getsentry · runningcode · Jun 3, 2026 · Jun 3, 2026 · Jun 4, 2026 · Jun 9, 2026
@@ -35,4 +35,6 @@ jobs:
       - name: Start server and run integration test for sentry-cli commands
         run: |
           test/integration-test-server-start.sh &
-          ./gradlew -p plugin-build integrationTest --tests "*IntegrationTest"
+          # Verification is disabled here because the standalone `-p plugin-build` build
+          # resolves buildscript-classpath artifacts not captured in the metadata.
+          ./gradlew -p plugin-build integrationTest --tests "*IntegrationTest" --dependency-verification=off
@@ -71,7 +71,9 @@ jobs:
           cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 
       - name: Build the Release variants and integrationTest
-        run: gradle assembleRelease bundleRelease integrationTest
+        # Verification is disabled here because the matrix deliberately overrides
+        # AGP/Kotlin/Gradle versions, resolving artifacts not in the metadata.
+        run: gradle assembleRelease bundleRelease integrationTest --dependency-verification=off
 
       - name: Check sentry-debug-meta.properties inside APKs
         run: |

@@ -0,0 +1,68 @@
+name: Update Dependency Locks
+
+# Dependabot bumps versions in gradle/libs.versions.toml but cannot regenerate
+# the plugin-build lockfile or verification metadata (it has no support for the
+# latter, and its lockfile support breaks with version catalogs). Without this,
+# every Dependabot Gradle PR fails STRICT-mode locking and checksum verification.
+# This job regenerates both and pushes them back onto the Dependabot branch.
+
+on:
+  pull_request:
+
+# The job pushes via CI_DEPLOY_KEY (SSH), so the GITHUB_TOKEN needs no write
+# scopes. dependabot/fetch-metadata reads PR metadata via the API, which
+# requires pull-requests: read.
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  regenerate:
+    name: Regenerate lockfile and verification metadata
+    # Dependabot-triggered runs read secrets from the Dependabot secret store, so
+    # CI_DEPLOY_KEY must be added there (Settings -> Secrets -> Dependabot), not
+    # only to Actions secrets.
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+
+      - name: Check out PR branch
+        if: steps.metadata.outputs.package-ecosystem == 'gradle'
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          ref: ${{ github.head_ref }}
+          # Pushing with the deploy key (rather than GITHUB_TOKEN) re-triggers CI
+          # so the regenerated files are validated.
+          ssh-key: ${{ secrets.CI_DEPLOY_KEY }}
+
+      - name: Setup Gradle
+        if: steps.metadata.outputs.package-ecosystem == 'gradle'
+        uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # pin@v6
+
+      - name: Set up Java
+        if: steps.metadata.outputs.package-ecosystem == 'gradle'
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Regenerate lockfile and verification metadata
+        if: steps.metadata.outputs.package-ecosystem == 'gradle'
+        run: ./gradlew -p plugin-build resolveAndLockAll --write-locks --write-verification-metadata sha256
+
+      - name: Commit and push if changed
+        if: steps.metadata.outputs.package-ecosystem == 'gradle'
+        run: |
+          files="plugin-build/gradle.lockfile plugin-build/settings-gradle.lockfile plugin-build/gradle/verification-metadata.xml"
+          if git diff --quiet -- $files; then
+            echo "No lockfile or verification metadata changes."
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add $files
+          git commit -m "build(plugin): Regenerate dependency locks and verification metadata"
+          git push
@@ -32,6 +32,10 @@
 
 - The `debug` extension property is now typed as `Property<Boolean>` instead of `Property<Boolean?>` ([#1253](https://github.com/getsentry/sentry-android-gradle-plugin/pull/1253))
 
+### Internal Changes 🔧
+
+- Pin the plugin's build dependencies with Gradle dependency locking and SHA-256 dependency verification ([#1256](https://github.com/getsentry/sentry-android-gradle-plugin/pull/1256))
+
 ## 6.9.0
 
 ### Fixes

@@ -7,6 +7,26 @@ We suggest opening an issue to discuss bigger changes before investing on a big
 
 The project currently requires you run JDK version `17` and the Android SDK.
 
+# Updating dependencies in `plugin-build`
+
+The published plugin build (`plugin-build`) pins its full transitive
+dependency graph for supply-chain hardening: resolved versions are recorded
+in `plugin-build/gradle.lockfile` and a SHA-256 checksum for every artifact
+in `plugin-build/gradle/verification-metadata.xml`. Locking runs in STRICT
+mode, so any drift fails the build.
+
+Whenever you add, remove, or bump a dependency in
+`plugin-build/build.gradle.kts`, regenerate both files and commit them:
+
+```bash
+./gradlew -p plugin-build resolveAndLockAll --write-locks --write-verification-metadata sha256
+```
+
+Review the diff before committing — new transitive artifacts should look like
+they belong. The compatibility test matrix overrides AGP/Kotlin/Gradle
+versions via env vars and deliberately skips locking, so you only need to
+regenerate against the canonical build.
+
 # Overriding `sentry-cli` for local development
 
 If you want to use a local version of the sentry-cli for testing integration with the plugin, you can do so by setting the `cli.executable` property in the `sentry.properties` file of the target project.

@@ -67,6 +67,28 @@ dependencies {
   testImplementation(libs.zip4j)
 }
 
+// The compatibility test matrix (test-matrix-agp-gradle.yaml) overrides AGP/Kotlin/Gradle
+// versions via env vars, which deliberately diverges from the lockfile. Only lock the
+// canonical build; matrix builds resolve their own versions.
+val isVersionOverrideBuild =
+  System.getenv("VERSION_AGP") != null || System.getenv("VERSION_KOTLIN") != null
+
+// Regenerate the lockfile and verification metadata after changing dependencies; see
+// CONTRIBUTING.md.
+if (!isVersionOverrideBuild) {
+  dependencyLocking { lockAllConfigurations() }
+}
+
+tasks.register("resolveAndLockAll") {
+  notCompatibleWithConfigurationCache("Filters configurations at execution time")
+  doFirst {
+    require(gradle.startParameter.isWriteDependencyLocks) {
+      "$path must be run from the command line with the `--write-locks` flag"
+    }
+  }
+  doLast { configurations.filter { it.isCanBeResolved }.forEach { it.resolve() } }
+}
+
 java {
   sourceCompatibility = JavaVersion.VERSION_11
   targetCompatibility = JavaVersion.VERSION_11