Add support for build artifacts locking using lockBuild parameter

[smaarn]

Objective: locking plugins (and their dependencies) as well as extensions being used in a maven project.

This involved several refactorings:

1. Extract Dependency from Artifact model
2. Introduce LockableEntity base class (and corresponding subclasses)

Fixes #84

Depends upon #86 (which basically updates the XSD)

[vandmo]

Looks really good!
Added some comment and have a closer look later.

[vandmo]

I think lockBuild would be enough? And maybe it should be moved to LockMojo.java ?
I think that the check goal should check the build lock if it exists in the lock file.

[smaarn]

Indeed.
Reworked that in two phases:

1. Renaming the parameter (991ae44)
2. Pull down the parameter and make sure the check logic automatically detects if it needs to check build logics (in 9a417a4)

[smaarn]

I believe this is pretty much ready to be reviewed.

I recon there are a few classes for which unit testing could be helpful (specifically thinking of lock file formatting / parsing logic which may be tricky to maintain and where errors are quickly made), but would rather have feedbacks first to see if this is the right implementation target.

[vandmo]

I have had a closer look now.

I think the code looks good but I am unsure about the new structure of the dependency-lock.json. I like the idea but it would break the build if somebody manages to do a lock with a new version of the plugin. It is opt-in in a way since lockBuild needs to be set but maybe it should be an additional flag. Is the lock file a lot smaller then it would be if it would behave as the pom lock file?

The XML schema would need to be updated as well (https://vandmo.github.io/dependency-lock-maven-plugin/maven-v4_0_0_ext.xsd and https://vandmo.github.io/dependency-lock-maven-plugin/dependencylock.xsd)

There are some tests that should problaby be added that I noticed, but those could be done separately from this MR. I can write them myself unless you really want to :)

• A test with <extension>...</extension> in the pom.
• Make sure that the generated pom validates against the schema at https://vandmo.github.io/dependency-lock-maven-plugin/dependencylock.xsd

[smaarn]

Will add a test for the support of "extension".

One question I have though: the mentioned xsd needs to be altered from what I see (or a newer version generated), would there be any objection to having it included in the build process ?

I see three ways of implementing this:

1. Having a copy of the xsd in the build process and have it "delivered" / "checked" in the release process (if we are to version the XSD)
2. Having a copy of the xsd in the build process and have it updated in the release process (if we are to not version the XSD)
3. Manually uploading the xsds and ensuring in the build process that those actually are compliant with generated resources (there are some plugins out there to "fetch them")

What would be your preference here ?

[vandmo]

I think it would be great if there could be a build step that commits the file in the gh-pages branch.

[smaarn]

Added:

1. Integration tests for extension cases (turns out that there was a bug so... good thing :) )
2. New XSD usage

This means that this PR will depend on #86 being merged to be fully operational in terms of XSD compliance

I can propose to do the automatic publishing to gh-pages but I'd rather do it in a separate PR as it involves a lot more discussion (notably because it requires adding rights for the process to contribute to github branches)

[vandmo]

I am pondering wheter it is a good idea to make the JSON lock file incompatible with older versions of the plugin.
Pros:

• Size reduction I would assume, but unsure how much
• The structure makes it impossible to specify different checksums for the same artifact
• Older versions of the plugin will fail which requires the user to bump it to a version that supports build locking which is wanted by the lock file
  Cons:
• Older versions of the plugin will fail with a bad error message if it encounters the lock file

Am I missing something?

[smaarn]

I am pondering wheter it is a good idea to make the JSON lock file incompatible with older versions of the plugin.
Pros:

• Size reduction I would assume, but unsure how much
• The structure makes it impossible to specify different checksums for the same artifact
• Older versions of the plugin will fail which requires the user to bump it to a version that supports build locking which is wanted by the lock file
  Cons:
• Older versions of the plugin will fail with a bad error message if it encounters the lock file

Am I missing something?

I believe you're not missing anything indeed. The "space gain" is not even guaranteed to be a huge one IMHO.

My only question here would be: is it reasonable to expect different versions of the plugin being used ? (e.g. locking with a new version and checking with an old version) Rolling back this is a one liner so do tell me if you'd rather keep it "backward compatible" (in the same manner as for the POM it turns out).

[smaarn]

Fixed the JSON format change in 0f7b954. WDYT ?

[vandmo]

Yeah, lets go with this version. It is consistent with how the pom is as well and if an artifact gets locked with different checksums for some reason then the check would fail for one of those. Probably very low risk of that happening though, somebody would need to edit the lock file manually I guess.
I will look closer during the day and merge it hopefully. Is it ok if I do "Squash and Merge" or do you want to keep the individual commits?

[smaarn]

Yeah, lets go with this version. It is consistent with how the pom is as well and if an artifact gets locked with different checksums for some reason then the check would fail for one of those. Probably very low risk of that happening though, somebody would need to edit the lock file manually I guess. I will look closer during the day and merge it hopefully. Is it ok if I do "Squash and Merge" or do you want to keep the individual commits?

By all means, do "Squash and Merge" ! The initial commits separation was to ease the review process and the refactoring logic, it loses any interests to keep as is "on master".

[vandmo]

Could you change back to the initial structure of the JSON lock file?
I have though about it now and I think that makes most sense.

It could be worth having a version: 2 in the JSON file and something similar in the XML file as well, and then make the plugin fail on any newer versions with a message like "Format version X not recognised, try bumping the plugin version". That would make it possible to do similar changes in the future which would result in better error messages for at least some people. That is separate PR/change though.

Maybe it could be worth having an option to use the new format even if the build is not locked, but that is also a separate thing.

[smaarn]

Could you change back to the initial structure of the JSON lock file? I have though about it now and I think that makes most sense.

It could be worth having a version: 2 in the JSON file and something similar in the XML file as well, and then make the plugin fail on any newer versions with a message like "Format version X not recognised, try bumping the plugin version". That would make it possible to do similar changes in the future which would result in better error messages for at least some people. That is separate PR/change though.

Maybe it could be worth having an option to use the new format even if the build is not locked, but that is also a separate thing.

Rolled back to the former proposal (e.g. "dependencies" field using "artifact" indirection) and added version field (used it as way to identify the file format).

Regarding the POM situation there are two options:

• Using a versioned XSD instead (e.g. dedicated path)
• Adding a "lockVersion" (the "version" field is already used, as well as "modelVersion")

Not too sure about either options TBH. What would be your take here ?

[vandmo]

Looks really good! I merged it and will create separate issues for remaining things we have talked about. Would be good to get the version in to the the XML somehow before creating a release.
I can always create a 0.0.0- version if you want to try it out before that.