
Tidy up#255

Merged
cstamas merged 7 commits into master from tidy-up on Jan 20, 2026

Conversation

@cstamas

@cstamas cstamas commented Jan 20, 2026

Collaborator

Removal of Ant left some remnants, clean them up.

@cstamas cstamas self-assigned this Jan 20, 2026
@cstamas

cstamas commented Jan 20, 2026

Collaborator Author

ping @odisseus

@cstamas cstamas marked this pull request as ready for review January 20, 2026 11:40
Comment thread .github/workflows/ci.yml
@@ -18,7 +20,7 @@ jobs:
with:
distribution: temurin
java-version: 11
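Review bot: the setup-java `with:` block in this hunk carries only `distribution: temurin` and `java-version: 11` and no `cache:` key, so every run resolves the full dependency set from the remote repository; if `cache: 'maven'` is added as suggested in the thread, keep in mind that it restores the whole local repository between runs, so a stale or corrupted artifact from an earlier build is reused without any re-download, which is exactly the trade-off the discussion below raises.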

Contributor


cache: 'maven' would enable caching of Maven artifacts

Collaborator Author


The cache: 'maven' would cache the local repository, and usually this is not what you want. But I agree, we can use this "low hanging fruit" until we come up with a better cache.

Contributor


> The cache: 'maven' would cache the local repository, and usually this is not what you want. But I agree, we can use this "low hanging fruit" until we come up with a better cache.

Now Maven does not download anything and this is what I want:

Cache hit for: setup-java-Linux-x64-maven-3ddbf759ed683e90355f47106d5267473ecc42a2c13648ab09a57287f5d9dfa9
...
Cache restored successfully
Cache restored from key: setup-java-Linux-x64-maven-3ddbf759ed683e90355f47106d5267473ecc42a2c13648ab09a57287f5d9dfa9

Collaborator Author


That's right, with a pre-populated local repository it will pick up everything (even corruption) from the previous build. This is why caching the local repository is wrong.

Maven caching without re-using local repository is much better:
https://maveniverse.eu/blog/2025/09/16/maven-local-repository/
and
https://maveniverse.eu/docs/mimir/

Collaborator Author


Or in other words: building with an empty local repository AND still downloading nothing is what CI should do, as otherwise it is prone to the same issues as your workstation, and leads to "works for me (on my workstation)" but fails on my colleague's workstation (and endless head scratching as to why).

@cstamas cstamas requested a review from manandbytes January 20, 2026 12:07
@cstamas

cstamas commented Jan 20, 2026

Collaborator Author

Thanks @manandbytes and @odisseus for helping!
Will merge once @ianopolous or @vorburger take a peek and approve.

@ianopolous

Collaborator

Is there a way to include hashes in the pom for dependencies so we are not vulnerable to third party tampering?

@cstamas

cstamas commented Jan 20, 2026

Collaborator Author

Yes, not in the pom but it is possible to lock down key deps.
See:

@ianopolous

Collaborator

That was a large factor in why I had vendored dependencies: to rule out a class of supply chain attack.

@cstamas

cstamas commented Jan 20, 2026

Collaborator Author

Related https://maveniverse.eu/blog/2025/12/06/lockfiles/

@cstamas

cstamas commented Jan 20, 2026

Collaborator Author

Let's go baby steps :)
SHA512 for key deps (POMs and JARs) added, but as it is here, it is fragile (failIfMissing=false); this means if a POM is modified and the dependency changes to another GAV, no SHA512 will be validated. The other solution is failIfMissing=true and recording whole-build SHA512 checksums, but for that we need more from the Maven build, at least make the build reproducible....
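The fragility described in the comment above (a trusted-checksum list that only covers known GAVs, with `failIfMissing=false` silently skipping anything not on the list) is easy to see in a small model. The script below is an added illustration, not Maven Resolver's code and not its summary-file format: the artifact bytes, GAV strings and trusted map are all constructed inline, and `verify()` mimics the two policies, skipping unlisted artifacts in relaxed mode and refusing them in strict mode, while a tampered artifact fails under either policy.

```python
import hashlib

# Constructed stand-ins for files in the local repository, keyed by a GAV-like string.
ARTIFACTS = {
    "org.example:core:jar:1.0": b"PK\x03\x04 core-1.0 contents (constructed)",
    "org.example:core:pom:1.0": b"<project>core 1.0 (constructed)</project>",
    "org.example:util:jar:2.3": b"PK\x03\x04 util-2.3 contents (constructed)",
}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


# Trusted SHA-512 list recorded only for the "key deps"; util:2.3 is deliberately absent,
# modelling a dependency that moved to another GAV after the list was recorded.
TRUSTED = {
    "org.example:core:jar:1.0": sha512_hex(ARTIFACTS["org.example:core:jar:1.0"]),
    "org.example:core:pom:1.0": sha512_hex(ARTIFACTS["org.example:core:pom:1.0"]),
}


class ChecksumViolation(Exception):
    """Raised when an artifact fails verification under the active policy."""


def verify(artifacts, trusted, fail_if_missing):
    """Return {gav: 'verified' | 'skipped'}.

    Raises ChecksumViolation on a hash mismatch, and also on a missing
    trusted entry when fail_if_missing is True (strict policy).
    """
    outcome = {}
    for gav, data in artifacts.items():
        expected = trusted.get(gav)
        if expected is None:
            if fail_if_missing:
                raise ChecksumViolation(f"no trusted checksum recorded for {gav}")
            outcome[gav] = "skipped"  # relaxed policy: unlisted artifact passes unchecked
            continue
        if sha512_hex(data) != expected:
            raise ChecksumViolation(f"SHA-512 mismatch for {gav}")
        outcome[gav] = "verified"
    return outcome


def relaxed_result():
    """failIfMissing=false: listed deps verified, the unlisted one silently skipped."""
    return verify(ARTIFACTS, TRUSTED, fail_if_missing=False)


def strict_rejects_unlisted():
    """failIfMissing=true: the unlisted GAV makes the whole resolution fail."""
    try:
        verify(ARTIFACTS, TRUSTED, fail_if_missing=True)
    except ChecksumViolation:
        return True
    return False


def tamper_detected(fail_if_missing):
    """A modified listed artifact is caught under either policy."""
    tampered = dict(ARTIFACTS)
    tampered["org.example:core:jar:1.0"] = b"PK\x03\x04 core-1.0 with injected class"
    try:
        verify(tampered, TRUSTED, fail_if_missing=fail_if_missing)
    except ChecksumViolation:
        return True
    return False


if __name__ == "__main__":
    print("relaxed:", relaxed_result())
    print("strict rejects unlisted:", strict_rejects_unlisted())
    print("tamper caught (relaxed):", tamper_detected(False))
    print("tamper caught (strict):", tamper_detected(True))
```

The relaxed run shows the gap the comment warns about: `util:2.3` comes back as `skipped`, so a dependency that was re-routed to a GAV outside the recorded list is never hashed at all. Only the strict policy turns that gap into a build failure, which is why it needs a complete, reproducible checksum set for the whole build rather than a hand-picked list.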

@ianopolous ianopolous left a comment

Collaborator


Nice!

@cstamas cstamas merged commit 79d7990 into master Jan 20, 2026
1 of 2 checks passed
@cstamas cstamas deleted the tidy-up branch January 20, 2026 15:33