Added Gradle Wrapper support #12891
Added Gradle Wrapper support #12891
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
gmazzo
force-pushed
the
gradle-wrapper-support
branch
4 times, most recently
from
1d1fb9a to
bca9d9d
Compare
gmazzo
force-pushed
the
gradle-wrapper-support
branch
3 times, most recently
from
90b0de3 to
ba37efc
Compare
gradle/lib/dependabot/gradle/file_parser/distributions_finder.rb
Outdated
Show resolved
Hide resolved
| module Distributions | ||
| extend T::Sig | ||
|
|
||
| DISTRIBUTIONS_URL = "https://services.gradle.org" |
There was a problem hiding this comment.
Can we detect this from the gradle-wrapper.properties?
In my current configuration, for example, this is pointing to a custom proxy. Example
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https://example.com/gradle-distributions/gradle-9.0.0-bin.zip
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionBuildTime=20250731163512+0000There was a problem hiding this comment.
This is pretty much intentional, because:
- The PR is aiming to support the 95% of the cases (if not more) where people use a standard Gradle distribution
- Even if I manage to infer the base URL for a non standard distribution, there won't be any guarantee that in that same server will exist an equivalent listing endpoint https://services.gradle.org/versions/all, or it will honor it's contact
Therefore the extra complexity to support this edge case won't pay off, at least in the scope of this PR
There was a problem hiding this comment.
That's understandable, but one of the core features of dependabot is the support for private registries, we may need to take that into account
There was a problem hiding this comment.
Thank you for making this change. It would be a great addition!
A few additional points regarding the review:
A key aspect of full Gradle wrapper support is regenerating the wrapper scripts (like gradlew and related files). If only the property file is updated and the scripts aren’t regenerated, it could cause issues.
In my view, a proper Gradle Wrapper upgrade should:
- Update the distribution property file
- Use the native Gradle binary to regenerate the wrapper scripts
- Commit both changes
For reference, see how the Update Gradle Wrapper Action handles this process.
As a side note, considering recent moves to separate ecosystems (such as npm and bum), it might be worth discussing if this should become its own ecosystem. I understand that gradle and the wrapper are related, but the structure and goal are different. Ultimately, however, it will be matter of opinion
I’ll leave that decision to the Dependabot team, as there are both advantages and disadvantages.
Thanks for the review @yeikel ! Let's wait for the maintainers feedback, but IMHO updating the whole set of scripts as that action does is just against the spirit of the tool itself. Not to mention it will be a technical challenge (or a blocker) to implement properly. I dig into this tool a few days ago, so I'm not an expert at all. But based on what I get from experience, it works with a "token replacement" approach. Implementing a proper script updating will require either to run Gradle or to do reverse engineering to the If a full update is required/desired, there are others tools for that or you can just do it manually yourself. There better "Gradle-native" approaches to update dependencies that does not has the flaws the Dependabot has. This tool just provides a static fast approach that fits in the 90% of the cases (again or even more). The wrapper updater just falls under the same pattern IMHO
In my experience, this has never happened. The wrapper API has been pretty stable from Gradle earlier versions
Well, IMHO I disagree. That Gradle has a different set of things to update, does not implies they are different ecosystems. If your thoughts are based on the Renovate approach, I'm not sure why it was implemented like that, but high-level, Gradle is just one. Its wrapper is just another kind of updatable component. |
I appreciate your perspective, though I see things a bit differently. Dependabot aims to align closely with native tools, which is why there’s a growing focus on integrating with each ecosystem’s native tooling, for example, regenerating lock files or running The wrapper-related files are part of the wrapper distribution, which is why the official documentation recommends using Gradle to update the wrapper. Dependabot should aim to create pull requests that are ready for immediate merging, without requiring manual intervention to finalize them. In this case, that'd would include all the related files to the wrapper
Yes, I'd think we should run gradle to execute the upgrade after we identify the version we are trying to upgrade to. From the docs: ./gradlew wrapper --gradle-version {gradleVersion}
