chore: updates to gradle build

- feat: add testlogger to show test results - feat: ship SPDX SBOMs with JARs - feat: support JPMS (Java Modules) - feat: enable parallel gradle builds - feat: gradle build caching - feat: gradle configuration cache - feat: accelerated downloads with pkgst - feat: add pkgst repository endpoints - docs: initial readme updates for gradle changes - chore: update gradle → `8.5` - chore: update jvm target → `21` - chore: update ci images → `21.0.1_12-jdk-jammy` - chore: `javax` → `jakarta` - chore: convert to version catalog - chore: add dependency locking - chore: add dependency verification Signed-off-by: Sam Gammon <[email protected]>
sgammon · Jan 6, 2024 · 1faedef · 1faedef
1 parent 58a7986
commit 1faedef
Show file tree

Hide file tree

Showing 19 changed files with 7,177 additions and 102 deletions.
diff --git a/Earthfile b/Earthfile
@@ -1,16 +1,16 @@
 VERSION 0.7
-FROM eclipse-temurin:17-jdk-focal
+FROM eclipse-temurin:21.0.1_12-jdk-jammy
 WORKDIR /code
 
 build-with-gradle:
     COPY gradlew .
     COPY gradle gradle
     COPY gradle.properties .
-    COPY settings.gradle .
+    COPY settings.gradle.kts .
     COPY build.gradle .
     COPY config config
     COPY src src
-    RUN ./gradlew clean build
+    RUN ./gradlew clean build --no-configuration-cache
 
 run-with-gradle:
     FROM +build-with-gradle

diff --git a/README.md b/README.md
@@ -126,6 +126,9 @@ align="right" width="20%" height="auto"/>
 
 ## Recent significant changes
 
+- Gradle: Refactor to JVM21 build, with Version Catalogs, build caching, and
+  support for dependency verification/locking and SBOMs.
+
 - Gradle: remove use of `testsets` plugin for integration testing in favor of
   native Gradle. This is in support of Gradle 8
 

diff --git a/batect.yml b/batect.yml
@@ -1,6 +1,6 @@
 containers:
   build-env:
-    image: eclipse-temurin:17-jdk-focal
+    image: eclipse-temurin:21.0.1_12-jdk-jammy
     environment:
       # Needed for Gradle: Maven handles this via `.mvn/jvm.config`
       JAVA_OPTS: --add-opens java.base/java.lang=ALL-UNNAMED
@@ -29,7 +29,7 @@ tasks:
       container: build-env
       # One time only when updating to DependencyCheck plugin 7.0.0:
       # command: ./gradlew --no-daemon --warning-mode=all dependencyCheckPurge clean build
-      command: ./gradlew --no-daemon --warning-mode=all clean build
+      command: ./gradlew --no-configuration-cache --no-daemon --warning-mode=all clean build
   run-with-gradle:
     description: Runs the demo program assuming a Gradle build
     run:

diff --git a/build.gradle b/build.gradle
@@ -1,52 +1,52 @@
-// TODO: Why does IntelliJ complain about these imports?
+import com.adarshr.gradle.testlogger.theme.ThemeType
 import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
 import com.github.spotbugs.snom.SpotBugsTask
 
 plugins {
     id "build-dashboard" // See build/reports/buildDashboard/index.html
     // TODO: project-report is presently broken because of pitest task
     id "project-report" // Try the `projectReport` task
-    id "com.dorongold.task-tree"
-    id "com.github.ben-manes.versions" // Try the `dependencyUpdates` task
     id "java" // Gradle support for Java
     id "checkstyle" // To check that code follow style standards
     id "pmd" // Static analysis based on source (does not check compiled code)
-    id "com.github.spotbugs" // Static analysis based on compiled code (does not check source)
-    id "com.github.andygoossens.gradle-modernizer-plugin"
     id "jacoco" // To run test coverage
-    id "info.solidsoft.pitest" // To run mutation testing
-    id "org.kordamp.gradle.jdeps"
-    id "org.owasp.dependencycheck" // To push security to the left
     id "application" // To build the executable jar
+
+    alias libs.plugins.dependency.check  // To push security to the left
+    alias libs.plugins.jdeps
+    alias libs.plugins.modernizer
+    alias libs.plugins.pitest  // To run mutation testing
+    alias libs.plugins.sbom  // Embeds SPDX Software Bill Of Materials (SBOMs) files in JARs
+    alias libs.plugins.spotbugs  // Static analysis based on compiled code (does not check source)
+    alias libs.plugins.tasktree
+    alias libs.plugins.testlogger
+    alias libs.plugins.versions  // Try the `dependencyUpdates` task
 }
 
 version = "0-SNAPSHOT"
 group = "demo"
 
