Help/Discuss	0	513	November 23, 2021
Help with gradle transitive dependency Help/Discuss	0	353	May 26, 2018
A way to redirect all the transivite dependencies to an Artifactory repository? Old Forum Archive	5	2520	January 31, 2013
Force all transitive dependencies use project repository Help/Discuss	0	377	April 16, 2019
Efficient way to find the origin of transitive dependencies? Help/Discuss	4	4517	November 18, 2022

Setup different repositories for different types of dependencies

Related topics