Make keepSecrets task compatible with configuration cache

[notenoughgold]

Modernize gradle task inputs for configuration cache compatibility

Bump dependencies as below:

• Update Kotlin to 2.2.21
• Update Android Gradle Plugin to 8.13.1
• Update Gradle to 8.14.3
• Set JVM target to 17
• Update sample app compileSdk and targetSdk to 36
• Update sample app minSdk to 23
• Update androidx.activity:activity-ktx to 1.12.0
• Add edge-to-edge support in the sample app

Fixes Issue: #19

Summary by CodeRabbit

• New Features

  • Added window insets support for improved system UI compatibility in the sample app.

• Chores

  • Upgraded Kotlin, Android Gradle Plugin, and Gradle to newer versions.
  • Bumped Android SDKs (compile/target SDK 36, min SDK 23) and updated Android libraries.
  • Switched build configuration to a Java toolchain targeting Java 17.
  • Updated static-analysis/formatting tooling versions and related entries.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Updated build toolchain (Gradle, AGP, Kotlin), added jvmTarget=17, migrated Java/Kotlin compilation to Gradle toolchains, refactored KeepSecretsTask to use constructor injection and explicit Gradle property inputs, changed SecretsVaultExtension file properties to RegularFileProperty and added CMake config, and adjusted sample app SDK and window insets handling.

Changes

Cohort / File(s)	Change Summary
Build configuration gradle/libs.versions.toml, gradle/wrapper/gradle-wrapper.properties	Bumped Kotlin (1.8.21 → 2.2.21), Android Gradle Plugin (8.0.1 → 8.13.1), Detekt (1.22.0 → 1.23.8), androidx-activity-ktx (1.7.2 → 1.12.0), added jvmTarget = "17", and updated Gradle distribution to 8.14.3; renamed some detekt bundle keys.
Gradle build scripts → Java toolchain sampleapp/build.gradle.kts, secretsvaultplugin/build.gradle.kts	Replaced explicit source/target and Kotlin jvmTarget settings with Gradle java toolchain using libs.versions.jvmTarget; updated sample app compileSdk/minSdk/targetSdk to 36/23/36 and removed compileOptions/JvmTarget blocks.
Plugin API / extension refactor secretsvaultplugin/src/main/kotlin/.../extensions/SecretsVaultExtension.kt	Converted secretsFile and sourceSetSecretsMappingFile from Property<File> to RegularFileProperty; added cmake: Property<CMakeExtension>.
Task architecture secretsvaultplugin/src/main/kotlin/.../KeepSecretsTask.kt	Converted task to use constructor injection (@Inject ProjectLayout), exposed inputs as Gradle properties with annotations (DirectoryProperty, RegularFileProperty, ListProperty, Property<String>, etc.), switched file resolution to projectLayout + properties, and replaced json.get() with json.decodeFromString.
Plugin wiring secretsvaultplugin/src/main/kotlin/.../SecretsVaultPlugin.kt	Wire SecretsVaultExtension values into KeepSecretsTask inputs, resolve pluginSourceFolder via projectLayout, add packageName fallback to Android namespace, and expose CMake project name/version to task.
Sample app UI sampleapp/src/main/kotlin/.../MainActivity.kt	Added window insets handling for ScrollView to adjust margins to system bars insets.

Sequence Diagram(s)

sequenceDiagram
    participant Plugin as SecretsVaultPlugin
    participant Ext as SecretsVaultExtension
    participant Task as KeepSecretsTask
    participant Layout as ProjectLayout

    Plugin->>Ext: read extension values (secretsFile, cmake, obfuscationKey, appSignatures, makeInjectable, packageName?)
    Note right of Plugin: Determine packageName fallback (Android namespace) and cmake defaults
    Plugin->>Task: create/configure task (inject ProjectLayout)
    Plugin->>Task: set pluginSourceFolder (via ProjectLayout)
    Plugin->>Task: wire RegularFileProperty and other inputs
    Task->>Layout: resolve paths via DirectoryProperty/RegularFileProperty
    Task->>Task: decode secrets (json.decodeFromString) and generate outputs (Kotlin/CPP/CMake)
    Task-->>Plugin: task outputs (files written)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Pay special attention to:
  • KeepSecretsTask.kt constructor + property annotations and file-resolution changes.
  • SecretsVaultExtension.kt API changes (RegularFileProperty) and transitive impacts.
  • SecretsVaultPlugin.kt wiring for packageName fallback and CMake values.
  • Compatibility implications of Kotlin 2.2.21 / AGP 8.13.1 and Gradle 8.14.3 (buildscript/toolchain resolution).

