Simplify gradle installation and automate upgrades #12934
| - package-ecosystem: "docker" | ||
| directory: "/gradle" | ||
| schedule: | ||
| interval: "weekly" | ||
| day: "sunday" | ||
| time: "16:00" |
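Review bot: `time: "16:00"` in this schedule has no `timezone` key, so the run time is read as UTC. If Sunday 16:00 is meant in a local zone, add a `timezone:` line next to it; otherwise a short comment saying UTC is intended would settle the question for the next reader.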
Sample pull request https://github.com/yeikel/dependabot-core/pull/84/files
We can consider limiting this to only minor or patch upgrades. I am open to feedback.
| RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
| openjdk-21-jdk \ | ||
| ca-certificates-java \ | ||
| wget \ |
wget is no longer needed
| RUN set -o errexit -o nounset \ | ||
| && echo "Testing Gradle installation" \ | ||
| && gradle --version |
This is tested via the existing tests
|
|
||
| FROM ghcr.io/dependabot/dependabot-updater-core | ||
|
|
||
| # Install Java |
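Review bot: `FROM ghcr.io/dependabot/dependabot-updater-core` in this hunk carries no tag or digest, so it resolves to whatever `latest` points to at build time. If this image is always built locally just before this one, a one-line comment saying so would make that explicit; otherwise pin it with a tag and an `@sha256:` digest so the base layer is reproducible.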
This is self-explanatory and the comment was just a distraction
Pull request overview
This PR simplifies Gradle installation by switching from manual download and installation to using the official Gradle Docker image, and adds Dependabot configuration to automate future Gradle version updates. This follows the same pattern established in PR #12717 for Maven.
Key changes:
- Replaces manual Gradle installation (wget, sha256 verification, unzip) with the official `gradle:8.14.3-jdk21-ubi-minimal` Docker image
- Adds Dependabot configuration for weekly automated updates of the Gradle Docker image
- Updates from Gradle 8.14.2 to 8.14.3
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| gradle/Dockerfile | Refactors to use official Gradle Docker image with multi-stage build pattern, removes manual installation logic, updates Java installation cleanup, and adjusts GRADLE_HOME/PATH configuration |
| .github/dependabot.yml | Adds weekly Dependabot monitoring for the gradle Dockerfile to automate Gradle version updates |
gradle/Dockerfile
Outdated
| # By using dependabot-updater-core as the builder, we inherit $DEPENDABOT_HOME | ||
| # We also need to include it below for the final build, and using it as a builder should not negatively impact build time | ||
| FROM ghcr.io/dependabot/dependabot-updater-core AS builder | ||
|
|
||
| # Copying all files from `$DEPENDABOT_HOME` with a builder consolidates the final copy into a single Docker layer | ||
| COPY --from=gradle /opt/gradle $DEPENDABOT_HOME/gradle-installation | ||
|
|
||
| COPY --chown=dependabot:dependabot --parents gradle maven common $DEPENDABOT_HOME | ||
| COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater |
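Review bot: the comment "Copying all files from `$DEPENDABOT_HOME` with a builder ..." sits directly above `COPY --from=gradle /opt/gradle ...`, which copies from the `gradle` stage rather than from `$DEPENDABOT_HOME`. Move the comment to the final-stage copy it describes, or reword it so it says what this line does.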
Copilot
AI
Dec 29, 2025
The builder pattern used here differs from the Maven Dockerfile which uses a simpler approach. The Maven Dockerfile (lines 3-16) directly copies from the maven image in the final stage without an intermediate builder. This adds complexity with the builder stage that may not be necessary.
Consider simplifying to match the Maven pattern:
```dockerfile
FROM docker.io/gradle:8.14.3-jdk21-ubi-minimal@sha256:... AS gradle
FROM ghcr.io/dependabot/dependabot-updater-core
# ... apt-get install ...
COPY --from=gradle /opt/gradle $DEPENDABOT_HOME/gradle-installation
USER dependabot
ARG GRADLE_HOME=$DEPENDABOT_HOME/gradle-installation
ENV PATH=$GRADLE_HOME/bin:$PATH
COPY --chown=dependabot:dependabot --parents gradle maven common $DEPENDABOT_HOME/
COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater
```
This would consolidate the COPY operations and eliminate the need for the intermediate builder stage, making it more consistent with the Maven approach.
The builder is used to avoid unnecessary layers which improves the pull time
gradle/Dockerfile
Outdated
| && echo "Testing Gradle installation" \ | ||
| && gradle --version | ||
| COPY --from=builder $DEPENDABOT_HOME $DEPENDABOT_HOME | ||
|
|
Copilot
AI
Dec 29, 2025
The Gradle installation is no longer verified after installation. The previous version included a verification step that ran gradle --version to ensure the installation was successful. While the official Docker image is presumably tested, it would be safer to verify that Gradle is accessible on the PATH and functioning correctly in this environment.
Consider adding a verification step similar to what was removed, either as a RUN command or ensuring that the build process validates Gradle is available.
| # Verify that Gradle is installed correctly and available on PATH | |
| RUN gradle --version |
This happens via our existing tests
gradle/Dockerfile
Outdated
| # Copying all files from `$DEPENDABOT_HOME` with a builder consolidates the final copy into a single Docker layer | ||
| COPY --from=gradle /opt/gradle $DEPENDABOT_HOME/gradle-installation |
Copilot
AI
Dec 29, 2025
The comment states "Copying all files from $DEPENDABOT_HOME with a builder consolidates the final copy into a single Docker layer", but this actually creates MORE layers, not fewer. The Maven Dockerfile accomplishes the same result with fewer stages and layers by directly copying from the maven image in the final stage.
The claim about layer consolidation appears to be incorrect since the builder pattern here adds an extra stage without reducing the number of COPY operations in the final image.
It seems that Copilot is right about this one. I reverted that additional change for now
@kbukum1 I applied all of Copilot's feedback. Could you please take a second look?
Same idea as #12717
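
The change discussed in this thread replaces a download-and-checksum step with an image reference carrying an `@sha256:` digest. As an added example (not code from this pull request or from dependabot-core), the check below lists image references in a Dockerfile that are not pinned by digest, skipping references to earlier build stages. The function name, the `allow` parameter and the sample text are assumptions, and the digest is a constructed placeholder.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# FROM [--platform=...] <image> [AS <stage>]
FROM = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_FROM = re.compile(r"^\s*COPY\s.*?--from=(\S+)", re.I)


def unpinned_images(dockerfile_text, allow=frozenset()):
    """Return [(line_no, reference)] for image references without a sha256 digest.

    References to earlier stages (by name or numeric index) and `scratch` are
    skipped. `allow` holds references accepted unpinned, for example images
    built locally in the same pipeline (hypothetical parameter). A reference
    built from an ARG variable cannot be resolved here and is reported.
    """
    stages, findings = set(), []

    def check(line_no, ref):
        if ref.lower() in stages or ref.isdigit() or ref.lower() == "scratch":
            return
        if ref in allow or DIGEST.search(ref):
            return
        findings.append((line_no, ref))

    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM.match(line)
        if m:
            check(line_no, m.group(1))
            if m.group(2):
                stages.add(m.group(2).lower())
            continue
        m = COPY_FROM.match(line)
        if m:
            check(line_no, m.group(1))
    return findings


# Constructed sample modelled on the multi-stage layout in the review hunks;
# the digest is a placeholder, not a real image digest.
PLACEHOLDER_DIGEST = "0" * 64
SAMPLE = f"""\
FROM docker.io/gradle:8.14.3-jdk21-ubi-minimal@sha256:{PLACEHOLDER_DIGEST} AS gradle
FROM ghcr.io/dependabot/dependabot-updater-core AS builder
COPY --from=gradle /opt/gradle $DEPENDABOT_HOME/gradle-installation
FROM ghcr.io/dependabot/dependabot-updater-core
COPY --from=builder $DEPENDABOT_HOME $DEPENDABOT_HOME
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_images(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned by digest")
```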