Your experience may be limited to specific cases, but Gradle often makes changes for important reasons, such as updating the binary, improving Java version detection, or other enhancements. These updates go beyond simply keeping the wrapper functional; they are all part of the same distribution, and ensuring alignment across these components is essential. Keeping them out of sync may introduce issues that are hard to troubleshoot That said, the Dependabot team may welcome this initial version and use it to gather feedback. I would be among the first to raise an issue to ensure these files are generated for a more complete release. It doesn’t need to be included in the first iteration; we can release now and improve it over time. That's also a valid strategy
Although this is a subjective view, I believe there is a meaningful separation between the Gradle wrapper and application library dependencies. The wrapper and libraries follow different lifecycles: their versions are managed and detected in distinct ways, updated through separate processes, and the wrapper does not interact with registries or dependency resolution like application libraries do. Still, both are important parts of the Gradle ecosystem as you mentioned, and there are reasonable arguments for treating them together or separately depending on the situation. Ultimately, there are advantages and disadvantages to both approaches, and your perspective is valid as well |
Thanks for pointing that out, @yeikel. I just noted there are effective piece of code that run native tools, like I was originally reluctant to propose a solution like that, because running Now I think a complementary step may be added to use Let me see what I can do, or it can be done in a follow-up PR too. I'd like to get feedback from the maintainers about this as well. |
The good news is that both Java and Gradle come pre-installed in the Gradle containers, so no fallback is required. See dependabot-core/gradle/Dockerfile Lines 4 to 25 in 7da4bdd |
gmazzo
force-pushed
the
gradle-wrapper-support
branch
from
ba37efc to
47f7faa
Compare
Awesome, thank you! I think that before this is reviewed, you should make sure that all the tests are passing as that'll be the first feedback you'll get 🙏 As of right now, the e2e smoke tests are failing |
I coudn't find documentation on how to work with the smoke tests. They are in a different repo. I have a PR for them as well, but changing Edit: |
gmazzo
force-pushed
the
gradle-wrapper-support
branch
4 times, most recently
from
06fb136 to
05127fe
Compare
gmazzo
force-pushed
the
gradle-wrapper-support
branch
from
cec4148 to
06d21c8
Compare
| def versions | ||
| if Distributions.distribution_requirements?(dependency.requirements) | ||
| return DistributionsFinder.available_versions | ||
| end |
There was a problem hiding this comment.
There are a few issues here that need to be addressed:
-
Consolidate version fetching logic:
Package::PackageDetailsFetcheris designed to fetch package versions, so the distribution fetching should be moved intoPackageDetailsFetcheras well. This way we have a single method to fetch all versions. -
Add feature flag check: We need to check
Experiments.enabled?(:gradle_wrapper_updater)before fetching distributions, just like we did in the file parsing logic. -
Include
released_atfield: The current format is missing thereleased_atfield, which means cooldown functionality won't work for Gradle wrapper updates.
Current format:
{
version: version,
source_url: source_url
}Should match the format used by PackageDetailsFetcher:
{
version: version,
released_at: released_at,
source_url: source_url
}There was a problem hiding this comment.
Point 1 seems to be the most challenging, let me see what I do
There was a problem hiding this comment.
Ok, @kbukum1, I think I covered all the feedback. I still kept some of the new logic isolated out from PackageDetailsFetcher (in a DistributionsFetcher sibling) but it's definitely integrated into it now.
I think this is better because it won't unnecessary pollute the PackageDetailsFetcher (which is more Maven related) with this, but let me know what you think ;)
PS: the new gradle-wrapper smoke test run is here in a companion PR on my fork repo
gmazzo
force-pushed
the
gradle-wrapper-support
branch
from
41b689b to
56e59ed
Compare
gmazzo
force-pushed
the
gradle-wrapper-support
branch
from
56e59ed to
d4259fb
Compare
| updated_files = T.let([], T::Array[Dependabot::DependencyFile]) | ||
| buildfiles_processed.each do |_, buildfile| | ||
| if Dependabot::Experiments.enabled?(:gradle_lockfile_updater) | ||
| lockfile_updater = LockfileUpdater.new(dependency_files: files) | ||
| updated_files += lockfile_updater.update_lockfiles(buildfile) | ||
| end | ||
| if Dependabot::Experiments.enabled?(:gradle_wrapper_updater) | ||
| wrapper_updater = WrapperUpdater.new(dependency_files: files, dependency: dependency) | ||
| updated_files += wrapper_updater.update_files(buildfile) | ||
| end | ||
| end | ||
|
|
||
| updated_files.each do |file| | ||
| existing_file = files.find { |f| f.name == file.name && f.directory == file.directory } | ||
| if existing_file.nil? | ||
| files << file | ||
| else | ||
| files[T.must(files.index(existing_file))] = file |
There was a problem hiding this comment.
