Dependabot currently does not update lockfiles in multi-module projects
(see https://github.com/dependabot/dependabot-core/issues/14633)
To work around this issue, we will simply remove our lockfiles, and
change our version catalog to use fully specified versions.
The removal of lockfiles introduces two issues:
1. It is less visible what our dependency graph is
2. Our builds are potentially non-reproducible
To work around this, two mitigations are in place:
1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the
   build if any dependencies declare a version range
2. Enable GitHub dependency submission, which provides insight into the
   project SBOM
Motivation:
buildSrc is a special-case legacy mechanism.
Gradle recommends using an included build named build-logic instead:
https://docs.gradle.org/current/userguide/best_practices_structuring_builds.html#favor_composite_builds
Changes:
- Rename buildSrc/ to build-logic/
  - triggers reformatting
- Replace occurrences of "buildSrc" with "build-logic"
- Include the build-logic build in the main build (via
  settings.gradle.kts)
- Apply convention plugins via plugin IDs instead of type-safe accessors
  - small tradeoff compared to buildSrc
Result:
- Faster and more isolated builds
- Build logic behaves like a normal build, making it easier to evolve
  and reason about
---------
Co-authored-by: Daniel Chao <dan.chao@apple.com>
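Added example (not code from these commits or from the project) showing how the two changes fit together: a `build-logic` included build carrying a convention plugin that turns on `failOnDynamicVersions()`, applied by plugin ID from a module whose dependencies come from a fully pinned version catalog. Several Gradle files are shown in one block separated by path comments. The plugin ID `dependency-hygiene`, the project/module names, and the catalog alias `libs.guava` are assumed for illustration; the GitHub dependency submission step is a CI workflow and is not shown.

```kotlin
// settings.gradle.kts (root build): make the plugins published by the
// build-logic included build resolvable by ID in every module.
pluginManagement {
    includeBuild("build-logic")
}
dependencyResolutionManagement {
    repositories {
        mavenCentral()
    }
    // gradle/libs.versions.toml is picked up automatically as `libs`.
    // Every version in it must be one concrete version (e.g. "33.2.1-jre"),
    // never a range such as "[33,34)" or a dynamic selector like "33.+".
}
rootProject.name = "example-root"   // assumed project name
include("app", "lib")               // assumed modules

// build-logic/settings.gradle.kts
dependencyResolutionManagement {
    repositories {
        mavenCentral()
        gradlePluginPortal()
    }
}
rootProject.name = "build-logic"

// build-logic/build.gradle.kts: precompiled script plugins need kotlin-dsl.
plugins {
    `kotlin-dsl`
}

// build-logic/src/main/kotlin/dependency-hygiene.gradle.kts
// Convention plugin (ID "dependency-hygiene", assumed). With no lockfile,
// reproducibility rests on every selector in the resolved graph being a
// single concrete version, so resolution is made to fail otherwise.
// The check applies to the resolved graph, transitive dependencies included,
// not only to what the catalog declares directly.
configurations.all {
    resolutionStrategy {
        failOnDynamicVersions()   // rejects "1.+", "[1.0,2.0)", "latest.release"
        failOnChangingVersions()  // rejects "-SNAPSHOT" and other changing modules
    }
}

// app/build.gradle.kts: apply by plugin ID, not by a type-safe accessor.
plugins {
    id("dependency-hygiene")
    java
}
dependencies {
    implementation(libs.guava)    // catalog alias assumed; pinned in the TOML
}
```

With this in place, any dynamic or changing version anywhere in a module's resolved graph fails that configuration's resolution and reports the offending module, so a transitive `1.+` pulled in by a third-party library is caught as well as a range typed into the catalog. Inspecting the resolved graph for a module with `./gradlew :app:dependencies` is a quick way to confirm that every selector shown is an exact version.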