spotbugs / spotbugs-gradle-plugin

https://plugins.gradle.org/plugin/com.github.spotbugs
Apache License 2.0

We do not need to release for project-used dependencies. #1193

Closed Goooler closed 2 months ago

Goooler commented 2 months ago

We do not need to release for project-used dependencies. Things like this are just used to check and build this project; they are not needed at runtime.

Originally posted by @Goooler in https://github.com/spotbugs/spotbugs-gradle-plugin/issues/1192#issuecomment-2169382615

Goooler commented 2 months ago

I didn't see where we make these automatic releases, but it's too bothersome to update for some revision updates. There is nothing changed between them, like:

diffuse diff --jar spotbugs-gradle-plugin-6.0.16.jar spotbugs-gradle-plugin-6.0.17.jar

OLD: spotbugs-gradle-plugin-6.0.16.jar
NEW: spotbugs-gradle-plugin-6.0.17.jar

 JAR   │ old       │ new       │ diff
───────┼───────────┼───────────┼──────
 class │ 171.2 KiB │ 171.2 KiB │  0 B
 other │     260 B │     260 B │  0 B
───────┼───────────┼───────────┼──────
 total │ 171.5 KiB │ 171.5 KiB │  0 B

 CLASSES │ old │ new │ diff
─────────┼─────┼─────┼───────────
 classes │  44 │  44 │ 0 (+0 -0)
 methods │ 592 │ 592 │ 0 (+0 -0)
  fields │  81 │  81 │ 0 (+0 -0)

Goooler commented 2 months ago

CC @KengoTODA

KengoTODA commented 2 months ago

Our release note does not include changes like dependency updates, so what is the core of the problem? I want to understand why we care about the post in such dev-deps update PRs.

https://github.com/spotbugs/spotbugs-gradle-plugin/releases/tag/6.0.17

Goooler commented 2 months ago

As I described, some deps used by this project are just used for infra or building. They are not transitive deps that affect the user side, so we have no need to release them; it's so frequent.

And you can see the diff result above, nothing changed between these two versions.

KengoTODA commented 2 months ago

Ah, I understand. Thanks for your explanation!

In my understanding, this release is necessary to support Android Plugin v8.5.0. In this case, we luckily had no changes, but in some cases, we needed to change our code. #946 needed to change Java version and #552 needed to change dependency (not sure why #552 was handled as chore(deps)).

So for me, it is understandable that Dependabot used fix for #1192. Humans could change the commit comment manually only if no change is needed, but I think it's not so reasonable to ask contributors to do so.

If possible, I want to close this issue without any change, to keep the release procedure simple. What do you think? 🤔