Possibly related PRs

• Fix checking obfuscated value instead of key name on generating cpp file for secrets #14 — Modifies KeepSecretsTask logic; likely overlaps with the architectural refactor in this PR.

Suggested reviewers

• oguzgu
• agabeyalioglu
• opsenes
• ekrem-duvarbasi-commencis

Poem

🐰 Hopped through toolchains, versions bright,

Injected tasks in morning light.
Secrets tucked in files so neat,
CMake and package names all neat.
Rabbits guard each build’s delight.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately captures the main objective of the PR—making the keepSecrets task compatible with configuration cache through modernization of Gradle task inputs.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch improvement/configuration-cache-compat

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/SecretsVaultPlugin.kt (1)

69-73: Consider using Provider-based path resolution.

Using copyTask.destinationDir.path extracts the path as a String during configuration. While the task output is wrapped in a Provider via map, the destinationDir property access pattern could be improved for better configuration cache hygiene.

Consider using the Provider-based destination:

 pluginSourceFolder.set(
     unzipTaskProvider.map { copyTask ->
-        project.layout.projectDirectory.dir(copyTask.destinationDir.path)
+        copyTask.destinationDir
     }
 )

If pluginSourceFolder is a DirectoryProperty, you can directly set it from the File returned by destinationDir.

secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/KeepSecretsTask.kt (1)

126-126: Optional: Remove unnecessary encodeDefaults configuration.

The encodeDefaults = true configuration only affects encoding/serialization. Since this json instance is only used for decodeFromString operations (lines 197, 223), this setting has no effect and can be removed for clarity.

-    private val json = Json { encodeDefaults = true }
+    private val json = Json

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 069629e and c03aa93.

📒 Files selected for processing (8)

• gradle/libs.versions.toml (3 hunks)
• gradle/wrapper/gradle-wrapper.properties (1 hunks)
• sampleapp/build.gradle.kts (2 hunks)
• sampleapp/src/main/kotlin/com/commencis/secretsvaultplugin/sampleapp/MainActivity.kt (2 hunks)
• secretsvaultplugin/build.gradle.kts (1 hunks)
• secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/KeepSecretsTask.kt (13 hunks)
• secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/SecretsVaultPlugin.kt (3 hunks)
• secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/extensions/SecretsVaultExtension.kt (2 hunks)

🔇 Additional comments (15)

gradle/libs.versions.toml (4)

7-7: Good addition of centralized JVM target.

Adding jvmTarget = "17" to the version catalog enables consistent JVM target configuration across modules.

---

31-32: Bundle reference syntax updated correctly.

The bundle now correctly references the library aliases using kebab-case (detekt-formating, detekt-rules), matching the library definitions on lines 17-18.

---

2-3: Version numbers are legitimate — both Kotlin 2.2.21 and Android Gradle Plugin 8.13.1 are actual releases.

Kotlin 2.2.21 was released on October 23, 2025. Android Gradle Plugin 8.13.1 was published on November 10, 2025. Both versions exist and are appropriate choices for the current timeframe. The version numbers are not unusually high; they represent normal patch releases within their respective major/minor version series.

Likely an incorrect or invalid review comment.

---

21-21: androidx.activity:activity-ktx 1.12.0 is valid and stable.

Version 1.12.0 was released on November 19, 2025 as a stable release. The version bump from 1.7.2 to 1.12.0 is significant but represents a legitimate upstream release.

sampleapp/build.gradle.kts (3)

13-14: Breaking change: minSdk increased from 21 to 23.

This drops support for Android 5.0-5.1 (Lollipop). This is a sample app, so the impact is limited, but worth noting.

---

78-82: Good migration to Java toolchain.

Using java { toolchain { ... } } instead of compileOptions and kotlinOptions is the recommended approach for configuration cache compatibility. The toolchain automatically configures both Java and Kotlin compilation targets.

---

9-9: Android SDK 36 is available and stable. SDK 36 (Android 16) was officially released to the stable channel in March 2025. The compileSdk = 36 change is appropriate and supported.

secretsvaultplugin/build.gradle.kts (1)

17-21: Clean toolchain configuration.

Good migration from explicit sourceCompatibility/targetCompatibility and KotlinCompile task configuration to the simpler toolchain DSL. This reduces boilerplate and is configuration cache friendly.

secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/extensions/SecretsVaultExtension.kt (1)

28-29: Breaking API change: File properties migrated to RegularFileProperty.

