Grouping Gradle Kotlin and Detekt Plugins in Dependabot

Michael Kutz
Mar 25, 2024

detekt provides great insight via static code analysis for Kotlin projects. But according to the detekt documentation:

detekt is tightly coupled to the Kotlin compiler and requires a specific version to be available at runtime to perform its analysis.

So, if you use detekt in your pipeline and update Kotlin to the latest and greatest via Dependabot, you probably already know this error message:

Execution failed for task ':detekt'.
> detekt was compiled with Kotlin 1.9.22 but is currently running with 1.9.23.
This is not supported. See https://detekt.dev/docs/gettingstarted/gradle#dependencies for more information.

If not configured otherwise, this will give you two pull requests (PRs) from Dependabot: one for the Kotlin version and one for detekt. Both will fail and need to be combined to work.

To avoid that, Dependabot supports grouping of dependency updates. Unfortunately, the examples in the docs left me guessing what I need to put in dependabot.yml in order to group these two.

My build.gradle.kts defines the Kotlin version as a variable as it would otherwise be defined in multiple places across the file.

plugins {
    java
    jacoco

    val kotlinVersion = "1.9.23"
    kotlin("jvm") version kotlinVersion
    kotlin("plugin.spring") version kotlinVersion
    kotlin("plugin.jpa") version kotlinVersion

    id("io.gitlab.arturbosch.detekt") version "1.23.6"

    // …
}

// …

So, what should I use to identify the dependencies in the Dependabot group?

  1. Is it kotlin* and io.gitlab.arturbosch.detekt?
  2. Or can I use the name of the variable kotlinVersion?
  3. Or do I need to group jvm, plugin.spring, plugin.jpa and detekt?

I tried options 1 and 2 and they both failed.

I assume option 3 would work, but I decided to not try it as I sometimes use a different set of plugins and I’d need to keep track of all of them.

In the end I changed the plugin coordinates to use Gradle’s generic id definition instead of the kotlin shorthand:

plugins {
    java
    jacoco

    val kotlinVersion = "1.9.23"
    id("org.jetbrains.kotlin.jvm") version kotlinVersion
    id("org.jetbrains.kotlin.plugin.spring") version kotlinVersion
    id("org.jetbrains.kotlin.plugin.jpa") version kotlinVersion

    id("io.gitlab.arturbosch.detekt") version "1.23.6"

    // …
}

// …

Now I could group the Kotlin plugins with the simple pattern org.jetbrains.kotlin* in the dependabot.yml:

version: 2
updates:
  - package-ecosystem: gradle
    directory: /
    schedule:
      interval: daily
    groups:
      kotlin:
        patterns:
          - "org.jetbrains.kotlin*"
          - "io.gitlab.arturbosch.detekt"

Which finally worked and created one PR for Kotlin and detekt:

Screenshot of the GitHub pull request containing all three Kotlin dependencies and detekt.
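
A CI check that keeps the build script and the group from drifting apart again, as an added example that is not part of the original post. The function names, the sample build script and the `LOCKSTEP` list are hypothetical, and it assumes a group pattern is compared as a glob against the plugin id exactly as written in `id("...")`.

```python
import re
from fnmatch import fnmatchcase

# Matches `id("some.plugin.id") version ...` and `kotlin("jvm") version ...`.
PLUGIN_RE = re.compile(r'^\s*(id|kotlin)\(\s*"([^"]+)"\s*\)\s+version\b', re.MULTILINE)


def plugin_declarations(build_script: str):
    """Return (style, name) pairs for versioned plugins in a build.gradle.kts."""
    return [(m.group(1), m.group(2)) for m in PLUGIN_RE.finditer(build_script)]


def ungrouped_plugins(build_script: str, patterns, must_group):
    """List plugins that should update together but fall outside the group.

    patterns:   the group's `patterns` entries from dependabot.yml
    must_group: globs naming the plugins that have to move in lockstep
    Assumption: a pattern is compared as a glob against the id exactly as
    written in id("..."); kotlin("...") shorthand is always reported, since
    the post found no pattern that grouped it.
    """
    problems = []
    for style, name in plugin_declarations(build_script):
        if style == "kotlin":
            problems.append(f'kotlin("{name}"): use id("org.jetbrains.kotlin.{name}")')
        elif any(fnmatchcase(name, g) for g in must_group) and not any(
            fnmatchcase(name, p) for p in patterns
        ):
            problems.append(f'id("{name}"): not matched by any group pattern')
    return problems


# Constructed sample mixing both declaration styles.
SAMPLE_BUILD = '''
plugins {
    java
    val kotlinVersion = "1.9.23"
    kotlin("jvm") version kotlinVersion
    id("org.jetbrains.kotlin.plugin.spring") version kotlinVersion
    id("io.gitlab.arturbosch.detekt") version "1.23.6"
}
'''
GROUP_PATTERNS = ["org.jetbrains.kotlin*", "io.gitlab.arturbosch.detekt"]
LOCKSTEP = ["org.jetbrains.kotlin*", "io.gitlab.arturbosch.detekt*"]

if __name__ == "__main__":
    for line in ungrouped_plugins(SAMPLE_BUILD, GROUP_PATTERNS, LOCKSTEP):
        print(line)
```

Failing the pipeline when the returned list is non-empty catches a newly added plugin that would bring back the split Kotlin and detekt PRs.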

Michael Kutz

I've been a software engineer since 2009, worked in various agile projects & got a taste for quality assurance. Today I'm a quality engineer at REWE digital.