Why Maven tries to download parent pom present in local repository from remotes?

Time:06-24

We have a project A that refers to a custom parent pom B hosted on our JFROG repository.

When our Github Action is building the project, we are providing a settings.xml file containing the connection to the JFROG repository that allows the action to download the parent pom inside its local repository.

Then a second step of our Github Actions workflow launches a Sonarqube analysis with the maven plugin: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar. This step does not need to download any custom dependencies so we don't provide the settings.xml file but the step fails because maven still tries to download the parent pom from remote repositories (Central) and does not find it.

I can not understand why maven tries to download the parent pom although it has already been downloaded and is available inside the local repository...

We use a Cache action to be sure that the local maven repository is not erased between steps, I checked that the parent pom is well available inside the local repository just before the Sonarqube maven plugin is launched...

I have put Maven in offline mode to force it to use the pom from its local repository but it fails again, it is like Maven was not using this local repository.

I do not think the problem could come from the Github Actions and I do not understand why Maven does not use the local repository...

CodePudding user response:

In maven settings, there's a separate updatePolicy for releases and snapshots. It's set to daily by default:

  <repositories>
    <repository>
      <releases>
        <updatePolicy>daily</updatePolicy>
      </releases>
      <snapshots>
        <updatePolicy>daily</updatePolicy>
      </snapshots>
    </repository>
  </repositories>

So if the files in your local repository are more than a day old, and you don't have a settings.xml, maven will download the dependencies just to be sure.

A workaround would be to provide a settings.xml file with <updatePolicy>never</updatePolicy>

CodePudding user response:

OK, I have actually found the reason and it is explained in this post: maven can't find my local artifacts

To sum up, the pom is downloaded from our JFrog Repository and Maven creates a file _remote.repositories to keep trace of the repository where the dependency comes from.

When the second step executes Maven without the connection to this JFrog Repository, Maven ignores the dependency because it comes from a repository not used by this execution and tries to resolve the dependency again. It is a kind of security feature.

A solution to bypass this feature is to add the property aether.enhancedLocalRepository.trackingFilename with an unknown value: -Daether.enhancedLocalRepository.trackingFilename=some_nonexistent_dummy_file_name.
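The origin tracking described in the answer above can be inspected on the runner before the Sonar step. The script below is an added example, not part of the original answers: it lists cached artifacts whose `_remote.repositories` entry names a repository id the current build does not configure. The `name>repoId=` line layout is the resolver's internal format and is assumed here; the id `jfrog-releases` and the sample coordinates are constructed.

```shell
#!/bin/sh
# List cached artifacts whose recorded origin is not an active repo id.
# usage: untracked_for_build <local-repo-dir> <active-repo-id>...
# output: "<path-to-artifact> <recorded-repo-id>" per mismatch
untracked_for_build() (
    repo_dir=$1; shift
    active=" $* "                          # space-padded list for matching
    find "$repo_dir" -type f -name '_remote.repositories' | sort |
    while IFS= read -r tracking; do
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                '#'*|'') continue ;;       # header comments, blank lines
                *'>'*'='*) ;;              # assumed layout: name>repoId=
                *) continue ;;
            esac
            file=${line%%'>'*}
            id=${line#*'>'}; id=${id%'='*}
            # Empty id: installed locally (mvn install), no remote origin.
            if [ -z "$id" ]; then continue; fi
            case $active in
                *" $id "*) ;;              # origin is configured: usable
                *) printf '%s/%s %s\n' "$(dirname "$tracking")" "$file" "$id" ;;
            esac
        done < "$tracking"
    done
)

# Constructed sample repo: parent POM from hypothetical id "jfrog-releases",
# one artifact from "central", one locally installed.
make_sample_repo() (
    d=$(mktemp -d)
    p="$d/com/example/parent-b/1.0"
    c="$d/org/example/lib/2.0"
    a="$d/com/example/project-a/1.0"
    mkdir -p "$p" "$c" "$a"
    printf '#constructed\nparent-b-1.0.pom>jfrog-releases=\n' > "$p/_remote.repositories"
    printf '#constructed\nlib-2.0.jar>central=\nlib-2.0.pom>central=\n' > "$c/_remote.repositories"
    printf '#constructed\nproject-a-1.0.pom>=\n' > "$a/_remote.repositories"
    printf '%s\n' "$d"
)
```

Passing the JFrog settings.xml to the Sonar step makes the recorded id active again and keeps origin tracking on, whereas the trackingFilename override makes Maven accept any cached file regardless of where it came from.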
