What You'll Learn
This article covers automated dependency updates: Renovate, Dependabot, Version Catalog integration, security updates, and PR auto-merge.
Dependabot Setup
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    groups:
      compose:
        patterns:
          - "androidx.compose*"
      firebase:
        patterns:
          - "com.google.firebase*"
    ignore:
      - dependency-name: "com.android.tools.build:gradle"
        update-types: ["version-update:semver-major"]
```
Renovate Setup
```json
// renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "matchPackagePatterns": ["androidx.compose"],
      "groupName": "Compose",
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "matchPackagePatterns": ["com.google.firebase"],
      "groupName": "Firebase"
    },
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "labels": ["breaking-change"],
      "automerge": false
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": true
  }
}
```
Version Catalog Integration
```toml
# gradle/libs.versions.toml
[versions]
compose-bom = "2025.01.01"
kotlin = "2.1.0"
hilt = "2.53.1"
room = "2.6.1"
retrofit = "2.11.0"

[libraries]
compose-bom = { group = "androidx.compose", name = "compose-bom", version.ref = "compose-bom" }
hilt-android = { group = "com.google.dagger", name = "hilt-android", version.ref = "hilt" }
room-runtime = { group = "androidx.room", name = "room-runtime", version.ref = "room" }
retrofit = { group = "com.squareup.retrofit2", name = "retrofit", version.ref = "retrofit" }
```
Dependabot/Renovate automatically create PRs that update versions in libs.versions.toml.
CI Auto-Test Merge
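```yaml
# .github/workflows/dependency-update.yml
name: Dependency Update Check
on:
  pull_request:
    paths:
      - 'gradle/libs.versions.toml'
      - '**/build.gradle.kts'
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - uses: gradle/actions/setup-gradle@v4
      - run: ./gradlew build test lint
      # Runs only if the build step above succeeded. The label matches every
      # update PR, so by itself it does not limit auto-merge to patch bumps.
      # The token used here needs write access to contents and pull requests.
      - name: Auto-merge patch updates
        if: contains(github.event.pull_request.labels.*.name, 'dependencies')
        uses: peter-evans/enable-pull-request-automerge@v3
        with:
          # Required input of this action: the PR to enable auto-merge on.
          pull-request-number: ${{ github.event.pull_request.number }}
          merge-method: squash
```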
Summary
| Tool | Strength |
|---|---|
| Dependabot | GitHub standard, simple config |
| Renovate | Advanced, grouping, auto-merge |
| Version Catalog | Centralized version management |
| CI integration | Auto-merge after tests pass |
- Centralize versions in `libs.versions.toml`
- Dependabot/Renovate create update PRs automatically
- Patch updates auto-merge, major updates manual review
- Security alerts highest priority auto-merge