As Android engineers, one of the key challenges we face is keeping our project’s dependencies up-to-date. Doing so is time-consuming, and the longer we wait, the more complicated it becomes to migrate dependencies to the latest version.
Fortunately, there are powerful tools available to simplify this process and ensure the app is using the latest and most secure libraries.
Today I want to share how Gradle Version Catalog and GitHub’s Dependabot saved me a lot of work in my Android projects.
Disclaimer: the repository needs to be hosted on GitHub.
Version Catalog
Gradle Version Catalog is a feature that provides a centralized and consistent way to manage dependency versions. It was released as an experimental feature in Gradle 7.0 and promoted to stable in version 7.4.
Create a Version Catalog
To get started, we need to create a `libs.versions.toml` file in the root project’s `gradle` folder.
`libs` is the default name. We can have multiple version catalogs and/or use another name, but that requires more configuration and won’t be covered in this article.
The Version Catalog file has 4 sections:
```toml
[versions]
[libraries]
[bundles]
[plugins]
```
- In the `versions` section, define variables that hold the versions of dependencies and plugins. Variables can be shared between multiple dependencies.
- In the `libraries` section, define dependencies.
- In the `bundles` section, define groups of dependencies.
- In the `plugins` section, define plugins.
In this article, we will focus on `versions` and `libraries`. Check the documentation for more info.
Declare dependencies
Now we need to declare dependencies:
```toml
[versions]
kotlin-coroutines = "1.7.0"
junit = "5.10.0"

[libraries]
kotlin-coroutines-core = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-core", version.ref = "kotlin-coroutines" }
kotlin-coroutines-test = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-test", version.ref = "kotlin-coroutines" }
junit-bom = { module = "org.junit:junit-bom", version.ref = "junit" }
```
The recommended naming is kebab case, such as kotlin-coroutines-core, and not camel case, such as kotlinCoroutinesCore. In the generated type-safe accessors, `kotlin-coroutines-core` is converted to `kotlin.coroutines.core`.
Use Version Catalog
Before using the Version Catalog, we need to sync the project so that Gradle generates the type-safe accessors.
Open the app or module `build.gradle(.kts)` and update the dependencies block:
```kotlin
dependencies {
    implementation(libs.kotlin.coroutines.core)
    testImplementation(libs.kotlin.coroutines.test)
}
```
That’s it!
Dependabot
GitHub Dependabot is an automated dependency management tool provided by GitHub. It monitors a project’s dependencies and notifies us about outdated versions.
It generates pull requests with information on the updates available.
Dependabot helps to ensure projects are using the latest dependencies.
Since March-23, Dependabot has officially supported Gradle Version Catalog.
How to configure it
To enable version updates, we need to create a `dependabot.yml` file inside the root project’s `.github` directory.
This config file tells Dependabot which dependency management tools we are using and how often it should check for updates.
```yaml
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
```
Check the documentation for all settings.
What the pull request looks like
Once Dependabot detects a new dependency version, it creates a pull request that looks like this:
Coroutines pull request from Dependabot
The pull request description contains release notes, the changelog, and commits to help us identify (breaking) changes.
Dependabot groups all dependencies that use the same version in our Version Catalog.
By default, Dependabot will open up to 5 pull requests with new updates per week, but we can change this with the `open-pull-requests-limit` setting.
Dependabot action comments
To manage Dependabot’s pull requests easily, we can use pull request comments to ask Dependabot to run some actions:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block auto merging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot from recreating it (same result as closing it manually)
- `@dependabot ignore this major version` will close this PR and stop Dependabot from creating any more for this major version (unless we reopen the PR or upgrade to it ourselves)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot from creating any more for this minor version (unless we reopen the PR or upgrade to it ourselves)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot from creating any more for this dependency (unless we reopen the PR or upgrade to it ourselves)
Conclusion
By combining the power of Gradle Version Catalog and GitHub’s Dependabot, we can significantly streamline the process of managing dependencies for our Android projects. Centralizing version management with Gradle Version Catalog ensures consistency and ease of updates, while Dependabot automates the detection and application of the latest library releases.
This article was previously published on proandroiddev.com