sigstore / sigstore-java

java clients for sigstore
Apache License 2.0
Prevent sigstore-java from using "project" version when applied self #702

Open loosebazooka opened 4 months ago

loosebazooka commented 4 months ago

When we apply sigstore-gradle-sign-plugin in build logic, the sigstoreClientClasspath always wants to use the project dependency instead of the expected sigstore-java dependency of the plugin.

$ ./gradlew sigstore-java:dependencies --configuration sigstoreClientClasspath

> Task :sigstore-java:dependencies

------------------------------------------------------------
Project ':sigstore-java' - A Java client for signing and verifying using Sigstore
------------------------------------------------------------

sigstoreClientClasspath - Resolves Sigstore dependencies
+--- dev.sigstore:sigstore-java:0.7.0 -> project :sigstore-java (*)

see +--- dev.sigstore:sigstore-java:0.7.0 -> project :sigstore-java (*)

This can cause incompatibilities, especially since the sigstore-gradle-sign-plugin version is 0.7.0.

This wouldn't be an issue once we're 1.0 and API stable. But it is a bit strange.

loosebazooka commented 4 months ago

@vlsi not sure if you're aware of any workarounds, haven't been able to get any dependencyResolution to work here.