mirror of
https://github.com/apple/pkl.git
synced 2026-07-09 22:52:44 +02:00
Remove lockfiles, manage Gradle dependencies with Dependabot (#1535)
Dependabot currently does not update lockfiles in multi-module projects (see https://github.com/dependabot/dependabot-core/issues/14633) To work around this issue, we will simply remove our lockfiles, and change our version catalog to use fully specified versions. The removal of lockfiles introduces two issues: 1. It is less visible what our dependency graph is 2. Our builds are potentially non-reproducible To work around this, two mitigations are in place: 1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the build if any dependencies declare a version range 2. Enable GitHub dependency submission, which provides insight into the project SBOM
This commit is contained in:
@@ -74,9 +74,7 @@ gw wrapper --gradle-version [version] --gradle-distribution-sha256-sum [sha]
|
||||
|
||||
. (optional) Update _gradle/libs.version.toml_
|
||||
based on version information from https://search.maven.org, https://plugins.gradle.org, and GitHub repos
|
||||
. Run `gw updateDependencyLocks`
|
||||
. Validate changes with `gw build buildNative`
|
||||
. Review and commit the updated dependency lock files
|
||||
|
||||
== Code Generation
|
||||
|
||||
|
||||
Reference in New Issue
Block a user