
Start updating Gradle lockfiles #12287


Merged: 27 commits, Jun 16, 2025

Conversation

ryanbrandenburg
Contributor

What are you trying to accomplish?

Many Gradle repositories check their gradle.lockfiles into the repository for build reproducibility, so if they get a Dependabot PR which updates their gradle.build files without updating the gradle.lockfiles it's liable to cause build failures which they will have to resolve by updating the lockfiles themselves. By running gradle build when the repo has checked in lockfiles we can hopefully avoid that scenario, and if for whatever reason it doesn't work then people are back to being able to update the lockfile themselves.

#2222

Anything you want to highlight for special attention from reviewers?

  • I'm not a Gradle expert so it's entirely possible I've missed something important or done things in a way that's not idiomatic.
  • The Gradle CLI won't currently use any credentials for private registries.

How will you know you've accomplished your goal?

We'll know this works if we can run a successful package upgrade against a repo which uses a lockfile and the lockfile updates.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
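An added example, not code from this PR or from Dependabot: the success criterion above is that the checked-in lockfile actually updates, and a regenerated lockfile can also move transitive dependencies that were not the target of the bump. This Ruby snippet parses Gradle's gradle.lockfile line format ("group:artifact:version=config1,config2", with "#" comments and an "empty=" marker line), diffs an old and new lockfile, and reports anything that changed besides the intended coordinate; the two lockfiles and the failureaccess version bump are constructed sample data.

```ruby
# Added example (not Dependabot's code): parse gradle.lockfile text and diff two
# versions so a reviewer can confirm the regenerated lockfile moved only the
# intended coordinate and spot unexpected transitive bumps, additions or removals.

# Map "group:artifact" => { version:, configs: } from lockfile text.
# "#" comment lines and the "empty=<configs>" marker line are skipped.
def parse_gradle_lockfile(text)
  deps = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", "empty=")
    coords, configs = line.split("=", 2)
    group, artifact, version = coords.split(":", 3)
    deps["#{group}:#{artifact}"] = { version: version, configs: configs.to_s.split(",") }
  end
  deps
end

# Versions that changed, plus coordinates that were added or removed.
def diff_lockfiles(old_text, new_text)
  before = parse_gradle_lockfile(old_text)
  after  = parse_gradle_lockfile(new_text)
  changed = before.keys.select { |k| after.key?(k) && before[k][:version] != after[k][:version] }
  {
    changed: changed.to_h { |k| [k, [before[k][:version], after[k][:version]]] },
    added:   after.keys - before.keys,
    removed: before.keys - after.keys
  }
end

# Everything that moved other than the dependency the update intended to bump.
def unexpected_changes(diff, intended)
  diff[:changed].keys.reject { |k| k == intended } + diff[:added] + diff[:removed]
end

# Constructed sample lockfiles (not taken from the PR's fixtures).
OLD_LOCK = <<~LOCK
  # This is a Gradle generated file for dependency locking.
  com.google.guava:guava:33.2.0-jre=compileClasspath,runtimeClasspath
  com.google.guava:failureaccess:1.0.2=compileClasspath,runtimeClasspath
  empty=annotationProcessor
LOCK
NEW_LOCK = <<~LOCK
  com.google.guava:guava:33.4.8-jre=compileClasspath,runtimeClasspath
  com.google.guava:failureaccess:1.0.3=compileClasspath,runtimeClasspath
  empty=annotationProcessor
LOCK
```

Calling `unexpected_changes(diff_lockfiles(OLD_LOCK, NEW_LOCK), "com.google.guava:guava")` on the sample returns the transitive failureaccess bump, which is the kind of extra movement a reviewer of a lockfile-updating PR should expect to see and check.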

@ryanbrandenburg ryanbrandenburg requested a review from a team as a code owner May 20, 2025 22:33
@github-actions github-actions bot added the L: java:gradle Maven packages via Gradle label May 20, 2025
@ryanbrandenburg ryanbrandenburg force-pushed the dev/rybrande/GradleCLI branch from 0e856d0 to cfd4a1f Compare May 20, 2025 22:42
@markhallen markhallen moved this to Scoping in Dependabot May 21, 2025
@markhallen markhallen self-assigned this May 21, 2025
@abdulapopoola abdulapopoola moved this from Scoping to Ready in Dependabot May 21, 2025
@ryanbrandenburg ryanbrandenburg force-pushed the dev/rybrande/GradleCLI branch from aed48b3 to 89bbc02 Compare May 21, 2025 17:34
@JamieMagee JamieMagee requested a review from Copilot May 21, 2025 21:46

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds support for updating Gradle lockfiles when bumping dependencies, including fixtures, a new LockfileUpdater, tests, and Docker/DevContainer updates to enable lockfile generation.

  • Introduces complete Gradle project fixtures with lockfiles and wrapper scripts for testing
  • Implements LockfileUpdater and integrates it into FileUpdater, with Sorbet type signatures and new tests
  • Updates the Docker image to install Java and Gradle and pins Rust in the DevContainer

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.

Summary per file:
  • gradle/spec/fixtures/buildfiles/lockfile/**: Adds a full sample Gradle project with lockfiles
  • gradle/spec/dependabot/gradle/file_updater_spec.rb: Adds specs for lockfile-aware dependency updates
  • gradle/lib/dependabot/gradle/file_updater/property_value_updater.rb: Adds Sorbet signatures and null-safety improvements
  • gradle/lib/dependabot/gradle/file_updater/lockfile_updater.rb: Implements lockfile regeneration via gradle build --write-locks
  • gradle/lib/dependabot/gradle/file_updater.rb: Integrates the lockfile updater into the main updater
  • gradle/Dockerfile: Installs OpenJDK and Gradle for lockfile generation
  • .devcontainer/devcontainer.json: Pins Rust version to 1.86.0 for the dev environment
Comments suppressed due to low confidence (2)

gradle/Dockerfile:28

  • The Dockerfile invokes unzip gradle.zip but the unzip package is not installed. Add unzip to the apt-get install list to ensure the command succeeds.
&& unzip gradle.zip \

gradle/lib/dependabot/gradle/file_updater/property_value_updater.rb:45

  • [nitpick] Using T.must on file_to_update.content is redundant since content is always a non-nil String; consider removing T.must for clarity.
updated_content = T.must(file_to_update.content).sub(


@ljacomet ljacomet left a comment


Hey,

Gradle engineer here, having implemented lock files for it.

I am a strong +1 in adding support for upgrading lockfiles for Dependabot when they are present. @ryanbrandenburg has the right justification.

While I can't really comment on the details of the code - ruby is not my specialty - I left one main comment, on the update approach itself.

@markhallen markhallen removed their assignment Jun 9, 2025
@kbukum1 kbukum1 self-assigned this Jun 11, 2025
@ryanbrandenburg
Contributor Author

ryanbrandenburg commented Jun 11, 2025

@kbukum1 looks like you might be the representative for dependabot/maintainers on this one? Would love to get your review.

@kbukum1
Contributor

kbukum1 commented Jun 12, 2025

@kbukum1 looks like you might be the representative for dependabot/maintainers on this one? Would love to get your review.

@ryanbrandenburg, yes, I am currently reviewing this. I will let you know when I am done. Thanks for the contribution.

@kbukum1 kbukum1 moved this from Ready to In Progress in Dependabot Jun 12, 2025
Contributor

@kbukum1 kbukum1 left a comment


Testing the changes

@kbukum1
Contributor

kbukum1 commented Jun 13, 2025

Hi @ryanbrandenburg ,

Thanks for adding the feature flag. I am currently testing it. I will let you know if there is any issue. I also created a feature flag on our API side so we can use it for rollout.

Locally it seems to be working properly. After a few more tests I will test it on a direct repository.

dependabot@c4cbffdded91:~/dependabot-updater$ bin/run update_files
warning: parser/current is loading parser/ruby34, which recognizes 3.4.0-dev-compliant syntax, but you are running 3.4.4.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
2025/06/13 19:26:45 INFO Starting job processing
2025/06/13 19:26:45 INFO Starting update job for dsp-testing/gradle_with_lock_file
2025/06/13 19:26:45 INFO Checking all dependencies for version updates...
2025/06/13 19:26:45 INFO Checking if com.google.guava:guava 33.2.0-jre needs updating
2025/06/13 19:26:45 INFO Filtered out 27 pre-release versions
2025/06/13 19:26:45 INFO Filtered out 76 non-jre classifier versions
2025/06/13 19:26:45 INFO Latest version is 33.4.8-jre
2025/06/13 19:26:45 INFO Requirements to unlock own
2025/06/13 19:26:45 INFO Requirements update strategy 
2025/06/13 19:26:45 INFO Updating com.google.guava:guava from 33.2.0-jre to 33.4.8-jre
2025/06/13 19:26:49 INFO Submitting com.google.guava:guava pull request for creation
2025/06/13 19:26:50 INFO Cooldown metrics collection is disabled.
2025/06/13 19:26:50 INFO Checking if jvm 2.0.0 needs updating
2025/06/13 19:26:50 INFO Filtered out 120 pre-release versions
2025/06/13 19:26:50 INFO Latest version is 2.1.21
2025/06/13 19:26:50 INFO Requirements to unlock own
2025/06/13 19:26:50 INFO Requirements update strategy 
2025/06/13 19:26:50 INFO Updating jvm from 2.0.0 to 2.1.21
2025/06/13 19:26:54 INFO Submitting jvm pull request for creation
2025/06/13 19:27:21 INFO Cooldown metrics collection is disabled.
2025/06/13 19:27:21 INFO Finished job processing
2025/06/13 19:27:21 INFO Results:
+--------------------------------------------------------------------+
|                Changes to Dependabot Pull Requests                 |
+---------+----------------------------------------------------------+
| created | com.google.guava:guava ( from 33.2.0-jre to 33.4.8-jre ) |
| created | jvm ( from 2.0.0 to 2.1.21 )                             |
+---------+----------------------------------------------------------+
dependabot@c4cbffdded91:~/dependabot-updater$ 

@kbukum1 kbukum1 dismissed their stale review June 13, 2025 19:33

Local test is done and working properly in dry-run mode.

Contributor

@kbukum1 kbukum1 left a comment


Nicely done! @ryanbrandenburg — thank you for considering all perspectives and keeping the change behind a feature flag. Also, appreciate you adding the Sorbet typings!

@kbukum1 kbukum1 merged commit b211fb5 into dependabot:main Jun 16, 2025
46 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Dependabot Jun 16, 2025