DEV Community: Kengo TODA The latest articles on DEV Community by Kengo TODA (@kengotoda). https://dev.to/kengotoda https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F42477%2F17a1e3c8-9f2e-4848-a166-bbec8f0642cd.jpeg DEV Community: Kengo TODA https://dev.to/kengotoda en Use NodeJS v16 as runtime for JavaScript actions Kengo TODA Wed, 29 Dec 2021 08:49:24 +0000 https://dev.to/kengotoda/use-nodejs-v16-as-runtime-for-javascript-actions-me5 https://dev.to/kengotoda/use-nodejs-v16-as-runtime-for-javascript-actions-me5 <p>This month <a href="https://github.com/actions/runner/issues/772">GitHub supported NodeJS v16 as runtime for JavaScript actions</a>. It is also <a href="https://docs.github.com/en/enterprise-server@3.0/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions">supported by GitHub Enterprise Servers (GHES) 3.0</a> and later.</p> <h2> Motivation to use NodeJS v16 </h2> <p><a href="https://nodejs.org/about/releases/">The end-of-life of NodeJS v12 is the end of next April</a>. So, if you maintain your own JavaScript actions, it is suggested to migrate their runtime to NodeJS v16.</p> <h2> How to update the project </h2> <p>We can complete the minimal migration by <a href="https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions">updating <code>run.using</code> in the <code>actions.yml</code> file</a>. We may need several additional updates like below:</p> <h3> Update <code>engines.node</code> in <code>package.json</code> </h3> <p>If you have specified the version of NodeJS to use in <code>package.json</code>, you will need to update it.<br> <code>16.13.1</code> is the current latest version, so the preferred configuration would be as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"engines"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^16.13.1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Update <code>tsconfig.json</code> </h3> <p>NodeJS v16 lets us use ES2021. Based on the <a href="https://github.com/microsoft/TypeScript/wiki/Node-Target-Mapping#node-16">official TSConfig settings recommendation for NodeJS v16</a>, update the <code>compilerOptions</code> as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"lib"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ES2021"</span><span class="p">],</span><span class="w"> </span><span class="nl">"module"</span><span class="p">:</span><span class="w"> </span><span class="s2">"commonjs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"target"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ES2021"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Update TypeScript </h3> <p>If your TypeScript is too old to use ES2021, it is suggested to update.</p> <p>Note that TypeScript v4.4 <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-4-4/#use-unknown-catch-variables">changed the type of caught error from <code>any</code> to <code>unknown</code> by default</a>.<br> So if your action catches error to invoke <code>core.setFailed()</code> method, you need to check the type of caught object in runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gd">- core.setFailed(error) </span><span class="gi">+ if (error instanceof Error) { + core.setFailed(error) + } else { + core.setFailed(JSON.stringify(error)) + } </span></code></pre> </div> <h3> Update ESLint </h3> <p>If you've updated your TypeScript, it is necessary to update ESLint too. If you've created projects based on the <a href="https://github.com/actions/typescript-action">official template project</a>, you can run the following command to upgrade ESLint and its plugins in batch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm add <span class="nt">-D</span> eslint@^8.5.0 @typescript-eslint/parser@^5.8.0 eslint-plugin-github@^4.3.5 eslint-plugin-jest@^25.3.0 </code></pre> </div> <p>If you found lint failure caused by changes on the ESLint side, copy the <a href="https://github.com/actions/typescript-action/blob/56d91620d7eacab6e7d3498bb7c114285476688e/.eslintrc.json">default <code>.eslintrc.json</code> from the template project</a>, or follow ESLint's migration guide documented in its <a href="https://github.com/typescript-eslint/typescript-eslint/releases">GitHub Releases</a>.</p> <h3> Update GitHub Actions Workflow to use NodeJS v16 </h3> <p>If you use the default NodeJS on the PATH, you need no action because <a href="https://github.blog/changelog/2021-12-10-github-actions-github-hosted-runners-now-run-node-js-16-by-default/">GitHub hosted runners use NodeJS v16 by default since this Dec/10th</a>.</p> <p>If you use <code>actions/setup-node</code> to specify the version of NodeJS, you need to update the <code>node-version</code> config in the workflow definitions.<br><br> Or if you have a configuration file like <code>.node-version</code> and <code>.nvmrc</code>, you can use the <a href="https://github.com/actions/setup-node/releases/tag/v2.5.0"><code>node-version-file</code> config supported from <code>v2.5.0</code></a>.</p> <h2> Wrap up </h2> <p>NodeJS v12 will reach its end-of-life soon. All system running on NodeJS needs to be migrated, and GitHub JavaScript Actions are also in the target.</p> <p>The migration process is quite simple, just update metadata and run the build with NodeJS v16. You may refer to <a href="https://github.com/gradle/wrapper-validation-action/pull/53">my PR for gradle/wrapper-validation-action</a> as example. Enjoy!</p> githubactions github javascript typescript SpotBugs supports SARIF that helps integration with other SAST tools Kengo TODA Sun, 17 Oct 2021 02:17:53 +0000 https://dev.to/kengotoda/spotbugs-supports-sarif-that-supports-integration-with-other-sast-tools-5fn https://dev.to/kengotoda/spotbugs-supports-sarif-that-supports-integration-with-other-sast-tools-5fn <p>Are you using SAST tools? How many tools you're using? Just one? Then it's fine. A few? It's still working, probably. More? Welcome to one of difficulties of DevSecOps!</p> <p>Currently, when we maintain a system, it's quite common to depend on multiple languages and ecosystems. If system is enough small, a one-stop SAST solution should be enough... but later you may find it's not enough.</p> <p>Then how to integrate reports generated by multiple SAST tools, to grab the overview of your system? The <a href="https://sarifweb.azurewebsites.net/">Static Analysis Results Interchange Format (SARIF)</a> could be a solution.</p> <p>SARIF is an OASIS standard and an industry standard format for the output of static analysis tools. Configure each SAST tool to generate a SARIF report, then we can merge reports to get a simple overview of the service. The <a href="https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning">GitHub Code scanning</a> is one example, it works as a dashboard of all SAST tools like below:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--os1UN5r1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5g3d8101gtyv4q7as4rs.