Issue
We have a project A that refers to a custom parent pom B hosted on our JFROG repository.
When our Github Action is building the project, we are providing a settings.xml file containing the connection to the JFROG repository that allows the action to download the parent pom inside its local repository.
Then a second step of our Github Actions workflow launches a Sonarqube analysis with the maven plugin: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
This step does not need to download any custom dependencies so we don't provide the settings.xml file but the step fails because maven still tries to download the parent pom from remote repositories (Central) and does not find it.
I can not understand why maven tries to download the parent pom although it has already been downloaded and is available inside the local repository...
We use a Cache action to be sure that the local maven repository is not erased between steps, and I checked that the parent pom is indeed available inside the local repository just before the Sonarqube maven plugin is launched...
I have put Maven in offline mode to force it to use the pom from its local repository but it fails again, it is like Maven was not using this local repository.
I do not think the problem could come from the Github Actions and I do not understand why Maven does not use the local repository...
Solution
OK I have actually found the reason and it is explained inside this post : maven can't find my local artifacts
To sum up, the pom is downloaded from our JFrog Repository and Maven creates a file _remote.repositories to keep track of the repository where the dependency comes from.
When the second step executes Maven without the connection to this JFrog Repository, Maven ignores the dependency because it comes from a repository not used by this execution and tries to resolve the dependency again. It is a kind of security feature.
A solution to bypass this feature is to add the property aether.enhancedLocalRepository.trackingFilename with an unknown value: -Daether.enhancedLocalRepository.trackingFilename=some_nonexistent_dummy_file_name
Answered By - Matthieu Saleta
Answer Checked By - David Goodson (JavaFixing Volunteer)
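
The origin check described in the answer, modelled as an added example (not code from the post or from Maven itself). It assumes the tracking file holds `filename>repoId=` lines and parses them in simplified form; the repository ids `jfrog` and `central` and the coordinates `com/example/parent-b/1.0` are constructed. The last case shows why the dummy filename works: once no tracking file is found, every cached file is accepted whatever repository it came from.

```python
import tempfile
from pathlib import Path

TRACKING_FILE = "_remote.repositories"  # tracking filename named in the answer

def read_tracking(artifact_dir, tracking_name=TRACKING_FILE):
    """Return {filename: {repo_id, ...}}; empty dict if the tracking file is absent."""
    path = Path(artifact_dir) / tracking_name
    origins = {}
    if not path.is_file():
        return origins
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ">" not in line:
            continue  # skip comments and anything that is not a tracking entry
        key = line.split("=", 1)[0]
        filename, repo_id = key.split(">", 1)
        origins.setdefault(filename, set()).add(repo_id)  # "" = installed locally
    return origins

def is_usable(artifact_dir, filename, active_repo_ids, tracking_name=TRACKING_FILE):
    """A cached file counts only if it is untracked, locally installed,
    or recorded as coming from a repository active in this build."""
    if not (Path(artifact_dir) / filename).is_file():
        return False
    recorded = read_tracking(artifact_dir, tracking_name).get(filename)
    if recorded is None:  # no tracking entry at all: treated as locally installed
        return True
    return "" in recorded or bool(recorded & set(active_repo_ids))

def build_sample_repo(root):
    """Constructed sample: parent pom B cached from a repository with id 'jfrog'."""
    d = Path(root) / "com/example/parent-b/1.0"
    d.mkdir(parents=True)
    (d / "parent-b-1.0.pom").write_text("<project/>")
    (d / TRACKING_FILE).write_text("#constructed sample\nparent-b-1.0.pom>jfrog=\n")
    return d

def demo():
    with tempfile.TemporaryDirectory() as root:
        d, pom = build_sample_repo(root), "parent-b-1.0.pom"
        return {
            "with_settings": is_usable(d, pom, ["jfrog", "central"]),
            "without_settings": is_usable(d, pom, ["central"]),
            "dummy_tracking_name": is_usable(
                d, pom, ["central"], "some_nonexistent_dummy_file_name"),
        }

if __name__ == "__main__":
    print(demo())
```

Passing the same settings.xml to the Sonarqube step corresponds to the `with_settings` case and keeps the origin check in place.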