feat(gradle): implement gradle tools (#741)

* feat(gradle): implement gradle tools

- feat: implement extension dsl for jpms plugin
- feat: implement extension dsl for mrjar plugin
- feat: implement non-modular mrjar tasks
- test: fix or implement tests for mrjar plugin
- test: ungate several existing mrjar plugin tests
- fix: kotlin gradle plugin deprecations
- fix: plugin sample classpath resolution
- fix: drop lockfiles until release
- fix: drop verification metadata until release
- chore: upgrade kotlin → `2.0.21`
- chore: upgrade gradle → `8.12.1`

Signed-off-by: Sam Gammon <[email protected]>

* chore: ci jobs for gradle plugins

Signed-off-by: Sam Gammon <[email protected]>

* fixup! ci updates

Signed-off-by: Sam Gammon <[email protected]>

* chore: upgrades to gradle workflow

Signed-off-by: Sam Gammon <[email protected]>

* fixup! gradle sucks and hates their users

Signed-off-by: Sam Gammon <[email protected]>

* fixup! cleanup gradle mrjar tests

Signed-off-by: Sam Gammon <[email protected]>

* chore(gradle): `jmod` configuration extension

Signed-off-by: Sam Gammon <[email protected]>

---------

Signed-off-by: Sam Gammon <[email protected]>

Author: sgammon

.github/workflows/conventions.yml

@@ -1,4 +1,4 @@
-name: "Gradle Conventions"
+name: "Gradle"
 
 concurrency:
   group: build-conventions-${{ github.head_ref || github.run_id }}
@@ -13,7 +13,7 @@ on:
     branches:
       - main
     paths:
-      - ".github/workflows/conventions.yaml"
+      - ".github/workflows/conventions.yml"
       - "gradle/catalogs"
       - "gradle/plugins"
       - "gradle/"
@@ -34,14 +34,15 @@ on:
       - "actions/*/*.yml"
       - "containers/*/*.yaml"
       - "containers/*/*.yml"
+      - "gradle/*"
 
 permissions:
   contents: read
 
 jobs:
   ## Task: Build convention plugins with re-usable Gradle workflow
-  build-conventions:
-    name: "Build"
+  build-plugins:
+    name: "Plugins"
     uses: ./.github/workflows/jvm.gradle.yml
     permissions:
       actions: read
@@ -50,10 +51,10 @@ jobs:
       pull-requests: read
       id-token: write
     with:
-      action: "build test check"
+      action: check
       jvm: "21"
-      checks: false
+      checks: true
       cache_local: true
-      flags: "--no-configuration-cache --stacktrace -Porg.gradle.unsafe.isolated-projects=false -Dorg.gradle.unsafe.isolated-projects=false"
-      graph: "disabled"
+      flags: "--no-configuration-cache --stacktrace"
+      graph: disabled
       scan: true

.github/workflows/jvm.gradle.yml

@@ -172,6 +172,20 @@ on:
         type: string
         default: audit
 
+      ## Endpoints to allow.
+      endpoints:
+        description: "Endpoints"
+        required: false
+        type: string
+        default: 'github.com:443'
+
+      ## Whether to disable sudo.
+      sudoless:
+        description: "Disable Sudo"
+        required: false
+        type: boolean
+        default: true
+
       ## Outputs to include in assertions.
       outputs:
         description: "Outputs"
@@ -241,47 +255,34 @@ jobs:
       pull-requests: "read"
     steps:
       - name: "Setup: Harden Runner"
-        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: ${{ inputs.network || 'audit' }}
+          disable-sudo: ${{ inputs.sudoless }}
+          allowed-endpoints: ${{ inputs.endpoints }}
       - name: "Setup: Checkout"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - name: "Setup: Buildless"
-        uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0  # v1.0.2
-      - name: "Setup: Cache"
-        uses: buildless/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
-        if: inputs.cache_action
-        with:
-          path: |
-            ./build
-            ~/.konan
-            ~/.gradle/caches
-            ~/.gradle/notifications
-            ~/.gradle/jdks
-          key: ${{ runner.os }}-gradlebuild-${{ hashFiles('**/*.versions.toml', 'settings.gradle.kts') }}
-          restore-keys: ${{ runner.os }}-gradlebuild-
       - name: "Setup: JDK ${{ env.JVM_VERSION }}"
-        uses: buildless/setup-java@3232623d9c428cc5f228a01a2ae8d2d70f79775e # v4.0.0
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         if: inputs.install_jvm
         with:
           distribution: ${{ env.JVM_DIST }}
           java-version: ${{ env.JVM_VERSION }}
       - name: "Setup: GraalVM"
-        uses: buildless/setup-graalvm@b8dc5fccfbc65b21dd26e8341e7b21c86547f61b # v1.1.5
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         if: inputs.install_gvm
         with:
           distribution: ${{ env.GVM_DIST || 'graalvm' }}
           java-version: ${{ env.JVM_VERSION }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          gds-token: ${{ secrets.GDS_TOKEN }}
-      - name: "Check: Gradle Wrapper"
+      - name: "Setup: Check Gradle Wrapper"
         uses: gradle/wrapper-validation-action@f9c9c575b8b21b6485636a91ffecd10e558c62f6 # v3.5.0
         if: inputs.checks
-      - name: "Build: Gradle"
+      - name: "Setup: Gradle"
         continue-on-error: ${{ inputs.labs || false }}
-        uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v2
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
         id: gradlebuild
         env:
           CI: true
@@ -292,25 +293,27 @@ jobs:
           cache-read-only: ${{ inputs.cache_read_only || false }}
           dependency-graph: ${{ inputs.graph }}
           build-scan-publish: ${{ inputs.scan }}
-          build-scan-terms-of-service-url: "https://gradle.com/terms-of-service"
-          build-scan-terms-of-service-agree: ${{ inputs.scan && 'yes' || 'no' }}
-          arguments: |
-            ${{ inputs.action || 'build' }}
-            ${{ inputs.flags }}
+          build-scan-terms-of-use-url: "https://gradle.com/terms-of-service"
+          build-scan-terms-of-use-agree: ${{ inputs.scan && 'yes' || 'no' }}
+      - name: "Build: Gradle"
+        run: |
+          ./gradlew \
+            ${{ inputs.action || 'build' }} \
+            ${{ inputs.flags }} \
             -Pci=true
       - name: "Build: Provenance Subject"
         id: hash
         run: |
           echo "hashes=$(sha256sum ${{ inputs.outputs }} | base64 -w0)" >> "$GITHUB_OUTPUT"
       - name: "Report: Codecov"
-        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
         if: inputs.coverage
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ${{ inputs.coverage_report }}
           flags: ${{ inputs.coverage_flags }}
       - name: "Publish: Build Artifacts"
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: inputs.artifacts
         with:
           name: ${{ inputs.artifact }}