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--os1UN5r1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5g3d8101gtyv4q7as4rs.png" alt="GitHub Code scanning Example"></a></p> <h2> How to configure SpotBugs to generate a SARIF report </h2> <p>First, it's better to use SpotBugs 4.4.1 and above, that includes a <a href="https://github.com/spotbugs/spotbugs/issues/1630">fix to make SARIF report compatible with Github code scanning API requirements</a>.</p> <p>If you use command line interface to run SpotBugs, append <a href="https://spotbugs.readthedocs.io/en/latest/running.html?highlight=sarif#text-ui-options"><code>-sarif</code> option</a>.</p> <p>If you are using Gradle, configure tasks with <code>SpotBugsTask</code> to set <code>reports.sarif.enabled</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">spotbugsMain</span> <span class="o">{</span> <span class="n">reports</span> <span class="o">{</span> <span class="n">sarif</span> <span class="o">{</span> <span class="n">enabled</span> <span class="o">=</span> <span class="kc">true</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>If you are using Maven, configure the plugin with <code>&lt;sarifOutput&gt;true&lt;/sarifOutput&gt;</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.github.spotbugs<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spotbugs-maven-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;sarifOutput&gt;</span>true<span class="nt">&lt;/sarifOutput&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> </code></pre> </div> <p>Refer to <a href="https://github.com/spotbugs/spotbugs-gradle-plugin">spotbugs/spotbugs-gradle-plugin</a> as a living example with GitHub Code scanning integration.</p> <p>Hope that this guide helps you to find new way to handle SAST tool reports, and make your hacking awesome!</p> sast devsecops spotbugs java How to replace @types/jest with @jest/globals and jest-mock Kengo TODA Sun, 22 Aug 2021 09:38:31 +0000 https://dev.to/kengotoda/how-to-replace-types-jest-with-jest-globals-and-jest-mock-52mb https://dev.to/kengotoda/how-to-replace-types-jest-with-jest-globals-and-jest-mock-52mb <p>I believe that it's always better to prefer official type definitions rather than unofficial DefinitelyTyped. And <a href="https://jestjs.io/ja/blog/2021/05/25/jest-27">Jest v27 introduced new defaults</a> so I thought that it's a nice timing to replace <code>@types/jest</code> with <code>@jest/globals</code> and <code>jest-mock</code>. I'll share several problems I met:</p> <h2> Dependency Update </h2> <p><code>jest-circus</code> is now default test runner, so we don't need to depend on it directly. Also remove <code>@types/jest</code> to replace with <code>@jest/globals</code> and <code>jest-mock</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm remove jest-circus @types/jest npm add <span class="nt">-D</span> jest@^27.0.6 ts-jest@^27.0.5 </code></pre> </div> <h2> Configuration </h2> <p>I'm using <code>ts-jest</code> to transpile TypeScript code, and its configuration is like below. Now we can remove both <code>testEnvironment</code> and <code>testRunner</code> in most cases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="na">defaults</span><span class="p">:</span> <span class="nx">tsjPreset</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ts-jest/presets</span><span class="dl">'</span><span class="p">)</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">clearMocks</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">moduleFileExtensions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">js</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ts</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// no need `testEnvironment: "node"` any more</span> <span class="na">testMatch</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">**/*.test.ts</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// no need `testRunner: "jest-circus"` any more</span> <span class="na">transform</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">tsjPreset</span><span class="p">.</span><span class="nx">transform</span><span class="p">,</span> <span class="p">},</span> <span class="na">verbose</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>I <a href="https://kulshekhar.github.io/ts-jest/docs/getting-started/presets#advanced">do not use preset to configure <code>ts-jest</code></a>, to let other integrations like puppeteer use it.</p> <h2> Import from <code>@jest/globals</code> and <code>jest-mock</code> </h2> <p>As described in the <a href="https://jestjs.io/docs/api">official API Document</a>, we can import Jest API from <code>@jest/globals</code> module.</p> <p>About <code>SpyInstance</code>, <code>@types/jest</code> provides it as <code>jest.SpyInstance</code>. But official type definition provides it as <code>import { SpyInstance } from 'jest-mock';</code> ... with generics!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">beforeEach</span><span class="p">,</span> <span class="nx">jest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@jest/globals</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SpyInstance</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jest-mock</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">spyOSHomedir</span><span class="p">:</span> <span class="nx">SpyInstance</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="p">[]</span><span class="o">&gt;</span><span class="p">;</span> <span class="nx">beforeEach</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">spyOSHomedir</span> <span class="o">=</span> <span class="nx">jest</span><span class="p">.</span><span class="nx">spyOn</span><span class="p">(</span><span class="nx">os</span><span class="p">,</span> <span class="dl">'</span><span class="s1">homedir</span><span class="dl">'</span><span class="p">);</span> <span class="nx">spyOSHomedir</span><span class="p">.</span><span class="nx">mockReturnValue</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>This generics will bring better type safety, and tons of code change. For instance, mocked function sometimes wants to return the value that satisfies required type partially. In the following case, mocked <code>fs.statSync</code> returns an object that has only <code>isFile()</code> method even though the <a href="https://nodejs.org/docs/latest-v12.x/api/fs.html#fs_class_fs_stats">required type <code>fs.Stats</code> has more properties and methods</a>. In such case we can use the <a href="https://www.typescriptlang.org/docs/handbook/utility-types.html#partialtype">Partial utility type</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">beforeEach</span><span class="p">,</span> <span class="nx">jest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@jest/globals</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SpyInstance</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jest-mock</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">spyFsStat</span><span class="p">:</span> <span class="nx">SpyInstance</span><span class="o">&lt;</span><span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">fs</span><span class="p">.