fix(gradle): resolve sandbox violations in e2e-gradle tests #35349
The gradle e2e tests invoked `gradlew :gradle-project-graph:publishToMavenLocal` inline via execSync, which compiles Kotlin sources inside the sandboxed task and triggers unexpected-read violations against packages/gradle/project-graph/build/*. Move the publish to a dependsOn on the inferred @nx/gradle target so its reads/writes happen outside the e2e task. Also narrow the workspace tsconfig.json input in nx.json's e2eInputs to the fields that affect compilation, matching the playwright plugin pattern.
…er inputs
The inferred gradle:publishToMavenLocal target (now a dependsOn of e2e-gradle
tests) doesn't pass -PskipSign=true, so signing tasks fail in CI without GPG
keys. Replace the skipSign flag with setRequired({ hasTask("publish") }) so
signing is only required when publishing to Maven Central via the `publish`
lifecycle task; publishToMavenLocal silently no-ops when no keys are present.
Also declare workspace gradle wrapper + gradle.properties as inputs on
e2e-gradle e2e-local / e2e-ci--**/** targets, matching the input set the
@nx/gradle plugin uses for its inferred gradle tasks. The bootstrap
`gradle init` call in create-gradle-project must use the workspace wrapper
since the fixture's wrapper doesn't exist yet.
astro-docs:validate-links declared dependentTasksOutputFiles: "**/sitemap*.xml" on its build dep, but the script reads both HTML files and sitemaps from dist/. Narrow the inputs to the actual file types the script walks (**/*.html + **/sitemap*.xml). Also drop the nxDevSitemapPath read — next-sitemap generation was removed from nx-dev in #35315, so the existsSync branch was dead code.
…ishes publishToMavenLocal writes to ~/.m2/repository/ which is outside the workspace and not a declarable Nx output. On a remote cache hit, Nx would skip launching gradle entirely, leaving ~/.m2/ empty on a fresh e2e agent and breaking plugin resolution from mavenLocal. Override cache: false so the publish runs on every agent; gradle's own up-to-date checks keep it cheap.
db03632 to 1567ad3
nx-dev sitemap generation is being restored in #35351, so the cross-site link validation branch is still needed. Keep the narrowed dependentTasksOutputFiles glob on astro-docs:validate-links — that's independent of where the nx-dev sitemap comes from.
validate-links reads nx-dev/nx-dev/public/sitemap-0.xml (restored by #35351) to validate cross-site links. Add nx-dev:build to dependsOn so the existing **/sitemap*.xml dependentTasksOutputFiles glob picks up nx-dev's sitemap output; before #35351 lands the existsSync guard in validate-links.ts no-ops.
d6af704 to e259c57
…Self-Healing CI Rerun]
Current Behavior

The `e2e-gradle:e2e-ci--**/*.test.ts` tasks produce hundreds of sandbox violations: ~163 unexpected reads + ~160 unexpected writes under `packages/gradle/project-graph/build/**`, plus reads of workspace-root gradle config files.

The root cause is `e2e/gradle/src/utils/create-gradle-project.ts` invoking `./gradlew :gradle-project-graph:publishToMavenLocal -PskipSign=true` inline via `execSync` during test setup, which compiles Kotlin sources inside the sandboxed task and produces all those file accesses.

Expected Behavior

The `publishToMavenLocal` step runs as a proper Nx task dependency before the e2e test, outside the sandbox. Its outputs are declared by the `@nx/gradle`-inferred target.

Changes

- `execSync(gradlew :gradle-project-graph:publishToMavenLocal)` in `create-gradle-project.ts`; make the `e2e-local` and `e2e-ci--**/**` targets on `e2e-gradle` depend on `:gradle-project-graph:gradle:publishToMavenLocal`.
- `publishToMavenLocal` target doesn't pass `-PskipSign=true`, so replace the `skipSign` flag in `packages/gradle/project-graph/build.gradle.kts` with `setRequired({ gradle.taskGraph.hasTask(":gradle-project-graph:publish") })`. Signing is required for the Maven Central path (`publish` lifecycle task) but silently no-ops for `publishToMavenLocal` when no GPG keys are provisioned.
- `gradle init` call must use the workspace wrapper, so add `gradle/wrapper/gradle-wrapper.jar`, `gradle/wrapper/gradle-wrapper.properties`, and `gradle.properties` as inputs on the e2e targets, matching the `@nx/gradle` plugin's inferred gradle-task input set.
- `publishToMavenLocal` writes to `~/.m2/repository/` (outside the workspace, can't be declared as an Nx output). A remote cache hit would skip launching gradle, leaving `~/.m2/` empty on the agent and breaking plugin resolution. Override `cache: false` on `:gradle-project-graph:gradle:publishToMavenLocal`.
- `e2eInputs` tsconfig input — use `{ json, fields }` in `nx.json` to hash only the fields that affect compilation (same pattern as `@nx/playwright`).
- `astro-docs:validate-links` inputs — swap the `**/sitemap*.xml` dep-task-outputs glob for `**/*.html` + `**/sitemap*.xml` (the actual files the script reads) and drop the dead `nx-dev/public/sitemap-0.xml` branch since cleanup(nx-dev): pare nx-dev down to /ai-chat, /api, /courses only #35315 removed `next-sitemap` from nx-dev.

Related Issue(s)

NXC-3981
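
The remote-cache failure described under Changes, as a toy model added here (not code from this PR or from Nx). The runner, the task and every path in it are constructed stand-ins, and it assumes a cache that replays only the outputs a task declares inside the workspace.

```javascript
// Toy model of a remote task cache (assumption: not Nx's implementation).
// A cache entry holds only the outputs a task declares inside the workspace.
const M2_ARTIFACT = '~/.m2/repository/<constructed-plugin-coordinates>'; // placeholder

// A fresh CI agent: empty workspace outputs, empty home directory.
const freshAgent = () => ({ workspace: new Map(), home: new Map() });

// Stand-in for publishToMavenLocal: one declared workspace output plus
// one write under the agent's home directory that cannot be declared.
const publishTask = {
  inputs: { 'src/Plugin.kt': 'v1' },          // constructed input
  outputs: ['build/libs/plugin.jar'],         // constructed declared output
  run(agent) {
    agent.workspace.set('build/libs/plugin.jar', 'jar-bytes');
    agent.home.set(M2_ARTIFACT, 'jar-bytes');
  },
};

function runTask(task, agent, remoteCache, { cache }) {
  const key = JSON.stringify(task.inputs);    // stands in for the input hash
  if (cache && remoteCache.has(key)) {
    // Cache hit: declared outputs are replayed and the task never launches.
    for (const [path, data] of remoteCache.get(key)) agent.workspace.set(path, data);
    return 'cache-hit';
  }
  task.run(agent);
  if (cache) {
    remoteCache.set(key, task.outputs.map((p) => [p, agent.workspace.get(p)]));
  }
  return 'executed';
}

// What the e2e fixture needs: the plugin resolvable from mavenLocal.
const resolvesFromMavenLocal = (agent) => agent.home.has(M2_ARTIFACT);

// First agent warms the cache; the result describes a second, fresh agent.
function simulate(cache) {
  const remoteCache = new Map();
  runTask(publishTask, freshAgent(), remoteCache, { cache });
  const second = freshAgent();
  const status = runTask(publishTask, second, remoteCache, { cache });
  return {
    status,
    restoredJar: second.workspace.has('build/libs/plugin.jar'),
    resolves: resolvesFromMavenLocal(second),
  };
}

console.log('cache: true  ->', simulate(true));
console.log('cache: false ->', simulate(false));
```

With caching on, the second agent reports a hit and has the jar restored, yet nothing exists under its home directory; with caching off, the task runs and the side effect is present.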