os icon indicating copy to clipboard operation
os copied to clipboard
verified publisher icon wolfi-dev

gradle-8: use libraries while building gradle

Open kranurag7 opened this issue 7 months ago • 2 comments

kranurag7 avatar Jun 12 '25 16:06 kranurag7

📦 Build Failed: Missing Dependency

Could not download kotlin-compiler-embeddable-2.0.21.jar (org.jetbrains.kotlin:kotlin-compiler-embeddable:2.0.21) > Could not get resource 'https://libraries.cgr.dev/java-all/org/jetbrains/kotlin/kotlin-compiler-embeddable/2.0.21/kotlin-compiler-embeddable-2.0.21.jar'.

Build Details

Category Details
Build System Gradle
Failure Point ./gradlew :distributions-full:binDistributionZip

Root Cause Analysis 🔍

The build failed because it couldn't download a required dependency (kotlin-compiler-embeddable-2.0.21.jar) from the Chainguard repository. The server returned a 500 Internal Server Error when attempting to download the file, indicating a server-side issue with the repository rather than a problem with the build configuration itself.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: pipeline

  • add at line between 'rm gradle/gradle-daemon-jvm.properties' and './gradlew :distributions-full:binDistributionZip' (before ./gradlew :distributions-full:binDistributionZip) Original: 
./gradlew :distributions-full:binDistributionZip

Replacement:

./gradlew --init-script init.gradle :distributions-full:binDistributionZip

Content:

      # Create an init script to configure additional repositories
      cat > init.gradle << 'EOF'
      allprojects {
          repositories {
              // Add additional Maven repositories to find dependencies
              mavenCentral()
              maven { url "https://repo.maven.apache.org/maven2/" }
              maven { url "https://plugins.gradle.org/m2/" }
              // Keep the Chainguard repo as a fallback
              maven { url "https://libraries.cgr.dev/java-all/" }
          }
      }
      EOF

      # Use the init script when running gradle
Click to expand fix analysis

Analysis

The build failure shows that Gradle is failing to download the kotlin-compiler-embeddable-2.0.21.jar dependency from the Chainguard repository (libraries.cgr.dev). The error indicates a server-side issue (500 Internal Server Error) rather than a configuration problem. Since the error is related to accessing a specific dependency from a potentially unreliable or unavailable source, the solution should focus on:

  1. Ensuring that the build can access the required dependency through alternative repositories
  2. Configuring Gradle to use reliable Maven repositories that contain the Kotlin compiler dependency
  3. Following Wolfi's principle of keeping packages up-to-date with upstream releases
Click to expand fix explanation

Explanation

The build failure occurs because Gradle cannot download the kotlin-compiler-embeddable-2.0.21.jar dependency from the Chainguard repository (libraries.cgr.dev). The 500 Internal Server Error indicates a server-side issue with the repository.

The suggested fix creates a Gradle init script that configures additional Maven repositories for dependency resolution. This approach:

  1. Adds the official Maven Central repository (mavenCentral()) which is the primary source for Java/Kotlin dependencies
  2. Adds the Apache Maven repository as a backup source
  3. Adds the Gradle plugins repository which may also host Kotlin compiler dependencies
  4. Keeps the Chainguard repository as a fallback option

By providing multiple repository sources, Gradle will try each repository in order until it finds the required dependency. This redundancy makes the build more resilient against temporary outages or issues with any single repository.

The fix is minimal and non-invasive, requiring no permanent changes to the project's build files. It only affects the build process during the package creation and won't impact the final package itself.

This approach aligns with Wolfi's principles by:

  • Maintaining the use of the latest version of dependencies
  • Ensuring the build process is reliable by providing alternative sources
  • Not requiring any complex caching mechanisms in the ephemeral build environment
Click to expand alternative approaches

Alternative Approaches

  • Add a local Maven repository mirror as a dependency in the environment section to have a more controlled source for dependencies
  • Modify the build to pre-download the specific Kotlin compiler JAR using curl or wget before running the Gradle build
  • Create a custom repository configuration file (settings.gradle) that overrides the default repositories
  • Configure Gradle to use offline mode with previously downloaded dependencies, but this would require setting up a more complex caching mechanism

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

octo-sts[bot] avatar Jun 12 '25 16:06 octo-sts[bot]

This Pull Request is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.

github-actions[bot] avatar Nov 21 '25 01:11 github-actions[bot]