</span><span class="nx">Stats</span> <span class="o">|</span> <span class="nx">fs</span><span class="p">.</span><span class="nx">BigIntStats</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">[</span><span class="nx">fs</span><span class="p">.</span><span class="nx">PathLike</span><span class="p">,</span> <span class="nx">fs</span><span class="p">.</span><span class="nx">StatOptions</span><span class="p">?]</span><span class="o">&gt;</span> <span class="nx">beforeEach</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">spyFsStat</span> <span class="o">=</span> <span class="nx">jest</span><span class="p">.</span><span class="nx">spyOn</span><span class="p">(</span><span class="nx">fs</span><span class="p">,</span> <span class="dl">'</span><span class="s1">statSync</span><span class="dl">'</span><span class="p">);</span> <span class="nx">spyFsStat</span><span class="p">.</span><span class="nx">mockImplementation</span><span class="p">((</span><span class="na">file</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nx">PathLike</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">isFile</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">file</span> <span class="o">===</span> <span class="nx">expectedJdkFile</span> <span class="p">};</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>One more example: when you mock overloaded methods, you'll face some difficulty like:</p> <p><a href="https://javascript.plainenglish.io/mocking-ts-method-overloads-with-jest-e9c3d3f1ce0c">https://javascript.plainenglish.io/mocking-ts-method-overloads-with-jest-e9c3d3f1ce0c</a></p> <p>By applying the solution introduced in that article, we may lose integrity in test codes. So it would be an acceptable solution to use <code>unknown</code> in some cases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">spyFsReadDir</span><span class="p">:</span> <span class="nx">SpyInstance</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="p">,</span> <span class="nx">Parameters</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">fs</span><span class="p">.</span><span class="nx">readdirSync</span><span class="o">&gt;&gt;</span><span class="p">;</span> <span class="nx">beforeEach</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// returned value is typed as `Dirent[]` but we want to return `string[]`, so use `unknown` to relax mismatch</span> <span class="nx">spyFsReadDir</span> <span class="o">=</span> <span class="nx">jest</span><span class="p">.</span><span class="nx">spyOn</span><span class="p">(</span><span class="nx">fs</span><span class="p">,</span> <span class="dl">'</span><span class="s1">readdirSync</span><span class="dl">'</span><span class="p">);</span> <span class="nx">spyFsReadDir</span><span class="p">.</span><span class="nx">mockImplementation</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="dl">'</span><span class="s1">JavaTest</span><span class="dl">'</span><span class="p">]);</span> <span class="p">});</span> </code></pre> </div> <p>That's all, you may refer to <a href="https://github.com/KengoTODA/setup-java/commit/24f091afd1eab070d0107b0ac233a5f4cc77aef5">my commit</a> replacing DefinitelyTyped with official type definitions. Thank you!</p> jest typescript A complete guide to use dependabot with semantic-release and @vercel/ncc for GitHub Actions Kengo TODA Fri, 16 Jul 2021 12:05:34 +0000 https://dev.to/kengotoda/a-complete-guide-to-use-dependabot-with-semantic-release-and-vercel-ncc-for-github-actions-230p https://dev.to/kengotoda/a-complete-guide-to-use-dependabot-with-semantic-release-and-vercel-ncc-for-github-actions-230p <p><a href="https://dependabot.com/" rel="noopener noreferrer">Depandabot</a> is a really productive solution to keep our products secure and updated.</p> <p>It is also easy to set up, however, it provides no chance to run a command in the PR, so we have additional considerations if we have some pre-release processes. For instance, for a GitHub Actions repository, we want to keep the <code>dist</code> directory updated by <a href="https://www.npmjs.com/package/@vercel/ncc" rel="noopener noreferrer"><code>@vercel/ncc</code></a> right after we update its dependencies.</p> <p>This article introduces <a href="https://semantic-release.gitbook.io/" rel="noopener noreferrer">semantic-release</a> as a solution. It automates the release process, and its <a href="https://github.com/semantic-release/exec" rel="noopener noreferrer">exec plugin</a> helps us to run <code>@vercel/ncc</code> before the release automatically.</p> <p>Overview of the development process is like below:</p> <ol> <li>Dependabot creates a PR to update dependencies</li> <li>GitHub Actions test the change, and reflect its result to GitHub Checks</li> <li>Merge the PR manually or automatically</li> <li>GitHub Actions run on the default branch, and trigger the semantic-release</li> <li>semantic-release creates a Git tag, a GitHub Release, and a npm release</li> </ol> <p>Check the following chapters for detail, or refer to <a href="https://github.com/KengoTODA/actions-setup-docker-compose/tree/ce91d5b76f4c9910e6958b58396df65e8fdaebe0" rel="noopener noreferrer">my GitHub repo</a> as a working example.</p> <h2> Install necessary node packages </h2> <p>Make sure you have a npm project in your working directory, and run the following command to install semantic-release and its plugins:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm add <span class="nt">-D</span> semantic-release @semantic-release/exec @semantic-release/git </code></pre> </div> <h2> Configure npm to run <code>@vercel/ncc</code> </h2> <p>In <code>package.json</code>, confirm that we have a script to run <code>ncc</code> to optimize JS files like below:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"package"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ncc build --source-map"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Configure semantic-release </h2> <p>Follow the <a href="https://semantic-release.gitbook.io/semantic-release/usage/configuration" rel="noopener noreferrer">official documents</a> to configure <code>semantic-release</code>.