dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Gradle plugin version bumping #1104

Closed TobiasRoland closed 7 months ago

TobiasRoland commented 5 years ago

Yesterday, when running the gradle versions plugin, I noticed that dependabot does not bump my spring plugin version, which was defined in the build.gradle plugin block:

plugins {
    // would expect the below to be bumped to 2.1.4.RELEASE
    id "org.springframework.boot" version "2.1.3.RELEASE"
}

Would be great if dependabot could update this, too.

joshuatcasey commented 4 years ago

This would be great for us too! We're using an ext block to set the Spring boot version for both the plugin and the BOM.

https://github.com/cloudfoundry/uaa/blob/develop/dependencies.gradle

ColtonIdle commented 3 years ago

@TobiasRoland how do you get the gradle versions plugin and dependabot working together?

busches commented 3 years ago

This is working for me today, appears to be added quite a while back https://github.com/dependabot/dependabot-core/commit/e571c5c6f3a812c0c51973ca063438d3cad71238

zbynek commented 2 years ago

@TobiasRoland is this still reproducible? If yes, could you share a link to the repo you're trying to update?

koppor commented 1 year ago

Does not work here.

Expected diff:

- id("org.openrewrite.rewrite") version("6.0.0")
+ id("org.openrewrite.rewrite") version("6.1.4")

Nothing happens.

All releases of the plugin are given there: https://github.com/openrewrite/rewrite-gradle-plugin/releases

Repository: https://github.com/jabref/jabref

zbynek commented 1 year ago

@koppor it seems the regex used to find plugin version declaration is not generic enough. To allow dependabot to update that plugin you can just remove parentheses around plugin ID and version.
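The mismatch described in the comment above, as an added example that is not part of the thread and not dependabot-core code: a small audit that lists the plugin declarations in a build script which a matcher limited to the unparenthesized form would skip, so they do not silently stop receiving updates. `NARROW`, `BROAD`, the function names and the sample build script are assumptions made for illustration; `NARROW` is a stand-in, not the regex dependabot-core uses.

```ruby
# Added example: audits Gradle build script text for plugin declarations that a
# narrow version-matching regex would skip. Not dependabot-core code.

# Assumption: NARROW stands in for a matcher that accepts only the
# unparenthesized form `id "x" version "y"` (either quote style).
NARROW = /\bid\s+(?<q1>['"])(?<id>[^'"]+)\k<q1>\s+version\s+(?<q2>['"])(?<version>[^'"]+)\k<q2>/

# BROAD also accepts optional parentheses around the plugin ID and the version.
BROAD = /\bid\s*\(?\s*(?<q1>['"])(?<id>[^'"]+)\k<q1>\s*\)?\s*
         version\s*\(?\s*(?<q2>['"])(?<version>[^'"]+)\k<q2>\s*\)?/x

# Returns one hash per versioned plugin declaration found, line by line.
def plugin_declarations(text)
  text.each_line.with_index(1).filter_map do |line, number|
    code = line.sub(%r{//.*}, "") # drop // comments (plugin lines carry no URLs)
    m = BROAD.match(code)
    next unless m # e.g. `id 'java'` has no version and is ignored

    { line: number, id: m[:id], version: m[:version],
      narrow_match: NARROW.match?(code) }
  end
end

# Declarations that exist in the file but that the narrow pattern cannot see.
def missed_by_narrow(text)
  plugin_declarations(text).reject { |d| d[:narrow_match] }
end

# Constructed sample build script reusing the declaration styles quoted in the thread.
SAMPLE = <<~GRADLE
  plugins {
      id 'java'
      id "org.springframework.boot" version "2.1.3.RELEASE"
      id("org.openrewrite.rewrite") version("6.0.0")
      // id("com.example.disabled") version("1.0.0")
      id 'com.example.single-quoted' version '6.1.25'
  }
GRADLE

if __FILE__ == $PROGRAM_NAME
  missed_by_narrow(SAMPLE).each do |d|
    puts "line #{d[:line]}: #{d[:id]} #{d[:version]} uses a form the narrow pattern skips"
  end
end
```
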

koppor commented 10 months ago

Interestingly, the plugin was not updated from 6.1.25 to 6.2.4 - even though that version is available: https://docs.openrewrite.org/reference/gradle-plugin-configuration

id 'org.openrewrite.rewrite' version '6.1.25'

version: 2
updates:
  - package-ecosystem: gradle
    directory: "/"
    schedule:
      interval: weekly
    labels:
      - "dependencies"
    ignore:
      - dependency-name: com.microsoft.azure:applicationinsights-core
        versions:
          - ">= 2.5.a" # Blocked by https://github.com/microsoft/ApplicationInsights-Java/issues/1155
      - dependency-name: com.microsoft.azure:applicationinsights-logging-log4j2
        versions:
          - ">= 2.5.a" # Blocked by https://github.com/microsoft/ApplicationInsights-Java/issues/1155

zbynek commented 10 months ago

@koppor which repository are you talking about? Seems OK in https://github.com/JabRef/jabref/commit/2a5a23b09725c5e1ec06bb7c41c6a69f6e3e8322

koppor commented 10 months ago

@zbynek Thank you for checking. Must have been bad timing on my side (working on a branch in parallel to dependabot updates being merged automatically). They also release at a fast pace (see https://github.com/openrewrite/rewrite-gradle-plugin/releases), thus my assumption that 6.1.25 was older than two weeks was wrong.

zbynek commented 10 months ago

@jurre maybe this issue can be closed now?

koppor commented 10 months ago

Maybe someone could do some RegEx magic to support " too 😅

zbynek commented 10 months ago

@koppor I don't want to discourage you from proposing a PR, but personally I won't make one because the regexp based solution will never be perfect and might get completely replaced by https://github.com/dependabot/dependabot-core/issues/1164 anyway.

koppor commented 10 months ago

Thank you for the link. Then, this one can surely be closed!