Remove lockfiles, manage Gradle dependencies with Dependabot (#1535)

Dependabot currently does not update lockfiles in multi-module projects (see https://github.com/dependabot/dependabot-core/issues/14633) To work around this issue, we will simply remove our lockfiles, and change our version catalog to use fully specified versions. The removal of lockfiles introduces two issues: 1. It is less visible what our dependency graph is 2. Our builds are potentially non-reproducible To work around this, two mitigations are in place: 1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the build if any dependencies declare a version range 2. Enable GitHub dependency submission, which provides insight into the project SBOM
2026-05-03 21:54:19 +02:00 · 2026-04-20 09:29:33 -07:00
parent 9046221e03
commit 07c68239b9
26 changed files with 40 additions and 1683 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,10 @@
 version: 2
 updates:
+- package-ecosystem: gradle
+  cooldown:
+    default-days: 7
+  schedule:
+    interval: weekly
 - package-ecosystem: github-actions
  cooldown:
    default-days: 7
--- a/.github/index.pkl
+++ b/.github/index.pkl
@@ -224,3 +224,17 @@ release {
      }
    } |> toWorkflowJobs
 }
+
+dependabot {
+  updates {
+    new {
+      `package-ecosystem` = "gradle"
+      schedule {
+        interval = "weekly"
+      }
+      cooldown {
+        `default-days` = 7
+      }
+    }
+  }
+}