[DNM] Add Develocity build scan plugin#5379
Adds the Develocity Gradle plugin (v4.4.1) to publish build scans on every build, making it easier to debug and analyze build performance. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Instructions and example for changelog
Please add an entry to
Example:
## Unreleased
### Features
- [DNM] Add Develocity build scan plugin ([#5379](https://github.com/getsentry/sentry-java/pull/5379))
If none of the above apply, you can opt out of this check by adding
romtsn left a comment:
I'm not sure, but I feel like this potentially needs to go through #discuss-legal first?
Lower maxHeapSize from 2g to 1g for all tests in the root build. Remove duplicated maxParallelForks and heap settings from sample project systemTest tasks since they inherit from the root config. Use typed tasks.named<Test> where applicable. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| termsOfUseAgree.set("yes") | ||
| publishing.onlyIf { true } | ||
| } | ||
| } |
Build scans unconditionally published to external service
Medium Severity
The Develocity configuration uses publishing.onlyIf { true }, which unconditionally publishes build scan data to Gradle's cloud servers on every build. Build scans can include environment variables, system properties, and file paths. This also automatically accepts the terms of service via termsOfUseAgree.set("yes") without any user awareness, which affects all contributors.
Reviewed by Cursor Bugbot for commit 9b87d20.
| develocity { | ||
| buildScan { | ||
| termsOfUseUrl.set("https://gradle.com/help/legal-terms-of-use") | ||
| termsOfUseAgree.set("yes") | ||
| publishing.onlyIf { true } | ||
| } |
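Review bot: `publishing.onlyIf { true }` on the last line of this hunk has no CI gate, so builds on local developer machines also upload scan data (environment variables, system properties, file paths) to the default public endpoint; gate it on the CI environment, e.g. `publishing.onlyIf { System.getenv("CI") != null }`, and revisit `termsOfUseAgree.set("yes")`, which records acceptance of the linked terms for every contributor's build without their involvement (the thread already raises #discuss-legal for this).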
Bug: The Develocity configuration unconditionally publishes build scans to a public server for all builds, including local ones, exposing potentially sensitive environment data.
Severity: HIGH
Suggested Fix
Modify the publishing.onlyIf condition to only be true for CI/CD environments, not local builds. For example, check for a specific environment variable like CI. This will prevent local developer build data from being publicly uploaded.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: settings.gradle.kts#L14-L19
Potential issue: The Develocity build scan configuration in `settings.gradle.kts` is set
to always publish scans by using `publishing.onlyIf { true }`. Since a private server is
not specified, these scans are uploaded to the public Gradle server
(`scans.gradle.com`). This applies to all builds, including those run on local developer
machines, and can expose sensitive information like local usernames, file paths, and
operating system details without explicit user consent for each build.
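A hardened version of the `settings.gradle.kts` block discussed in the comments above, written here as an added example rather than the PR's own code. It keeps the two settings visible on the page (`termsOfUseUrl`, `termsOfUseAgree`), replaces the unconditional `publishing.onlyIf { true }` with a CI gate, and adds scrubbing of host identity and console output. The `obfuscation`, `capture`, `uploadInBackground` and `server` APIs are assumed Develocity plugin APIs that do not appear on the page, and the `CI` environment variable is assumed to be set by the CI runner.

```kotlin
// Added example: hardened Develocity build-scan configuration for settings.gradle.kts.
// Not the PR's code. Assumes the Develocity Gradle plugin is applied in the plugins {}
// block and that the CI runner sets the CI environment variable (GitHub Actions does).
val isCi = !System.getenv("CI").isNullOrBlank()

develocity {
    // Assumed API: point at a private Develocity instance when one exists. Without it,
    // scans go to the public scans.gradle.com endpoint flagged in the review comment.
    // server.set("https://develocity.example.invalid") // placeholder, not a real host

    buildScan {
        termsOfUseUrl.set("https://gradle.com/help/legal-terms-of-use")

        // Accept the public-instance terms only on CI, where the organisation rather
        // than an individual contributor is the party agreeing to them.
        if (isCi) {
            termsOfUseAgree.set("yes")
        }

        // Publish only from CI; local builds never upload scan data.
        publishing.onlyIf { isCi }

        // Assumed API: scrub identifying host data before upload.
        obfuscation {
            username { "redacted" }
            hostname { "redacted" }
            ipAddresses { addresses -> addresses.map { "0.0.0.0" } }
        }

        // Assumed API: keep build and test console output out of the scan, where
        // secrets printed by tasks or tests would otherwise be captured.
        capture {
            buildLogging.set(false)
            testLogging.set(false)
        }

        // Assumed API: upload in the foreground on CI so the agent does not exit
        // before the upload completes; background upload is fine for local builds.
        uploadInBackground.set(!isCi)

        if (isCi) {
            tag("CI")
        }
    }
}
```

The gate variable is computed once at the top so the same condition drives terms acceptance, publishing and tagging; if the project later adds a private `server`, the obfuscation and capture settings still apply there.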
Let Gradle use its default heap settings for test JVMs rather than explicitly capping them. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| outputs.upToDateWhen { false } | ||
|
|
||
| maxParallelForks = 1 | ||
|
|
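Review bot: dropping `maxParallelForks = 1` in this hunk changes how the system tests execute (Gradle's default fork count is CPU-based), which is unrelated to the plugin addition described in the PR; either restore the line or split the change into its own PR that states how shared ports and servers are handled when forks run in parallel.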
System tests lose sequential execution guarantee
Medium Severity
maxParallelForks = 1 was removed from all system test task configurations across ~20 sample modules. System tests interact with real servers and shared resources like network ports. Without this constraint, Gradle may fork multiple test processes in parallel (default is based on CPU count), causing port conflicts and flaky test failures. This change is unrelated to the Develocity plugin and appears accidental.
Reviewed by Cursor Bugbot for commit 0d72252.
Run tests + coverage and lint/verification as separate parallel CI jobs to reduce wall-clock time. Spotless will move to its own workflow. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Configure minHeapSize, maxHeapSize, and maxParallelForks for sentry-android-core, sentry-spring-boot, and sentry-spring-boot-4. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| koverXmlReportRelease | ||
| -x :sentry-spring-boot:test | ||
| -x :sentry-spring-boot-jakarta:test | ||
| -x :sentry-spring-boot-4:test |
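Review bot: the three `-x ...:test` exclusions in this hunk remove the Spring Boot unit tests from the only job that runs Gradle tests, so they stop running anywhere in CI; either drop the exclusions or add a job that runs `:sentry-spring-boot:test`, `:sentry-spring-boot-jakarta:test` and `:sentry-spring-boot-4:test` explicitly.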
Spring Boot module unit tests excluded from CI
High Severity
The test job explicitly excludes unit tests for :sentry-spring-boot, :sentry-spring-boot-jakarta, and :sentry-spring-boot-4 via -x flags. Previously, make preMerge ran ./gradlew check which included all module tests. The Spring Boot matrix workflows only run system tests (Python-based), not these Gradle unit tests, so these unit tests are no longer executed anywhere in CI.
Reviewed by Cursor Bugbot for commit 72134fd.
| ./gradlew | ||
| apiCheck | ||
| animalsnifferMain | ||
| lint |
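Review bot: the task list in this hunk (`apiCheck`, `animalsnifferMain`, `lint`) leaves out `detekt`, which the replaced `./gradlew check` invocation ran; add `detekt` to the argument list or keep `check` so the static analysis configured in build.gradle.kts still gates merges.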
CI lint job missing detekt static analysis checks
Medium Severity
The new lint job only runs apiCheck, animalsnifferMain, and lint. The old workflow ran ./gradlew check which also executed detekt (configured in build.gradle.kts with custom rules from detekt.yml). The detekt static analysis is no longer run in CI, allowing code quality regressions to pass undetected.
Reviewed by Cursor Bugbot for commit 72134fd.
Performance metrics 🚀
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 2195398 | 319.02 ms | 342.38 ms | 23.36 ms |
| d364ace | 411.72 ms | 430.81 ms | 19.10 ms |
| d15471f | 286.65 ms | 314.68 ms | 28.03 ms |
| ff8eea4 | 313.42 ms | 337.08 ms | 23.66 ms |
| 17a0955 | 372.53 ms | 446.70 ms | 74.17 ms |
| 23d6b12 | 354.10 ms | 408.38 ms | 54.28 ms |
| cf708bd | 408.35 ms | 458.98 ms | 50.63 ms |
| 6edfca2 | 305.52 ms | 432.78 ms | 127.26 ms |
| 72020f8 | 312.32 ms | 370.94 ms | 58.62 ms |
| 6b019b7 | 343.31 ms | 417.23 ms | 73.91 ms |
App size
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 2195398 | 0 B | 0 B | 0 B |
| d364ace | 1.58 MiB | 2.11 MiB | 539.75 KiB |
| d15471f | 1.58 MiB | 2.13 MiB | 559.54 KiB |
| ff8eea4 | 1.58 MiB | 2.28 MiB | 718.64 KiB |
| 17a0955 | 1.58 MiB | 2.10 MiB | 533.20 KiB |
| 23d6b12 | 1.58 MiB | 2.10 MiB | 532.31 KiB |
| cf708bd | 1.58 MiB | 2.11 MiB | 539.71 KiB |
| 6edfca2 | 1.58 MiB | 2.13 MiB | 559.07 KiB |
| 72020f8 | 1.58 MiB | 2.19 MiB | 620.21 KiB |
| 6b019b7 | 0 B | 0 B | 0 B |
Remove maxParallelForks from per-module test config and add heap size settings to sentry-android-replay. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 5 total unresolved issues (including 4 from previous reviews).
Reviewed by Cursor Bugbot for commit d89823c.
| } | ||
| } | ||
|
|
||
| tasks.withType<Test>().configureEach {} |
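Review bot: `tasks.withType<Test>().configureEach {}` in this hunk has an empty body and configures nothing; either delete it or move the intended heap settings into it, noting that the root `allprojects` block already sets test heap sizes, so the per-module block may not be needed at all.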
Empty no-op test configuration block is dead code
Low Severity
tasks.withType<Test>().configureEach {} is an empty configuration block that has no effect. It likely was intended to contain heap size settings (like the similar blocks added to sentry-android-replay and sentry-spring-boot), but was left empty. The allprojects block in the root build.gradle.kts already configures heap sizes for all test tasks, so this block is redundant dead code.
Reviewed by Cursor Bugbot for commit d89823c.
🤖 Generated with Claude Code