this lets us get rid of shadow, which
1) lets hub plugins bring their own shadow if they desire without
impacting the build process
2) removes a vulnerable log4j from the build process. This isn't
a huge issue to us because if you can get arbitrary files into the
shadow jar, security is already compromised, so at worst this lets
you escalate

we have to do this as part of a compiler plugin, and not by just looking
at the classes' bytecode, because jls§13.1 requires inlining of certain
constant values, so references to these will not be present in the
bytecode.
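
The JLS §13.1 point above, as an added example that is not part of the original commit or the project's code: it compiles two throwaway classes and reports which member names survive in the user's class file, which is all a bytecode-only API checker would get to see. The names `Api`, `Plugin`, `LIMIT` and `counter` are hypothetical, and a JDK (not a bare JRE) is assumed.

```java
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

public class ConstantInliningDemo {
    // Class-file constant pools store member names as UTF-8 text; decoding the
    // file as ISO-8859-1 keeps one char per byte so ASCII names can be searched.
    static boolean mentions(Path classFile, String name) throws Exception {
        byte[] bytes = Files.readAllBytes(classFile);
        return new String(bytes, StandardCharsets.ISO_8859_1).contains(name);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("jls-13-1");
        Path api = dir.resolve("Api.java");
        Path plugin = dir.resolve("Plugin.java");
        // Constructed sample sources (hypothetical API and plugin).
        Files.write(api, Arrays.asList(
            "public class Api {",
            "    public static final int LIMIT = 1234567; // constant variable: inlined into users",
            "    public static int counter = 7;           // not final: stays a field reference",
            "}"));
        Files.write(plugin, Arrays.asList(
            "public class Plugin {",
            "    int viaConstant() { return Api.LIMIT; }",
            "    int viaField()    { return Api.counter; }",
            "}"));

        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) throw new IllegalStateException("needs a JDK, not a bare JRE");
        int rc = javac.run(null, null, null, "-d", dir.toString(),
                           api.toString(), plugin.toString());
        if (rc != 0) throw new IllegalStateException("javac failed");

        // What a scanner that only reads Plugin.class can and cannot find.
        Path cls = dir.resolve("Plugin.class");
        System.out.println("Plugin.class names Api.counter: " + mentions(cls, "counter"));
        System.out.println("Plugin.class names Api.LIMIT:   " + mentions(cls, "LIMIT"));
    }
}
```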

We can't do a real shallow clone since GitHub doesn't let you fetch
arbitrary commits. Instead we fetch the whole commit graph, but not the
file trees or file blobs, which are fetched by git checkout on-demand.

This lets us have better control over which dependencies are verified,
as changes to runelite-client's dependencies cause all Hub plugins with
pinned deps to fail, as the new transitive deps aren't pinned. Moving
this file into this repo not only lets us update it in these situations,
but also means individual plugin authors don't need to touch Gradle's
verification and all of its associated pains. This also allows plugins
to pull a dependency that another plugin pulls already with no extra
work.

not using bash gives us more flexibility and significantly reduces build
times via parallelism. Additionally this includes support for GitHub
Actions which also significantly reduces build times.