I do publish an open source library to Maven Central. In order to do that the gradle.build file contains variable references to a gradle.properties file which contains secret information like usernames and passwords.
Of course the build.gradle needs to be published to the public git repository, the gradle.properties should not be published, due to containing all the personal information but without the properties file the build.gradle is not valid.
How are open source projects handling those sensitive data?
Here is a solution based on this answer, with the use of findProperty method to allow users to build your project without providing the publishing credentials (issue you mentioned in your comment above)
move credentials outside the project's gradle.properties and put them to your local user /.gradle/gradle.properties configuration file
in your publish task definition, use:
authentication(userName: findProperty('mavenUser'), password: findProperty('mavenPassword'))
Related
I have a project that adopts Spring Vault to fetch credential. Dependencies of the project are as following and build.gradle file is generated automatically afterwards.
When I build the project I got the error
Could not resolve
org.springframework.vault:spring-vault-core:2.2.2.RELEASE.
Possible solution:
Declare repository providing the artifact, see the documentation at https://docs.gradle.org/current/userguide/declaring_repositories.html
I have checked the libraries by going to the Project Structures and got the weird thing
The weird thing I mean here is about the path of the jar file. It should be something like
%GRADLE_HOME%\caches\modules-2\files-2.1\org.springframework.cloud\spring-cloud-vault-config\2.2.3.RELEASE\5fd5a06deb01db77eb3e9b8e723ccc1e0790c420
How can I fix this issue in IntelliJ?
When you get an error about could not resolve dependencies in gradle, then there are several things you need to check.
Proxy settings (should be inside gradle.properties)
Permission for creating directories (particularly in %GRADLE_HOME%\caches\modules-2\files-2.1)
For the problem of proxy setting, simply set values for the following fields inside gradle.properties
systemProp.http.proxyHost=
systemProp.http.proxyPort=
systemProp.http.nonProxyHosts=
systemProp.https.proxyHost=
systemProp.https.proxyPort=
systemProp.https.nonProxyHosts=
For the problem of permission, try creating directories with the name of dependencies cannot be resolved, for example, org.springframework.vault at %GRADLE_HOME%\caches\modules-2\files-2.1. If you got permission denied or simply cannot create, then please contact your IT support!
How can I access a gradle.properties from another project?
project1/gradle.properties
project2
Project2 uses the same gradle.properties as Project1. The gradle.properties is in source control, so it is not good idea to put it in user home directory.
The gradle.properties of Project1 contains some credentials I would like to reuse in Project2.
Is there a way to tell Gradle the location of gradle.properties?
I don't think its a very good idea to put username & password into a version control system. Your user home is the place to store your credentials.
Make sure the users home gradle.properties can only be read by your user processes. On a Unix like operating system this would be:
chmod 600 ~/.gradle/gradle.properties
Furthermore creating dependency between repositories sharing a gradle.properties feels like the wrong approach. This is why Gradle introduced the user home gradle.properties.
But if you still think it is a good idea and/or you don't have any other choice you can set -Dgradle.user.home=project1 and it will pick up the gradle.properties from Project1.
I am following the instructions at http://central.sonatype.org/pages/gradle.html to use Gradle to upload artifacts to the Maven Central Repository. The instructions work. Examples appear at https://github.com/plume-lib/options/blob/master/build.gradle and https://github.com/plume-lib/bcel-util/blob/master/build.gradle .
My problem is that it results in a buildfile that other developers cannot use.
The Gradle signing plugin (https://docs.gradle.org/current/userguide/signing_plugin.html) requires a gradle.properties file with signing.keyId, signing.password, and signing.secretKeyRingFile, where the latter points to a valid GPG keyring. The plugin terminates the build with an error if the file doesn't exist or is not valid.
But signing is only needed when uploading artifacts to Maven Central.
I want any user to be able to run the gradle buildfile (except for actually uploading to Maven Central), even if they do not have a GPG keyring.
How can I achieve this?
Here are some things I have tried:
Split the gradle file into parts. (This is what is shown in the linked examples.) This requires two changes.
Change the main buildfile into a build script. (It can still be invoked from the command line). One gross thing about this is that only a gradle buildfile can contain a plugins { ... } block, and referring to a plugin outside the plugins { ... } block is verbose and ugly, as at the bottom of (say) https://plugins.gradle.org/plugin/com.github.sherter.google-java-format or
Create another buildfile, used only for signing, that uses apply from: to include the main one.