</p> <p>In my case, it became like below to use the <code>main</code> branch as default branch, and run <code>exec</code> plugin and <code>git</code> plugin:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"release"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"branches"</span><span class="p">:</span><span class="w"> </span><span class="s2">"main"</span><span class="p">,</span><span class="w"> </span><span class="nl">"plugins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"@semantic-release/commit-analyzer"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@semantic-release/release-notes-generator"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@semantic-release/npm"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@semantic-release/github"</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="s2">"@semantic-release/exec"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"prepare"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run package"</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"@semantic-release/git"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"assets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"dist"</span><span class="p">,</span><span class="w"> </span><span class="s2">"package.json"</span><span class="p">,</span><span class="w"> </span><span class="s2">"package-lock.json"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"chore(release): ${nextRelease.version} [skip ci]</span><span class="se">\n\n</span><span class="s2">${nextRelease.notes}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Configure the dependabot to follow the Conventional Commit </h2> <p>Configure <code>.github/dependabot.yml</code> to enable dependabot. Make sure <code>commit-message</code> part is configured with <code>prefix: fix</code> to following the <a href="https://www.conventionalcommits.org/en/v1.0.0/" rel="noopener noreferrer">Conventional Commits</a>.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">version</span><span class="pi">:</span> <span class="m">2</span> <span class="na">updates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">package-ecosystem</span><span class="pi">:</span> <span class="s">npm</span> <span class="na">directory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/"</span> <span class="na">schedule</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">daily</span> <span class="na">commit-message</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">fix</span> <span class="na">prefix-development</span><span class="pi">:</span> <span class="s">chore</span> <span class="na">include</span><span class="pi">:</span> <span class="s">scope</span> </code></pre> </div> <h2> (optional) Configure the auto-merge probot </h2> <p>To merge PRs made by dependabot automatic, you may introduce <a href="https://github.com/apps/probot-auto-merge" rel="noopener noreferrer">probot-auto-merge</a>. <code>.github/auto-merge.yml</code> will be like below:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">minApprovals</span><span class="pi">:</span> <span class="na">NONE</span><span class="pi">:</span> <span class="m">0</span> <span class="na">requiredLabels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dependencies</span> <span class="na">updateBranch</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">mergeMethod</span><span class="pi">:</span> <span class="s">rebase</span> </code></pre> </div> <p>If we apply <code>NONE: 0</code> to <code>minApprovals</code> configuration to merge without manual review, make sure the <a href="https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches" rel="noopener noreferrer">branch protection rule</a> is created for the default branch, to make sure PRs will be merged only when <a href="https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks" rel="noopener noreferrer">required status checks</a> have passed.</p> <p>There is no way to configure the branch protection rule by file, so you need to use GUI at github.com like below:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbgsgwmhgn5y26m77fhl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbgsgwmhgn5y26m77fhl.png" alt="screenshot of the branch protection rule GUI"></a></p> <h2> Create a PAT (Personal Access Token) </h2> <p>semantic-release needs a GitHub token to push a commit. But when we have branch protection rules for the target branch, <code>secrets.GITHUB_TOKEN</code> provides not enough permission so you'll face an <a href="https://github.com/KengoTODA/actions-setup-docker-compose/runs/3085079041?check_suite_focus=true#step:6:2121" rel="noopener noreferrer">error like below</a>:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> error: GH006: Protected branch update failed for refs/heads/main. error: 2 of 2 required status checks are expected. </code></pre> </div> <p>To avoid this error, <a href="https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token" rel="noopener noreferrer">create a PAT</a> and store it as an <a href="https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository" rel="noopener noreferrer">encrypted secret</a>.</p> <p>To keep our development environment secure, it's better to keep <a href="https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps" rel="noopener noreferrer">PAT's scope</a> minimal as much as possible. In my case, just a <code>public_repo</code> scope is enough.</p> <h2> Configure GitHub Actions </h2> <p>We have a PAT so now we can configure GitHub Actions workflow!<br> It'll be like below:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="c1"># Make sure the release step uses its own credentials.</span> <span class="na">persist-credentials</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npm ci</span> <span class="s">npm run all</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run semantic-release</span> <span class="c1"># This process will run `ncc`, commit files, push a Git commit, and release to GitHub and npmjs.</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npx semantic-release</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.PAT_TO_PUSH }}</span> <span class="na">NPM_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.NPM_TOKEN }}</span> </code></pre> </div> <p>Or you may refer to <a href="https://github.com/KengoTODA/actions-setup-docker-compose/blob/ce91d5b76f4c9910e6958b58396df65e8fdaebe0/.github/workflows/test.yml" rel="noopener noreferrer">my workflow config</a> as a working example.</p> <p>Important points are as follows:</p> <ol> <li>Run <code>actions/checkout</code> with <code>persist-credentials: false</code>, or <a href="https://github.com/semantic-release/git/issues/196#issuecomment-601310576" rel="noopener noreferrer"><code>git</code> plugin will use the GitHub token generated by <code>actions/checkout</code></a>.