-repositories {
-    mavenCentral()
-}
-
 dependencies {
-    compileOnly "org.projectlombok:lombok:$lombokVersion"
-    annotationProcessor "org.projectlombok:lombok:$lombokVersion"
-    compileOnly "com.github.spotbugs:spotbugs-annotations:$spotbugsVersion"
-    compileOnly "com.google.code.findbugs:findbugs-annotations:$findbugsAnnotationsVersion"
-    compileOnly "org.gaul:modernizer-maven-annotations:$modernizerVersion"
-
-    testCompileOnly "org.projectlombok:lombok:$lombokVersion"
-    testAnnotationProcessor "org.projectlombok:lombok:$lombokVersion"
-    testCompileOnly "com.google.code.findbugs:findbugs-annotations:$findbugsAnnotationsVersion"
-
-    testImplementation "org.junit.jupiter:junit-jupiter:$junitVersion"
-    testImplementation "org.assertj:assertj-core:$assertJVersion"
-    testImplementation "org.mockito:mockito-core:$mockitoVersion"
-    testImplementation "com.github.stefanbirkner:system-lambda:$systemLambdaVersion"
+    implementation libs.jakarta.annotation
+    compileOnly libs.lombok
+    annotationProcessor libs.lombok
+    compileOnly libs.spotbugs
+    compileOnly libs.findbugs
+    compileOnly libs.modernizer
+
+    testCompileOnly libs.lombok
+    testAnnotationProcessor libs.lombok
+    testCompileOnly libs.findbugs
+
+    testImplementation libs.junit.jupiter
+    testImplementation libs.assertj
+    testImplementation libs.mockito
+    testImplementation libs.systemlambda
 
     // Quiet build -- build works without this, but JUnit complains
-    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
+    testRuntimeOnly libs.junit.jupiter.engine
 
-    spotbugsPlugins "com.h3xstream.findsecbugs:findsecbugs-plugin:$findsecbugsPluginVersion"
+    spotbugsPlugins libs.findsecbugs
 
     // Give special attention to https://blog.gradle.org/log4j-vulnerability
     // Gradle 7.3.3+ addresses this out of the box. If you are using Gradle
@@ -96,19 +96,43 @@ configurations.pmd {
 }
 
 java {
+    modularity.inferModulePath = true
+
     toolchain {
         languageVersion.set(JavaLanguageVersion.of("$jdkVersion"))
     }
 }
 
-tasks.withType(JavaCompile) {
-    options.compilerArgs += ["-Werror", "-Xlint:all,-processing", "-parameters"]
+tasks.withType(JavaCompile).configureEach {
+    options.compilerArgs += ["-Werror", "-Xlint:all,-processing", "-parameters", "-Xlint:-requires-automatic", "-Xlint:-requires-transitive-automatic"]
 }
 
 test {
     // NB -- JaCoCo draws from _unit tests_, not integration tests
     // When tests fail, you still have a coverage report
     finalizedBy jacocoTestReport
+
+    // Important: Remove this when you actually use this codebase. Tests cannot be cached for local
+    // testing of the sample. In most projects, this directive below should be deleted.
+    outputs.upToDateWhen { false }
+}
+
+testlogger {
+    theme = ThemeType.MOCHA
+    showFailed = true
+    showPassed = true
+    showSkipped = true
+}
+
+spdxSbom {
+    targets {
+        create("release") {
+            scm {
+                uri.set("https://github.com/binkley/modern-java-practices.git")
+                tool.set("git")
+            }
+        }
+    }
 }
 
 tasks.register('integrationTest', Test) {
@@ -119,14 +143,14 @@ tasks.register('integrationTest', Test) {
     classpath = sourceSets.integrationTest.runtimeClasspath
     shouldRunAfter test
 
-    testLogging {
-        events "passed"
-    }
+    // Important: Remove this when you actually use this codebase. Tests cannot be cached for local
+    // testing of the sample. In most projects, this directive below should be deleted.
+    outputs.upToDateWhen { false }
 }
 
 check.dependsOn integrationTest
 
-tasks.withType(Test) {
+tasks.withType(Test).configureEach {
     // Quieter builds when JUL is in use (you or another library or tool)
     // TODO: Keep builds noisy in CI
     systemProperty "java.util.logging.config.file",
@@ -136,7 +160,7 @@ tasks.withType(Test) {
 }
 
 checkstyle {
-    toolVersion = checkstyleVersion
+    toolVersion = libs.versions.checkstyle.get()
     // default checkstyle config -- specific to your team agreement
     configFile = project(":").file("config/checkstyle/checkstyle.xml")
     // Google style (idiosyncratic to Google):
@@ -147,8 +171,8 @@ checkstyle {
 
 pmd {
     ignoreFailures = false
-    // TODO: targetJdk = 17 -- there is no defined property for this
-    toolVersion = pmdVersion
+    // TODO: targetJdk = 21 -- there is no defined property for this
+    toolVersion = libs.versions.pmd.get()
 
     consoleOutput = true
     rulesMinimumPriority = 5
@@ -165,10 +189,10 @@ pmd {
 spotbugs {
     effort = "Max"
     reportLevel = "Low"
-    toolVersion = spotbugsVersion
+    toolVersion = libs.versions.spotbugs.core.get()
 }
 
