Allow User Customization for gradlew --write-verification-metadata command

[dalewest]

Tell us more.

Our company is attempting to use renovate on our java projects that have dependency verification enabled. We are having issues with this where the renovate pipeline does not reliably update the gradle/verification-metadata.xml file. As a result we end up with a large number of failing MR pipelines.

Troubleshooting this is difficult as the command used has been renovate is hard coded as below:

./gradlew --console=plain --dependency-verification lenient -q --write-verification-metadata sha256 help

The -q parameter tells gradlew to only log errors and apparently whatever is not working correctly does not generate any errors. For example, we use a private gitlab registry for internal java artifacts, this gradlew command is behaving as if it does not know about or cannot authenticate to this registry but I have no way of seeing that from the output.

In addition to modifying logging of this command, we would also like to change the task of the gradle command from to help something will work better for us.

Thank you. If there is some other way I am missing that can help troubleshoot these problems I would be pleased to know about them.

[dalewest]

Can I please get an issue created from this ticket? It appears I do not have permission to do so.

[rarkins]

We create an issue once there is a viable solution in mind. If you're interested to implement this yourself then please let us know your proposed plan (eg new configuration options?) for feedback first

[raphiz]

I have the same issue in a couple of repos of mine (Here's an example).

It's important to note that this is not an issue with renovate per se, but how renovate calls gradle.

Currently, the help task is called to generate the verification-metadata.xml (e.g. ./gradlew --write-verification-metadata sha256 help). Gradle is lazy and may not evaluate the required dependencies:

[...] Gradle may discover more dependencies and artifacts depending on the tasks you execute. [...]

In my tests, using the built-in dependencies task instead of help works quite well (./gradlew --write-verification-metadata sha256 dependencies). This can be reproduced on the renovate/org.http4k-http4k-bom-5.x branch in this example repository.

I suggest we either adapt the default task to the built-in dependencies task or maybe even make the task that renovate executes configurable.

I can create a PR if this sounds reasonable.

Also, a big thank you for all your hard work on this amazing project! 🙏

[Churro]

Sounds reasonable for me to use the dependencies task instead of help. gradle itself refers to it as a starting point. The dependencies task is also called for lockfile generation, so generally I would expect it for verification metadata too.

[raphiz]

👍 I created a PR for this: #29602

[dalewest]

Excellent. Thanks Raphi, I was not aware of the dependencies task but on some quick testing it does seem much more effective.