Onboard Renovate for Develocity plugin and Gradle wrapper upgrades

Adds .github/renovate.json5 so this repo manages its own Develocity Gradle plugin version (across the workflow YAML, build-scan.ts, the setup-gradle docs, the sample settings.gradle / build.gradle files, and the init-script test groovy files) and Gradle wrapper bumps in the five sample directories that previously had wrappers maintained externally. Renovate is scoped narrowly via enabledManagers so it does not overlap with the npm, github-actions, and Maven-coordinate Gradle updates that Dependabot continues to handle through .github/dependabot.yml.
2026-06-01 09:31:59 +00:00 · 2026-05-22 10:08:45 -05:00
14 changed files with 100 additions and 22 deletions
@@ -3,7 +3,7 @@ name: 'Build and upload distribution'
 runs:
  using: "composite"
  steps: 
-    - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
      with:
        node-version: 24
        cache: npm
@@ -23,7 +23,7 @@ runs:
        cp -r sources/dist .

    - name: Upload distribution
-      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: dist
        path: dist/
@@ -0,0 +1,78 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "config:recommended",
+    "github>gradle/renovate-agent//presets/dv-automerge-minor.json5",
+    ":disableDependencyDashboard",
+  ],
+  // Renovate is scoped narrowly here: only the Develocity Gradle plugin (custom regex)
+  // and the Gradle wrappers in selected sample directories.
+  // Everything else (npm, github-actions, Maven coordinates) is managed by Dependabot
+  // via .github/dependabot.yml.
+  enabledManagers: ["custom.regex", "gradle-wrapper"],
+  "gradle-wrapper": {
+    fileMatch: [
+      "^\\.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^sources/test/init-scripts/gradle/wrapper/gradle-wrapper\\.properties$",
+    ],
+  },
+  customManagers: [
+    {
+      customType: "regex",
+      description: "Bump Develocity Gradle plugin references in files outside Dependabot's coverage",
+      fileMatch: [
+        "^\\.github/workflows/integ-test-inject-develocity\\.yml$",
+        "^sources/src/develocity/build-scan\\.ts$",
+        "^docs/setup-gradle\\.md$",
+        "(^|/)settings\\.gradle$",
+        "(^|/)settings\\.gradle\\.kts$",
+        "(^|/)build\\.gradle$",
+        "(^|/)build\\.gradle\\.kts$",
+        "^sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/BaseInitScriptTest\\.groovy$",
+        "^sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestBuildResultRecorder\\.groovy$",
+      ],
+      // Patterns capture any X.Y(.Z) version. The packageRules below filter to
+      // just the current 4.x line and skip the pinned 3.x legacy refs.
+      // When the plugin's major version changes, edit `matchCurrentVersion` and
+      // `allowedVersions` in the packageRules block below — no regex edits here.
+      matchStrings: [
+        "plugin-version:[^\\n]*'(?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)'",
+        "DEVELOCITY_PLUGIN_VERSION[^\\n]*'(?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)'",
+        "`v(?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)`\\s+of\\s+the\\s+\\[Develocity Gradle plugin",
+        "id\\s+['\"]com\\.gradle\\.develocity['\"]\\s+version\\s+['\"](?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)['\"]",
+        "id\\(['\"]com\\.gradle\\.develocity['\"]\\)\\s+version\\s+['\"](?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)['\"]",
+      ],
+      depNameTemplate: "com.gradle:develocity-gradle-plugin",
+      datasourceTemplate: "maven",
+      registryUrlTemplate: "https://plugins.gradle.org/m2",
+    },
+  ],
+  packageRules: [
+    {
+      // Skip the legacy 3.16.2 references that are intentionally pinned.
+      matchManagers: ["custom.regex"],
+      matchPackageNames: ["com.gradle:develocity-gradle-plugin"],
+      matchCurrentVersion: "<4.0.0",
+      enabled: false,
+    },
+    {
+      // Current 4.x line. To start tracking the next major (5.x), replace `5.0.0`
+      // with `6.0.0` in both fields below — no regex edits needed.
+      matchManagers: ["custom.regex"],
+      matchPackageNames: ["com.gradle:develocity-gradle-plugin"],
+      matchCurrentVersion: ">=4.0.0 <5.0.0",
+      allowedVersions: "<5.0.0",
+      groupName: "Develocity Gradle plugin",
+      groupSlug: "develocity-gradle-plugin",
+    },
+    {
+      matchManagers: ["gradle-wrapper"],
+      groupName: "Gradle wrappers",
+      groupSlug: "gradle-wrappers",
+    },
+  ],
+}
@@ -19,14 +19,14 @@ jobs:
    steps:
    - name: Checkout sources
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
      with:
        node-version: 20
        cache: npm
        cache-dependency-path: sources/package-lock.json
    - name: Setup Gradle
      # Use a released version to avoid breakages
-      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
+      uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
      env:
        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
      with:
@@ -21,7 +21,7 @@ jobs:

    - name: Get changed files
      id: changed-files
-      uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+      uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
      with:
        files: |
          dist/**
@@ -35,7 +35,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5
+      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
      with:
        languages: ${{ matrix.language }}
        config: |
@@ -43,4 +43,4 @@ jobs:
          - sources/src

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5
+      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
@@ -30,7 +30,7 @@ jobs:
        java-version: 17
    - name: Setup Gradle
      # Use a released version to avoid breakages
-      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
+      uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
      env:
        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
    - name: Run integration tests
@@ -44,7 +44,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: 'Upload artifact'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: SARIF file
          path: results.sarif
@@ -28,7 +28,7 @@ jobs:
        token: ${{ secrets.BOT_GITHUB_TOKEN }}

    - name: Set up Node.js
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
      with:
        node-version: 20
        cache: npm
@@ -12,6 +12,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
+      - uses: gradle/actions/wrapper-validation@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
        with:
          allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
@@ -62,7 +62,7 @@ jobs:
      run: gradle help
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          core.setFailed('No Build Scan detected')   
@@ -105,7 +105,7 @@ jobs:
      run: ./gradlew help
    - name: Check Build Scan url is captured
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          core.setFailed('No Build Scan detected')
@@ -129,7 +129,7 @@ jobs:
      run: ./gradlew help
    - name: Check Build Scan url is captured
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          core.setFailed('No Build Scan detected')
@@ -72,7 +72,7 @@ jobs:
      run: gradle help
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          core.setFailed('No Build Scan detected')
@@ -129,7 +129,7 @@ jobs:
        run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
      - name: Check Build Scan url
        if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            core.setFailed('No Build Scan detected')
@@ -225,7 +225,7 @@ jobs:
        run: gradle help
      - name: Check Build Scan url
        if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            core.setFailed('No Build Scan detected')
@@ -77,7 +77,7 @@ jobs:
      run: gradle help
    - name: Check current version output parameter
      if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '9.') }}
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
@@ -122,7 +122,7 @@ jobs:
        gradle-version: ${{ matrix.gradle }}
    - name: Check output parameter
      if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
@@ -132,7 +132,7 @@ jobs:
      run: gradle help "-DgradleVersionCheck=${{matrix.gradle}}"
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          core.setFailed('No Build Scan detected')    
@@ -22,7 +22,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 20
          cache: npm
@@ -48,7 +48,7 @@ jobs:

      # If there are no changes, this action will not create a pull request
      - name: Create or update pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          branch: bot/wrapper-checksums-update
          author: bot-githubaction <bot-githubaction@gradle.com>