Grouping Gradle Kotlin and Detekt Plugins in Dependabot
detekt provides great insight via static code analysis for Kotlin projects. But according to the detekt documentation:
detekt is tightly coupled to the Kotlin compiler and requires a specific version to be available at runtime to perform its analysis.
So, if you utilize detekt in your pipeline and update Kotlin to the latest and greatest via Dependabot, you probably already know this error message:
    Execution failed for task ':detekt'.
    > detekt was compiled with Kotlin 1.9.22 but is currently running with 1.9.23.
      This is not supported. See https://detekt.dev/docs/gettingstarted/gradle#dependencies for more information.
If not configured otherwise, this will give you two pull requests (PRs) by Dependabot: one for the Kotlin version and one for detekt. Both will fail and need to be combined to work.
To avoid that, Dependabot supports grouping of dependency updates. Unfortunately, the examples in the docs left me guessing what I need to put in dependabot.yml in order to group these two.
My build.gradle.kts defines the Kotlin version as a variable as it would otherwise be defined in multiple places across the file.
    plugins {
        java
        jacoco
        val kotlinVersion = "1.9.23"
        kotlin("jvm") version kotlinVersion
        kotlin("plugin.spring") version kotlinVersion
        kotlin("plugin.jpa") version kotlinVersion
        id("io.gitlab.arturbosch.detekt") version "1.23.6"
        // …
    }
    // …
So, what should I use to identify the dependencies in the Dependabot group?
1. Is it kotlin* and io.gitlab.arturbosch.detekt?
2. Or can I use the name of the variable kotlinVersion?
3. Or do I need to group jvm, plugin.spring, plugin.jpa and detekt?
I tried option 1 and 2 and they both failed.
I assume option 3 would work, but I decided to not try it as I sometimes use a different set of plugins and I’d need to keep track of all of them.
In the end I changed the plugin coordinates to use Gradle’s generic id definition instead of the kotlin shorthand:
    plugins {
        java
        jacoco
        val kotlinVersion = "1.9.23"
        id("org.jetbrains.kotlin.jvm") version kotlinVersion
        id("org.jetbrains.kotlin.plugin.spring") version kotlinVersion
        id("org.jetbrains.kotlin.plugin.jpa") version kotlinVersion
        id("io.gitlab.arturbosch.detekt") version "1.23.6"
        // …
    }
    // …
Now I could group the Kotlin plugins with the simple pattern org.jetbrains.kotlin* in the dependabot.yml:
    version: 2
    updates:
      - package-ecosystem: gradle
        directory: /
        schedule:
          interval: daily
        groups:
          kotlin:
            patterns:
              - "org.jetbrains.kotlin*"
              - "io.gitlab.arturbosch.detekt"
Which finally worked and created one PR for Kotlin and detekt.
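To keep the group from silently drifting when plugins are added later, a small check can compare the plugin IDs in build.gradle.kts with the group patterns. The following is an added example, not part of the original post or of Dependabot; the function name check_group_coverage and the sample inputs are constructed, and it assumes that patterns are compared against the full plugin ID with * as a wildcard, as the working configuration above suggests.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample inputs, modelled on the files shown in this post.
BUILD_GRADLE_KTS = '''
plugins {
    java
    val kotlinVersion = "1.9.23"
    id("org.jetbrains.kotlin.jvm") version kotlinVersion
    kotlin("plugin.spring") version kotlinVersion
    id("io.gitlab.arturbosch.detekt") version "1.23.6"
    id("org.example.unrelated") version "0.0.1"
}
'''
GROUP_PATTERNS = ["org.jetbrains.kotlin*", "io.gitlab.arturbosch.detekt"]

# Only plugins with an explicit version are candidates for a version update.
ID_RE = re.compile(r'\bid\(\s*"([^"]+)"\s*\)\s*version\b')
SHORTHAND_RE = re.compile(r'\bkotlin\(\s*"([^"]+)"\s*\)\s*version\b')


def check_group_coverage(build_script, patterns):
    """Sort versioned plugin declarations into grouped, ungrouped and shorthand."""
    report = {"grouped": [], "ungrouped": [], "shorthand": []}
    for line in build_script.splitlines():
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for plugin_id in ID_RE.findall(code):
            # Assumption: fnmatch-style globbing approximates the pattern matching.
            hit = any(fnmatchcase(plugin_id, p) for p in patterns)
            report["grouped" if hit else "ungrouped"].append(plugin_id)
        # kotlin("...") carries no full plugin ID to compare with a pattern.
        report["shorthand"].extend(SHORTHAND_RE.findall(code))
    return report


if __name__ == "__main__":
    result = check_group_coverage(BUILD_GRADLE_KTS, GROUP_PATTERNS)
    for kind, names in result.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run in CI, a non-empty shorthand list points at declarations to rewrite in the id(...) form, and the ungrouped list shows which plugins will still get their own PR.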