-tasks.withType(SpotBugsTask) {
+tasks.withType(SpotBugsTask).configureEach {
     reports {
         html {
             enabled = true
@@ -186,7 +210,7 @@ modernizer {
 }
 
 jacoco {
-    toolVersion = jacocoVersion
+    toolVersion = libs.versions.jacoco.get()
 }
 
 jacocoTestReport {
@@ -204,11 +228,11 @@ jacocoTestCoverageVerification {
 }
 
 pitest {
-    junit5PluginVersion = pitestJUnit5PluginVersion
+    junit5PluginVersion = libs.versions.pitest.junit5.get()
     mutationThreshold = 100
     // Cannot name this "pitestVersion" -- the plugin has a property of the same
     // name, so this property needs to have a distinct name to satisfy Gradle
-    pitestVersion = "$pitestToolVersion"
+    pitestVersion = libs.versions.pitest.tool.get()
     timestampedReports = false
     verbose = true
 }
@@ -246,14 +270,19 @@ jar {
     }
 }
 
+dependencyLocking {
+    lockAllConfigurations()
+    lockMode = LockMode.LENIENT
+}
+
 check {
     dependsOn += jacocoTestCoverageVerification
     dependsOn += "pitest"
     dependsOn += integrationTest
     dependsOn += dependencyCheckAnalyze
 }
 
-tasks.withType(DependencyUpdatesTask) {
+tasks.withType(DependencyUpdatesTask).configureEach {
     rejectVersionIf {
         !isStable(it.candidate.version) && isStable(it.currentVersion)
     }

