[Question] Inconsistent gradle configuration exclusion results #198
Comments
Since this is a public project, I strongly recommend that you publish Build Scans for your dependency submission actions. This will give you a good overview of which configurations are resolving the dependencies in question. It's difficult to get this sort of overview otherwise, since the way dependencies are declared and how they are resolved is different. Another mechanism is to run the Note that configurations named
I'd also recommend that you use the Instead, you're generating a dependency graph based on running the
Great! I tried to use It seems that the deps generated by However,
Did you try generating a build scan? If you share that I can help explain why you're seeing this behaviour. Without it I'm just guessing.
@bigdaz I'll try to generate one maybe tomorrow and then I'll update it under this post. 😊
I see now that Develocity (Gradle Enterprise) is already enabled for I really recommend you do that, so that you'll get Build Scans for each workflow run on an ongoing basis. However, since you won't have the access key configured in your fork, you won't be able to publish build scans to ge.apache.org until the code is merged. So for now, try re-running your PR workflow with action debugging enabled. The process is described here: https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#when-you-cannot-publish-a-build-scan. This will tell you which dependencies are resolved in which configurations.
Thank you for the instruction. I've re-run the job with the I briefly compared the logs of the two and it seems that only the latter outputs the following log:
Thanks for sharing those jobs. If you download the logs for each and search for "Detected dependency" you'll find:
This shows that exclusion is removing some dependencies from those that are considered, but you must consider that many of the "Detected dependencies" are duplicated in multiple configurations. It's very likely that every dependency excluded in the second job is also present in a configuration that wasn't excluded. This could be due to all of the 'detachedConfiguration*' configurations: I suspect these are created by the Spring Dependency Management plugin. Maybe try excluding those as well.
@bigdaz Thanks for the analysis. That is,
I'm not sure it's "best practice". The Spring Dependency Management plugin introduces a bunch of
@Pil0tXia Are you OK with closing this issue? It would be great if you reply with a solution that works for you.
Since my purpose of using Dependency Graph is to review third-party dependency licenses in binary distributions in conjunction with However, this solution is not applicable due to an unresolved bug of
I want to analyze the dependencies of runtimeClasspath only. I have tried the following methods:

- DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: runtimeClasspath, log, dependency graph artifact size: 563 Bytes (empty, no deps in it)
- DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS: '.*[Tt]est(Compile|Runtime)Classpath', log, dependency graph artifact size: 18.2 KB (almost full deps in it, 18.3 KB when no exclusion applied)
- DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS: '.*(testCompile|testRuntime|compile)Classpath', log, dependency graph artifact size: 16.8 KB (jupiter with testImplementation scope still in it although test exclusion declared)
- DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: '[Ii]mplementation.*|[Rr]untime.*|[Cc]ompile.*|[Aa]pi.*|[Aa]nnotation.*', log, dependency graph artifact size: 10.9 KB (jupiter not in it finally, but lombok with compileOnly scope is still in it)
- DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: '[Ii]mplementation.*|[Rr]untime.*|[Aa]pi.*', log, dependency graph artifact size: 563 Bytes (empty, no deps in it)

I am not clear about the reasons. I think I will temporarily use
DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: '[Ii]mplementation.*|[Rr]untime.*|[Cc]ompile.*|[Aa]pi.*'
to analyze the dependencies of runtimeClasspath (i.e., the dependencies bundled when packaging as a binary release), but compileOnly scope deps are not excluded with this regex.