{"id":15705617,"url":"https://github.com/peter-evans/gradle-auto-dependency-updates","last_synced_at":"2025-07-05T20:39:46.811Z","repository":{"id":44732862,"uuid":"269524895","full_name":"peter-evans/gradle-auto-dependency-updates","owner":"peter-evans","description":"How to automate Gradle dependency updates with GitHub Actions","archived":false,"fork":false,"pushed_at":"2022-01-28T03:11:10.000Z","size":89,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-01T01:42:28.351Z","etag":null,"topics":["automation","create-pull-request","dependency-updates","github-actions","gradle","lockfile"],"latest_commit_sha":null,"homepage":null,"language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/peter-evans.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-06-05T03:46:52.000Z","updated_at":"2025-02-01T13:40:31.000Z","dependencies_parsed_at":"2022-08-20T12:20:30.222Z","dependency_job_id":null,"html_url":"https://github.com/peter-evans/gradle-auto-dependency-updates","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peter-evans%2Fgradle-auto-dependency-updates","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peter-evans%2Fgradle-auto-dependency-updates/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peter-evans%2Fgradle-auto-dependency-updates/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peter-evans%2Fgradle-auto-dependency-updates/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/peter-evans","download_url":"https://codeload.github.com/peter-evans/gradle-auto-dependency-updates/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253797291,"owners_count":21965861,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","create-pull-request","dependency-updates","github-actions","gradle","lockfile"],"created_at":"2024-10-03T20:17:35.643Z","updated_at":"2025-05-12T18:28:11.477Z","avatar_url":"https://github.com/peter-evans.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Automating Gradle dependency updates with GitHub Actions\n[\u003cimg alt=\"The blog of Peter Evans: Automating Gradle dependency updates with GitHub Actions\" title=\"View blog post\" src=\"https://peterevans.dev/img/blog-published-badge.svg\"\u003e](https://peterevans.dev/posts/how-to-automate-gradle-dependency-updates-with-github-actions/)\n\nUsing Gradle's [dependency locking](https://docs.gradle.org/current/userguide/dependency_locking.html) feature we can create an automated process to periodically create a pull request for dependency updates.\n\nSee an [example pull request](https://github.com/peter-evans/gradle-auto-dependency-updates/pull/2) to update the dependencies of the example app in this repository.\n\n## Configuring dependency locking\n\n1. Firstly, make sure the gradle wrapper is up to date. This is necessary in order to use the feature preview in the next step.\n\n    ```\n    gradle wrapper --gradle-version 6.5\n    ```\n\n2. Enable the `ONE_LOCKFILE_PER_PROJECT` feature preview in *settings.gradle.kts*. You can read more about this feature [here](https://docs.gradle.org/current/userguide/dependency_locking.html#single_lock_file_per_project).\n\n    ```\n    rootProject.name = \"example-api\"\n\n    enableFeaturePreview(\"ONE_LOCKFILE_PER_PROJECT\")\n    ```\n\n3. Add the following section to *build.gradle.kts* to version lock all configurations. See the [documentation here](https://docs.gradle.org/current/userguide/dependency_locking.html#enabling_locking_on_configurations) if you would like to customise this for specific configurations.\n\n    ```\n    dependencyLocking {\n        lockAllConfigurations()\n    }\n    ```\n\n4. **Optionally**, add the following if you would like to create a lockfile for the `buildscript` section. This can be used to version lock plugins.\n\n    ```diff\n    buildscript {\n        repositories {\n            mavenCentral()\n            jcenter()\n        }\n        dependencies {\n            classpath(\"com.jfrog.bintray.gradle:gradle-bintray-plugin:1.8.+\")\n        }\n    +    configurations.classpath {\n    +        resolutionStrategy.activateDependencyLocking()\n    +    }\n    }\n\n    apply(plugin = \"com.jfrog.bintray\")\n    ```\n\n5. Write a `gradle.lockfile` for your current dependencies. If you followed step 4, you will also have a `buildscript-gradle.lockfile`.\n\n    ```\n    ./gradlew dependencies --write-locks\n    ```\n\n6. Check the lockfiles into source control. The lockfiles will now make sure that `./gradlew build` uses strict versions from the lockfile.\n\n7. Specify [version ranges](https://docs.gradle.org/current/userguide/single_versions.html) for your dependencies. The range should include all versions that you are happy to accept version updates for. For example, `1.2.+` for just patch updates, `1.+` for minor updates, and `+` to include major version updates.\n\n## Automate dependency updates\n\nAdd the following GitHub Actions workflow to periodically create a pull request containing dependency updates.\nThe following example uses the [create-pull-request](https://github.com/peter-evans/create-pull-request) action and executes once a week.\n\nNote that if you want pull requests created by this action to trigger checks then a repo scoped [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) should be used instead of the default `GITHUB_TOKEN`.\nIt is *highly recommended* to make sure checks run and build the new pull request in CI.\nThis will verify that the dependency versions in the new lockfile will build and pass tests.\n\n```yml\nname: Update Dependencies\non:\n  schedule:\n    - cron:  '0 1 * * 1'\njobs:\n  update-dep:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v2\n      - uses: actions/setup-java@v1\n        with:\n          java-version: 1.8\n      - name: Grant execute permission for gradlew\n        run: chmod +x gradlew\n      - name: Perform dependency resolution and write new lockfiles\n        run: ./gradlew dependencies --write-locks\n      - name: Create Pull Request\n        uses: peter-evans/create-pull-request@v2\n        with:\n            token: ${{ secrets.PAT }}\n            commit-message: Update dependencies\n            title: Update dependencies\n            body: |\n              - Dependency updates\n  \n              Auto-generated by [create-pull-request][1]\n  \n              [1]: https://github.com/peter-evans/create-pull-request\n            branch: update-dependencies\n```\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeter-evans%2Fgradle-auto-dependency-updates","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpeter-evans%2Fgradle-auto-dependency-updates","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeter-evans%2Fgradle-auto-dependency-updates/lists"}