Gradle Plugin Portal Approval Policy Update

Table of Contents

Introduction

Gradle is updating the plugin approval policy for plugins submitted to the Gradle Plugin Portal, effective today, to begin adding stronger security safeguards for plugin consumers.

First off, this does not affect plugins already on the plugin portal, just new plugins. Gradle builds that use plugins will not be affected in any way.

Portal acceptance criteria in a nutshell #

Gradle will check the following for new plugins submitted to plugins.gradle.org:

  • Description and project URL are valid and not misleading
  • The group ID and artifact ID are valid and not misleading

In addition to these changes, plugins with a valid open-source repo URL will be prioritized over other plugins for approval. Those that apply a SPDX-compatible license properly, even more so.

If your plugin doesn’t meet these requirements, we’ll let you know as soon as possible and give you a chance to re-submit when it does. If your plugin cannot comply, please publish it to an alternative repository and use the pluginManagement {} DSL to configure where your plugins {} are resolved from.

What happens to plugins that don’t adhere to this criteria #

These checks do not yet apply for subsequent versions of a given plugin, and aren’t yet going to be retroactively enforced.

In the longer term, we will begin showing warnings on the plugin portal for plugins that don’t adhere to this policy, and may introduce additional automated checks to give plugin consumers information about plugins they’re viewing.

If you have questions or concerns, we encourage you to discuss in the plugin-portal category on the Gradle forum. For any support requests, please open a GitHub issue.

Discuss