gradle/github-dependency-graph-gradle-plugin

Empty dependency graph snapshot generated when state is loaded from configuration cache


When the Gradle project configuration is successfully loaded from the configuration-cache, no dependencies will be resolved during the build execution. In this case, an empty dependency graph snapshot will be generated.

Submitting this empty snapshot can incorrectly clear the dependency graph for a repository, which in turn marks any open security vulnerability alerts for that repository as resolved!

We should either:

  1. Fail if the configuration-cache is enabled when generating a dependency graph snapshot.
  2. Generate a different Job Correlator when configuration-cache state is reused. This would prevent the empty snapshot from overwriting a previous, correct snapshot.
  3. Detect when an empty snapshot is generated due to configuration-cache reuse, and avoid submitting this snapshot (this would require a change in gradle-build-action).
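The three options above, sketched as a guard that sits between snapshot generation and submission. This is an added example, not code from the plugin or from gradle-build-action; the `manifests` / `resolved` / `job.correlator` fields are those of the GitHub dependency-submission snapshot format, the sample snapshot is constructed, and `config_cache_reused` is assumed to be supplied by the build.

```python
import copy

# Constructed sample in the GitHub dependency-submission snapshot format:
# the shape a snapshot takes after a configuration-cache hit, where the
# manifest exists but nothing was resolved during execution.
EMPTY_SNAPSHOT = {
    "version": 0,
    "job": {"id": "123", "correlator": "build-job"},
    "sha": "0" * 40,  # placeholder commit id
    "ref": "refs/heads/main",
    "detector": {"name": "example", "version": "0.0.0", "url": "https://example.invalid"},
    "manifests": {"build.gradle": {"name": "build.gradle", "resolved": {}}},
    "scanned": "2023-01-01T00:00:00Z",
}


def with_package(snapshot: dict, manifest: str, purl: str) -> dict:
    """Return a copy of snapshot with one resolved package added to a manifest."""
    s = copy.deepcopy(snapshot)
    entry = s["manifests"].setdefault(manifest, {"name": manifest, "resolved": {}})
    entry["resolved"][purl] = {"package_url": purl, "relationship": "direct"}
    return s


def resolved_count(snapshot: dict) -> int:
    """Number of resolved packages across every manifest in the snapshot."""
    return sum(len(m.get("resolved", {})) for m in snapshot.get("manifests", {}).values())


def guard_snapshot(snapshot: dict, config_cache_reused: bool, mode: str = "skip"):
    """Decide whether a snapshot may be submitted.

    mode="fail":       option 1, refuse to proceed when the cache was reused.
    mode="correlator": option 2, submit under a distinct correlator so the
                       previous correct snapshot is not overwritten.
    mode="skip":       option 3, drop a snapshot that is empty because of reuse.
    Returns (action, snapshot) with action "submit" or "skip".
    """
    if not config_cache_reused:
        return "submit", snapshot
    if mode == "fail":
        raise RuntimeError("configuration cache reused; dependency graph would be empty")
    if mode == "correlator":
        s = copy.deepcopy(snapshot)  # never mutate the caller's snapshot
        s["job"]["correlator"] += "-configuration-cache-hit"
        return "submit", s
    if resolved_count(snapshot) == 0:
        return "skip", snapshot
    return "submit", snapshot
```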