Migrating from Property<File> to RegularFileProperty is the correct approach for configuration cache compatibility. However, this is a breaking change for any consumers setting these properties.

Previous usage:

secretsFile.set(file("secrets.json"))

New usage:

secretsFile.set(layout.projectDirectory.file("secrets.json"))

Consider documenting this migration in the changelog or PR description.

secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/SecretsVaultPlugin.kt (2)

88-89: Good use of flatMap for lazy property chaining.

Using flatMap to chain into the nested CMakeExtension properties maintains lazy evaluation, which is important for configuration cache compatibility.

---

116-116: Correct migration to layout-based file convention.

Using project.layout.projectDirectory.file(...) instead of project.file(...) is the proper approach for configuration cache compatibility with RegularFileProperty.

gradle/wrapper/gradle-wrapper.properties (1)

3-3: Gradle 8.14.3 is a valid, stable release.

Gradle 8.14.3 was released on July 4, 2025 (4 months before the current date), includes bug fixes and Java 24 support, and the -all.zip distribution is confirmed available on Gradle's distributions server. The version upgrade from 8.1.1 is reasonable, and switching to the -all distribution is appropriate for IDE integration.

secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/KeepSecretsTask.kt (2)

61-61: Excellent: Constructor injection for configuration cache compatibility.

The use of @Inject constructor with ProjectLayout is the correct approach for configuration cache compatibility.

---

165-165: LGTM: Correct property usage for configuration cache.

All property accesses follow configuration cache best practices:

• Properties are accessed via .get() only during task execution time
• File properties are properly resolved using .asFile
• Optional properties are handled correctly with .orNull
• Path resolution uses projectDirectory.file(...) instead of direct File access

This implementation correctly ensures that all property evaluation happens during task execution, not during configuration.

Also applies to: 180-180, 266-268, 281-282, 285-285, 299-299, 302-302, 307-307, 310-310, 334-334, 360-360, 363-364, 410-410, 415-415, 421-421, 512-512, 518-518

sampleapp/src/main/kotlin/com/commencis/secretsvaultplugin/sampleapp/MainActivity.kt (1)

9-11: LGTM!

The imports are appropriate for implementing edge-to-edge window insets handling.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/SecretsVaultPlugin.kt (2)

60-77: Wire pluginSourceFolder directly from the unzip task’s output directory

Right now you convert destinationDir to an absolute String and then back to a Directory via projectDirectory.dir(...). You can keep things simpler and better connected to the producing task by wiring the DirectoryProperty directly from the Copy task:

-            pluginSourceFolder.set(
-                project.layout.projectDirectory.dir(
-                    unzipTaskProvider.map { task -> task.destinationDir.absolutePath }
-                )
-            )
+            pluginSourceFolder.set(
+                unzipTaskProvider.flatMap { task -> task.destinationDirectory }
+            )

This avoids the string round‑trip and keeps the consumer input tied to the producer’s output property, which is more idiomatic and plays nicer with task dependencies and incremental behavior.

Please double‑check this against the Gradle 8.14 Copy API and your local build to ensure destinationDirectory is available and correctly annotated as an output directory.

---

79-90: Confirm behavior for explicitly blank secretsVaultExtension.packageName

The new provider chain:

packageName.set(
    secretsVaultExtension.packageName.orElse(
        project.provider {
            project.extensions.findByType(CommonExtension::class.java)?.namespace.orEmpty()
        }
    )
)

changes semantics slightly compared to the earlier getOrElse(EMPTY_STRING).ifEmpty { namespace } approach: if someone explicitly sets packageName = "" in the extension, it will now remain "" instead of falling back to the Android namespace.

If no one relies on “blank string means use namespace”, this is fine but might be worth a brief doc note. If that behavior is still desired for backward compatibility, you may want an extra mapping step so that blank values also route to the namespace provider.

Please verify how existing build scripts use secretsVaultExtension.packageName (if at all) to decide whether preserving or restoring the old “blank means fallback” behavior is necessary.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c03aa93 and 461af11.

📒 Files selected for processing (1)

• secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/SecretsVaultPlugin.kt (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (1)

secretsvaultplugin/src/main/kotlin/com/commencis/secretsvaultplugin/SecretsVaultPlugin.kt (1)

117-117: Good move to base secretsFile on ProjectLayout

Using secretsFile.convention(project.layout.projectDirectory.file(DEFAULT_SECRETS_FILE_NAME)) aligns with Gradle’s file abstractions and is configuration‑cache‑friendly. No issues here.