add check to diff pom files and see if any dependency is downgraded (firebase#4719)

* add check to diff pom files and see if any dependency is downgraded * update revert * add copyright * update * Update buildSrc/src/main/java/com/google/firebase/gradle/plugins/GmavenHelper.kt Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com> * Update buildSrc/src/main/java/com/google/firebase/gradle/plugins/GmavenHelper.kt Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com> * Update buildSrc/src/main/java/com/google/firebase/gradle/plugins/GmavenHelper.kt Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com> * update * Update buildSrc/src/main/java/com/google/firebase/gradle/plugins/PomValidator.kt Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com> * update --------- Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>

Author: VinayGuthal

.github/workflows/validate-dependencies.yml

@@ -0,0 +1,17 @@
+name: Validate Artifact Dependencies
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - 'releases/**'
+
+jobs:
+ build-artifacts:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Perform gradle build
+ run: |
+ ./gradlew validatePomForRelease -PpublishConfigFilePath=release.cfg -PpublishMode=RELEASE -PincludeFireEscapeArtifacts=true

buildSrc/src/main/java/com/google/firebase/gradle/plugins/BaseFirebaseLibraryPlugin.kt

@@ -72,6 +72,15 @@ abstract class BaseFirebaseLibraryPlugin : Plugin<Project> {
  return apiInfo
  }
 
+ protected fun getIsPomValidTask(project: Project, firebaseLibrary: FirebaseLibraryExtension) {
+ project.tasks.register<PomValidator>("isPomDependencyValid") {
+ pomFilePath.value(project.file("build/publications/mavenAar/pom-default.xml"))
+ groupId.value(firebaseLibrary.groupId.get())
+ artifactId.value(firebaseLibrary.artifactId.get())
+ dependsOn("generatePomFileForMavenAarPublication")
+ }
+ }
+
  protected fun getGenerateApiTxt(project: Project, srcDirs: Set<File>) =
  project.tasks.register<GenerateApiTxtTask>("generateApiTxtFile") {
  sources.value(project.provider { srcDirs })

buildSrc/src/main/java/com/google/firebase/gradle/plugins/FirebaseJavaLibraryPlugin.kt

@@ -47,6 +47,7 @@ class FirebaseJavaLibraryPlugin : BaseFirebaseLibraryPlugin() {
 
  setupStaticAnalysis(project, firebaseLibrary)
  setupApiInformationAnalysis(project)
+ getIsPomValidTask(project, firebaseLibrary)
  configurePublishing(project, firebaseLibrary)
  }
 
@@ -55,6 +56,7 @@ class FirebaseJavaLibraryPlugin : BaseFirebaseLibraryPlugin() {
  project.convention.getPlugin<JavaPluginConvention>().sourceSets.getByName("main").java.srcDirs
 
  val apiInfo = getApiInfo(project, srcDirs)
+
  val generateApiTxt = getGenerateApiTxt(project, srcDirs)
  val docStubs = getDocStubs(project, srcDirs)
 

buildSrc/src/main/java/com/google/firebase/gradle/plugins/FirebaseLibraryPlugin.kt

@@ -79,6 +79,7 @@ class FirebaseLibraryPlugin : BaseFirebaseLibraryPlugin() {
  setupApiInformationAnalysis(project, android)
  android.testServer(FirebaseTestServer(project, firebaseLibrary.testLab, android))
  setupStaticAnalysis(project, firebaseLibrary)
+ getIsPomValidTask(project, firebaseLibrary)
  configurePublishing(project, firebaseLibrary, android)
  }
 

buildSrc/src/main/java/com/google/firebase/gradle/plugins/GmavenHelper.kt

@@ -0,0 +1,40 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.gradle.plugins
+
+import java.net.URL
+import javax.xml.parsers.DocumentBuilder
+import javax.xml.parsers.DocumentBuilderFactory
+import org.w3c.dom.Document
+
+class GmavenHelper(val groupId: String, val artifactId: String) {
+ val GMAVEN_ROOT = "https://dl.google.com/dl/android/maven2"
+
+ fun getPomFileForVersion(version: String): String {
+ val pomFileName = "${artifactId}-${version}.pom"
+ val groupIdAsPath = groupId.replace(".", "/")
+ return "${GMAVEN_ROOT}/${groupIdAsPath}/${artifactId}/${version}/${pomFileName}"
+ }
+
+ fun getLatestReleasedVersion(): String {
+ val groupIdAsPath = groupId.replace(".", "/")
+ val mavenMetadataUrl = "${GMAVEN_ROOT}/${groupIdAsPath}/${artifactId}/maven-metadata.xml"
+ val factory: DocumentBuilderFactory = DocumentBuilderFactory.newInstance()
+ val builder: DocumentBuilder = factory.newDocumentBuilder()
+ val doc: Document = builder.parse(URL(mavenMetadataUrl).openStream())
+ doc.documentElement.normalize()
+ return doc.getElementsByTagName("latest").item(0).getTextContent()
+ }
+}