build.gradle.kts

@@ -22,7 +22,7 @@ plugins {
   `test-report-aggregation`
 
   alias(core.plugins.gradle.checksum)
-  alias(core.plugins.gradle.doctor)
+  alias(core.plugins.gradle.doctor) apply false
   alias(core.plugins.versions)
   alias(libs.plugins.dependencyAnalysis)
   id(core.plugins.kotlin.multiplatform.get().pluginId) apply false

config/detekt/detekt.yml

@@ -106,7 +106,7 @@ complexity:
     ignoreOverloaded: false
   CyclomaticComplexMethod:
     active: true
-    threshold: 15
+    threshold: 85
     ignoreSingleWhenExpression: false
     ignoreSimpleWhenEntries: false
     ignoreNestingFunctions: false
@@ -128,11 +128,11 @@ complexity:
     threshold: 600
   LongMethod:
     active: true
-    threshold: 60
+    threshold: 120
   LongParameterList:
     active: true
-    functionThreshold: 6
-    constructorThreshold: 7
+    functionThreshold: 12
+    constructorThreshold: 15
     ignoreDefaultParameters: false
     ignoreDataClasses: true
     ignoreAnnotatedParameter: []

gradle.properties

@@ -16,14 +16,14 @@ build-infra.prepack=true
 build-infra.plugins=base,jpms,mrjar,jmod,jlink,gha,graalvm
 
 # build conventions: jvm
-conventions.jvm.target=17
+conventions.jvm.target=21
 conventions.jvm.toolchain=21
 
 # build conventions: kotlin
-conventions.kotlin.version=1.9.22
-conventions.kotlin.api=1.9
-conventions.kotlin.language=1.9
-conventions.kotlin.jvm.target=17
+conventions.kotlin.version=2.0.21
+conventions.kotlin.api=2.0
+conventions.kotlin.language=2.0
+conventions.kotlin.jvm.target=21
 
 # kotlin settings
 kotlin.parallel.tasks.in.project=true
@@ -43,7 +43,7 @@ kotlin.build.report.include_compiler_arguments=true
 # gradle settings
 org.gradle.caching=true
 org.gradle.unsafe.isolated-projects=false
-org.gradle.configuration-cache=true
+org.gradle.configuration-cache=false
 org.gradle.configuration-cache-problems=warn
 org.gradle.dependency-verification=lenient
 org.gradle.jvmargs=-XX:+UseParallelGC \

gradle/build-infra/build.gradle.kts

@@ -50,7 +50,7 @@ group = "dev.elide.infra"
 // Build infra targets; does not apply to shipped/published targets.
 val buildTimeJvmTarget = JvmTarget.JVM_21
 val buildTimeJavaTarget = JavaVersion.VERSION_21
-val buildTimeKotlinTarget = KotlinVersion.KOTLIN_1_9
+val buildTimeKotlinTarget = KotlinVersion.KOTLIN_2_0
 
 java {
   sourceCompatibility = buildTimeJavaTarget