</li> <li>Set the PAT created at the previous chapter to <code>GITHUB_TOKEN</code> when we run <code>npx semantic-release</code>.</li> </ol> <h2> Wrap up </h2> <p>Dependabot is really productive, even to GitHub Actions project that needs to keep the <code>dist</code> directory updated. semantic-release helps us not only by tagging but also by running commands to make the project ready to release.</p> <p>There are several pitfalls around permission control, hope that this article helps you to avoid them. Enjoy hacking! :)</p> semanticrelease githubactions dependabot New GitHub Action to set up docker-compose Kengo TODA Fri, 28 Aug 2020 12:23:36 +0000 https://dev.to/kengotoda/new-github-action-to-set-up-docker-compose-4ne3 https://dev.to/kengotoda/new-github-action-to-set-up-docker-compose-4ne3 <h3> My Action </h3> <p>This <a href="https://github.com/KengoTODA/actions-setup-docker-compose">setup-docker-compose action</a> downloads the <code>docker-compose</code> command and add it to the <code>PATH</code> for following executions. At this moment, It supports the Linux environment only.</p> <h3> Submission Category: </h3> <p>Wacky Wildcards. Usually, FOSS projects don't need to use this action, because action runners hosted by GitHub already have <code>docker-compose</code> in its <code>PATH</code>. So other categories aren't suitable to submit.</p> <h3> Yaml File or Link to Code </h3> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vJ70wriM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://practicaldev-herokuapp-com.freetls.fastly.net/assets/github-logo-ba8488d21cd8ee1fee097b8410db9deaa41d0ca30b004c0c63de0a479114156f.svg" alt="GitHub logo"> <a href="https://github.com/KengoTODA"> KengoTODA </a> / <a href="https://github.com/KengoTODA/actions-setup-docker-compose"> actions-setup-docker-compose </a> </h2> <h3> the GitHub Action setting up docker-compose command </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <h1> GitHub action to setup <code>docker-compose</code> command</h1> <p><a href="https://github.com/KengoTODA/actions-setup-docker-compose/actions"><img alt="actions-setup-docker-compose status" src="https://res.cloudinary.com/practicaldev/image/fetch/s--CkeA2QE1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/KengoTODA/actions-setup-docker-compose/workflows/build-test/badge.svg"></a></p> <p>This action downloads the <code>docker-compose</code> command and add it to the <code>PATH</code> for following execution. It supports Linux environment only.</p> <h2> How to use</h2> <p>Add a step to your workflow like below:</p> <div class="highlight highlight-source-yaml"><pre> <span class="pl-ent">steps</span>: - <span class="pl-ent">uses</span>: <span class="pl-s">KengoTODA/actions-setup-docker-compose@main</span> <span class="pl-ent">with</span>: <span class="pl-ent">version</span>: <span class="pl-s"><span class="pl-pds">'</span>1.26.2<span class="pl-pds">'</span></span></pre></div> <p>The <code>version</code> parameter is required, specify the full version of <code>docker-compose</code> command.</p> </div> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/KengoTODA/actions-setup-docker-compose">View on GitHub</a></div> <br> </div> <br> <h3> Additional Resources / Info </h3> <p>As noted above, FOSS projects usually don't need to use this action. So there is no FOSS project depending on it for now.</p> <p>This action is for who's trying to integrate FOSS power into in-house development with the self-hosted runner.</p> actionshackathon github opensource dockercompose Deploying to OSSRH with Gradle in 2020 Kengo TODA Wed, 29 Apr 2020 01:22:29 +0000 https://dev.to/kengotoda/deploying-to-ossrh-with-gradle-in-2020-1lhi https://dev.to/kengotoda/deploying-to-ossrh-with-gradle-in-2020-1lhi <p>It seems that the method described in <a href="https://central.sonatype.org/pages/gradle.html">the official page</a> is a little bit old. Here I'll introduce a modern way.</p> <h2> Metadata and Signing </h2> <p>Use <a href="https://docs.gradle.org/current/userguide/publishing_maven.html#publishing_maven">the <code>maven-publish</code> plugin</a> instead of <a href="https://docs.gradle.org/current/userguide/maven_plugin.html">the <code>maven</code> plugin</a>. No need to configure the <code>artifacts</code> extension.</p> <h2> Jar Files </h2> <p>The <code>classifier</code> property of <code>Jar</code> task is now <a href="https://docs.gradle.org/current/dsl/org.gradle.api.tasks.bundling.Jar.html#org.gradle.api.tasks.bundling.Jar:classifier">deprecated</a>. Instead, we can use <a href="https://docs.gradle.org/current/userguide/java_plugin.html#sec:java-extension"><code>withJavadocJar()</code> and <code>withSourcesJar()</code> in the <code>java</code> extension</a>.<br> </p> <div class="highlight"><pre class="highlight groovy"><code><span class="n">java</span> <span class="o">{</span> <span class="n">withJavadocJar</span><span class="o">()</span> <span class="n">withSourcesJar</span><span class="o">()</span> <span class="o">}</span> </code></pre></div> <h2> Signing artifacts </h2> <p>We're using <code>maven-publish</code> plugin, so the <code>signing</code> extension in our build script will be like the following:<br> </p> <div class="highlight"><pre class="highlight groovy"><code><span class="n">ext</span><span class="o">.</span><span class="na">isReleaseVersion</span> <span class="o">=</span> <span class="o">!</span><span class="n">version</span><span class="o">.</span><span class="na">endsWith</span><span class="o">(</span><span class="s2">"SNAPSHOT"</span><span class="o">)</span> <span class="c1">// -------------------------------------</span> <span class="c1">// here 'publishing' extension will come</span> <span class="c1">// -------------------------------------</span> <span class="n">signing</span> <span class="o">{</span> <span class="n">sign</span> <span class="n">publishing</span><span class="o">.</span><span class="na">publications</span><span class="o">.</span><span class="na">mavenJava</span> <span class="o">}</span> <span class="n">tasks</span><span class="o">.</span><span class="na">withType</span><span class="o">(</span><span class="n">Sign</span><span class="o">)</span> <span class="o">{</span> <span class="n">onlyIf</span> <span class="o">{</span> <span class="n">isReleaseVersion</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> <h2> Metadata Definition and Upload </h2> <p>Instead of <code>uploadArchives</code> extension for the <code>maven</code> plugin, configure <code>publishing</code> extension for the <code>maven-publish</code> plugin.