Updates to Maven, Gradle

[sgammon]

NOTE - ignore the version bumps in the commit. They've already been done through dependabot. NOTE - Get the stuff on SecurityStep into the "shift security left page" as an option to folks.

Summary

Updates to Gradle build, and new build caching added for Maven, Gradle, and Earthly. After a refactor of CI, one can now see all builds via a single reusable workflow, which simplifies review. Gradle Build Scans are also enabled, which allow deep inspection of the build (helpful for diagnosis and performance optimization).

Solved Issues

• 431

• 430

• 358

Focus: Performance

Build caching is conducted through Buildless for both Gradle and Maven, using the corresponding build plugins and the setup action.

Earthly caching is configured against Github Packages as a registry. Github Actions caching has also been optimized for Gradle and Maven (for example, such caches are now shared with Batect).

Typical build times on this PR:

• Build (Java 17) / Gradle = 2m 54s
• Build (Java 21) / Gradle = 2m 12s
• Build (Java 17) / Gradle + Batect = 1m 58s
• Build (Java 21) / Gradle + Batect = 2m 35s
• Build (Java 17) / Gradle + Earthly = 1m 3s
• Build (Java 21) / Gradle + Earthly = 5m 34s
• Build (Java 17) / Maven = 43s
• Build (Java 21) / Maven = 38s
• Build (Java 17) / Maven + Batect = 44s
• Build (Java 21) / Maven + Batect = 48s
• Build (Java 17) / Maven + Earthly = 52s
• Build (Java 21) / Maven + Earthly = 34s

Focus: Supply chain security

The runner for each step has been hardened to observe network traffic via StepSecurity. It's operating in audit mode, so that downstream users can observe their own traffic and lock it down later.

Gradle now uses locked and verified dependencies (both likewise in audit/lenient mode). SLSA, Sigstore, and SPDX are also now supported in the release flow.

Focus: Latest JVM

The latest features are adopted now including a JVM21 toolchain for building the app (supported as of Gradle 8.5, which this PR upgrades to). Support for JPMS has also been added to get users started with modular Java builds.

---

Constituent PRs

These appear closed, but that's because they've been cherry-picked on to this PR.

• sgammon/modern-java-practices#1
• sgammon/modern-java-practices#9
• sgammon/modern-java-practices#10
• sgammon/modern-java-practices#11
• sgammon/modern-java-practices#12
• sgammon/modern-java-practices#13
• sgammon/modern-java-practices#15
• sgammon/modern-java-practices#16
• sgammon/modern-java-practices#17
• sgammon/modern-java-practices#18
• sgammon/modern-java-practices#20
• sgammon/modern-java-practices#21

Changelog

• feat: add testlogger to show test results
• feat: ship SPDX SBOMs with JARs
• feat: SLSA provenance support
• feat: support JPMS (Java Modules)
• feat: enable parallel gradle builds
• feat: gradle build caching
• feat: gradle configuration cache
• feat: gradle integration with buildless
• feat: maven integration with buildless
• feat: accelerated downloads with pkgst
• feat: refactor for reusable workflows in ci
• feat: CodeQL scanner for java
• feat: github dependency review
• feat: OSSF scorecard action
• feat: remote caching with earthly, via github packages
• feat: coverage reporting with codecov
• feat: github actions scanner for sonarcloud
• fix: duplicate github actions builds for PRs
• fix: workflow permissions
• fix: align javac args between maven and gradle
• docs: initial readme updates for gradle changes
• chore: update gradle → 8.5
• chore: update jvm toolchain → 21
• chore: javax → jakarta
• chore: dependency updates
• chore: convert to version catalog
• chore: add dependency locking
• chore: add dependency verification

[sgammon]

@binkley I realize this looks huge, but don't worry; most of that is verification metadata from Gradle. I'm working on this in a draft PR on my fork, where I can iterate quickly without noise here. Stay tuned, I still need to update the README with a lot more docs, and do some other setup.

I also need to explore some of these tools. I had never seen Earthly before! Very cool stuff. I actually think we can integrate with that via Buildless. We already have a line of work going for regular Docker caching, so I think if we support that registry API, we can easily support Earthly, too.

[sgammon]

Here's a preview video of how fast the testsuite can be on Gradle with these settings active:

https://github.com/binkley/modern-java-practices/assets/171897/88d12665-2f2b-412f-90d1-c1279f7a079a

[sgammon]

@binkley I think this is ready for early feedback. I would encourage just downloading the project and trying it -- despite the largeness of the PR, you should feel right at home.

Things are very fast, using both Gradle and Maven. Caching in Earthly is also working really well with Github Packages.

You are entirely within your rights not to merge this, or not to review, even, given how big it is. But I think if you do, you will like it. I've tried to keep everything consistent with the current style of the codebase.

[sgammon]

Hey @binkley, friendly ping :) sorry if this is huge. Should I split it up? What do you think? I'm curious what your experience will be when you play with it.

[boxleytw]

Wow! Thais is fantastic, thank you! @sgammon I can look at this over the weekend.

I've gotten behind on the Dependabot PRs, mostly from trying to keep Gradle & Maven on the same tooling versions (the Gradle side gives the most trouble).

[sgammon]

@boxleytw Awesome! I realize the PR is big, so I could split it up, or do other work to make it easier to review. I wanted to pause to make sure my direction here was worth preserving. Take your time, let me know if I can adjust anything 😄

[sgammon]

Looks like secrets are failing the workflows:

Secret BUILDLESS_APIKEY is required, but not provided while calling.

I'll fix that up.

[binkley]

@sgammon I took a break from working on this repository to focus more time on my work commitments. Thank you.

I'd like to pick this up again. I'll try things out locally, and merge the PR if all is good.

[sgammon]

@binkley No worries 😄 I'd be happy to rebase or clean it up if you want me to. Just tag!

@sgammon I'm getting back into building out this repo to be helpful for everyone. I had pulled away because of work commitments.

Ultimately I would like to turn it into an open source book.

[binkley]

@sgammon I now have the free time I need to look into this. Thank you again!

I'm also working to break the huge README.md into separate parts, and moving them to the GitHub wiki for this repo.

[binkley]

@sgammon I sent a GitHub invite to you. You should be able to make changes as make sense.

[sgammon]

@binkley Accepted :) I'm happy to give this repo a (smaller, byte-size PR) refresh again soon. I'll tag you for review of course. I appreciate the invite but I would of course make sure you approve before merging new code.

[binkley]

These points are addressed: https://github.com/binkley/modern-java-practices/issues/430 - JDK 21 https://github.com/binkley/modern-java-practices/issues/358 - Gradle 8