Question: Is there a way to do this without the ugly buildscript block?
Commit a dummy keyring to the repository, refer to it in the local gradle.properties, and the user's ~/gradle.properties can override it for any user who wants to upload to Maven Central. A problem is that using a local pathname yields a gradle warning.
Question: Is there a way to do this without a gradle warning?
Use conditional signing (https://docs.gradle.org/current/userguide/signing_plugin.html). In my experiments, this does not help. Even on a gradle execution where the artifacts are not signed, the signing plugin still requires the GPG keyring to exist.
Question: Can conditional signing be used to avoid the need for a GPG keyring?
Question: Is there a better way to achieve my goals than the above possibilities?
The documentation has a section on "Conditional Signing" which is exactly what you need here.
And you can even make that condition check that the required properties are indeed available to the build.
In order to bootstrap Gradle-Wrapper, I need to pull the Gradle distribution from an Artifactory which requires HTTP Basic-Auth. There's no way for my build environment to access the outside world - this is blocked by the corporate proxy. My problem is how to provide the credentials so that Gradle can bootstrap.
The Gradle documentation suggests putting the username & password into gradle-werapper.properties.
If I put gradle-wrapper.properties into my project then anybody who has access to my source code would would have access to my credentials. Alternatively, if I put the gradle-wrapper.properties file into my build image then all of my builds will be tied to the same credentials. Neither of these are acceptable.
What I'd much rather do is have Gradle Wrapper pick up it's credentials from environment variables. My run-time environment makes it very easy to provide the credentials in the right way - but is there a way to make Gradle consume the credentials from an environment variable?
From the documents you gave.
In {user.home} directory create .gradle folder if it does not exist.
enter gradle.properties:
systemProp.gradle.wrapperUser=username
systemProp.gradle.wrapperPassword=password
now all you need is distributionUrl to point to your URL, and gradle will handle credentials.
There are three ways to provide credentials:
In folder {user.home} \ .gradle create file gradle.properties with
systemProp.gradle.wrapperUser=username
systemProp.gradle.wrapperPassword=password
pass throw system properties ( note: username, password can be environment variables)
./gradlew -Dgradle.wrapperUser=$username -Dgradle.wrapperPassword=$password
add system properties to GRADLE_OPTS
export GRADLE_OPTS=-Dgradle.wrapperUser=$username -Dgradle.wrapperPassword=$password
(Not found in the Activator documentation)
It seems that it is possible to have Activator also use an existing local Maven repository by adding the following entry (in bold) in file build.sbt:
resolvers += Seq(
"Local Maven Repository" at "file://q:/repositories/maven",
"Sonatype OSS Snapshots" at "https://oss.sonatype.org/content/repositories/snapshots"
)
I am not sure it works but anyway, the problem with this approach is that the project structure must already have been created (and therefore a local repository created and automatically populated by downloads), hence my question : is it possible to tell Activator before it creates the project structure that it should use some local Maven repository ?
Thanks in advance for any hint.
Activator makes use of the sbt-launcher. You can use the sbt-launcher to control which repositories sbt makes use of by default for each project and for the launcher itself.
If you'd like to modify the activator launcher itself, unzip the jar file and take a look at the sbt/boot.properties file included. You can use the format outlined at sbt's launcher docs to add your local maven repository to the list.
A simpler option in the future (but not enabled in our current properties file) is the launcher's ability to have an override repository configuration file. See: Sbt's proxy configuration docs. This file would allow you to specify the repositories you wish activator to use by default. We disabled this to ensure the offline repository which activator uses is added by default. However, I'll open a ticket to re-enable this feature. That way, you should be able to just create a ~/.sbt/repositories file with the following contents:
[repositories]
activator-local: file://${activator.local.repository-${activator.home-${user.home}/.activator}/repository}, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
local
maven-local
maven-central
typesafe-releases: http://typesafe.artifactoryonline.com/typesafe/releases
typesafe-ivy-releases: http://typesafe.artifactoryonline.com/typesafe/ivy-releases, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
Note: the ~/.sbt/boot directory will always exist. This is created to ensure that no other process deletes jar files we use while running, so we copy these out of the local cache. If we didn't, you'd see some really fun error messages.