<br> </p> <div class="highlight"><pre class="highlight groovy"><code><span class="n">publishing</span> <span class="o">{</span> <span class="n">repositories</span> <span class="o">{</span> <span class="n">maven</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">releaseRepo</span> <span class="o">=</span> <span class="s2">"https://oss.sonatype.org/service/local/staging/deploy/maven2/"</span> <span class="kt">def</span> <span class="n">snapshotRepo</span> <span class="o">=</span> <span class="s2">"https://oss.sonatype.org/content/repositories/snapshots/"</span> <span class="n">url</span> <span class="o">=</span> <span class="n">isReleaseVersion</span> <span class="o">?</span> <span class="n">releaseRepo</span> <span class="o">:</span> <span class="n">snapshotRepo</span> <span class="n">credentials</span> <span class="o">{</span> <span class="n">username</span> <span class="o">=</span> <span class="n">project</span><span class="o">.</span><span class="na">hasProperty</span><span class="o">(</span><span class="s1">'ossrhUsername'</span><span class="o">)</span> <span class="o">?</span> <span class="n">ossrhUsername</span> <span class="o">:</span> <span class="s2">"Unknown user"</span> <span class="n">password</span> <span class="o">=</span> <span class="n">project</span><span class="o">.</span><span class="na">hasProperty</span><span class="o">(</span><span class="s1">'ossrhPassword'</span><span class="o">)</span> <span class="o">?</span> <span class="n">ossrhPassword</span> <span class="o">:</span> <span class="s2">"Unknown password"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">publications</span> <span class="o">{</span> <span class="n">mavenJava</span><span class="o">(</span><span class="n">MavenPublication</span><span class="o">)</span> <span class="o">{</span> <span class="n">pom</span> <span class="o">{</span> <span class="n">groupId</span> <span class="o">=</span> <span class="s1">'com.example'</span> <span class="n">name</span> <span class="o">=</span> <span class="s1">'example project'</span> <span class="n">description</span> <span class="o">=</span> <span class="s1">'Example Project to learn how to deploy to OSSRH'</span> <span class="n">url</span> <span class="o">=</span> <span class="s1">'https://example.com/'</span> <span class="n">from</span> <span class="n">components</span><span class="o">.</span><span class="na">java</span> <span class="n">licenses</span> <span class="o">{</span> <span class="n">license</span> <span class="o">{</span> <span class="n">name</span> <span class="o">=</span> <span class="s1">'The Apache License, Version 2.0'</span> <span class="n">url</span> <span class="o">=</span> <span class="s1">'http://www.apache.org/licenses/LICENSE-2.0.txt'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">scm</span> <span class="o">{</span> <span class="n">connection</span> <span class="o">=</span> <span class="s1">'scm:git:git@github.com:example.com/example.git'</span> <span class="n">developerConnection</span> <span class="o">=</span> <span class="s1">'scm:git:git@github.com:example.com/example.git'</span> <span class="n">url</span> <span class="o">=</span> <span class="s1">'https://github.com/example.com/example/'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> <h2> Deployment </h2> <p>Use the <code>publishToMavenLocal</code> task to publish artifacts to maven local repository.</p> <p>Use the <code>publish</code> task to publish artifacts to maven remote repositories. Don't forget to visit <a href="https://oss.sonatype.org/">oss.sonatype.org</a> to close and release your staging repository.</p> java gradle SpotBugs v4.0.0 is out! Kengo TODA Wed, 19 Feb 2020 11:04:58 +0000 https://dev.to/kengotoda/spotbugs-v4-0-0-is-out-32ej https://dev.to/kengotoda/spotbugs-v4-0-0-is-out-32ej <p>This week we've released <a href="https://github.com/spotbugs/spotbugs/blob/4.0.0/CHANGELOG.md#400---2020-02-15">SpotBugs v4.0.0</a>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HaZB-YAa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://spotbugs.github.io/images/logos/spotbugs_logo_600px.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HaZB-YAa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://spotbugs.github.io/images/logos/spotbugs_logo_600px.png" alt="SpotBugs Logo"></a></p> <p>We've spent about a year to deliver this stable version, however, this version has less breaking changes. We removed only unused features based on <a href="https://github.com/spotbugs/discuss/issues/65">this investigation</a>. I wish you can enjoy the new version with fewer migration costs.</p> <p>Note that default detectors in this version still has some problems around Java 9+, check <a href="https://github.com/spotbugs/spotbugs/issues?q=is%3Aopen+is%3Aissue+label%3AJava-9">related issues</a> if you run SpotBugs for projects using Java 11, 14 or later. To avoid this problem, you can <a href="https://spotbugs.readthedocs.io/en/latest/running.html#detector-visitor-configuration-options">limit activated detectors by command line option</a>.</p> <p>We also provide <a href="https://spotbugs.readthedocs.io/en/stable/migration.html#guide-for-migration-from-spotbugs-3-1-to-4-0">the official migration guide</a>. If you're SpotBugs plugin author, please check it to ease your migration.</p> <p>BTW if you're using IntelliJ IDEA, watch <a href="https://github.com/spotbugs/spotbugs/issues/515">this issue</a> and contribute to help <a href="https://github.com/GoSecure/findbugs-idea">the SpotBugs-IDEA project</a>. I'm not member of it, but it seems pretty cool.<br> And if you're using Gradle, watch <a href="https://github.com/spotbugs/spotbugs-gradle-plugin/issues/180">this issue</a> and help us to verify <a href="https://github.com/KengoTODA/spotbugs-gradle-plugin-v2/">the experimental implementation</a>. Current implementation has many problems, and it's quite hard to solve incrementally, so I started this project from scratch. It seems working and keep most of API, but we still need your contribution especially from <a href="https://github.com/KengoTODA/spotbugs-gradle-plugin-v2/issues/1">Android project developers</a>.</p> spotbugs java Tips to implement Gradle Plugin Kengo TODA Thu, 09 Jan 2020 20:59:13 +0000 https://dev.to/kengotoda/tips-to-implement-gradle-plugin-8d6 https://dev.to/kengotoda/tips-to-implement-gradle-plugin-8d6 <p>Now I'm implementing <a href="https://github.com/KengoTODA/spotbugs-gradle-plugin-v2">a new Gradle Plugin</a>. <a href="https://gradle.org/guides/?q=Plugin%20Development">The official document</a> is really nice, and I wish my experience will help you to code yours.