Update Maven to 3.9.3 on runners (including Ubuntu)

[tuxji]

Tool name

Apache Maven

Tool license

Apache License 2.0

Add or update?

• Add
• Update

Desired version

3.9.3 or later

Approximate size

No response

Brief description of tool

As of version 4.0.0, the Eclipse Tycho plugin for Maven requires Maven 3.9.0 or later:

Error: Failed to execute goal org.eclipse.tycho:tycho-packaging-plugin:4.0.1:build-qualifier (default-build-qualifier) on project com.ge.research.jena: The plugin org.eclipse.tycho:tycho-packaging-plugin:4.0.1 requires Maven version 3.9.0 -> [Help 1]

I know that Maven 3.9.0 broke some users' CI builds due to removing an outdated and vulnerable plexus-utils dependency from the plugin classpath. I know that GitHub developers closed a request to update Maven to 3.9.1 for the same reason. The fix for affected plugin maintainers is to explicitly declare a dependency on plexus-utils. The workaround for affected plugin users is to add this dependency to the affected plugin's dependencies until the issue is fixed by the affected plugin maintainer.

Maven was frozen at 3.8.8 in March. Now it is August, and this Maven 3.8.8 version is blocking some users' CI builds from updating Eclipse Tycho. Please consider updating Maven to 3.9.3 since affected plugin maintainers and users have had 5 months to fix their plexus-utils dependencies and updating Maven will help some users who need Maven 3.9.0 or later.

URL for tool's homepage

No response

Provide a basic test case to validate the tool's functionality.

No response

Platforms where you need the tool

• Azure DevOps
• GitHub Actions

Runner images where you need the tool

• Ubuntu 20.04
• Ubuntu 22.04
• macOS 11
• macOS 12
• macOS 13
• Windows Server 2019
• Windows Server 2022

Can this tool be installed during the build?

No response

Tool installation time in runtime

No response

Are you willing to submit a PR?

No response

[ilia-shipitsin]

@tuxji , while we evaluate the impact of update, can you help with justification whether such an update can (or cannot) be done by user himself ?

we are afraid to introduce some breaking change for the majority of users

[ilia-shipitsin]

@tuxji you said The workaround for affected plugin users is to add this dependency to the affected plugin's dependencies until the issue is fixed by the affected plugin maintainer.

do you know is there any ETA for a fix from plugin maintainer ?

[tuxji]

@tuxji , while we evaluate the impact of update, can you help with justification whether such an update can (or cannot) be done by user himself ?

we are afraid to introduce some breaking change for the majority of users

I am aware of two ways users can update Maven by themselves. Neither way is ideal.

1. Call an unverified GitHub action (https://github.com/marketplace/actions/setup-maven) in their GitHub workflow file. There is currently no verified action (such as setup-java) which will update Maven in a workflow.
2. Install the Apache Maven Wrapper script (https://github.com/apache/maven-wrapper) in their project, configure the desired Maven version, and modify their GitHub workflow to call the wrapper script instead of the mvn command.

[tuxji]

@tuxji you said The workaround for affected plugin users is to add this dependency to the affected plugin's dependencies until the issue is fixed by the affected plugin maintainer.

do you know is there any ETA for a fix from plugin maintainer ?

I do not know how many plugins broke in March, how many plugins have been fixed by their maintainers since then, and how many plugins still remain broken 5 months later. This is the risk that needs to be evaluated by GitHub developers.

[ilia-shipitsin]

we tried to update maven two times and every time we drown in feedback "please get it back".
I'm afraid that 3rd time will be like that.

can we stay with possibly non ideal, but working way updating maven directly in workflow ?

[ilia-shipitsin]

another idea is to use containers (maybe you already considered that).

https://github.com/ilia-shipitsin/php-matrix/blob/main/.github/workflows/blank.yml#L7-L12

i.e. you can specify any docker image to run on (supported only for linux runners).
there may be docker images with any maven version.

[tuxji]

No, I had not known about this third way to update Maven in one's workflow. Using a Maven container broke my workflow's docker/build-push-action step, but the error message suggested calling docker/setup-buildx-action. I added that step to my workflow and the next job ran successfully, so using a Maven container can indeed be a solution for some workflows.

I will close my request since the third way was good enough for me. For the benefit of other users who also want to try the third way, here it is:

jobs:
  integration:
    strategy:
      matrix:
        distribution: [ temurin ]
        java-version: [ 17 ]
        maven-version: [ 3.9 ]
        os: [ ubuntu-22.04 ]

    runs-on: ${{ matrix.os }}
    container:
      image: maven:${{ matrix.maven-version }}

[ilia-shipitsin]

@tuxji , if we want to keep it for other users, shall we convert it to discussion ?

[tuxji]

Yes, you may convert this issue to a discussion.

[michaldo]

we tried to update maven two times and every time we drown in feedback "please get it back".
I'm afraid that 3rd time will be like that.

This reasoning is road to nowhere.

Documentation clearly states:

https://github.com/actions/runner-images#preinstallation-policy

• Latest Technology: recent versions of tools will be given priority.

https://github.com/actions/runner-images#default-version-update-policy

• In general, once a new version is installed on the image, we announce the default version update 2 weeks prior to deploying it.
• For potentially dangerous updates, we may extend the timeline up to 1 month between the announcement and deployment.

Instead of listen feedback and postpone update Maven forever, please

• update Maven according to policies
• inform people which complain how to downgrade (not people who want follow policies how to upgrade)

[jantje]

Now nearly 6 months later and still nothing moved.
I'm starting to regret I moved to using actions as it is clear github does not care about eclipse builds.

[Mailaender]

Eclipse Tycho 4.0.4 now requires Maven 3.9.4, so this request is already getting outdated. Thanks for sharing your hint at using the official https://hub.docker.com/_/maven instead.

[svenrienstra]

What will be the policy going forward now with Maven? Will it stay at 3.8 forever? When have people with issues on Maven 3.9 had enough time to fix it?

[Mailaender]

There is also https://github.com/sdkman/sdkman-action for using a fixed version of Maven.

[michaldo]

This issue was raised 01.08.2023. Runner Ubuntu was 5 months behind Maven development. Today is 07.10.2024. Runner Ubuntu is 19 months behind Maven development.

What must happen to Runner Ubuntu follow Maven releases? 2 years overdue? 5 years?

[vidyasagarnimmagaddi]

Hi @michaldo , we are considering to update the maven to latest , right now we are checking the possibilities ,, Will update / raise an announcement soon . thanks

[jobmission]

How's the progress?