Expose list of all artifacts, including transitive #648
Conversation
dmivankov
requested review from
c-parsons,
cheister,
jin and
shs96c
as code owners
…ependencies to some scopes Note that using package default_visibility doesn't always work so explicit visiblity attributes are needed bazelbuild/bazel#13681 Somewhat related to bazel-contrib#648 In combination this for example allows to create a class_name -> maven artifact resolver for transitive dependency classes while still keeping strict visibility (making transitive dependencies visible only to the resolve cli tool)
There was a problem hiding this comment.
I'm not sure what the utility of exposing every single maven dependency is. For code scanning, it seems like it would be more targetted to override the macros generating deployable artifacts to walk the dependencies (possibly using the has_maven_deps aspect?) Out of process tools, such as dependabot, can already do something like bazel query @maven//:all to discover all the maven artifacts.
I'm reviewing even though I don't understand the why of this PR.
|
For github dependabot script execution isn't allowed but it has support for checked in Second case where it can be used is writing tools that depend on both dependencies metadata and jars, with dependencies info exported into starlark one can write such tools in bazel. One example is being able to list all |
…ependencies to some scopes Note that using package default_visibility doesn't always work so explicit visiblity attributes are needed bazelbuild/bazel#13681 Somewhat related to bazel-contrib#648 In combination this for example allows to create a class_name -> maven artifact resolver for transitive dependency classes while still keeping strict visibility (making transitive dependencies visible only to the resolve cli tool)
|
completely forgot to update this, let me maybe try exposing richer artifact information to avoid hardcoding the handling of sources and javadocs |
…ependencies to some scopes Note that using package default_visibility doesn't always work so explicit visiblity attributes are needed bazelbuild/bazel#13681 Somewhat related to bazel-contrib#648 In combination this for example allows to create a class_name -> maven artifact resolver for transitive dependency classes while still keeping strict visibility (making transitive dependencies visible only to the resolve cli tool)
dmivankov
force-pushed
the
expose_all_artifacts_list
branch
from
5cb1632
to
960a32f
Compare
coursier.bzl
Outdated
| @@ -497,6 +499,17 @@ def _pinned_coursier_fetch_impl(repository_ctx): | |||
|
|
|||
| http_files.extend(_get_jq_http_files()) | |||
|
|
|||
| http_files.extend([ | |||
| "maven_artifacts = [%s]" % (",".join([ | |||
There was a problem hiding this comment.
This structure doesn't match the expected usage. If you tried to add these maven_artifacts to a target's runtime_deps, the build will fail, as the deps are expected to be labels and not structs.
I think there's a couple of ways of handling this:
- Document this clearly in the README.md and explain how people could use it.
- Use the maven coordinates directly, once they've been converted back from the dict they are to a string, and use the
artifactmacro to ensure they're loaded properly.
The first option is a lot less work, but I think the second one makes the output more usable.
There was a problem hiding this comment.
one slight complication with coords is that artifact macro only works with "groupId:artifactId" and that there's strip classifier logic, need some work to extend artifact macro
for example for com.github.jnr:jffi:jar:native:1.3.1, com.github.jnr:jffi:jar:sources:1.3.1 and com.github.jnr:jffi:1.3.1 there are following targets
@maven//:com_github_jnr_jffi_native_1_3_1 // alias
@maven//:com_github_jnr_jffi_native // actual import
@maven//:com_github_jnr_jffi_jar_sources_1_3_1_extension
@maven//:com_github_jnr_jffi_jar_native_1_3_1_extension
@maven//:com_github_jnr_jffi_1_3_1_extension
@maven//:com_github_jnr_jffi_1_3_1 // alias
@maven//:com_github_jnr_jffi // import
so artifact("com.github.jnr:jffi:jar:native:1.3.1") needs to also strip jar classifier it seems
There was a problem hiding this comment.
The group and artifact IDs are the first two fields in the maven coordinates, which makes life a bit easier. I think you'd need to gather together all the imports, transform, and then sort, removing duplicates, and you'd be okay.
There was a problem hiding this comment.
Currenty I can put com.github.jnr:jffi:jar:native:1.3.1 and com.github.jnr:jffi:1.3.1 as artifacts in maven_install and then refer to them as @maven//:com_github_jnr_jffi_native and @maven//:com_github_jnr_jffi.
But there seems to be no ready-made macro yet that'd transform string "com.github.jnr:jffi:jar:native:1.3.1" to label @maven//:com_github_jnr_jffi_native
load("@rules_jvm_external//:defs.bzl", "artifact")
load("@rules_jvm_external//:specs.bzl", "parse")
s = "com.github.jnr:jffi:jar:native:1.3.1"
artifact(s) ==> @maven//:com_github_jnr_jffi # without _native part
parse.parse_maven_coordinate(s) ==> { group: "com.github.jnr", artifact: "jffi", classifier: "native", packaging: "jar", version: "1.3.1" }
artifact(parse.parse_maven_coordinate(s)) ==> still @maven//:com_github_jnr_jffiI could decypher and replicate dict -> label conversion (aka escape(strip_packaging_and_classifier_and_version(s))), but maybe instead artifact macro should be extended to handle all potential keys (it already can accept dict, but decides to only use group and artifact)
There was a problem hiding this comment.
Sounds quite doable, but maybe there's an even better way?
There was a problem hiding this comment.
Update PR with support for full string coords in artifact macro
…ependencies to some scopes (#649) Note that using package default_visibility doesn't always work so explicit visiblity attributes are needed bazelbuild/bazel#13681 Somewhat related to #648 In combination this for example allows to create a class_name -> maven artifact resolver for transitive dependency classes while still keeping strict visibility (making transitive dependencies visible only to the resolve cli tool)
private/rules/artifact.bzl
Outdated
| return parse.parse_maven_coordinate(artifact_str) | ||
| def _ensure_version(a): | ||
| # fake :version part is due to get_simple_coord not supporting unversioned coords | ||
| return a if len(a.split(":")) > 2 else (a + ":fake_version") |
There was a problem hiding this comment.
ugly hack, want to reuse get_simple_coord logic with support for type and classifier, but it doesn't support unversioned artifacts, also only works on strings
There was a problem hiding this comment.
I don't understand why you need all of this? Is it so you can keep the one call to get_simple_coord ? Why can't this logic be put in get_simple_coord instead?
There was a problem hiding this comment.
it can, but it may cause breaking changes to other use sites of that function
There was a problem hiding this comment.
did a quick look, looks like this should be safe so moved there now
private/coursier_utilities.bzl
Outdated
| @@ -27,7 +27,7 @@ SUPPORTED_PACKAGING_TYPES = [ | |||
| "scala-jar", | |||
| ] | |||
|
|
|||
| def strip_packaging_and_classifier(coord): | |||
| def get_versioned_coord(coord): | |||
There was a problem hiding this comment.
Why these name changes? Feels like the new names are not as clear.
There was a problem hiding this comment.
can revert renaming. New names describe the purpose and applicability (maybe even better would be get_versioned_label_name and get_simple_label_name? Didn't do that initially because the jump to labels requires an extra escape on top and there are places where escape isn't applied) and it makes it more clear why they can be reused to parse coord strings into labels, while old ones describe implementation (and applicability but for cases where we have purpose in terms of implementation / action on coord parts rather than in terms of ways to address one and the same artifact)
There was a problem hiding this comment.
reverted the rename. The only place without escape is around checking against jetify_include_list which could be shifted to operate on labels rather than coords, and it may add support for classifier to jetify_include_list, but that can be a separate PR if needed at all
There was a problem hiding this comment.
thanks, the diff is easier to follow without the renames.
dmivankov
force-pushed
the
expose_all_artifacts_list
branch
from
05adb93
to
0ce871c
Compare
And add support for :type and :classifier in defs.bzl:artifact() by internally
using strip_packaging_and_classifier_and_version. To keep support for groupId:artifactId
update strip_packaging_and_classifier_and_version implementation for that case.
To be used like
load("@maven//:defs.bzl", "maven_artifacts")
and for example
load("@rules_jvm_external//:defs.bzl", "artifact")
load("@rules_jvm_external//:specs.bzl", "parse")
all_maven_targets = [artifact(a) for a in maven_artifacts if not parse.parse_maven_coordinate(a).get("classifier", "compile") in ["sources", "native"]]
java_export(
name = "maven-transitive-deps-lib",
maven_coordinates = "com.example.deps:%s:%s" % (name, "0.1"),
visibility = ["//visibility:public"],
runtime_deps = all_maven_targets,
)
which makes "maven-transitive-deps-lib-pom" target available that
can be useful for other tools like security scanners and/or dependabot
dmivankov
force-pushed
the
expose_all_artifacts_list
branch
from
7640996
to
f3eb06a
Compare
|
squashed and updated to remove renames and expose just the coords, making sure artifact macro now can handle coords with classifiers. Diff got smaller now |
| @@ -46,6 +46,10 @@ def strip_packaging_and_classifier(coord): | |||
| return ":".join(coordinates) | |||
|
|
|||
| def strip_packaging_and_classifier_and_version(coord): | |||
| coordinates = coord.split(":") | |||
There was a problem hiding this comment.
Do you mind adding a test to tests/unit/coursier_utilities_test.bzl for this?
There was a problem hiding this comment.
added a test case now
dmivankov
force-pushed
the
expose_all_artifacts_list
branch
from
2e9e817
to
9c577c2
Compare
Also document strict_visibility_value from bazel-contrib#649
dmivankov
force-pushed
the
expose_all_artifacts_list
branch
from
9c577c2
to
8b82fe1
Compare
|
added few new lines to readme |
There was a problem hiding this comment.
Thank you for being so patient with this PR, and thank you for documenting the new feature, @dmivankov. LGTM! :)
And add support for :type and :classifier in defs.bzl:artifact() by internally
using strip_packaging_and_classifier_and_version. To keep support for groupId:artifactId
update strip_packaging_and_classifier_and_version implementation for that case.
To be used like
and for example
which makes "maven-transitive-deps-lib-pom" target available that
can be useful for other tools like security scanners and/or dependabot