Add allowlist test for packaged runtime JARs Track the set of third-party runtime dependencies that are bundled into the oauth plugin by generating a deterministic manifest for :oauth__plugin and diffing it against an allowlist in CI. This prevents accidental changes to the packaged dependency set and ensures that libraries already provided by Gerrit are not bundled into the plugin. Exclude org.slf4j:slf4j-api from the Maven dependencies since Gerrit ships it, avoiding duplicate classes and potential version skew in the plugin classloader. Change-Id: I625bd7f0d4a29ff68996b295562b5349ef4b7c55
diff --git a/.bazelrc b/.bazelrc index b799288..83ac6a4 100644 --- a/.bazelrc +++ b/.bazelrc
@@ -1,7 +1,7 @@ common --enable_bzlmod --lockfile_mode=error build --workspace_status_command="python3 ./tools/workspace_status.py" -test --build_tests_only +test --build_tests_only --test_output=errors build --java_language_version=21 build --java_runtime_version=remotejdk_21
diff --git a/BUILD b/BUILD index d0b4c45..a0f87a5 100644 --- a/BUILD +++ b/BUILD
@@ -3,6 +3,10 @@ "gerrit_plugin", "gerrit_plugin_tests", ) +load( + "@com_googlesource_gerrit_bazlets//tools:runtime_jars_allowlist.bzl", + "runtime_jars_allowlist_test", +) gerrit_plugin( name = "oauth", @@ -37,3 +41,10 @@ "@oauth_plugin_deps//:com_github_scribejava_scribejava_core", ], ) + +runtime_jars_allowlist_test( + name = "check_oauth_third_party_runtime_jars", + allowlist = ":oauth_third_party_runtime_jars.allowlist.txt", + hint = ":check_oauth_third_party_runtime_jars_manifest", + target = ":oauth__plugin", +)
diff --git a/MODULE.bazel b/MODULE.bazel index 80acb9a..d0fce9e 100644 --- a/MODULE.bazel +++ b/MODULE.bazel
@@ -4,7 +4,7 @@ bazel_dep(name = "com_googlesource_gerrit_bazlets") git_override( module_name = "com_googlesource_gerrit_bazlets", - commit = "6166cef56705308547a67ab28f61ee1c090915cc", + commit = "36fe0395b55eb127f85661c82fd26e4844fab060", remote = "https://gerrit.googlesource.com/bazlets", ) @@ -59,11 +59,13 @@ # avoid bundling it into the plugin and prevent duplicate classes # or version skew at runtime in Gerrit's plugin classloader. "commons-io:commons-io", - # com.sap.cloud.security.xsuaa:token-client depends on caffeine cache. - # Gerrit core already provides caffeine cache, so exclude it here to - # avoid bundling it into the plugin and prevent duplicate classes - # or version skew at runtime in Gerrit's plugin classloader. + # com.sap.cloud.security.xsuaa:token-client depends on caffeine cache, + # and slf4j-api. Gerrit core already provides caffeine cache and + # slf4j-api, so exclude it here to avoid bundling it into the plugin + # and prevent duplicate classes or version skew at runtime in Gerrit's + # plugin classloader. "com.github.ben-manes.caffeine:caffeine", + "org.slf4j:slf4j-api", ], fail_if_repin_required = True, fail_on_missing_checksum = True,
diff --git a/oauth_third_party_runtime_jars.allowlist.txt b/oauth_third_party_runtime_jars.allowlist.txt new file mode 100644 index 0000000..15953aa --- /dev/null +++ b/oauth_third_party_runtime_jars.allowlist.txt
@@ -0,0 +1,15 @@ +env +jackson-annotations +jackson-core +jackson-databind +java-access-api +java-api +java-consumption-api +java-core-api +java-sap-service-operator +java-sap-vcap-services +java-security +json +scribejava-apis +scribejava-core +token-client
diff --git a/src/main/resources/Documentation/build.md b/src/main/resources/Documentation/build.md index 717e0b8..763ad49 100644 --- a/src/main/resources/Documentation/build.md +++ b/src/main/resources/Documentation/build.md
@@ -8,6 +8,36 @@ The standalone build mode is recommended, as this mode doesn't require the Gerrit tree to exist locally. +### Packaged runtime JAR allowlist test + +This plugin tracks the set of third-party runtime JARs that are bundled into the plugin JAR. +A deterministic, version-agnostic manifest is generated from the plugin’s runtime classpath and +compared against the checked-in allowlist: + +`oauth_third_party_runtime_jars.allowlist.txt` + +This acts as a guardrail to detect unintended changes to the packaged runtime dependency set. + +To run the check (standalone or in Gerrit tree): + +```bash +bazelisk test //:check_oauth_third_party_runtime_jars +``` + +#### Updating the allowlist + +If the test fails because the packaged third-party JAR set changed, the plugin’s bundled runtime +dependencies have changed. + +If the change is expected and has been reviewed, refresh the allowlist: + +```bash +bazelisk build //:oauth_third_party_runtime_jars.txt +cp bazel-bin/oauth_third_party_runtime_jars.txt oauth_third_party_runtime_jars.allowlist.txt +``` + +Commit the updated allowlist along with the dependency change. + ### Build standalone Clone the plugin: