allegro/axion-release-plugin

SecurityException when configuring and using axion plugin from buildSrc

3ric-T opened this issue · 2 comments

I am trying to declare and configure axion-release-plugin from the buildSrc directory and the libs.versions.toml version catalog file with Gradle 7.6 and JDK 17. We have:

  • In libs.versions.toml:
[libraries]
(...)
axion-release-plugin  = { module = "pl.allegro.tech.build:axion-release-plugin", version="1.14.4" }
(...)
  • In buildSrc/build.gradle.kts:
dependencies {
(...)
  implementation( libs.axion.release.plugin )
(...)
}
  • In buildSrc/src/main/kotlin/xxx.java-conventions.gradle.kts:
plugins {
(...)
    id("pl.allegro.tech.build.axion-release")
}
scmVersion {
    tag {
        prefix.set("")
    }
}
version=scmVersion.version

When I try to access the version property from scmVersion in xxx.java-conventions.gradle.kts as described above, I face a SecurityException that prevents the build from executing (it does not occur if scmVersion is not accessed):

> ./gradlew projects

FAILURE: Build failed with an exception.

* Where:
Build file '/home/erict/workspaces/xxx/xxx/build.gradle.kts' line: 1

* What went wrong:
An exception occurred applying plugin request [id: 'xxx.java-conventions']
> Failed to apply plugin 'xxx.java-conventions'.
   > class "org.eclipse.jgit.transport.JschConfigSessionFactory"'s signer information does not match signer information of other classes in the same package

It may be caused by some other plugins using a more recent version of jGit but even with the help of the documentation, I wasn't able to fix it.
It works perfectly, however, when the plugin is declared in the [plugins] section of the catalog file and configured and used in the build.gradle.kts files of each module. Moving this declaration into the build.gradle.kts of the root project avoids code duplication, thanks to a little trick that applies the root version to subprojects.

However, this is not satisfying, as the buildSrc directory is there to allow build logic sharing.
Full stacktrace is attached to this issue.

bgalek commented

hi! love that you use version-catalogue gradle feature!
maybe you could exclude jGit somehow from plugins dependencies? axion should be using current versions of jgit

@3ric-T, try defining the axion plugin in the build.gradle file under buildSrc. It breaks the nice way of having all versions listed in the .toml file, but it works well at least. The example below is for the Groovy DSL.

plugins {
    id 'groovy-gradle-plugin'
}

dependencies {
    ..
    implementation 'pl.allegro.tech.build:axion-release-plugin:1.13.3'
}
Then you do not need to explicitly list dependency on the axion plugin in your subprojects as long as you have the convention plugin defined there instead.
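
The error quoted in the issue means one package is being loaded from JARs whose signer information differs. As an added example (not code from this thread or from the plugin project), the Python script below lists packages that are split across several JARs where at least one of them is signed; the JAR names and contents are constructed, and it only detects signature files, not whose certificate signed them.

```python
import io
import re
import zipfile
from collections import defaultdict

# A signed JAR carries a signature block file: META-INF/<name>.RSA, .DSA or .EC
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)

def jar_summary(jar):
    """Return (packages, is_signed) for a JAR given as a path or file object."""
    packages, signed = set(), False
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if SIG_BLOCK.match(name):
                signed = True
            elif name.endswith(".class") and "/" in name and not name.startswith("META-INF/"):
                packages.add(name.rsplit("/", 1)[0].replace("/", "."))
    return packages, signed

def split_packages(jars):
    """Map each package found in more than one JAR to {jar label: is_signed}."""
    owners = defaultdict(dict)
    for label, jar in jars.items():
        packages, signed = jar_summary(jar)
        for pkg in packages:
            owners[pkg][label] = signed
    # A package with no signed JAR at all cannot hit the signer mismatch check.
    return {pkg: by_jar for pkg, by_jar in owners.items()
            if len(by_jar) > 1 and any(by_jar.values())}

def make_jar(entries):
    """Build a constructed in-memory JAR containing empty entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf

def demo():
    # Constructed sample; real input would be the JARs on the buildSrc classpath.
    pkg = "org/eclipse/jgit/transport/"
    jars = {
        "signed.jar": make_jar(["META-INF/SIGNER.RSA", pkg + "Transport.class"]),
        "unsigned.jar": make_jar([pkg + "JschConfigSessionFactory.class", "org/example/Only.class"]),
    }
    return split_packages(jars)

if __name__ == "__main__":
    print(demo())
```

When every JAR listed for a package is signed, compare the signing certificates with `keytool -printcert -jarfile <jar>`.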