Grunt Support?

Geoff_B_ · ‎03-15-2016

I am currently using Phonegap Build to build my iOS and Android apps. However, I'm running into a limitation where PGB doesn't allow cordova plugins to use cordova hooks. That means I can't use plugins like this: https://github.com/nordnet/cordova-universal-links-plugin.

I like the thought of using something like XDK but don't know if I can. I do several builds for different environments from a single code base (dev/stage/prod) which are essentially three different apps I can install side by side. I'm currently doing this through grunt which compiles the JS/HTML files and does any necessary environment substitutions and ships it off to PGB. I am not wedded to grunt but I have a lot of experience and it works.

The question is does XDK support grunt integration into its builds, or is there an alternative in XDK for doing builds for different environments while substituting out environment variables in the HTML and CSS?

If not, XDK is basically a non-starter for us.

Geoff_B_ · ‎03-15-2016

I figured out how to make this work. I inserted the grunt build step before XDK even sees the target folder. Basically XDK is only ever going to use the compiled, build ready files. Each app is going to be a separate build target loaded into XDK which can then build. It's more work, but it seems to do the trick.

PaulF_IntelCorp · ‎03-15-2016

Geoff -- one note, our build system also does not allow plugins with hook scripts...

Geoff_B_ · ‎03-15-2016

You have got to be kidding me... How is someone without a mac supposed to do cross platform builds without a tool like toold like XDK or phonegap build? Why does nothing support the hooks? What is the point of them?

PaulF_IntelCorp · ‎03-15-2016

Unfortunately, the hooks (and gradle scripts in some Android plugins) represent a significant security and stability risk to the backend system and to user accounts. This is why we cannot support them. We are working on a build system that would isolate this risk in order to support these aspects of Cordova plugins. Until that system is in place, they are disabled. That build system is a significant project, so it will be a while to get it into place.

Geoff_B_ · ‎03-15-2016

Thanks for the clarification. I appreciate the responsiveness. Is there any place I can track that project? Or subscribe to alerts or something. Also, do you have any resources that outline why exactly it's a security issue? I admittedly don't know as much about the plugin construction as I should.

PaulF_IntelCorp · ‎03-16-2016

We don't publish forwarding looking roadmaps or release info, so the best place to find out what is going on is simply via the release note, the forum and the twitter feed (which shows up in the XDK). Newer features tend to show up first in the Early Access release (aka EA). This one will take a while, but one of the other drivers for it is more efficient use of the build servers, so that should help move it along.

Those scripts are a security issue because they allow you to run any command on the server you want to. The scripts are not limited to build-only commands, they can be anything. So that means that an unscrupulous user could create a custom plugin that includes scripts intent on taking down the server or finding holes in the server and its associated network interfaces or uncovering personal information.