</p> <h2> Use groovy for extension and task </h2> <p>The extension is a major way to configure your plugin. It's a class that uses <a href="https://docs.gradle.org/current/userguide/lazy_configuration.html">Property and Provider</a> as its fields, then users can set values like below:<br> </p> <div class="highlight"><pre class="highlight groovy"><code><span class="n">extension</span> <span class="o">{</span> <span class="n">intProp</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">fileProp</span> <span class="o">=</span> <span class="n">file</span><span class="o">(</span><span class="s1">'config.yml'</span><span class="o">)</span> <span class="n">listProp</span> <span class="o">=</span> <span class="o">[</span> <span class="s1">'bar'</span><span class="o">,</span> <span class="s1">'baz'</span> <span class="o">]</span> <span class="o">}</span> </code></pre></div> <p>Groovy helps you to generate necessary accessors, so what you need is simply private final fields:<br> </p> <div class="highlight"><pre class="highlight groovy"><code><span class="kd">class</span> <span class="nc">MyExtension</span> <span class="o">{</span> <span class="nd">@NonNull</span> <span class="kd">final</span> <span class="n">Property</span><span class="o">&lt;</span><span class="n">Boolean</span><span class="o">&gt;</span> <span class="n">boolProp</span><span class="o">;</span> <span class="nd">@Inject</span> <span class="n">MyExtension</span><span class="o">(</span><span class="n">ObjectFactory</span> <span class="n">objects</span><span class="o">)</span> <span class="o">{</span> <span class="n">boolProp</span> <span class="o">=</span> <span class="n">objects</span><span class="o">.</span><span class="na">property</span><span class="o">(</span><span class="n">Boolean</span><span class="o">).</span><span class="na">convention</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">class</span> <span class="nc">MyTask</span> <span class="kd">extends</span> <span class="n">DefaultTask</span> <span class="o">{</span> <span class="nd">@Input</span> <span class="nd">@NonNull</span> <span class="kd">final</span> <span class="n">Property</span><span class="o">&lt;</span><span class="n">Boolean</span><span class="o">&gt;</span> <span class="n">boolProp</span><span class="o">;</span> <span class="nd">@Inject</span> <span class="n">MyTask</span><span class="o">(</span><span class="n">ObjectFactory</span> <span class="n">objects</span><span class="o">)</span> <span class="o">{</span> <span class="n">extension</span> <span class="o">=</span> <span class="n">project</span><span class="o">.</span><span class="na">exntensions</span><span class="o">.</span><span class="na">getByType</span><span class="o">(</span><span class="n">MyExtension</span><span class="o">)</span> <span class="n">boolProp</span> <span class="o">=</span> <span class="n">objects</span><span class="o">.</span><span class="na">property</span><span class="o">(</span><span class="n">Boolean</span><span class="o">).</span><span class="na">convention</span><span class="o">(</span><span class="n">extension</span><span class="o">.</span><span class="na">boolProp</span><span class="o">)</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> <h2> Always prefer lazy-approach </h2> <p>For better performance, we need to learn about <a href="https://docs.gradle.org/current/userguide/build_lifecycle.html">build lifecycle</a>, or face performance problem like <a href="https://github.com/spotbugs/spotbugs-gradle-plugin/issues/165">this</a>.</p> <p>Prefer the lazy-approach. Pick APIs that lets you specify a <code>configurationAction</code> as its parameter like <a href="https://docs.gradle.org/6.0.1/javadoc/org/gradle/api/tasks/TaskContainer.html#register-java.lang.String-java.lang.Class-org.gradle.api.Action-">TaskContainer#register(...)</a>.</p> <p>Refer <a href="https://docs.gradle.org/current/userguide/task_configuration_avoidance.html">the official document</a> for detail.</p> <h2> Understand the difference between getXxx() and findXxx() </h2> <p>In Groovy modules, methods named <code>getXxx()</code> throw an exception if you found nothing. On the other hand, methods named <code>findXxx()</code> return <code>null</code> (not <code>Optional</code>!).</p> <p>So when you expect that you always find the value (e.g. get the extension created by your plugin), use <code>getXxx()</code>. Otherwise, prefer <code>findXxx()</code> and check the nullness of returned value.</p> <h1> Worker API </h1> <p>To run heavy computations like static analysis, it is better to use <a href="https://guides.gradle.org/using-the-worker-api/">the Gradle Worker API</a>.</p> <p>In my case, I need to launch a JVM process to kick <a href="https://spotbugs.github.io/">SpotBugs</a>, and it makes build especially in multi-module projects. Here is the result of <a href="https://github.com/KengoTODA/spotbugs-gradle-plugin-v2/issues/15#issuecomment-572515786">my benchmark</a>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--N3Y3rW-U--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/rdqfwnnzaz7qek0cv8po.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--N3Y3rW-U--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/rdqfwnnzaz7qek0cv8po.png" alt="Benchmark Result"></a></p> <p>It requires Gradle 5.6+ but is actually valuable. You may have a try :)</p> groovy gradle Sign Eclipse plugin by Gradle Kengo TODA Wed, 21 Nov 2018 10:28:15 +0000 https://dev.to/kengotoda/sign-eclipse-plugin-by-gradle-4md8 https://dev.to/kengotoda/sign-eclipse-plugin-by-gradle-4md8 <p>When we distribute Eclipse plugin, it is better to sign your .jar files by <code>jarsigner</code> bundled with JDK. By this process user can install your plugin without warning <a href="https://github.com/spotbugs/spotbugs/issues/779#issue-372330179">like this</a>.<br> In Eclipse wiki we have <a href="https://wiki.eclipse.org/JAR_Signing">Jar Signing page</a>, but it explains no detailed method to sign. Here let's see how Gradle can sign your .jar files.</p> <p>To sign by <code>jarsigner</code>, you need <a href="https://en.wikipedia.org/wiki/Keystore">Java Keystore</a> file that stores keychain. We can use <code>keytool</code> to generate self-signed signature, but here we'll use <a href="https://letsencrypt.org/">Let's Encrypt</a> to generate non self-signed signature.