Conversation

@onelapahead onelapahead commented Jan 5, 2026

PR description

gradle.lockfile, similar to gradle/verification-metadata.xml, helps to make builds reproducible and ensures the same versions are always installed, with the verification metadata ensuring those versions are still the same as when they were originally installed/tested.

The lockfile is useful for tools like trivy (which is used for image scanning currently in the Besu GHA workflows) to be able to generate an SBOM w/o having to first compile the software into JARs.

cc @matthew1001

Fixed Issue(s)

N/A

Thanks for sending a pull request! Have you done the following?

  • Checked out our contribution guidelines?
  • Considered documentation and added the doc-change-required label to this PR if updates are required.
  • Considered the changelog and included an update if required.
  • For database changes (e.g. KeyValueSegmentIdentifier) considered compatibility and performed forwards and backwards compatibility tests

Locally, you can run these tests to catch failures early:

  • spotless: ./gradlew spotlessApply
  • unit tests: ./gradlew build
  • acceptance tests: ./gradlew acceptanceTest
  • integration tests: ./gradlew integrationTest
  • reference tests: ./gradlew ethereum:referenceTests:referenceTests
  • hive tests: Engine or other RPCs modified?

Signed-off-by: hfuss <hayden.fuss@kaleido.io>
Signed-off-by: hfuss <hayden.fuss@kaleido.io>
Signed-off-by: hfuss <hayden.fuss@kaleido.io>
Signed-off-by: Matthew Whitehead <matthew.whitehead@kaleido.io>
Signed-off-by: Matt Whitehead <matthew.whitehead@kaleido.io>
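As an added example (not part of this PR and not Besu's own build code), the script below cross-checks a gradle.lockfile against gradle/verification-metadata.xml, the pair of files the description above relies on and the pair that the later question about unexplained metadata additions turns on. The lockfile pins which version of each module resolves; the verification metadata pins the checksum Gradle will accept for that version, so a module present in one file but not the other is a gap worth flagging before trusting either file as an SBOM source. Both inputs are constructed samples embedded in the script, the sha256 values are placeholders, and the module coordinates are illustrative.

```python
"""Cross-check a Gradle lockfile against gradle/verification-metadata.xml.

Added example for this PR discussion, not Besu code. gradle.lockfile pins which
version of each module resolves; verification-metadata.xml pins the checksum Gradle
will accept for that version's artifacts. A module pinned in one file but absent from
the other is the kind of gap a reviewer wants surfaced.
"""
import re
import xml.etree.ElementTree as ET

# Namespace Gradle writes into verification-metadata.xml
NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed sample lockfile, in the format `./gradlew dependencies --write-locks` writes.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.apache.logging.log4j:log4j-api:2.25.2=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.16=compileClasspath,runtimeClasspath
empty=annotationProcessor
"""

# Constructed sample metadata; the sha256 values are placeholders, not real checksums.
SAMPLE_METADATA = """\
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="org.apache.logging.log4j" name="log4j-api" version="2.25.2">
      <artifact name="log4j-api-2.25.2.jar">
        <sha256 value="0000000000000000000000000000000000000000000000000000000000000001" origin="Generated by Gradle"/>
      </artifact>
    </component>
    <component group="org.apache.logging.log4j" name="log4j-core" version="2.25.2">
      <artifact name="log4j-core-2.25.2.jar">
        <sha256 value="0000000000000000000000000000000000000000000000000000000000000002" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""

# group:name:version=configuration[,configuration...]
LOCK_LINE = re.compile(r"^([^:=\s]+):([^:=\s]+):([^=\s]+)=(\S+)$")


def parse_lockfile(text):
    """Return {(group, name): version} for every pinned module."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip comments and the `empty=<config>` marker for configurations with no dependencies.
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable lockfile line: {line!r}")
        group, name, version, _configs = m.groups()
        pins[(group, name)] = version
    return pins


def parse_verification_metadata(text):
    """Return {(group, name): {version: has_checksum}} from verification-metadata.xml."""
    root = ET.fromstring(text.encode("utf-8"))
    entries = {}
    for comp in root.findall("./v:components/v:component", NS):
        key = (comp.get("group"), comp.get("name"))
        # Count the component as verified only if some artifact carries a sha256 or sha512.
        sums = comp.findall("./v:artifact/v:sha256", NS) + comp.findall("./v:artifact/v:sha512", NS)
        entries.setdefault(key, {})[comp.get("version")] = bool(sums)
    return entries


def cross_check(lock_text, metadata_text):
    """Report pinned modules with no checksum, and checksum entries that no pin explains."""
    pins = parse_lockfile(lock_text)
    verified = parse_verification_metadata(metadata_text)
    unverified = sorted(
        f"{g}:{n}:{v}" for (g, n), v in pins.items()
        if not verified.get((g, n), {}).get(v, False))
    # In a multi-project build a "stale" entry may be pinned by another project's
    # lockfile; treat it as a prompt to look, not as a definite error.
    stale = sorted(
        f"{g}:{n}:{v}" for (g, n), versions in verified.items()
        for v in versions if pins.get((g, n)) != v)
    return {"unverified": unverified, "stale": stale}


if __name__ == "__main__":
    report = cross_check(SAMPLE_LOCKFILE, SAMPLE_METADATA)
    for kind, items in report.items():
        print(kind, *items, sep="\n  ")
```

On the constructed samples the script reports slf4j-api as pinned but unverified, and log4j-core as a checksum entry that no lockfile pin explains, which is the shape of the question raised later in this thread. In a real checkout, regenerate both files from a clean cache first (`./gradlew dependencies --write-locks` and `./gradlew --write-verification-metadata sha256`) and run the check on every project's lockfile, since a multi-project build has one lockfile per project.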

@matthew1001 matthew1001 left a comment

LGTM, but @jflo I think you (or someone else) might want to take a look as well?

Signed-off-by: hfuss <hayden.fuss@kaleido.io>
@jflo jflo assigned fab-10 and unassigned fab-10 Jan 6, 2026
@jflo jflo requested a review from fab-10 January 6, 2026 15:23
@onelapahead

Tests failed due to a bunch of 403's from Maven - assuming that's a blip


@fab-10 fab-10 left a comment

Should the lockfile be added also for the evmtool? And could you link the doc of how Trivy uses this?

<sha256 value="b67cc3d0980927049a3beb00d506ece288746732b0dec812245c59f453fb1ca1" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.logging.log4j" name="log4j-api" version="2.25.2">
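Review bot: the new `<component group="org.apache.logging.log4j" name="log4j-api" version="2.25.2">` entry, and the `<sha256 ... origin="Generated by Gradle"/>` line directly above it, land in verification-metadata.xml with no corresponding change to the declared dependencies in this PR, so either a dependency change is missing from the diff or the entries are leftovers from a stale local resolution and should be dropped; regenerating from a clean cache (`./gradlew --refresh-dependencies --write-verification-metadata sha256`) and diffing the result against the lockfile would settle which. Separately, `origin="Generated by Gradle"` records only what Gradle downloaded on the author's machine, not a value checked against the publisher, so any checksum that stays in this file deserves a one-time comparison against the checksum published for that artifact before it is committed as the trusted value.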
Contributor

Why these additions? I do not see changes in the dependency list.

Author

Sorry, this was likely from an unclean Gradle state - let me fix that.

@onelapahead

> Should the lockfile be added also for the evmtool? And could you link the doc of how Trivy uses this?

Definitely, we've realized w/ kaleido-io#32 we're missing a ton of lockfiles frankly - so will move this to draft and better explain how to generate the lockfiles reliably and how they are used by trivy for SBOM gen.

@onelapahead onelapahead marked this pull request as draft January 7, 2026 14:29
@macfarla macfarla moved this to Open PRs in 26.1.0 Release Jan 22, 2026