mirror of
https://github.com/apple/pkl.git
synced 2026-07-10 23:22:46 +02:00
Remove lockfiles, manage Gradle dependencies with Dependabot (#1535)
Dependabot currently does not update lockfiles in multi-module projects (see https://github.com/dependabot/dependabot-core/issues/14633) To work around this issue, we will simply remove our lockfiles, and change our version catalog to use fully specified versions. The removal of lockfiles introduces two issues: 1. It is less visible what our dependency graph is 2. Our builds are potentially non-reproducible To work around this, two mitigations are in place: 1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the build if any dependencies declare a version range 2. Enable GitHub dependency submission, which provides insight into the project SBOM
This commit is contained in:
@@ -68,13 +68,6 @@ plugins { id("org.gradle.toolchains.foojay-resolver-convention") version ("1.0.0
|
||||
|
||||
@Suppress("UnstableApiUsage") dependencyResolutionManagement { repositories { mavenCentral() } }
|
||||
|
||||
if (
|
||||
gradle.startParameter.taskNames.contains("updateDependencyLocks") ||
|
||||
gradle.startParameter.taskNames.contains("uDL")
|
||||
) {
|
||||
gradle.startParameter.isWriteDependencyLocks = true
|
||||
}
|
||||
|
||||
for (prj in rootProject.children) {
|
||||
prj.buildFileName = "${prj.name}.gradle.kts"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user