RUST-133 Enable Gradle dependency locking #222

Merged
romainbrenguier merged 2 commits into master from romain/lockfile on Apr 24, 2026

Conversation

@romainbrenguier


Summary

  • enable Gradle dependency locking across all main projects
  • enable dependency locking for buildSrc
  • add the generated Gradle lockfiles

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Apr 24, 2026


RUST-133

@romainbrenguier romainbrenguier marked this pull request as ready for review April 24, 2026 05:41
@romainbrenguier romainbrenguier requested a review from a team as a code owner April 24, 2026 05:41
@sonar-review-alpha

sonar-review-alpha Bot commented Apr 24, 2026


Summary

This PR enables Gradle dependency locking for the Sonar Rust project. Dependency locking pins exact versions of transitive dependencies in lockfiles, ensuring reproducible builds and preventing unexpected dependency updates. The changes apply this feature across all main projects and the buildSrc configuration, and include the generated lockfiles needed for builds to use the locked versions.

This is a configuration/tooling change that improves build reproducibility with no changes to runtime functionality.

What reviewers should know

What to focus on:

  • Review the lockfile changes to ensure the locked dependency versions are sensible (no obvious mismatches or outdated pins)
  • Verify that dependency locking configuration is consistently applied across all main projects and buildSrc
  • Check if any documentation or CI/CD changes are needed to ensure developers understand to update lockfiles when adding/updating dependencies

Non-obvious aspects:

  • Lockfiles are typically generated artifacts rather than hand-edited—ensure the generation process is documented for team members
  • Gradle dependency locking requires using gradle.lockfile or similar patterns; verify the correct mechanism is used
  • This may impact local development workflows—developers must regenerate lockfiles when dependency declarations change

Gotchas:

  • If lockfiles are committed but not properly maintained, they can become stale and cause confusion
  • Ensure the PR doesn't lock problematic transitive dependencies (inspect key dependencies in the lockfiles)

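What the PR description ("enable Gradle dependency locking across all main projects" and "for buildSrc") and the review summary's points about lock mechanism and stale lockfiles amount to in build code, as an added example rather than the sonar-rust project's own files. The file layout, the STRICT lock mode, the buildscript-classpath locking and the CI staleness check are assumptions; the PR itself does not show its configuration.

```kotlin
// build.gradle.kts (root) -- added example, not the project's own build file.
import org.gradle.api.artifacts.dsl.LockMode

allprojects {
    dependencyLocking {
        // Every resolvable configuration is recorded in gradle.lockfile, so a
        // transitive version can only change when the lockfile changes.
        lockAllConfigurations()
        // STRICT is an assumption (the PR does not state its mode): a
        // configuration without lock state fails resolution instead of
        // silently picking the newest matching version.
        lockMode.set(LockMode.STRICT)
    }
}

// Also pin the plugins on the build script classpath, otherwise a plugin
// update can slip in even though all project dependencies are locked.
buildscript {
    configurations.classpath {
        resolutionStrategy.activateDependencyLocking()
    }
}

// buildSrc/build.gradle.kts -- buildSrc is a separate build, so it does not
// inherit the block above and needs its own, producing buildSrc/gradle.lockfile.
//
//   plugins { `kotlin-dsl` }
//   dependencyLocking { lockAllConfigurations() }

// Generating and refreshing lock state (run from the repository root):
//   ./gradlew dependencies --write-locks            # all main projects
//   ./gradlew -p buildSrc dependencies --write-locks # buildSrc
//   ./gradlew dependencies --update-locks org.example:lib  # bump one module only
//
// CI check for the "stale lockfile" gotcha from the review summary: regenerate
// and fail the job if the committed lockfiles no longer match what Gradle
// would write.
//   ./gradlew dependencies --write-locks && git diff --exit-code -- '*.lockfile'
```

With STRICT mode, adding a dependency without rerunning `--write-locks` fails the build locally rather than in CI, which is the behaviour the review summary's "developers must regenerate lockfiles" point is asking for.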


@sonarqube-next

Quality Gate passed for 'sonar-rust'

Issues
0 New issues
1 Fixed issue
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@sebastien-marichal sebastien-marichal left a comment


LGTM!

@romainbrenguier romainbrenguier merged commit 522e711 into master Apr 24, 2026
17 checks passed
@romainbrenguier romainbrenguier deleted the romain/lockfile branch April 24, 2026 14:02