dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Add support for updating gradle wrapper #2223

Open rahulsom opened 5 years ago

rahulsom commented 5 years ago

Hi!

This is an amazing way to manage dependencies.

It would be awesome if it could also send PRs for gradle wrapper updates. Typically this involves

  1. Find the latest version of gradle published at https://api.github.com/repos/gradle/gradle/releases/latest
  2. Run ./gradlew wrapper --gradle-version ${VERSION} --distribution-type all
  3. Send a PR.

Some projects using maven also use a wrapper - https://github.com/takari/maven-wrapper but that can be a separate issue.

greysteil commented 5 years ago

Thanks for the kind words @rahulsom!

Looking through these docs it does look like it would be pretty straightforward for Dependabot to update Gradle wrapper versions. I'm not going to add it straight away (I'm swamped with a few other updates) but I'll leave this open and come back to it.

klara-l commented 5 years ago

This would be awesome!

rahulsom commented 5 years ago

Hi @greysteil! Any chance to prioritize this?

greysteil commented 5 years ago

At the moment I'm afraid we have more than we can handle just integrating with GitHub. We'd love to get to this, but unless it's an open source contribution it's going to take some time.

robstoll commented 4 years ago

@greysteil do you have pointers where and how it needs to be implemented? I could take a look into it.

robstoll commented 4 years ago

@feelepxyz maybe you have some pointers?

FireMasterK commented 3 years ago

Any progress on this?

robstoll commented 3 years ago

@infin8x do you have some pointers on where this needs to be implemented? I would still take a look.

infin8x commented 3 years ago

@robstoll I don't at the moment, sorry. We're a bit swamped at the moment and can't commit to giving your PR the requisite attention.

robstoll commented 3 years ago

@infin8x I don't need a commitment, just a pointer where I should start looking. There is a lot of code and I don't have time either, so if I spend time helping you out then I want to do it as efficiently as possible. I think it would be enough, if you can point me to the file where the analysis for updates takes place. Thanks in advance

JavierSegoviaCordoba commented 3 years ago

Poke, it would be great if someone who knows the project could help @robstoll to get this working.

sehenst commented 2 years ago

Poke, it would be great if someone who knows the project could help @robstoll to get this working.

@asciimike ?

jameswald commented 2 years ago

I have been using https://github.com/marketplace/actions/update-gradle-wrapper-action to implement this feature. Gets the job done for now although it would be better if this were supported by dependabot.

asciimike commented 2 years ago

https://github.com/dependabot/dependabot-core#dependabot-package-manager is a good place to start, as it has a good explanation of how the various pieces fit together, and links to READMEs on how to implement the required methods.

https://github.com/dependabot/dependabot-core/tree/main/gradle/lib/dependabot/gradle is probably where most of the additions will happen. I'd expect you'd have to modify the update checker as well as the file updater.

robstoll commented 2 years ago

I'm afraid I don't have the time any more to look at it, but it hopefully helps someone else.

james-s-w-clark commented 2 years ago

I've been reading about this and have opened https://github.com/IdiosApps/dependabot-gradlewrapper-test. It gives some context/summary of the problem, and a few gradle dependencies so we can test any changes to dependabot-core with a dry run on it.

I'll try to find time to look into this repo later, thanks for the links @asciimike

mustafaozhan commented 1 year ago

Really looking forward to seeing this too!

eirnym commented 1 year ago

I'm looking forward to support for Gradle Wrapper updates. The update-gradle-wrapper-action mentioned above has too many problems. I'm going to replace it using https://services.gradle.org/, at least until Dependabot supports it.

eirnym commented 1 year ago

https://github.com/marketplace/actions/upgrade-gradle is the closest implementation to what I have locally

xtermi2 commented 1 year ago

Really disappointing, no progress here. I've been waiting for years for this feature. Renovate has been able to do this for years: https://docs.renovatebot.com/modules/manager/gradle-wrapper/

GregJohnStewart commented 1 year ago

Bump!

Sad to see it's not supported already :(

FunkyMuse commented 1 year ago

Any hope on this?

deivid-rodriguez commented 1 year ago

Hello! We'll make sure to update this issue once there's movement. In the meantime, please use reactions instead of +1 comments to show support for the request. Thanks!

DPUkyle commented 1 year ago

https://services.gradle.org/versions/current is a great endpoint with easy-to-consume json.

britter commented 1 year ago

@DPUkyle I think the main problem here is that in order to upgrade the wrapper jar and shell scripts completely one needs to run the Gradle build. I'm not sure that is supported by dependabot.

Thunderforge commented 1 year ago

Aren't the wrapper jar and shell scripts known quantities for each release, used the same by everyone? Instead of running gradlew wrapper, is it possible to have Dependabot

  1. Find/replace in gradle/wrapper/gradle.properties
    • If the URL is not the publicly available Gradle wrapper, such as for private distributions, then abort
  2. Supply pre-built wrapper files (jar and shell scripts) for the requested version
    • Maybe make use of the Gradle Wrapper Validation GitHub Action, which validates that the wrapper files have the correct hash.
  3. Create a PR

EDIT: I see now that this would ignore any configuration in build.gradle such as

tasks.named('wrapper') {
    distributionType = Wrapper.DistributionType.ALL
}

But this might be an acceptable limitation, since I'm guessing it's pretty rarely used. Just see whether gradle/wrapper/gradle.properties currently uses -all or -bin and do the same.
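The find/replace-with-abort step and the wrapper hash check proposed in the comment above, sketched in Ruby as an added example; it is not code from this thread or from dependabot-core. The names `bump_wrapper_properties`, `wrapper_jar_trusted?` and the constants are hypothetical, the properties text is a constructed sample, and the expected SHA-256 is assumed to come from a source the caller trusts.

```ruby
require "digest"
require "uri"

# Assumption of this example: only this host and path count as the public
# Gradle distribution; anything else is treated as private and left alone.
PUBLIC_HOST = "services.gradle.org"
VERSION     = /\d+(?:\.\d+)+/
PUBLIC_PATH = %r{\A/distributions/gradle-#{VERSION}-(?<type>bin|all)\.zip\z}

# Constructed sample; Gradle writes the ":" escaped, as Java properties do.
SAMPLE_PROPERTIES = <<~'PROPS'
  distributionBase=GRADLE_USER_HOME
  distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.2-all.zip
  zipStoreBase=GRADLE_USER_HOME
PROPS

# Returns the rewritten properties text, or nil when the update is aborted.
def bump_wrapper_properties(text, new_version)
  return nil unless new_version.match?(/\A#{VERSION}\z/)

  line = text.lines.map(&:chomp).find { |l| l.start_with?("distributionUrl=") }
  return nil unless line

  uri = URI.parse(line.delete_prefix("distributionUrl=").gsub("\\:", ":"))
  type = PUBLIC_PATH.match(uri.path.to_s)&.[](:type)
  return nil unless uri.scheme == "https" && uri.host == PUBLIC_HOST && type
  return nil if uri.userinfo || uri.query || uri.port != 443

  # Keep the -bin / -all suffix the repository already uses.
  new_url = "https\\://#{PUBLIC_HOST}/distributions/gradle-#{new_version}-#{type}.zip"
  text.sub(line) { "distributionUrl=#{new_url}" }
rescue URI::InvalidURIError
  nil
end

# True only when the wrapper jar bytes hash to the expected SHA-256 (hex),
# which the caller must obtain from a source it trusts.
def wrapper_jar_trusted?(jar_bytes, expected_sha256)
  Digest::SHA256.hexdigest(jar_bytes) == expected_sha256.strip.downcase
end
```

Matching the host exactly, rather than by substring or prefix, is what keeps a lookalike or private distribution URL from being rewritten as if it were the public one.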