Gradle: SigstoreSignFilesTask should use the Gradle daemon JVM by default

[hfhbd]

Why does the task use the java toolchain and not the Gradle daemon JVM by default?

Gradle 9+ requires a JVM 17, but it is still common to target java 8 via toolchain. The current logic fails with this setup, because the sigstore task requires a JVM 11+.

While you can easily fix it, IMHO the tasks should use the Gradle daemon instead by default and not the java toolchain. The java toolchain is for compiling java code, while the daemon JVM is mostly for running Gradle tasks.

// launcherFor {} uses the JVM of the Gradle daemon
tasks.withType<SigstoreSignFilesTask>().configureEach {
    launcher.set(serviceOf<JavaToolchainService>().launcherFor { })
}

[loosebazooka]

I think that makes sense, @vlsi ?

[vlsi]

Gradle 9+ requires a JVM 17, but it is still common to target java 8 via toolchain

I am afraid "using toolchain to target Java 8" is the wrong way to go.

The proper way is to use JVM 25 toolchain and use --release option to make it produce Java 8-compatible bytecode.
This way you use the modern compiler (Java 25), and you get all the bugfixes OpenJDK included into Java 25.

If you use toolchain 8, then you use an outdated Java compiler which is misses many bugfixes, and which includes many known issues.

---

I am leaning towards this is a non-issue.

[hfhbd]

The proper way is to use JVM 25 toolchain and use --release option to make it produce Java 8-compatible bytecode.

In that case you don't need the toolchain feature at all. But this discussion is unrelated to this "bug".

[loosebazooka]

Yeah I actually think sigstore tasks should use the gradle system jvm, not the project build jvm? As all other build system related activity uses the jvm that gradle is launched with.

[vlsi]

In that case you don't need the toolchain feature at all

The toolchain is still needed to ensure everybody uses the same Java for building the software.
Toolchain is there to specify the compiler version (which is important and it should be a recent compiler).
release option is to configure the target platform version.

Kotlin-based projects need more properties: Kotlin/api-guidelines#44

But this discussion is unrelated to this "bug".

Well, the plugin code indeed requires Java 11, so it would require at least Java 11 for Gradle. We can indeed disconnect sigstore toolchain from the default java toolchain.

[vlsi]

As all other build system related activity uses the jvm that gradle is launched with.

Which "build system related" do you mean exactly?

[hfhbd]

Which "build system related" do you mean exactly?

One sample: publishing to Maven Central using the new api (and a custom Gradle plugin)

[loosebazooka]

I think signing is a build system related task (not a java compile task), I can see how that is a little vague though.