I have a Gradle (v6.6.1) platform module that I publish to our internal maven repo. It's a constraints-only platform, and intended to be used by a large number of projects in my org so that we can standardize on versions of common dependencies.
So far it's working fine: I periodically review each dependency to look for an updated release, update those versions in my build.gradle.kts file, bump the version number of the platform itself (major or minor, depending on the changes), and publish that new platform to the maven repo.
However, doing so is a time-consuming and manual process. I'd much rather specify my version range constraints in build.gradle.kts (for example, latest patch version, or the latest minor version), and then use dependency locking to update the recommended version to for each dependency to a new specific version.
The problem is, Gradle seems to forbid this. Even when I use the following, it will only produce an empty api.lockfile:
dependencyLocking {
lockAllConfigurations()
}
task("resolveAndLockAll") {
doFirst {
require(gradle.startParameter.isWriteDependencyLocks,
{ "You must specify `--write-locks` to update the dependency version lock" })
configurations["api"].setCanBeResolved(true) // `api` not resolvable by default
}
doLast {
configurations.forEach {
println("Reviewing configuration ${it}...")
if (it.isCanBeResolved && it.name != "archives" && it.name != "default") {
it.resolve()
}
}
}
}
dependencies {
constraints {
api("com.google.guava:guava:${ property("guavaVersion") }")
api("com.google.inject:guice:${ property("guiceVersion") }")
... // many more
}
}
I think I understand the logic behind this: my platform only publishes constraints (not dependencies) so dependency locking doesn't apply. However, I want to specify exact constraints, allowing the consuming projects to jump from release to release of my platform project with exact versions recommended to them.
I also understand that those consuming projects can use dependency locking to get reproducible builds (and they do), but again, I want to specify exact constraints so that everyone on version, say, 17.4 of my platform is using exactly the same dependencies, and they can coordinate on issues they encounter.
Workaround(s)
The best idea I've got is to have a second, private module that defines the same set of dependencies (as actual dependencies) but with broader version ranges (e.g. [1.1, 2.0) instead of 1.4.3). I can use that module to generate a lock file, and then write a script that will update the platform's build.gradle.kts file with the newly-resolved specific dependency versions.