Skip to content

Commit

Permalink
Update dependencies and enable dependency verification in Gradle
Browse files Browse the repository at this point in the history
Here's another attempt to enable Gradle dependency verification. I've
tried to do this a couple of times before, but always ran into issues.
With a helper script borrowed from a different project, hopefully this
will finally work reliably.

Every time we update Gradle or a dependency, the script I mentioned
needs to be run to update the list of checksums. The script runs the
build, the tests and the instrumented tests. This is necessary
because apparently Gradle is not able to discover all dependencies
without actually running the build tasks.

It's a little bit annoying that this Gradle feature is so half-baked
that we need a helper script to make things work, but I think it's worth
it.
  • Loading branch information
alexbakker committed Mar 24, 2024
1 parent 49a2b5d commit def939e
Show file tree
Hide file tree
Showing 5 changed files with 3,529 additions and 13 deletions.
18 changes: 9 additions & 9 deletions app/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -133,10 +133,10 @@ aboutLibraries {
}

dependencies {
def cameraxVersion = '1.3.1'
def cameraxVersion = '1.3.2'
def glideVersion = '4.16.0'
def guavaVersion = '33.0.0'
def hiltVersion = '2.50'
def guavaVersion = '33.1.0'
def hiltVersion = '2.51'
def junitVersion = '4.13.2'
def libsuVersion = '5.2.2'

Expand All @@ -154,7 +154,7 @@ dependencies {
implementation "androidx.core:core:1.12.0"
implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
implementation 'androidx.documentfile:documentfile:1.0.1'
implementation "androidx.lifecycle:lifecycle-process:2.6.2"
implementation "androidx.lifecycle:lifecycle-process:2.7.0"
implementation "androidx.preference:preference:1.2.1"
implementation 'androidx.recyclerview:recyclerview:1.3.2'
implementation "androidx.viewpager2:viewpager2:1.0.0"
Expand All @@ -171,18 +171,18 @@ dependencies {
implementation "com.github.topjohnwu.libsu:io:${libsuVersion}"
implementation "com.google.guava:guava:${guavaVersion}-android"
implementation 'com.google.android.material:material:1.11.0'
implementation 'com.google.protobuf:protobuf-javalite:3.25.1'
implementation 'com.google.zxing:core:3.5.2'
implementation 'com.google.protobuf:protobuf-javalite:4.26.0'
implementation 'com.google.zxing:core:3.5.3'
implementation("com.mikepenz:aboutlibraries:11.1.0") {
exclude group: 'com.mikepenz', module: 'aboutlibraries-core'
}
implementation "com.mikepenz:aboutlibraries-core-android:11.1.0"
implementation 'com.mikepenz:aboutlibraries-core-android:11.1.1'
implementation 'com.nulab-inc:zxcvbn:1.8.2'
implementation 'de.hdodenhof:circleimageview:3.1.0'
implementation 'net.lingala.zip4j:zip4j:2.11.5'
implementation 'info.guardianproject.trustedintents:trustedintents:0.2'
implementation 'org.bouncycastle:bcprov-jdk18on:1.77'
implementation "org.simpleflatmapper:sfm-csv:8.2.3"
implementation 'org.simpleflatmapper:sfm-csv:9.0.0'

androidTestAnnotationProcessor "com.google.dagger:hilt-android-compiler:$hiltVersion"
androidTestImplementation "com.google.dagger:hilt-android-testing:$hiltVersion"
Expand All @@ -199,7 +199,7 @@ dependencies {
testImplementation 'androidx.test:core:1.5.0'
testImplementation "com.google.guava:guava:${guavaVersion}-jre"
testImplementation "junit:junit:${junitVersion}"
testImplementation 'org.json:json:20231013'
testImplementation 'org.json:json:20240303'
testImplementation 'org.robolectric:robolectric:4.11.1'

coreLibraryDesugaring 'com.android.tools:desugar_jdk_libs:2.0.4'
Expand Down
6 changes: 3 additions & 3 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@ buildscript {
google()
}
dependencies {
classpath 'com.android.tools.build:gradle:8.2.0'
classpath 'com.google.dagger:hilt-android-gradle-plugin:2.50'
classpath 'com.android.tools.build:gradle:8.3.1'
classpath 'com.google.dagger:hilt-android-gradle-plugin:2.51'
classpath 'com.google.protobuf:protobuf-gradle-plugin:0.9.4'