buildSrc/src/main/java/com/google/firebase/gradle/plugins/PomValidator.kt

@@ -0,0 +1,78 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.firebase.gradle.plugins
+
+import java.io.File
+import java.net.URL
+import javax.xml.parsers.DocumentBuilder
+import javax.xml.parsers.DocumentBuilderFactory
+import org.gradle.api.DefaultTask
+import org.gradle.api.GradleException
+import org.gradle.api.provider.Property
+import org.gradle.api.tasks.Input
+import org.gradle.api.tasks.InputFile
+import org.gradle.api.tasks.TaskAction
+import org.w3c.dom.Document
+import org.w3c.dom.Element
+import org.w3c.dom.Node
+import org.w3c.dom.NodeList
+
+abstract class PomValidator : DefaultTask() {
+ @get:InputFile abstract val pomFilePath: Property<File>
+ @get:Input abstract val artifactId: Property<String>
+ @get:Input abstract val groupId: Property<String>
+
+ @TaskAction
+ fun run() {
+ val gMavenHelper = GmavenHelper(groupId.get(), artifactId.get())
+ val latestReleasedVersion = gMavenHelper.getLatestReleasedVersion()
+ val releasedVersionPomUrl = gMavenHelper.getPomFileForVersion(latestReleasedVersion)
+ var output: String = diffWithPomFileUrl(releasedVersionPomUrl).trim()
+ if (output.isNotEmpty()) {
+ throw GradleException("${output}\nPlease fix the above errors")
+ }
+ }
+
+ fun getMapFromXml(pomNodeList: NodeList): Map<String, String> {
+ val pomMap = mutableMapOf<String, String>()
+ for (i in 0..pomNodeList.length - 1) {
+ val node: Node = pomNodeList.item(i)
+ if (node.getNodeType() == Node.ELEMENT_NODE) {
+ val element = node as Element
+ val artifact = element.getElementsByTagName("artifactId").item(0).getTextContent()
+ val version = element.getElementsByTagName("version").item(0).getTextContent()
+ pomMap[artifact] = version
+ }
+ }
+ return pomMap
+ }
+
+ fun diffWithPomFileUrl(pomUrl: String): String {
+ val factory: DocumentBuilderFactory = DocumentBuilderFactory.newInstance()
+ val oldPomBuilder: DocumentBuilder = factory.newDocumentBuilder()
+ val oldPomDoc: Document = oldPomBuilder.parse(URL(pomUrl).openStream())
+ val currentPomBuilder: DocumentBuilder = factory.newDocumentBuilder()
+ val currentPomDoc: Document = currentPomBuilder.parse(pomFilePath.get())
+ val oldPomMap = getMapFromXml(oldPomDoc.getElementsByTagName("dependency"))
+ val currentPomMap = getMapFromXml(currentPomDoc.getElementsByTagName("dependency"))
+
+ return currentPomMap
+ .filter {
+ (oldPomMap.get(it.key) != null) && (oldPomMap.get(it.key)!!.trim()) > it.value.trim()
+ }
+ .map { "Artifacts ${it.key} has been degraded to ${it.value} from ${oldPomMap.get(it.key)}" }
+ .joinToString("\n")
+ }
+}

buildSrc/src/main/java/com/google/firebase/gradle/plugins/publish/PublishingPlugin.java

@@ -134,6 +134,15 @@ public void apply(Project project) {
  .set("projectsToPublish", projectsToPublish);
 
  Publisher publisher = new Publisher(publishMode, projectsToPublish);
+ project
+ .getTasks()
+ .create(
+ "validatePomForRelease",
+ t -> {
+ for (FirebaseLibraryExtension toPublish : projectsToPublish) {
+ t.dependsOn(toPublish.getPath() + ":isPomDependencyValid");
+ }
+ });
  project.subprojects(
  sub -> {
  FirebaseLibraryExtension firebaseLibrary =