June 2026

Introduction

Welcome to the June 2026 Gradle Build Tool newsletter! This month, we’re untangling the four Kotlin versions hiding in your Gradle build, unpacking Gradle 9.6.0, and exploring how Netflix runs 358 architectural rules across 5,000+ repositories with Nebula ArchRules.

From the Community #

ANDROID GRADLE PLUGIN 9.3.0 #

AGP 9.3.0 shipped this month, supporting up to API level 37 and continuing the AGP release cadence that has closely tracked the Gradle 9.x line. If you’re on AGP 9.2.x and Gradle 9.5.x, this upgrade pairs cleanly.

👉 See the release notes

SCALING ARCHUNIT #

John Burns and Emily Yuan from Netflix’s JVM Ecosystem team detail how they turned ArchUnit (normally a per-repo, JUnit-based architectural-rules tool) into a cross-repo enforcement layer for Netflix’s large fleet of Java repositories.

Two new Gradle plugins do the work: an ArchRules Library Plugin for authoring and publishing rules, and an ArchRules Runner Plugin that automatically picks up bundled rules from dependencies. The system runs 358 rules across 5,000+ repositories, detecting nearly 1 million issues (~1,000 of them high-priority), and ships with OSS rule libraries for nullability, Gradle plugin best practices, deprecated Joda/Guava usage, and known-vulnerable APIs.

👉 Read the post

MEET TONY ROBALIK #

Tony Robalik (@autonomousapps) is a Gradle Fellow and the solo engineer behind a quietly foundational set of JVM build tools worth knowing about: the Dependency Analysis Gradle Plugin for catching unused and misclassified dependencies, the Gradle Best Practices Plugin for plugin-author anti-patterns, the Gradle Dependencies Sorter, and the community-reference Gradle Glossary. If you build with Gradle at scale, at least one or two of these tools will likely look familiar. Tony now consults independently under Faster Builds, LLC.

👉 Find him on GitHub

BEST PRACTICES FOR DEPENDENCY VERIFICATION #

Benedikt Ritter distills a year of running Gradle dependency verification across the GradleX projects. Key recommendations: prefer PGP keys over per-artifact checksums, use the armored keyring so diffs are reviewable, disable key-server lookups, annotate the file with confidence indicators, and make dependency resolution reproducible.

👉 Read the post

From Gradle #

GRADLE 9.6.0 #

Gradle 9.6.0 is out! This release includes:

• Configuration Cache hit rates improved: Gradle now precisely tracks which org.gradle.project.* system properties and ORG_GRADLE_PROJECT_* environment variables are actually read during the configuration phase, so changing an unused property no longer invalidates the cache.
• Deprecation of implicit lookup in parent projects: implicit property references and explicit findProperty() / property() / hasProperty() calls now emit deprecation warnings when they resolve from parent projects.
• Cloud-runner I/O performance: Significant performance gains on cloud CI runners.

Update your wrapper to get started: ./gradlew wrapper --gradle-version=9.6.0 --gradle-distribution-sha256-sum=bbaeb2fef8710818cf0e261201dab964c572f92b942812df0c3620d62a529a01 && ./gradlew wrapper

👉 See the release notes

4 VERSIONS OF KOTLIN? #

Laura Kassovic untangles what’s actually happening when you “set the Kotlin version” in a Gradle build: two compilers, your Kotlin Gradle Plugin and the one Gradle embeds for build logic, each with its own language-version dial, gives you four numbers to keep straight. Gradle 9.6.0 ships embedded Kotlin 2.3.21 pinned to language version 2.2, while your KGP and its language version are yours to set.

The post explains why the separation is deliberate, where the two can safely diverge, and what to expect when you bump the Gradle wrapper.

👉 Read the post

From Develocity #

ARTIFACT CACHE ♥️ ARTIFACTORY #

The Develocity Team’s case for treating the CI pipeline as the new GenAI-era bottleneck, backed by concrete numbers. Sonatype reports 83% of Maven Central’s bandwidth flows to just 1% of IPs, one financial institution moves 23 TiB of artifacts in a single day across ~50,000 builds, and Develocity’s projection for a 20,000-developer org is roughly $7M/year in operating savings plus $5M in deferred CapEx.

The recommendation isn’t to rip out Artifactory; it’s to keep it as the system of record and add Develocity Artifact Cache as a build-artifact CDN, with Edge nodes peering at the LAN/AZ level so 95%+ of artifact fetches stay local. A benchmark showed an AndroidX build time dropping from ~50 minutes to 6 minutes.

👉 Read the post

SUPPLY CHAIN OBSERVABILITY #

Bryan Kelly applies the production-observability lens to the software supply chain: stop stitching SBOMs, scanners, and build logs together by hand, start treating each commit, build, scan, and deployment as a signed, queryable fact. Provenance Governor binds Build Scan data, identity claims, and policy results into a triangle of trust — the “what” from Develocity, the “who” from short-lived workload identities, and the “authority” from Provenance Governor itself.

👉 Read the post

Upcoming events #

Meet the Gradle team and fellow community members at these upcoming events! We’d love to connect with you to discuss anything related to Gradle Build Tool, Develocity, Developer Productivity Engineering (DPE), or AI’s evolving impact on software development and delivery.

• October 5–9 — Devoxx Belgium 2026 — Antwerp, Belgium. The original Devoxx — five days, the largest JVM developer conference in Europe. Worth marking the calendar now; tickets and CFP move fast.
• September 2–3 — Javazone 2026 — Lillestrøm, Norway. The biggest community-driven Java conference. Organized by JavaBin and the Norwegian Java User Group.

Spread the word #

We encourage you to share highlights from this newsletter.

Find this and previous editions in the Gradle Newsletter Archive or subscribe via RSS.

The Call for Proposals for the July edition is now open!

Views