May 23, 2024

Dependency Locking in Gradle Multi-Project setup

It’s good practice to lock dependency versions when building software.

In Gradle projects, locking is achieved by generating and maintaining a gradle.lockfile as dependencies are updated. It’s relatively easy to configure for a single-build project, i.e., a single build.gradle file.

When using Gradle Multi-Project, it’s more complicated. From Gradle’s dependency locking documentation:

“Note that in a multi project setup, dependencies only is executed on one project, the root one in this case.”

I can’t find any official dependency locking solution for Multi-Project setups, so I created a script to address it.

Usage

  1. In your root build.gradle, enable dependency locking on all subprojects:
// (...) 

subprojects { subproject ->
    // (...)

    dependencyLocking {
        lockAllConfigurations()
    }
    
    // (...)
}
  2. Create an initial lock state (source for script below):
$ sh dependencies-write-locks.sh

This will run ./gradlew dependencies --write-locks per project, therefore creating a gradle.lockfile per Gradle project.

Now, whenever you update or add a dependency, dependencies-write-locks.sh must be run to update the lockfiles. You should add them to Git.
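
A subproject added after the initial run has no gradle.lockfile until the script is rerun. The CI guard below is an added example, not part of the original script: it lists subprojects without a lockfile. Its function names, the `--check` argument and the mapping of project `:a:b` to directory `a/b` (Gradle's default layout) are assumptions of this example.

```shell
#!/bin/bash
# Added example: fail a CI job when a subproject has no gradle.lockfile.

# Read `./gradlew projects` output on stdin and print the subproject
# paths (":app", ":libs:core"), using the same parsing as the post's script.
list_projects() {
  grep "Project '" | awk -F"'" '{print $2}'
}

# Map a Gradle project path to its directory.
# Assumption: default layout, i.e. ":libs:core" lives in libs/core.
project_dir() {
  printf '%s\n' "$1" | sed -e 's/^://' -e 's#:#/#g'
}

# Read project paths on stdin; print each one that has no non-empty
# gradle.lockfile under the build root given as $1.
# Returns 1 if any lockfile is missing, 0 otherwise.
missing_lockfiles() {
  lock_root=$1
  lock_missing=0
  while IFS= read -r lock_project; do
    [ -n "$lock_project" ] || continue
    if [ ! -s "$lock_root/$(project_dir "$lock_project")/gradle.lockfile" ]; then
      echo "$lock_project"
      lock_missing=1
    fi
  done
  return $lock_missing
}

# Only touch Gradle when explicitly asked, e.g. in CI:
#   bash check-locks.sh --check      (check-locks.sh is a hypothetical name)
if [ "${1:-}" = "--check" ]; then
  if ! unlocked=$(./gradlew projects | list_projects | missing_lockfiles .); then
    echo "Subprojects without a gradle.lockfile:" >&2
    echo "$unlocked" >&2
    exit 1
  fi
  echo "Every subproject has a gradle.lockfile"
fi
```
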

Remarks

Appendix

Source for dependencies-write-locks.sh

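#!/bin/bash

# Capture the Gradle subproject paths (e.g. ":app") from the `projects` report
project_names=$(./gradlew projects | grep 'Project' | awk -F"'" '{print $2}')

# Write a gradle.lockfile for each subproject.
# do/done (instead of the bash-only brace form) also works when run with plain sh.
for project in $project_names; do
  ./gradlew "$project:dependencies" --write-locks
done

echo "Updated gradle.lockfiles for $(echo $project_names | wc -w) projects"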
© António Almeida 2024