Closed licaon-kter closed 2 months ago
Seems confusing that f-droid happily built 2.5.0 not that long ago, which had the same dep.
not really as it had https://github.com/owntracks/android/blob/v2.5.0/project/gradle/libs.versions.toml#L47 from this repo https://mvnrepository.com/artifact/com.android.tools/r8/8.3.37
and your current https://github.com/owntracks/android/blob/v2.5.2/project/gradle/libs.versions.toml#L47 is available only from the untrusted repo
fyi that repo will never be used as we remove it from the code https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/org.owntracks.android.yml#L24
Aha, that makes sense. Will revert it.
Is there an fdroid command that I can use to catch this in CI?
fdroid scanner on the OSS apk reports zero problems.
remove other maven repos that are not on this list: https://gitlab.com/fdroid/fdroidserver/-/blob/02f005280654e733ffc176b80d6119b5d5f55d50/fdroidserver/scanner.py#L506-L526
then try to build :shrug: :smile:
Looks like there was a historical reason we were depending on a version of r8 from Google, but now can probably rely on the one that's shipped as part of AGP.
Yeah, I see that. Be nice if there was some lint we could run so we don't fall over these issues inadvertently at publish-time.
fdroid scanner appid does this already, for your metadata/appid.yml file
Hmm. Can't seem to get that to work here:
$ docker run --rm -it --entrypoint /bin/bash registry.gitlab.com/fdroid/docker-executable-fdroidserver:master
$ mkdir -p metadata && curl -o metadata/org.owntracks.android.yml https://gitlab.com/fdroid/fdroiddata/-/raw/master/metadata/org.owntracks.android.yml
$ mkdir -p /root/.gradle && touch /root/.gradle/gradle.properties
$ sed -i "s/disable: .*//" metadata/org.owntracks.android.yml
$ /home/vagrant/fdroidserver/fdroid scanner org.owntracks.android:420502019
2024-09-21 09:43:52,330 INFO: Processing org.owntracks.android
2024-09-21 09:43:52,330 INFO: ...scanning version 2.5.2
2024-09-21 09:43:52,330 INFO: Getting source for revision v2.5.2
2024-09-21 09:43:57,454 INFO: Creating local.properties file at build/org.owntracks.android/local.properties
2024-09-21 09:43:57,456 INFO: Creating local.properties file at build/org.owntracks.android/project/local.properties
2024-09-21 09:43:57,456 INFO: Creating local.properties file at build/org.owntracks.android/project/app/local.properties
2024-09-21 09:43:57,482 INFO: Cleaned build.gradle.kts of keysigning configs at build/org.owntracks.android/project/app/build.gradle.kts
2024-09-21 09:43:57,492 INFO: Running 'prebuild' commands in build/org.owntracks.android/project/app
2024-09-21 09:43:57,700 INFO: Removing gradlew at project/gradlew
2024-09-21 09:43:57,700 INFO: Removing gradlew.bat at project/gradlew.bat
2024-09-21 09:43:57,770 INFO: Removing gradle-wrapper.jar at project/gradle/wrapper/gradle-wrapper.jar
2024-09-21 09:43:57,771 INFO: Finished
0 problems found
I can see scanner is doing the prebuild, but then it's not validating that the resulting project can resolve its dependencies (which it won't be able to without that google repo).
edit: fdroid build fails as expected:
$ /home/vagrant/fdroidserver/fdroid build org.owntracks.android:420502019
...
* What went wrong:
A problem occurred configuring root project 'owntracks-android'.
> Could not resolve all artifacts for configuration ':classpath'.
> Could not find com.android.tools:r8:8.6.17.
Searched in the following locations:
- https://repo.maven.apache.org/maven2/com/android/tools/r8/8.6.17/r8-8.6.17.pom
- https://jitpack.io/com/android/tools/r8/8.6.17/r8-8.6.17.pom
- https://plugins.gradle.org/m2/com/android/tools/r8/8.6.17/r8-8.6.17.pom
- https://dl.google.com/dl/android/maven2/com/android/tools/r8/8.6.17/r8-8.6.17.pom
Required by:
root project :
* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.
BUILD FAILED in 3s
4 actionable tasks: 4 executed
Look in the recipe, there's a sed that removes the offending repo ;)
I see that - I don't think that's something we added?
My point is that F-Droid could (in theory) change the recipe in the future, and the f-droid scan stop won't necessarily alert us that build will fail.
Maybe the easiest thing here is to actually do an f-droid build as part of the CI.
Depends on how you want to continue.
If the repo is not there anymore, we'll remove the sed anyway, as not needed.
Hence, if you re-add it in the future, the scanner will alert us.
I've taken the repo out, so the sed step is now probably unnecessary.
I'll change our f-droid CI job to do a scanner & build. Is there a trivial way to get fdroidserver to scan and build from pwd rather than a specific git ref?
It scans the current folder state, you can trigger whenever you want.
It scans the current folder for metadata, yes, but I'll need it to build off the HEAD of master. I guess I can just generate my own metadata file for that run, and then run build against that. Will experiment.
You can update versionCode, versionName and commit in the .yml, then trigger the scan: fdroid scanner --verbose appid:versionCode
this maven repo https://github.com/owntracks/android/blob/v2.5.2/project/build.gradle.kts#L6 is not on the small trusted list: https://gitlab.com/fdroid/fdroidserver/-/blob/fe1c6b5149f8b014e6105a54396bace9a806db63/fdroidserver/scanner.py#L506-L527
ref: https://monitor.f-droid.org/builds/log/org.owntracks.android/420502019#site-footer
/LE: fyi https://gitlab.com/fdroid/fdroiddata/-/commit/ac608aa49242a82cf0f47daff4eba47c657e1e1e
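A sketch of the kind of pre-publish lint asked for in the thread, added here as an example; it is not code from the thread, from OwnTracks or from fdroidserver. It flags `maven` repository URLs in a Gradle script that fall outside an allowlist. The allowlist is an assumption built from the repositories shown in the build log above, not F-Droid's actual list, and the function names and sample hosts are hypothetical.

```python
import re
import sys

# Assumption: allowlist taken from the repositories visible in the build log
# on this page. It is NOT a copy of the list in fdroidserver's scanner.py.
ALLOWED_PREFIXES = (
    "https://repo.maven.apache.org/maven2",
    "https://jitpack.io",
    "https://plugins.gradle.org/m2",
    "https://dl.google.com/dl/android/maven2",
)
MAVEN_RE = re.compile(r"\bmaven\s*(\{[^}]*\}|\([^)]*\))", re.S)
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")
# Constructed sample build script (hosts are placeholders).
SAMPLE = '''\
repositories {
    google()
    mavenCentral()
    // maven { url = uri("https://commented-out.example.invalid/repo") }
    maven { url = uri("https://example.invalid/untrusted-maven") }
    maven("https://jitpack.io")
    maven { url = uri("https://jitpack.io.example.invalid/m2") }
}
'''

def strip_comments(text):
    # Keep newlines so line numbers stay right; "://" is a URL, not a comment.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), text, flags=re.S)
    return re.sub(r"(?m)(?<!:)//.*$", "", text)

def is_allowed(url):
    # Match on a path boundary so a look-alike host prefix does not pass.
    return any(url.rstrip("/") == p or url.startswith(p + "/") for p in ALLOWED_PREFIXES)

def find_untrusted_repos(gradle_text):
    """Return [(line, url)] for maven repositories outside the allowlist."""
    clean = strip_comments(gradle_text)
    findings = []
    for block in MAVEN_RE.finditer(clean):
        for m in URL_RE.finditer(block.group(1)):
            if not is_allowed(m.group(1)):
                line = clean.count("\n", 0, block.start(1) + m.start()) + 1
                findings.append((line, m.group(1)))
    return findings

if __name__ == "__main__":
    bad = find_untrusted_repos(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    print("\n".join(f"line {n}: untrusted maven repo {u}" for n, u in bad))
    sys.exit(1 if bad else 0)
```

Run it over both `build.gradle.kts` and `settings.gradle.kts` in CI. It only inspects declared repository URLs and does not resolve dependencies, so it complements rather than replaces an actual `fdroid build`.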