Add support for private registries for Gradle's distribution URL

[yeikel]

Is there an existing issue for this?

• I have searched the existing issues

Background

In #12891, we introduced the ability to update the Gradle Wrapper

For the initial release, we are hardcoding the distribution URL to Gradle's public mirror:

dependabot-core/gradle/lib/dependabot/gradle/distributions.rb

Line 9 in 51a1f03

DISTRIBUTION_REPOSITORY_URL = "https://services.gradle.org"

Some users work behind proxies that redirect https://services.gradle.org/ to internal endpoints such as https://myCompany/gradle-services/

Since this redirection is not specified in the wrapper files, Dependabot cannot automatically detect it. To address this, the distribution API endpoint should be configurable dynamically, for example, through a private registry.

Suggestion

Consider supporting a new registry type in the Dependabot configuration to allow customization of the Gradle distribution URL.
For example, one idea could be the following

version: 2
registries:
  gradle-distributions:
    type: gradle-distribution # Defaults to https://services.gradle.org if not provided
    url: https://myCompany/gradle/
    username: octocat # optional
    password: ${{secrets.MY_PASSWORD}} # optional
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    registries: "*"
    schedule:
      interval: "monthly"

An alternative could be to use the existing maven-repository registry type; however, since their structure and function differ, this approach may lead to confusion and generate unnecessary traffic.

Additional context

See #13501

[marcindabrowski]

I'm concerned that the proposed solution may not work universally, as it assumes the default distribution URL always follows the pattern https://services.gradle.org/distributions/gradle-9.2.0-bin.zip, where distributions/ is consistently part of the path.

However, different organizations may use different path structures. For example:

• Our organization uses: https://company.artifactory.com/artifactory/remote-services-gradle-repository/distributions/gradle-9.2.0-bin.zip
• Other organizations might use: https://company.artifactory.com/gradle-distributions/gradle-9.2.0-bin.zip

Please ensure the solution is flexible enough to accommodate various URL structures.

*Additional settings

We add the following entry to gradle.properties:

systemProp.org.gradle.internal.services.base.url=https\://company.artifactory.com/artifactory/remote-services-gradle-repository

With this property set, it's possible to update the wrapper from the command line using:

./gradlew wrapper --gradle-version=9.2.0 && ./gradlew wrapper

However, org.gradle.internal.services.base.url appears to be an undocumented feature, which raises concerns about its long-term reliability and support, but maybe it can be used for the update mechanism.

[sastorsl]

We are hitting this.
If I add the following to gradle.properties

systemProp.org.gradle.internal.services.base.url=https\://private.repo.host/repository/gradle-distributions

Then try and update with ./gradlew wrapper --gradle-version=9.1.0

> Task :wrapper FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':wrapper'.
> Test of distribution url https://private.repo.host/repository/gradle-distributions/distributions/gradle-9.1.0-bin.zip failed. Please check the values set with --gradle-distribution-url and --gradle-version.

Since gradlew appends distributions/ to the URL path, and our repo does not have that URL.

While the following (of course) works

./gradlew wrapper --gradle-version=9.2.1 --gradle-distribution-url=https\://private.repo.host/repository/gradle-distributions/gradle-9.2.1-bin.zip

BUILD SUCCESSFUL in 2s
1 actionable task: 1 executed
Consider enabling configuration cache to speed up this build: https://docs.gradle.org/9.2.1/userguide/configuration_cache_enabling.html

[marcindabrowski]

@sastorsl I think if you want gradle wrapper to not add distributions/ to the url in systemProp.org.gradle.internal.services.base.url you should add an issue to Gradle project, not here.

[sastorsl]

@sastorsl I think if you want gradle wrapper to not add distributions/ to the url in systemProp.org.gradle.internal.services.base.url you should add an issue to Gradle project, not here.

@marcindabrowski you are absolutely right. Hit this issue when searching for a fix but did not check the project I must admit.
Perhaps my comment can be left if that can help somebody?

Ref gradle/gradle#4210

[marcindabrowski]

Since basic Gradle suppport is done, when do you plan to do this?