This could be now the most "controversial" refactor, so let me explain a bit why.
Before you were just calling LockfileUpdater.update_lockfiles on the buildfile and collecting its affecting files. That's OK.
Now (and to avoid duplicating the logic, but I'd be fine if that's what you want/need) I did:
- Created a
updated_filesarray to collect files from bothLockfileUpdaterand the newWrapperUpdater(they will only run if their experiments are enabled) - Then run the last piece of logic of "affected files" for the resulting collection.
lockfiles.each do |lockfile|was renamed toupdated_files.each do |file|just for semantic coherence. - You may also noted the
buildfiles_processedmap:- This was needed because the actual logic will be run for every
requirementin thedependency. - For Gradle, we never required more than just, just the
versionbump - But in order to fully support Gradle Distribution, I modeled the
dependencywith two requirements:- The
version - And the
distributionSHA
- The
- The thing is, without change, the first run (for the
versionrequirement) of the native tool (gradle wrapper) will update both of time, in thegradle.propertiesfile. - Because of this, a further second run will fail, because no files will be updated. Also a second run will be unnecessary and just a wast of time and resources for the tool.
- So to overcome this, is what I "keep track" of build files were I run the native tools already, so I won't run them again.
- This was needed because the actual logic will be run for every
| package_releases << { | ||
| version: Gradle::Version.new(version), | ||
| released_at: release_date_info.none? ? nil : (release_date_info[version]&.fetch(:release_date) || nil), | ||
| released_at: info[:released_at] || release_date_info[version]&.fetch(:release_date), |
There was a problem hiding this comment.
This change should be equivalent to the code before, except that now if released_at is set directly in info (only applies for distributions) it will take priority. This was to avoid duplicating the release_date_info structure from Maven packages
4 participants
What are you trying to accomplish?
Introduces
Gradle Wrapperbump support forgradlemanagerCloses #2223 (issue open since 2018)
Smoke Tests PR: dependabot/smoke-tests#325
GitHub Docs PR: github/docs#39954
Anything you want to highlight for special attention from reviewers?
Following the same pattern used by
gradle/libs.version.tomlfile, we'll only look (and support) for agradle/wrapper/gradle-wrapper.propertiesin the root of the project.distributionSha256Sumis also supported, and it will only be updated if the original properties file has the property.Note
To minimize the risk of the feature and the impact on other smoke tests, I've introduced a new
gradle_wrapper_updaterfeature flag for this change.JAR binary and script files support
Updating other the
gradle-wrapper.jaror the companion shell scripts is done through the newWrapperUpdaterhelper by leveraging the existingLockfileUpdater.Most of its code was extracted into a new
GradleUpdaterBaseclass, which has two abstract methods:target_file?to tell the given file is meant to be updated by itcommand_argsto collaborate with the finalgradlecommand runNow both
LockfileUpdaterand the newWrapperUpdaterinherit fromGradleUpdaterBase.Note
The update will not attempt to use any configuration for the
wrappertask in the main build script; many of the repos will be broken because they rely on other files or included builds that will take a long time to complete. We limit to copying the wrapper-related files and running a clean, empty build.How will you know you've accomplished your goal?
Running against a sample repo:
produces the desired diff:
Checklist
Important
Do not squash this PR, so we won't the history of
lockfile_updater.rbbeing renamed togradle_updater_base.rband to attribute the original code to its autor.