Skip to content

SOLR-18296: dependency-analysis (DAGP) — reporting + safe advice (part 1/3)#4612

Open
serhiy-bzhezytskyy wants to merge 2 commits into
apache:mainfrom
serhiy-bzhezytskyy:dagp-pr1-infra-safe
Open

SOLR-18296: dependency-analysis (DAGP) — reporting + safe advice (part 1/3)#4612
serhiy-bzhezytskyy wants to merge 2 commits into
apache:mainfrom
serhiy-bzhezytskyy:dagp-pr1-infra-safe

Conversation

@serhiy-bzhezytskyy

Copy link
Copy Markdown
Contributor

Completes the dependency-analysis follow-up deferred from the Gradle 9 upgrade (SOLR-18289), which dropped the Gradle-9-incompatible ca.cutterslade.analyze plugin.

This is part 1 of 3, split so each layer can be judged independently (per @dsmiley / @janhoy dev@ feedback that the api-vs-implementation advice needs human judgement, not blanket application):

  • This PR (1/3, ready): wire in the Dependency Analysis Gradle Plugin (com.autonomousapps build-health) configured to report (warn), not fail — advice is guidance, not enforcement — plus the uncontroversial advice: removal of genuinely-unused dependency declarations and a few test-scope corrections.
  • PR 2/3 (draft, to follow): the ~36 inter-module project(...) api promotions that are genuinely public API.
  • PR 3/3 (draft, to follow, NOT for merge): the ~91 external-library api promotions DAGP suggests — shown for discussion; per the api-happiness concern these would leak transitively, so I'd keep them as implementation.

This PR's changes

  • Add com.autonomousapps.build-health plugin; dependencyAnalysis {} config set to severity('warn') (DAGP's default posture — reports advice, never fails the build).
  • Apply only safe advice: unused-dependency removals; implementation -> testImplementation corrections.
  • jwt-auth: keep jackson-databind as testImplementation (DAGP advises testRuntimeOnly, but tests compile against mock-oauth2-server's @JsonDeserialize annotations — demoting breaks compilation under -Werror); documented inline.
  • Force kotlin-metadata-jvm to match Solr's Kotlin so DAGP can analyze :solr:ui (Compose/KMP) — DAGP doesn't yet support Kotlin 2.4.0 metadata (Update kotlin-metadata-jvm to 2.3+ for Kotlin 2.4 support autonomousapps/dependency-analysis-gradle-plugin#1661); temporary until their fix ships.
  • Lockfiles regenerated.

Testing

gradlew check -x test passes.

AI assistance disclosure

Per AGENTS.md / how-to-contribute.adoc: prepared with an AI coding agent and reviewed by me for correctness, scope, and alignment with Solr's build conventions.

Completes the dependency-analysis follow-up deferred from the Gradle 9 upgrade
(SOLR-18289), which dropped the Gradle-9-incompatible ca.cutterslade.analyze
plugin. Adds the Dependency Analysis Gradle Plugin (com.autonomousapps
build-health) configured to REPORT (warn), not fail — its advice is guidance
for human review, not enforcement.

Applies only the uncontroversial advice:
 - removal of genuinely-unused dependency declarations
 - a few test-scope corrections (implementation -> testImplementation)

Deliberately NOT included here (left for separate case-by-case review):
 - implementation -> api promotions (DAGP is aggressive here; per dev@ these
   need human judgement, as liberal api is viral/transitive)

Also forces kotlin-metadata-jvm to match Solr's Kotlin so DAGP can analyze the
:solr:ui (Compose/KMP) module. Lockfiles regenerated.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant