Bump com.android.application from 8.7.0 to 9.2.1 in /src/proguard-android#11717
Open
dependabot[bot] wants to merge 15 commits into
Open
Bump com.android.application from 8.7.0 to 9.2.1 in /src/proguard-android#11717dependabot[bot] wants to merge 15 commits into
dependabot[bot] wants to merge 15 commits into
Conversation
Bumps com.android.application from 8.7.0 to 9.2.1. --- updated-dependencies: - dependency-name: com.android.application dependency-version: 9.2.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dependabot
Bot
requested review from
jonathanpeppers and
simonrozsival
as code owners
dependabot
Bot
added
dependencies
The com.android.application 9.2.1 plugin requires Gradle 9.4.1+. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jcenter() was removed in Gradle 9 and causes: Could not find method jcenter() for arguments [] on repository container Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…/proguard-android/com.android.application-9.2.1 # Conflicts: # src/manifestmerger/build.gradle
jonathanpeppers
force-pushed
the
dependabot/gradle/src/proguard-android/com.android.application-9.2.1
branch
from
c867006 to
5cb8e46
Compare
…irroring The default Compact session token issued by the Azure Artifacts credential provider is rejected by the dnceng dotnet-public-maven feed when ingesting plugin markers (e.g. the AGP plugin from `pluginManagement`). Setting `NUGET_CREDENTIALPROVIDER_VSTS_TOKENTYPE=SelfDescribing` forces a broader-scope token that the feed accepts. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
After bumping the shared build-tools/gradle wrapper to 9.4.1, the
JavaLib gradle fixture under tests/CodeGen-Binding/Xamarin.Android.
LibraryProjectZip-LibBinding/ failed with:
A problem occurred evaluating project ':library'.
> 'org.gradle.api.artifacts.Dependency
org.gradle.api.artifacts.dsl.DependencyHandler.module(java.lang.Object)'
That API was removed in Gradle 9 and is called by AGP 7.4.2. Bump the
fixture to AGP 9.2.1 (the same version proguard-android now uses, which
is already mirrored in the dnceng dotnet-public-maven feed) and apply
the small set of changes AGP 9 requires:
* Use `namespace` in build.gradle instead of `package` in the
manifest.
* Replace removed `compileSdkVersion`/`minSdkVersion` DSL with
`compileSdk`/`minSdk` and bump to API 35 / API 21.
* Drop `testInstrumentationRunner` referencing the removed
`android.support.test` package.
* Use `proguard-android-optimize.txt` instead of the no-longer
supported `proguard-android.txt`.
* Replace `rootProject.buildDir` with `rootProject.layout.buildDirectory`.
Repositories now use the dnceng feed when `RunningOnCI` is set, to
match the centralized scheme used by src/* projects.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Follow the convention from .github/instructions/gradle.instructions.md:
all gradle projects share eng/gradle/plugin-repositories.gradle and
eng/gradle/dependency-repositories.gradle, applied via settings.gradle.
Replace the inlined buildscript/allprojects repositories blocks with
`apply from:` of the shared files, switch to the modern plugins {}
DSL, and load the credprovider plugin in settings.gradle just like the
src/* projects do.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
So future AGP releases get auto-bumped here too, instead of silently diverging from src/proguard-android and breaking with the next Gradle wrapper upgrade. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
When the artifacts-credprovider's VssSessionToken gets 401-rejected by the dnceng feed despite being properly attached (observed with com.android.tools.lint:lint-gradle and its transitive deps for AGP 9.x), fall back to using an Azure DevOps OAuth token from `az account get-access-token` directly via the Authorization Bearer header. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Make the proven flow primary: * az login + Authorization Bearer header is the reliable path; works for plugin markers and transitive deps the credprovider's VssSessionToken trips on. * Document the build -> mirror failed urls -> rebuild loop that converges in a handful of iterations as AGP's resolver walks the dep graph. * Note that ingestion must be triggered from the project that actually needs the new package -- a sibling project's build won't trigger a mirror for someone else's missing dep. * Demote the credprovider plugin path to a fallback. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Wrap the build -> mirror failed URLs -> rebuild loop (which until now was documented as ~20 lines of inline PowerShell in .github/instructions/gradle.instructions.md) into a reusable cross-platform PowerShell script. The helper: * Reads the gradle build log for `Could not GET '<dnceng URL>'` lines. * Re-fetches each failing URL with an Azure DevOps OAuth bearer token from `az account get-access-token`, which causes the feed's upstream connector to pull the package and cache it for anonymous reads. * Loops until the build succeeds or no more 401s appear (capped at 15 iterations -- usually converges in 2-5). Replace the inline how-to in the instructions doc with a short pointer at this script. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The artifacts-credprovider flow has unresolved auth gaps for some packages (notably com.android.tools.lint:lint-gradle), so the az-bearer script is the only reliable path. Keeping the fallback documented just invites people to spin on it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
AGP 9 moved the per-variant classes.jar one directory deeper, under a syncDebugLibJars/ subfolder. Update the InputJar reference in the binding csproj to match. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The previous fix pointed at build/intermediates/aar_main_jar/debug/... which is explicitly an AGP-internal layout that Google reorganizes between major AGP versions (it moved under syncDebugLibJars/ in AGP 9). Instead, register a small extractClassesJar Copy task that unzips classes.jar from the public AAR output (build/outputs/aar/library-debug.aar) into build/libs/classes.jar -- a path we own. The binding csproj references that stable path, so future AGP bumps won't break this test. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
added
the
ready-to-review
jonathanpeppers
approved these changes
Jun 26, 2026
Member
|
/review |
|
✅ Android PR Reviewer completed successfully! |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
🤖 Code Review — ⚠️ Needs Changes
What this PR does (independent read): Bumps AGP com.android.application 8.7.0 → 9.2.1 in src/proguard-android, and — well beyond the original Dependabot bump — migrates the LibraryProjectZip-LibBinding Java test fixture to AGP 9 (plugins DSL, namespace, compileSdk 35, manifest package removal), bumps the shared Gradle wrapper 8.12 → 9.4.1, switches the binding's classes.jar source from AGP intermediates/ to a stable build/libs/ path via a new extractClassesJar Gradle task, adds a mirror-dependencies.ps1 feed-seeding helper, and rewrites the 401 docs.
Verdict:
CI: The dotnet-android build is ❌, but the only test failure is Java.InteropTests.JnienvTest.DoNotLeakWeakReferences (Expected: 37 +/- 10, But was: 64) — a known-flaky GC/weak-reference test that this PR does not touch (no runtime or C# changes). The functional changes are actually proven green: build/run Xamarin.Android.JcwGen_Tests — which ProjectReferences this binding and consumes the extracted classes.jar — passed, and the product build compiled r8/manifestmerger under Gradle 9.4.1. Please re-run the failing Package Tests macOS > APKs 2 leg to clear the flake; no code change is needed for it.
Findings (inline):
⚠️ eng/gradle/mirror-dependencies.ps1—BUILD SUCCESSFULdetection only scans the last 5 log lines, which Gradle 9's deprecation footer can push the success line past, misreporting a green build as a failure.- 💡
gradle.instructions.md— the new 401 workflow now diverges from the credprovider workflow still documented ineng/gradle/plugin-repositories.gradle; consolidate to one source of truth.
Nice work: Extracting classes.jar from the built .aar rather than reaching into AGP intermediates/ is the right call — the AAR layout is the documented-stable contract and survives AGP's intermediate-path churn, which is exactly the kind of breakage this AGP 9 bump would otherwise risk. Routing the fixture's settings.gradle through the shared eng/gradle/*-repositories.gradle and adding the fixture to dependabot.yml keeps it consistent with the rest of the repo. The AGP 9 migration itself (namespace, plugins DSL, manifest package removal) is clean and matches the conventions in gradle.instructions.md.
Generated by Android PR Reviewer for issue #11717 · 1.1K AIC · ⌖ 48.7 AIC · ⊞ 40K
Comment /review to run again
- mirror-dependencies.ps1: scan whole log for 'BUILD SUCCESSFUL' instead of only the last 5 lines. Gradle 9 prints a multi-line deprecation footer after the success line which can push it out of the tail and cause the script to misreport a green build as a failure. - plugin-repositories.gradle: drop the duplicated credprovider device-flow instructions and point at the single source of truth in .github/instructions/gradle.instructions.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps com.android.application from 8.7.0 to 9.2.1.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)