https://github.com/peter-evans/gradle-auto-dependency-updates
  
  
How to automate Gradle dependency updates with GitHub Actions
automation create-pull-request dependency-updates github-actions gradle lockfile
How to automate Gradle dependency updates with GitHub Actions
- Host: GitHub
- URL: https://github.com/peter-evans/gradle-auto-dependency-updates
- Owner: peter-evans
- License: mit
- Created: 2020-06-05T03:46:52.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2022-01-28T03:11:10.000Z (almost 4 years ago)
- Last Synced: 2025-04-01T01:42:28.351Z (7 months ago)
- Topics: automation, create-pull-request, dependency-updates, github-actions, gradle, lockfile
- Language: Kotlin
- Size: 86.9 KB
- Stars: 6
- Watchers: 2
- Forks: 1
- Open Issues: 0
- Metadata Files:
    - Readme: README.md
    - License: LICENSE
 
# Automating Gradle dependency updates with GitHub Actions
Using Gradle's [dependency locking](https://docs.gradle.org/current/userguide/dependency_locking.html) feature, we can create an automated process that periodically opens a pull request for dependency updates.
See an [example pull request](https://github.com/peter-evans/gradle-auto-dependency-updates/pull/2) to update the dependencies of the example app in this repository.
## Configuring dependency locking
1. First, make sure the Gradle wrapper is up to date. This is necessary in order to use the feature preview in the next step.
    ```
    gradle wrapper --gradle-version 6.5
    ```
2. Enable the `ONE_LOCKFILE_PER_PROJECT` feature preview in *settings.gradle.kts*. You can read more about this feature [here](https://docs.gradle.org/current/userguide/dependency_locking.html#single_lock_file_per_project).
    ```
    rootProject.name = "example-api"
    enableFeaturePreview("ONE_LOCKFILE_PER_PROJECT")
    ```
3. Add the following section to *build.gradle.kts* to version lock all configurations. See the [documentation here](https://docs.gradle.org/current/userguide/dependency_locking.html#enabling_locking_on_configurations) if you would like to customise this for specific configurations.
    ```
    dependencyLocking {
        lockAllConfigurations()
    }
    ```
4. **Optionally**, add the following if you would like to create a lockfile for the `buildscript` section. This can be used to version lock plugins.
    ```diff
    buildscript {
        repositories {
            mavenCentral()
            jcenter()
        }
        dependencies {
            classpath("com.jfrog.bintray.gradle:gradle-bintray-plugin:1.8.+")
        }
    +    configurations.classpath {
    +        resolutionStrategy.activateDependencyLocking()
    +    }
    }
    apply(plugin = "com.jfrog.bintray")
    ```
5. Write a `gradle.lockfile` for your current dependencies. If you followed step 4, you will also have a `buildscript-gradle.lockfile`.
    ```
    ./gradlew dependencies --write-locks
    ```
6. Check the lockfiles into source control. The lockfiles will now make sure that `./gradlew build` uses strict versions from the lockfile.
7. Specify [version ranges](https://docs.gradle.org/current/userguide/single_versions.html) for your dependencies. The range should include all versions that you are happy to accept version updates for. For example, `1.2.+` for just patch updates, `1.+` for minor updates, and `+` to include major version updates.
## Automate dependency updates
Add the following GitHub Actions workflow to periodically create a pull request containing dependency updates.
The following example uses the [create-pull-request](https://github.com/peter-evans/create-pull-request) action and executes once a week.
Note that if you want pull requests created by this action to trigger checks, a repo-scoped [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) should be used instead of the default `GITHUB_TOKEN`.
It is *highly recommended* to make sure checks run and build the new pull request in CI.
This verifies that the dependency versions in the new lockfile build and pass tests.
```yml
name: Update Dependencies
on:
  schedule:
    - cron:  '0 1 * * 1'
jobs:
  update-dep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-java@v1
        with:
          java-version: 1.8
      - name: Grant execute permission for gradlew
        run: chmod +x gradlew
      - name: Perform dependency resolution and write new lockfiles
        run: ./gradlew dependencies --write-locks
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v2
        with:
          token: ${{ secrets.PAT }}
          commit-message: Update dependencies
          title: Update dependencies
          body: |
            - Dependency updates

            Auto-generated by [create-pull-request][1]

            [1]: https://github.com/peter-evans/create-pull-request
          branch: update-dependencies
```
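The pull request this workflow opens changes only the lockfiles, so reviewing it means reading lockfile diffs. The following is an added example, not part of the original repository: a small Python script that summarises which locked modules were added, removed, or changed between two lockfiles, and which changes cross a major version. The function names and sample module coordinates are constructed for illustration; the line format (`group:artifact:version=configurations`, `#` comments, and an `empty=` line) is the one Gradle writes.

```python
import re
# Constructed sample lockfiles; module coordinates and versions are made up.
OLD_LOCK = """\
# This is a Gradle generated file for dependency locking.
com.example:http-client:4.5.12=compileClasspath,runtimeClasspath
com.example:json:2.10.4=compileClasspath,runtimeClasspath
com.example:legacy-util:1.0.0=runtimeClasspath
empty=annotationProcessor
"""
NEW_LOCK = """\
com.example:http-client:5.0.0=compileClasspath,runtimeClasspath
com.example:json:2.10.5=compileClasspath,runtimeClasspath
com.example:new-transitive:0.3.1=runtimeClasspath
empty=annotationProcessor
"""

def parse_lockfile(text):
    """Return {"group:artifact": {versions}}; a module can be locked at
    different versions in different configurations, hence the set."""
    modules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue  # skip comments and the list of empty configurations
        coords, _, _configs = line.partition("=")
        group, artifact, version = coords.split(":", 2)
        modules.setdefault(f"{group}:{artifact}", set()).add(version)
    return modules

def major(version):
    m = re.match(r"\d+", version)  # leading numeric component, if any
    return int(m.group()) if m else None

def diff_lockfiles(old_text, new_text):
    old, new = parse_lockfile(old_text), parse_lockfile(new_text)
    report = {"added": [], "removed": [], "changed": [], "major": []}
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            report["added"].append(name)    # new module entering the build
        elif name not in new:
            report["removed"].append(name)
        elif old[name] != new[name]:
            report["changed"].append(name)
            if {major(v) for v in old[name]} != {major(v) for v in new[name]}:
                report["major"].append(name)  # crosses a major version
    return report

if __name__ == "__main__":
    for kind, names in diff_lockfiles(OLD_LOCK, NEW_LOCK).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Modules listed under `added` are the ones worth the closest look in review, since they are new code entering the build rather than a version bump of something already accepted.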
## License
[MIT](LICENSE)