GitHub Action
Update Gradle Wrapper Action
This action keeps the Gradle Wrapper script in your projects up-to-date to the latest release.
Schedule an automatic daily or weekly workflow: as soon as a new Gradle release is available, the action will open a PR ready to be merged. It's like Dependabot for Gradle Wrapper. 🤖✨
Create a new dedicated workflow file:
.github/workflows/update-gradle-wrapper.yml
Paste this configuration:
name: Update Gradle Wrapper
on:
schedule:
- cron: "0 0 * * *"
jobs:
update-gradle-wrapper:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Update Gradle Wrapper
uses: gradle-update/update-gradle-wrapper-action@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}The action will run every day around midnight, check if a new Gradle version is available and create a Pull Request to update the Gradle Wrapper script.
Check the detailed description of action inputs and some more usage examples.
Gradle Wrapper is the recommended way to setup Gradle in your project. The Wrapper is a script that downloads and invokes a declared Gradle version. By checking the Wrapper into version control you make the build process more standardised, easy and reliable.
Maintaining dependencies up-to-date is regarded as a good practice, and the build system files should be no exception. Unfortunately, often times developers add the Wrapper to the project repository once and just forget about it.
The Update Gradle Wrapper Action aims to help keeping Gradle projects on GitHub polished to high standards and to strengthen the software supply chain in the Gradle ecosystem.
Gradle is under heavy development, with new releases available every few weeks. Projects that stick to old Wrapper versions can't benefit from the tons of features and bug fixes being rolled out.
Updating the build system only once or twice per year might become a tedious task. You will need to walk through longer changelogs and handle any breaking change. Updating frequently helps do less work, take advantage of new features earlier and safely drop deprecated functionality.
This action runs automatically at the declared schedule and creates Pull Requests with detailed information about the version update.
At the hearth of the Gradle Wrapper script is a .jar binary blob of executable
code. Checking that blob into a repository makes the developer experience quite
convenient but has important security implications.
A gradle-wrapper.jar that has been tampered with could execute or fetch any
arbitrary code. Pull Requests that update the Wrapper are genuinely hard to
review, as GitHub will show an empty binary diff.
This action verifies the integrity of the gradle-wrapper.jar file being
updated by comparing its SHA-256 checksum against the official checksum value
published by Gradle authors. Moreover, the action configures the Wrapper so that
the Gradle executable itself can be verified once it is downloaded locally.
This is the list of supported inputs:
| Name | Description | Required | Default |
|---|---|---|---|
repo-token |
GITHUB_TOKEN or a Personal Access Token (PAT) with repo scope. |
Yes | |
reviewers |
List of users to request a review from (comma or newline-separated). | No | (empty) |
labels |
'List of labels to set on the Pull Request (comma or newline-separated). | No | (empty) |
target-branch |
Branch to create Pull Requests against. | No | The default branch name of your repository. |
set-distribution-checksum |
Whether to set the distributionSha256Sum property. |
No | true |
| Name | Description | Required | Default |
|---|---|---|---|
repo-token |
GITHUB_TOKEN or a Personal Access Token (PAT) with repo scope. |
Yes |
This input is needed to allow the action to perform tasks using the GitHub API.
To use the GITHUB_TOKEN that is installed in your repository:
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}Note that, when using the GITHUB_TOKEN, Pull Requests created by the Update
Gradle Wrapper action cannot trigger any workflow run in your repository. This
is a restriction of GitHub Actions to avoid accidentally creating recursive
workflow runs (read
more).
So, for example, if you have any on: pull_request or on: push workflow that
runs CI checks on Pull Requests, they won't be triggered when using
GITHUB_TOKEN.
A recommended workaround is to create a Personal Access Token
(PAT)
with repo scope and add it as a
secret
into your repository.
| Name | Description | Required | Default |
|---|---|---|---|
reviewers |
List of users to request a review from (comma or newline-separated). | No | (empty) |
Request a review from these GitHub usernames (notifications will be triggered).
For example:
with:
reviewers: username1, username2or
with:
reviewers: |
username1
username2| Name | Description | Required | Default |
|---|---|---|---|
labels |
'List of labels to set on the Pull Request (comma or newline-separated). | No | (empty) |
Add custom labels to the Pull Request.
with:
reviewers: automated pr, dependenciesor
with:
reviewers: |
automated pr
dependencies| Name | Description | Required | Default |
|---|---|---|---|
target-branch |
Branch to create Pull Requests against. | No | The default branch name of your repository. |
The name of the branch to pull changes into. By default the repository's "default branch" is used (most commonly master).
For example:
with:
target-branch: unstable| Name | Description | Required | Default |
|---|---|---|---|
set-distribution-checksum |
Whether to set the distributionSha256Sum property. |
No | true |
The Gradle Wrapper provides a way to increase security against attackers
tampering with the Gradle distribuition file you download locally.
If the distributionSha256Sum property is added to
gradle-wrapper.properties, Gradle will report a build failure in case the
specified checksum doesn't match the checksum of the distribution downloaded
from server (this is only performed once, the first time you download a new
Gradle version).
The Update Gradle Wrapper action sets the expected checksum for you. If you
want to disable this behaviour change the set-distribution-checksum input
to false.
It is not recommended to change this value unless you've got a very specific need (e.g. Android Studio warnings).
For example:
with:
set-distribution-checksum: falseYou should run this action on a dedicated workflow using a schedule trigger
event:
on:
schedule:
# every day at 2am
- cron: "0 2 * * *"or
on:
schedule:
# every week on Monday at 8am
- cron: "0 8 * * MON"Use the POSIX cron syntax to specify your preferred time or frequency (tip: check your value is correct with crontab guru).
It is not recommended to run the action more frequently than once a day.
The action will create Pull Requests against the "default branch" of your repository (say, master or any other branch you've configured).
If you want Pull Requests to be created against a non-default branch use the target-branch input:
with:
target-branch: v2-devYou might get a warning message in Android Studio that looks like this:
It is not fully supported to define distributionSha256Sum in gradle-wrapper.properties.
This refers to the presence of the distributionSha256Sum property into
gradle-wrapper.properties, which Update Gradle Wrapper action sets by default
to increase security against the risk of the Gradle distribution being tampered
with.
It is totally safe to disable the warning in Android Studio, just choose the option:
Use "..." as checksum for https://.../gradle-6.6.1-bin.zip and sync project
On the other hand, if for some reason you prefer to avoid the
distributionSha256Sum property being set automatically by the action use the
set-distribution-checksum:
with:
# not recommended
set-distribution-checksum: falseDebug logs are disabled by default in GitHub actions. To see any debug output
in the workflow execution logs, add a
secret
named ACTIONS_STEP_DEBUG with value true in your repository.
The Update Gradle Wrapper Action is licensed under the Apache License 2.0.