starred/pkl
1
0
Fork 0
mirror of https://github.com/apple/pkl.git synced 2026-05-25 08:09:17 +02:00
Code Issues 198 Packages Projects Releases 10 Wiki Activity

Remove lockfiles, manage Gradle dependencies with Dependabot (#1535)

Browse Source 
Dependabot currently does not update lockfiles in multi-module projects
(see https://github.com/dependabot/dependabot-core/issues/14633)

To work around this issue, we will simply remove our lockfiles, and
change our version catalog to use fully specified versions.
The removal of lockfiles introduces two issues:

1. It is less visible what our dependency graph is
2. Our builds are potentially non-reproducible

To work around this, two mitigations are in place:

1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the
build if any dependencies declare a version range
2. Enable GitHub dependency submission, which provides insight into the
project SBOM
This commit is contained in:
Daniel Chao
2026-04-20 09:29:33 -07:00
committed by GitHub
parent 9046221e03
commit 07c68239b9
26 changed files with 40 additions and 1683 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/index.pkl
+14
View File
@@ -224,3 +224,17 @@ release {
}
} |> toWorkflowJobs
}
dependabot {
updates {
new {
`package-ecosystem` = "gradle"
schedule {
interval = "weekly"
}
cooldown {
`default-days` = 7
}
}
}
}