diff --git a/gradle.lockfile b/gradle.lockfile
@@ -0,0 +1,102 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.beust:jcommander:1.48=pmd
+com.github.spotbugs:spotbugs-annotations:4.8.0=compileClasspath,spotbugs
+com.github.spotbugs:spotbugs:4.8.0=spotbugs
+com.github.stefanbirkner:system-lambda:1.2.1=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+com.github.stephenc.jcip:jcip-annotations:1.0-1=spotbugs
+com.google.code.findbugs:findbugs-annotations:3.0.1=compileClasspath,testCompileClasspath
+com.google.code.findbugs:jsr305:3.0.2=checkstyle,compileClasspath,spotbugs
+com.google.code.gson:gson:2.10.1=spotbugs
+com.google.code.gson:gson:2.8.9=pmd
+com.google.collections:google-collections:1.0=checkstyle
+com.google.errorprone:error_prone_annotations:2.18.0=checkstyle
+com.google.guava:failureaccess:1.0.1=checkstyle
+com.google.guava:guava:32.0.1-jre=checkstyle
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=checkstyle
+com.google.j2objc:j2objc-annotations:2.8=checkstyle
+com.h3xstream.findsecbugs:findsecbugs-plugin:1.12.0=spotbugsPlugins
+com.puppycrawl.tools:checkstyle:10.12.4=checkstyle
+commons-beanutils:commons-beanutils:1.9.4=checkstyle
+commons-codec:commons-codec:1.15=checkstyle,spotbugs
+commons-collections:commons-collections:3.2.2=checkstyle
+info.picocli:picocli:4.7.5=checkstyle
+jakarta.annotation:jakarta.annotation-api:2.1.1=compileClasspath,integrationTestCompileClasspath,integrationTestRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+jaxen:jaxen:2.0.0=spotbugs
+net.bytebuddy:byte-buddy-agent:1.14.8=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+net.bytebuddy:byte-buddy:1.14.8=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+net.sf.saxon:Saxon-HE:12.3=checkstyle,spotbugs
+net.sourceforge.pmd:pmd-core:6.55.0=pmd
+net.sourceforge.pmd:pmd-java:6.55.0=pmd
+net.sourceforge.saxon:saxon:9.1.0.8=pmd
+org.antlr:antlr4-runtime:4.13.1=checkstyle
+org.antlr:antlr4-runtime:4.7.2=pmd
+org.apache.bcel:bcel:6.8.0=spotbugs
+org.apache.commons:commons-lang3:3.12.0=pitest
+org.apache.commons:commons-lang3:3.14.0=spotbugs
+org.apache.commons:commons-lang3:3.8.1=checkstyle,pmd
+org.apache.commons:commons-text:1.10.0=pitest,spotbugs
+org.apache.commons:commons-text:1.3=checkstyle
+org.apache.httpcomponents.client5:httpclient5:5.1.3=checkstyle,spotbugs
+org.apache.httpcomponents.core5:httpcore5-h2:5.1.3=checkstyle,spotbugs
+org.apache.httpcomponents.core5:httpcore5:5.1.3=checkstyle,spotbugs
+org.apache.httpcomponents:httpclient:4.5.13=checkstyle
+org.apache.httpcomponents:httpcore:4.4.14=checkstyle
+org.apache.logging.log4j:log4j-api:2.20.0=spotbugs
+org.apache.logging.log4j:log4j-core:2.20.0=spotbugs
+org.apache.maven.doxia:doxia-core:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-logging-api:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-module-xdoc:1.12.0=checkstyle
+org.apache.maven.doxia:doxia-sink-api:1.12.0=checkstyle
+org.apache.xbean:xbean-reflect:3.7=checkstyle
+org.apiguardian:apiguardian-api:1.1.2=integrationTestCompileClasspath,testCompileClasspath
+org.assertj:assertj-core:3.24.2=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.checkerframework:checker-qual:3.27.0=checkstyle
+org.codehaus.plexus:plexus-classworlds:2.6.0=checkstyle
+org.codehaus.plexus:plexus-component-annotations:2.1.0=checkstyle
+org.codehaus.plexus:plexus-container-default:2.1.0=checkstyle
+org.codehaus.plexus:plexus-utils:3.3.0=checkstyle
+org.dom4j:dom4j:2.1.4=spotbugs
+org.gaul:modernizer-maven-annotations:2.7.0=compileClasspath,modernizer
+org.gaul:modernizer-maven-plugin:2.7.0=modernizer
+org.jacoco:org.jacoco.agent:0.8.11=jacocoAgent,jacocoAnt
+org.jacoco:org.jacoco.ant:0.8.11=jacocoAnt
+org.jacoco:org.jacoco.core:0.8.11=jacocoAnt
+org.jacoco:org.jacoco.report:0.8.11=jacocoAnt
+org.javassist:javassist:3.28.0-GA=checkstyle
+org.junit.jupiter:junit-jupiter-api:5.9.3=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.junit.jupiter:junit-jupiter-engine:5.9.3=integrationTestRuntimeClasspath,testRuntimeClasspath,tmpTestImplementation
+org.junit.jupiter:junit-jupiter-params:5.9.3=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.junit.jupiter:junit-jupiter:5.9.3=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.junit.platform:junit-platform-commons:1.9.2=pitest
+org.junit.platform:junit-platform-commons:1.9.3=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.junit.platform:junit-platform-engine:1.9.2=pitest
+org.junit.platform:junit-platform-engine:1.9.3=integrationTestRuntimeClasspath,testRuntimeClasspath,tmpTestImplementation
+org.junit.platform:junit-platform-launcher:1.9.2=pitest
+org.junit.platform:junit-platform-launcher:1.9.3=integrationTestRuntimeClasspath,testRuntimeClasspath
+org.junit:junit-bom:5.9.2=pitest
+org.junit:junit-bom:5.9.3=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.mockito:mockito-core:5.6.0=integrationTestCompileClasspath,integrationTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.objenesis:objenesis:3.3=integrationTestRuntimeClasspath,testRuntimeClasspath,tmpTestImplementation
+org.opentest4j:opentest4j:1.2.0=integrationTestCompileClasspath,integrationTestRuntimeClasspath,pitest,testCompileClasspath,testRuntimeClasspath,tmpTestImplementation
+org.ow2.asm:asm-analysis:9.6=spotbugs
+org.ow2.asm:asm-commons:9.5=modernizer
+org.ow2.asm:asm-commons:9.6=jacocoAnt,spotbugs
+org.ow2.asm:asm-tree:9.5=modernizer
+org.ow2.asm:asm-tree:9.6=jacocoAnt,spotbugs
+org.ow2.asm:asm-util:9.6=spotbugs
+org.ow2.asm:asm:9.4=pmd
+org.ow2.asm:asm:9.5=modernizer
+org.ow2.asm:asm:9.6=jacocoAnt,spotbugs
+org.pitest:pitest-command-line:1.15.2=pitest
+org.pitest:pitest-entry:1.15.2=pitest
+org.pitest:pitest-junit5-plugin:1.2.1=pitest
+org.pitest:pitest:1.15.2=pitest
+org.projectlombok:lombok:1.18.30=annotationProcessor,compileClasspath,testAnnotationProcessor,testCompileClasspath
+org.reflections:reflections:0.10.2=checkstyle
+org.slf4j:slf4j-api:2.0.0=spotbugsSlf4j
+org.slf4j:slf4j-api:2.0.9=spotbugs
+org.slf4j:slf4j-simple:2.0.0=spotbugsSlf4j
+org.xmlresolver:xmlresolver:5.2.0=checkstyle,spotbugs
+empty=integrationTestAnnotationProcessor