Skip to content

Align package versions to Renovate changes in Core#616

Merged
fdevans merged 5 commits into
mainfrom
renovate-alignment
Jul 1, 2026
Merged

Align package versions to Renovate changes in Core#616
fdevans merged 5 commits into
mainfrom
renovate-alignment

Conversation

@fdevans

@fdevans fdevans commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Release Notes

Updated the Rundeck CLI's build dependencies and plugins to match the versions managed by Renovate in Rundeck Core, keeping the CLI in step with Core (now tracking the 6.1 line) and incorporating routine maintenance updates to its underlying libraries.

PR Details

Version alignment (gradle/libs.versions.toml)

Aligns the version catalog with Renovate-driven changes in Core:

  • Groovy: 4.0.304.0.32
  • Axion Release plugin: 1.15.51.21.2
  • Jackson Databind: 2.21.22.22.0
  • Byte Buddy: 1.15.111.18.10
  • Rundeck Core authz libraries: 6.0.0-alpha1-202604076.1.0-SNAPSHOT

Dependency verification updates (gradle/verification-metadata.xml)

The version bumps required regenerating Gradle's dependency verification metadata. While doing so, the verification policy was tuned to eliminate recurring, non-security-related build breakage:

  • Switched from PGP signature verification to strict SHA-256 checksum verification. Signature verification relies on public keyservers that are frequently unreachable in CI (the file already carried a dozen "key couldn't be downloaded" workarounds). Every third-party artifact is still cryptographically verified by checksum, and the build still runs in strict mode.
  • Added a trust rule for org.rundeck *-SNAPSHOT artifacts. Core snapshots are republished with a new checksum on every build, so pinning them is inherently fragile and caused repeated failures; they're now trusted via their source repository instead of a pinned checksum.
  • Regenerated checksums against a clean Gradle home so the Gradle Module Metadata (.module) files served by the plugin classpath repository (junit-bom, spring-framework-bom, groovy-bom, Jackson BOMs) are captured — fixing strict-verification failures that only surface on fresh CI environments.

Verification

./gradlew build --dependency-verification strict passes against a clean Gradle user home, reproducing CI conditions.

@fdevans fdevans requested review from a team and Copilot July 1, 2026 17:07

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Gradle version catalog to align dependency/plugin versions with Renovate-driven changes from Core, ensuring this repo pulls the same upstream component versions.

Changes:

  • Bump Groovy from 4.0.30 to 4.0.32
  • Update several build/runtime dependencies (Axion Release plugin, Jackson Databind, Byte Buddy)
  • Switch Rundeck dependency from 6.0.0-alpha1-20260407 to 6.1.0-SNAPSHOT

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread gradle/libs.versions.toml
fdevans added 4 commits July 1, 2026 10:31
The Get RPM Version step used sed 's/-/./' which only replaces the first
dash, while build.gradle names packages with replaceAll('-', '.'). On
branches whose axion version contains multiple dashes (e.g.
2.1.2-renovate-alignment-SNAPSHOT) the computed path no longer matched the
built .deb/.rpm, so upload-artifact found no files and the install-test
jobs failed to download the artifacts. Use the global sed flag so the
version matches the packaged filenames.
Add if-no-files-found: error to the release artifact upload steps so a
version/path mismatch fails the build job loudly instead of silently
uploading nothing and breaking the downstream install-test jobs.

@ncofreortiz-hub ncofreortiz-hub left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fdevans fdevans merged commit 418877b into main Jul 1, 2026
10 checks passed
@fdevans fdevans deleted the renovate-alignment branch July 1, 2026 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants