ajalt / colormath

Multiplatform Kotlin color conversion and manipulation
https://ajalt.github.io/colormath/
MIT License

Add workflow for Update Gradle Wrapper Action. #10

Closed cristiangreco closed 4 years ago

cristiangreco commented 4 years ago

Hey there 👋, first of all thanks for your work on Colormath!

I've got a suggested change: would you be willing to use this GitHub Action to automatically keep Gradle Wrapper updated to the latest release?

What does "Update Gradle Wrapper Action" do? It can be configured to run at scheduled intervals (e.g. daily or weekly) and will check whether the Wrapper script in the repo is up-to-date to the latest Gradle release: in case a new Gradle version is available, it will create a PR to update the Wrapper. And that's it!

Why is that a good thing? Well, first of all it alleviates the chore of manually updating the Wrapper, as you got a task that keeps track of new Gradle releases for you! More importantly, it boosts security around the Wrapper update and usage processes: this action verifies that the gradle-wrapper.jar file has not been tampered with (uses checksum comparison), and it sets the distributionSha256Sum property so that the new Gradle binary itself will be verified locally upon download.

Where can I find out more? The README contains quite detailed information!

In this PR I propose adding a new workflow which runs the action every day at midnight (but feel free to adjust the frequency as you prefer). I've verified it works correctly in my fork of the repo: as your Wrapper is already up-to-date at the moment, you can see here that the action detects no changes are needed. However, you can see an example of an automated PR in other projects using the action.

The action is under active development, you can have a look at the list of inputs currently supported. There are new features coming up soon and if you'd like to request any particular change just let me know!

I'd love to see the action used by Colormath and I genuinely hope you can find this useful. Would love your feedback! ❤️
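Added example, not part of the PR or of the action's own code: a minimal Python audit of the two checks described in the comment above, comparing the gradle-wrapper.jar SHA-256 against a trusted set and confirming that gradle-wrapper.properties pins distributionSha256Sum. The function names, the trusted-checksum set, the `gradle-X.Y` placeholder version and all sample inputs are constructed for illustration.

```python
import hashlib
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_properties(text):
    """Parse the simple key=value form used by gradle-wrapper.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Gradle writes URLs with an escaped colon ("https\://...").
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def audit_wrapper(properties_text, jar_bytes, trusted_jar_sha256):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    pinned = parse_properties(properties_text).get("distributionSha256Sum", "").lower()
    if not pinned:
        findings.append("distributionSha256Sum is not set")
    elif not SHA256_RE.match(pinned):
        findings.append("distributionSha256Sum is not a 64-character hex digest")
    actual = hashlib.sha256(jar_bytes).hexdigest()
    if actual not in trusted_jar_sha256:
        findings.append("gradle-wrapper.jar checksum " + actual + " is not trusted")
    return findings

# Constructed sample inputs (stand-ins, not real Gradle artifacts or checksums).
GOOD_JAR = b"constructed stand-in for gradle-wrapper.jar"
TAMPERED_JAR = GOOD_JAR + b"\x00extra"
TRUSTED = {hashlib.sha256(GOOD_JAR).hexdigest()}
URL_LINE = "distributionUrl=https\\://services.gradle.org/distributions/gradle-X.Y-bin.zip\n"
PINNED_PROPS = URL_LINE + "distributionSha256Sum=" + "ab" * 32 + "\n"
UNPINNED_PROPS = URL_LINE

if __name__ == "__main__":
    print(audit_wrapper(PINNED_PROPS, GOOD_JAR, TRUSTED))
    print(audit_wrapper(UNPINNED_PROPS, TAMPERED_JAR, TRUSTED))
```

In a real repository the trusted set would come from checksums published by Gradle for released wrapper versions, fetched over a channel independent of the repository being audited.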

cristiangreco commented 4 years ago

Hey @ajalt, I'd love to hear why you think this PR is spam? Could be a good learning for me next time I propose it to another project!

ajalt commented 4 years ago

Well, you've made this exact same PR trying to add your workflow to dozens of repos over the past couple of days, which is spammy behavior regardless of your intentions.

As for the content of the PR:

There are already existing dependency checkers like dependabot. Adding support for the gradle wrapper to one of them makes more sense than having a separate workflow. Can you imagine if every library required its own workflow to update? That would not be a great situation.

Secondly, I don't use dependabot or similar on any of my repos. Especially this one, which is low level, stable, and releases infrequently. Gradle releases more frequently than colormath, so I would have to deal with being nagged to update even when no development is happening.


My advice would be to fold this functionality into an existing dependency checker like dependabot. That would allow everyone using that service to get this functionality automatically, rather than needing to add and configure a separate workflow.

If you don't want to do that, then I would suggest not spamming repos with PRs. Addressing your PRs takes time, which is a limited resource for OSS maintainers! If nothing else, I think you should only suggest this workflow to repos that already have dependency checking set up.

cristiangreco commented 4 years ago

Thanks for your reply! I see your point wrt the pain of updating the wrapper in a project which is almost stable.

> I think you should only suggest this workflow to repos that already have dependency checking set up.

This is a very good point, thanks!