</p> <p>First, follow interaction of Let's Encrypt, then you can generate <code>privkey.pem</code> and <code>fullchain.pem</code>. Second, use <code>openssl</code> command to generate <a href="https://en.wikipedia.org/wiki/PKCS_12">.p12 file</a> that is necessary to generate Java Keystore. Here is example:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>openssl pkcs12 <span class="nt">-export</span> <span class="se">\</span> <span class="nt">-in</span> fullchain.pem <span class="nt">-inkey</span> privkey.pem <span class="se">\</span> <span class="nt">-out</span> your.p12 <span class="se">\</span> <span class="nt">-name</span> eclipse-plugin </code></pre></div> <p>Third, generate .jks file by <code>keytool</code> command:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>keytool <span class="nt">-importkeystore</span> <span class="se">\</span> <span class="nt">-srckeystore</span> your.p12 <span class="nt">-srcstorepass</span> <span class="nv">$SRC_PASS</span> <span class="nt">-srcstoretype</span> PKCS12 <span class="se">\</span> <span class="nt">-destkeystore</span> your.jks <span class="nt">-deststorepass</span> <span class="nv">$DEST_PASS</span> </code></pre></div> <p>We use this .jks file to sign, so remember your <code>$DEST_PASS</code>. You also need to keep this .jks file secret. If you're using Travis CI, <a href="https://docs.travis-ci.com/user/encrypting-files/">encrypt-file command</a> is your friend.</p> <p>OK now we have all necessary things, let's config our <code>build.gradle</code> file.<br> What you need is a function to sign both <code>plugins</code> jar file and <code>feature</code> jar files. Groovy itself doesn't provide feature to sign, so use <a href="https://ant.apache.org/manual/Tasks/signjar.html">Ant's SignJar task</a> instead like below:<br> </p> <div class="highlight"><pre class="highlight groovy"><code><span class="c1">// sign all .jar file under specified dir</span> <span class="n">ext</span><span class="o">.</span><span class="na">signJar</span> <span class="o">=</span> <span class="o">{</span> <span class="n">File</span> <span class="n">dir</span> <span class="o">-&gt;</span> <span class="kt">def</span> <span class="n">keystorepass</span> <span class="o">=</span> <span class="n">project</span><span class="o">.</span><span class="na">hasProperty</span><span class="o">(</span><span class="s1">'DEST_PASS'</span><span class="o">)</span> <span class="o">?</span> <span class="n">keystorepass</span> <span class="o">:</span> <span class="s1">''</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="n">keystorepass</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="n">print</span> <span class="s1">'to sign eclipse plugins, set "DEST_PASS" project property'</span> <span class="k">return</span> <span class="o">}</span> <span class="n">dir</span><span class="o">.</span><span class="na">traverse</span><span class="o">(</span><span class="nl">type:</span> <span class="n">FILES</span><span class="o">,</span> <span class="nl">nameFilter:</span> <span class="o">~</span><span class="s">/.*\.jar$/</span><span class="o">)</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">relativePath</span> <span class="o">=</span> <span class="n">rootDir</span><span class="o">.</span><span class="na">toPath</span><span class="o">().</span><span class="na">relativize</span><span class="o">(</span> <span class="n">it</span><span class="o">.</span><span class="na">toPath</span><span class="o">()</span> <span class="o">)</span> <span class="n">println</span> <span class="s2">"signing ${relativePath}"</span> <span class="n">ant</span><span class="o">.</span><span class="na">signjar</span><span class="o">(</span> <span class="nl">destDir:</span> <span class="n">it</span><span class="o">.</span><span class="na">parentFile</span><span class="o">,</span> <span class="nl">jar:</span> <span class="n">it</span><span class="o">,</span> <span class="nl">alias:</span> <span class="s1">'eclipse-plugin'</span><span class="o">,</span> <span class="nl">keystore:</span> <span class="s2">"path/to/your.jks"</span><span class="o">,</span> <span class="nl">storepass:</span> <span class="n">keystorepass</span><span class="o">,</span> <span class="nl">tsaurl:</span> <span class="s1">'http://timestamp.digicert.com'</span><span class="o">,</span> <span class="nl">verbose:</span> <span class="kc">true</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> <p>Well done! You can simply invoke this function between jar task and <code>artifacts.xml</code> file generation (because this <code>artifacts.xml</code> contains md5 hash of .jar files).</p> <p>Here is <a href="https://github.com/spotbugs/spotbugs/pull/803">a PR that introduces jarsigner to SpotBugs build</a>, you may check it as working solution. It uses Gradle 5.0 RC3, but it should work with Gradle 4 too.</p> eclipse java gradle Build stage on Travis CI Kengo TODA Fri, 27 Jul 2018 10:55:48 +0000 https://dev.to/kengotoda/build-stage-on-travis-ci-3pdk https://dev.to/kengotoda/build-stage-on-travis-ci-3pdk <p>Today I found <a href="https://blog.travis-ci.com/2018-07-18-build-stages-officially-released">a Travis CI blog post</a> regarding build stage on Travis CI. Now it goes GA so we all can enjoy this feature.</p> <p>Here is <a href="https://github.com/KengoTODA/findbugs-slf4j/pull/118/files">the my PR to introduce build stage</a>. In my feeling, it has one good point:</p> <h2> No more <code>if</code> in analysis and deploy part </h2> <p>When I run analysis like <a href="https://sonarcloud.io">SonarCloud</a>, it was necessary to limit target JVM &amp; environment variable to make PR page easy to read. For example, here is a <code>.travis.yml</code> snippet that runs analysis only with specific condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jdk</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">oraclejdk8</span> <span class="pi">-</span> <span class="s">oraclejdk9</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./mvnw org.jacoco:jacoco-maven-plugin:prepare-agent verify -B</span> <span class="pi">-</span> <span class="s">if [[ $TRAVIS_JDK_VERSION == "oraclejdk8" ]]; then ./mvnw sonar:sonar -B; fi</span> </code></pre> </div> <p>In case of build stage, script runs with the first value in <code>env</code>, <code>jdk</code> and others by default. So we can remove <code>if</code> from <code>.travis.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jdk</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">oraclejdk8</span> <span class="pi">-</span> <span class="s">oraclejdk9</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./mvnw verify -B</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">analysis</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./mvnw org.jacoco:jacoco-maven-plugin:prepare-agent verify sonar:sonar -B</span> </code></pre> </div> <p>One point, is that, each build stage and job doesn't share generated files. So here we need to run <code>verify</code> phase even in <code>analysis</code> stage, to generate analysis targets (<code>.class</code> file in this case).</p> <p>This merit works even to <a href="https://docs.travis-ci.com/user/deployment">deploy</a> phase. This feature should reduce complexity in our <code>.travis.yml</code>.</p> <p>That's all. Enjoy hacking with Travis CI!</p> travis build deploy ci