// NOTE: Do not place your application dependencies here; they belong
Expand All @@ -21,8 +21,8 @@ plugins {

allprojects {
repositories {
mavenCentral()
google()
mavenCentral()
maven { url 'https://jitpack.io' }
maven {
url 'https://jcenter.bintray.com'
Expand Down
126 changes: 126 additions & 0 deletions gradle/update_verification.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
#!/usr/bin/env python3

# Based on: https://github.com/chenxiaolong/BCR/blob/6f1f30cf89f7d564870fe61791a490649cfb0ea0/gradle/update_verification.py
# License: GPL-3.0

import hashlib
import io
import os
import subprocess
import sys
import tempfile
import urllib.request
import xml.etree.ElementTree as ET


GOOGLE_MAVEN_REPO = 'https://dl.google.com/android/maven2'


def add_source_exclusions(ns, root):
configuration = root.find(f'{{{ns}}}configuration')
trusted_artifacts = ET.SubElement(
configuration, f'{{{ns}}}trusted-artifacts')

for regex in [
r'.*-javadoc[.]jar',
r'.*-sources[.]jar',
r'.*-src[.]zip',
]:
ET.SubElement(trusted_artifacts, f'{{{ns}}}trust', attrib={
'file': regex,
'regex': 'true',
})


def add_missing_aapt2_platforms(ns, root):
components = root.find(f'{{{ns}}}components')
aapt2 = components.find(f'{{{ns}}}component[@name="aapt2"]')

for platform in ['linux', 'osx', 'windows']:
group = aapt2.attrib['group']
name = aapt2.attrib['name']
version = aapt2.attrib['version']
filename = f'{name}-{version}-{platform}.jar'

if aapt2.find(f'{{{ns}}}artifact[@name="{filename}"]') is not None:
continue

path = f'{group.replace(".", "/")}/{name}/{version}/{filename}'
url = f'{GOOGLE_MAVEN_REPO}/{path}'

with urllib.request.urlopen(url) as r:
if r.status != 200:
raise Exception(f'{url} returned HTTP {r.status}')

digest = hashlib.file_digest(r, 'sha512')

artifact = ET.SubElement(aapt2, f'{{{ns}}}artifact',
attrib={'name': filename})

ET.SubElement(artifact, f'{{{ns}}}sha512', attrib={
'value': digest.hexdigest(),
'origin': 'Generated by Gradle',
})

aapt2[:] = sorted(aapt2, key=lambda child: child.attrib['name'])


def patch_xml(path):
tree = ET.parse(path)
root = tree.getroot()

ns = 'https://schema.gradle.org/dependency-verification'
ET.register_namespace('', ns)

# Add exclusions to allow Android Studio to download sources.
add_source_exclusions(ns, root)

# Gradle only adds the aapt2 entry for the host OS. We have to manually add
# the checksums for the other major desktop OSs.
add_missing_aapt2_platforms(ns, root)

# Match gradle's formatting exactly.
ET.indent(tree, ' ')
root.tail = '\n'

with io.BytesIO() as f:
# etree's xml_declaration=True uses single quotes in the header.
f.write(b'<?xml version="1.0" encoding="UTF-8"?>\n')
tree.write(f)
serialized = f.getvalue().replace(b' />', b'/>')

with open(path, 'wb') as f:
f.write(serialized)


def main():
root_dir = os.path.join(sys.path[0], '..')
xml_file = os.path.join(sys.path[0], 'verification-metadata.xml')

try:
os.remove(xml_file)
except FileNotFoundError:
pass

# Gradle will sometimes fail to add verification entries for artifacts that
# are already cached.
with tempfile.TemporaryDirectory() as temp_dir:
env = os.environ | {'GRADLE_USER_HOME': temp_dir}

subprocess.check_call(
[
'./gradlew' + ('.bat' if os.name == 'nt' else ''),
'--write-verification-metadata', 'sha512',
'--no-daemon',
'build',
'connectedCheck'
],
env=env,
cwd=root_dir,
)

patch_xml(xml_file)


if __name__ == '__main__':
main()
Loading

0 comments on commit def939e

Please sign in to comment.