{{ message }}
Switch lockfile date verification from search API to HEAD requests#11431
Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit intoMay 21, 2026
Merged
Conversation
sarahchen6
requested review from
AlexeyKuznetsov-DD
and removed request for
a team
sarahchen6
added
tag: no release notes
bric3
approved these changes
May 21, 2026
Contributor
There was a problem hiding this comment.
suggestion: Not for this PR but have you thought about making this running in parallel.
Contributor
Author
There was a problem hiding this comment.
Oh no I hadn't 🤔 I can experiment with that!
Contributor
Author
There was a problem hiding this comment.
I experimented some with AI, but the current implementation is already very fast (i.e. a few seconds for the HTTP requests) relative to other steps in the workflow (e.g. 5+ minutes for the resolveAndLockAll commands in example), so perhaps not worth the optimization here.
Contributor
There was a problem hiding this comment.
By the way thanks for looking into it.
Contributor
Author
|
/merge |
gh-worker-dd-mergequeue-cf854d
Bot
merged commit f22d44d
into
master
575 of 581 checks passed
gh-worker-dd-mergequeue-cf854d
Bot
deleted the
sarahchen6/update-gradle-dependencies-check
branch
This was referenced May 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What Does This Do
Switch the Gradle dependency age verifications from using a search API to making HEAD requests (
"https://repo1.maven.org/maven2").Motivation
This is a follow-up of #11293 that enforces a 48h cooldown period for gradle dependencies. The workflow could only be tested after merging to
masterdue to theocto-stspolicy scope. After merging, the workflow completed successfully (run); however, the previous search API led to most lockfiles reverted due to not being able to verify the dependency ages correctly (PR produced). This fix using HEAD requests should be more reliable. I tested locally with Claude and all dependencies that were previously unverifiable could be checked.Additional Notes
Akka dependencies require the repo's
AKKA_REPO_TOKENtoken to access.I used Claude to verify that dependency ages could be accessed via HEAD requests locally; however, the true test can only be conducted after merging these changes to
masterdue to the workflow'socto-stspolicy scope.Contributor Checklist
type:and (comp:orinst:) labels in addition to any other useful labelsclose,fix, or any linking keywords when referencing an issueUse
solvesinstead, and assign the PR milestone to the issueJira ticket: [PROJ-IDENT]
Note: Once your PR is ready to merge, add it to the merge queue by commenting
/merge./merge -ccancels the queue request./merge -f --reason "reason"skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.