search

gradle / gradle-build-action

Execute your Gradle build and trigger dependency submission
https://github.com/marketplace/actions/gradle-build-action
MIT License
671 stars 97 forks source link

Dependency Graph submission init script hard codes the `"https://plugins.gradle.org/m2/"` URL #933

Closed yogurtearl closed 9 months ago

yogurtearl commented 11 months ago

The init script adds this URL with might not be accessible: "https://plugins.gradle.org/m2/"

https://github.com/gradle/gradle-build-action/blob/62cce3c597efd445cd71ee868887b8b1117703a7/src/resources/init-scripts/gradle-build-action.github-dependency-graph-gradle-plugin-apply.groovy#L3

I am requesting a way to configure that repo URL.

For example, if I have an internal proxy called https://gradle-plugins-proxy.mycorp.com/ that proxies https://plugins.gradle.org/m2/, I need a way to configure that.

Also, this could pollute the buildscript repos for other plugins, so it should use exclusiveContent to limit the scope.

Instead, would be good to have something like: 

    exclusiveContent {
        forRepository {
            providers.environmentVariable("GRADLE_BUILD_ACTION_PLUGINS_REPO").orNull
                ?.let { maven(it) }
                ?: gradlePluginPortal()
        }
        filter {
            includeModule("org.gradle.github-dependency-graph-gradle-plugin", "org.gradle.github-dependency-graph-gradle-plugin.gradle.plugin")
        }
    }
jb-2020 commented 10 months ago

Also bumping into this one, would be great to support more enterprise use cases. I've forked this action with the following: 

  repositories {
    maven { 
      url "<private gradle plugin repository>
      credentials {
        username = System.getenv("USERNAME")
        password = System.getenv("PASSWORD")
      }
    }
  }

Unclear if it's user error but I also had trouble configuring the maven credentials. Assuming this is because this is an init script? Using env vars rather than gradle properties seems to be a work around.

jb-2020 commented 9 months ago

@bigdaz thanks for the fix, but there may be scenarios where users need maven credentials for this URL. Any suggestions?

bigdaz commented 9 months ago

@bigdaz thanks for the fix, but there may be scenarios where users need maven credentials for this URL. Any suggestions?

No. We have provided similar functionality with all of our Develocity CI integrations, and while PLUGIN_REPOSITORY_URL is part of each, nobody has asked for authentication.

Can you please raise a separate issue for this, with your specific use case?

bigdaz commented 9 months ago

@yogurtearl I considered adding the exclusiveContent restriction, but from my understanding the buildscript block only applies to the current script, which is applied from an init-script, and won't impact dependency resolution in other scripts.

Have you seen evidence of this sort of repository leakage?