Skip to content

Java Dependency Updates

Renovate can update Gradle and Maven dependencies. This includes libraries and plugins as well as the Gradle Wrapper.

LTS releases

The config:recommended preset includes the workarounds:javaLTSVersions preset. The workaround limits Renovate to upgrade to LTS versions of the Java runtime only.

If you want Renovate to offer all major Java updates then add workarounds:javaLTSVersions to the ignorePreset array:

{
  "extends": ["config:recommended"],
  "ignorePresets": ["workarounds:javaLTSVersions"]
}

Gradle

Renovate detects versions that are specified in a string 'group:artifact:version' and those specified in a map (group:groupName, name:ArtifactName, version:Version).

Gradle File Support

Renovate can update:

  • *.gradle/*.gradle.kts files
  • Dependencies with version definitions in gradle.properties files
  • Gradle lockfiles stored in *.lockfile files
  • *.versions.toml files in any directory or *.toml files inside the gradle directory (Gradle Version Catalogs docs)
  • versions.props and versions.lock from the gradle-consistent-versions plugin

Renovate does not support:

  • Android projects that require extra configuration to run (e.g. setting the Android SDK)
  • Catalogs with version ranges
  • Catalog versions using reject, and rejectAll constraints
  • Catalog versions using more than one of require, strictly, prefer in a single declaration
  • Catalogs with custom names that do not end in .toml
  • Catalogs outside the gradle folder whose names do not end in .versions.toml (unless overridden via fileMatch configuration)

Gradle Plugin Support

Renovate can also update Gradle plugins. It supports the id(<pluginId>) syntax as well as the kotlin(<kotlinPluginId>) shortcut for id(org.jetbrains.kotlin.<kotlinPluginId>).

For specifying packageRules it is important to know how depName and packageName are defined for a Gradle plugin:

  • The depName field is equal to <pluginId>
  • The packageName field is equal to <pluginId>:<pluginId>.gradle.plugin

This is a direct consequence of the Plugin Marker Artifact naming convention.

Gradle Wrapper

Renovate can update the Gradle Wrapper of a project.

This includes the source declaration inside the gradle/wrapper/gradle-wrapper.properties as well as accompanied files such as gradlew, gradlew.bat, and gradle/wrapper/gradle-wrapper.jar.

How It Works

Renovate extracts the Gradle Wrapper version used from the distributionUrl inside the gradle-wrapper.properties. Once the version is determined, Renovate will look for newer versions from the gradle-version datasource. Renovate will then invoke the Gradle Wrapper to update itself, as recommended by Gradle.

For the extraction to work, the distributionUrl must point to a file of type .zip, which includes the version in its name, and defines one of the official distribution types (bin, all).

Support for mirrors and custom distributions

As Renovate takes the distributionUrl defined inside the gradle-wrapper.properties as basis for its update, source declarations other than to the official Gradle Wrapper are supported.

This can be used for hosting the official distributions with a proxy server, an offline mirror or even providing a custom distribution of the Gradle Wrapper, e.g. to provide a company-wide base configuration for all Gradle projects.

But the gradle-version datasource is used to determine available versions. In case the available versions at the defined source differ from those available from Gradle or the default datasource cannot be reached, e.g. due to network restrictions, the datasource may be reconfigured via a packageRule:

{
  "packageRules": [
    {
      "matchDatasources": ["gradle-version"],
      "registryUrls": [
        "https://domain.tld/repository/custom-gradle-wrapper/versions.json"
      ]
    }
  ]
}

Maven

Renovate can update dependency versions found in Maven pom.xml files.

Maven File Support

Renovate will search repositories for all pom.xml files and processes them independently.

Renovate will also parse settings.xml files in the following locations:

  • .mvn/settings.xml
  • .m2/settings.xml
  • settings.xml

Any repository URLs found within will be added as registryUrls to extracted dependencies.

Custom registry support, and authentication

The manager for Gradle makes use of the maven datasource. Renovate can be configured to access more repositories and access repositories authenticated.

This example shows how you can use a config.js file to configure Renovate for use with Artifactory. We're using environment variables to pass the Artifactory username and password to Renovate bot.

config.js
module.exports = {
  hostRules: [
    {
      hostType: 'maven',
      matchHost: 'https://artifactory.yourcompany.com/',
      username: process.env.ARTIFACTORY_USERNAME,
      password: process.env.ARTIFACTORY_PASSWORD,
    },
  ],
};

You can overwrite the repositories to use for version lookup through configuration.

module.exports = {
  packageRules: [
    {
      matchDatasources: ['maven'],
      registryUrls: ['https://repo-a.tld/repo', 'https://repo-b.tld/repo'],
    },
  ],
};

Google Artifact Registry

There are multiple ways to configure Renovate to access Artifact Registry.

Using Application Default Credentials / Workload Identity (Self-Hosted only)

Configure ADC or Workload Identity as normal and don't provide a username, password or token. Renovate will automatically retrieve the credentials using the google-auth-library.

Using long-lived service account credentials

To access the Google Artifact Registry, use the JSON service account with Basic authentication, and use the:

  • _json_key_base64 as username
  • full Google Cloud Platform service account JSON as password

To avoid JSON-in-JSON wrapping, which can cause problems, encode the JSON service account beforehand.

  1. Download your JSON service account and store it on your machine. Make sure that the service account has read (and only read) permissions to your artifacts
  2. Base64 encode the service account credentials by running cat service-account.json | base64
  3. Add the encoded service account to your configuration file

  4. If you want to add it to your self-hosted configuration file:

    {
      "hostRules": [
        {
          "matchHost": "europe-maven.pkg.dev",
          "username": "_json_key_base64",
          "password": "<base64 service account>"
        }
      ]
    }
    
  5. If you want to add it to your repository Renovate configuration file, encrypt it and then add it:

    {
      "hostRules": [
        {
          "matchHost": "europe-maven.pkg.dev",
          "username": "_json_key_base64",
          "encrypted": {
            "password": "<encrypted base64 service account>"
          }
        }
      ]
    }
    
  6. Add the following to the packageRules in your repository Renovate configuration file:

{
  "matchManagers": ["maven", "gradle"],
  "registryUrls": [
    "https://europe-maven.pkg.dev/<my-gcp-project>/<my-repository>"
  ]
}