feat(gleam): Run 'gleam deps download' when no lockfile exists

maennchen · sschuberth · commit 4f61c3afe86d · 2026-01-08T09:30:08.000+01:00
When 'allowDynamicVersions' is enabled and no manifest.toml lockfile exists, run 'gleam deps download' to generate it before resolving dependencies. This provides a fallback for projects that haven't committed their lockfile. A WARNING issue is added to indicate the results may not be reproducible. If the command fails, an ERROR issue with the exit code and stderr is reported. Closes #11245. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
diff --git a/plugins/package-managers/gleam/src/funTest/assets/projects/synthetic/no-lockfile-broken/gleam.toml b/plugins/package-managers/gleam/src/funTest/assets/projects/synthetic/no-lockfile-broken/gleam.toml
@@ -0,0 +1,5 @@
+name = "broken_project"
+version = "1.0.0"
+
+[dependencies]
+nonexistent_package_that_does_not_exist = ">= 99.99.99"
diff --git a/plugins/package-managers/gleam/src/funTest/assets/projects/synthetic/no-lockfile-expected-output-allow-dynamic-versions.yml b/plugins/package-managers/gleam/src/funTest/assets/projects/synthetic/no-lockfile-expected-output-allow-dynamic-versions.yml
diff --git a/plugins/package-managers/gleam/src/funTest/kotlin/GleamFunTest.kt b/plugins/package-managers/gleam/src/funTest/kotlin/GleamFunTest.kt
@@ -22,9 +22,17 @@ package org.ossreviewtoolkit.plugins.packagemanagers.gleam
 import com.github.tomakehurst.wiremock.WireMockServer
 import com.github.tomakehurst.wiremock.core.WireMockConfiguration
 
+import io.kotest.core.annotation.Tags
 import io.kotest.core.spec.style.StringSpec
+import io.kotest.engine.spec.tempdir
+import io.kotest.matchers.collections.beEmpty
 import io.kotest.matchers.collections.containExactly
+import io.kotest.matchers.collections.shouldBeSingleton
+import io.kotest.matchers.collections.shouldContain
 import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.shouldNot
+import io.kotest.matchers.string.shouldContain
 import io.kotest.property.Arb
 import io.kotest.property.arbitrary.file
 import io.kotest.property.arbitrary.single
@@ -35,12 +43,14 @@ import org.ossreviewtoolkit.analyzer.analyze
 import org.ossreviewtoolkit.analyzer.getAnalyzerResult
 import org.ossreviewtoolkit.analyzer.resolveSingleProject
 import org.ossreviewtoolkit.analyzer.withInvariantIssues
+import org.ossreviewtoolkit.model.Severity
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.toYaml
 import org.ossreviewtoolkit.utils.common.div
 import org.ossreviewtoolkit.utils.test.getAssetFile
 import org.ossreviewtoolkit.utils.test.matchExpectedResult
 
+@Tags("RequiresExternalTool")
 class GleamFunTest : StringSpec({
     val server = WireMockServer(
         WireMockConfiguration.options()
@@ -88,17 +98,36 @@ class GleamFunTest : StringSpec({
     }
 
     "Resolve dependencies for a project without a lockfile if 'allowDynamicVersions' is enabled" {
-        val definitionFile = getAssetFile("projects/synthetic/no-lockfile/gleam.toml")
-        val expectedResultFile =
-            getAssetFile("projects/synthetic/no-lockfile-expected-output-allow-dynamic-versions.yml")
+        val projectDir = tempdir()
+        getAssetFile("projects/synthetic/no-lockfile").copyRecursively(projectDir)
 
         val result = createGleam().resolveSingleProject(
-            definitionFile,
+            projectDir.resolve("gleam.toml"),
             resolveScopes = true,
             allowDynamicVersions = true
         )
 
-        result.withInvariantIssues().toYaml() should matchExpectedResult(expectedResultFile, definitionFile)
+        result.packages shouldNot beEmpty()
+        result.packages.map { it.id.name } shouldContain "gleam_stdlib"
+    }
+
+    "Resolve dependencies fails with error details for broken gleam.toml" {
+        val projectDir = tempdir()
+        getAssetFile("projects/synthetic/no-lockfile-broken").copyRecursively(projectDir)
+
+        val result = createGleam().resolveSingleProject(
+            projectDir.resolve("gleam.toml"),
+            resolveScopes = true,
+            allowDynamicVersions = true
+        )
+
+        result.issues.shouldBeSingleton {
+            it.severity shouldBe Severity.ERROR
+            it.message shouldContain "failed with exit code"
+            it.message shouldContain "Dependency resolution failed"
+        }
+
+        result.packages should beEmpty()
     }
 
     "Resolve dependencies for a project with no dependencies correctly" {
diff --git a/plugins/package-managers/gleam/src/main/kotlin/Gleam.kt b/plugins/package-managers/gleam/src/main/kotlin/Gleam.kt
@@ -112,18 +112,7 @@ class Gleam internal constructor(
 
         val project = createProject(definitionFile, gleamToml)
 
-        val manifest = if (manifestFile.isFile) {
-            parseManifest(manifestFile)
-        } else if (!hasDependencies) {
-            GleamManifest.EMPTY
-        } else {
-            issues += Issue(
-                source = projectType,
-                message = "No lockfile found. No dependencies were resolved. " +
-                    "Run 'gleam deps download' to generate a manifest.toml lockfile."
-            )
-            GleamManifest.EMPTY
-        }
+        val manifest = resolveManifest(manifestFile, hasDependencies, workingDir)
 
         val context = GleamProjectContext(
             hexClient = hexApiClientFactory(),
@@ -159,6 +148,18 @@ class Gleam internal constructor(
     override fun createPackageManagerResult(projectResults: Map<File, List<ProjectAnalyzerResult>>) =
         PackageManagerResult(projectResults, graphBuilder.build(), graphBuilder.packages())
 
+    private fun resolveManifest(manifestFile: File, hasDependencies: Boolean, workingDir: File): GleamManifest =
+        when {
+            manifestFile.isFile -> parseManifest(manifestFile)
+
+            !hasDependencies -> GleamManifest.EMPTY
+
+            else -> {
+                GleamCommand.run(workingDir, "deps", "download").requireSuccess()
+                parseManifest(manifestFile)
+            }
+        }
+
     private fun createProject(definitionFile: File, gleamToml: GleamToml): Project {
         val workingDir = definitionFile.parentFile
 
diff --git a/plugins/package-managers/gleam/src/main/kotlin/GleamCommand.kt b/plugins/package-managers/gleam/src/main/kotlin/GleamCommand.kt
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2025 The ORT Project Copyright Holders <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.packagemanagers.gleam
+
+import java.io.File
+
+import org.ossreviewtoolkit.utils.common.CommandLineTool
+
+internal object GleamCommand : CommandLineTool {
+    override fun command(workingDir: File?) = "gleam"
+
+    override fun getVersionArguments() = "--version"
+
+    override fun transformVersion(output: String) = output.removePrefix("gleam ").trim()
+}
