June 2026
Table of Contents
Welcome to the June 2026 Gradle Build Tool newsletter! This month, we’re untangling the four Kotlin versions hiding in your Gradle build, unpacking Gradle 9.6.0, and exploring how Netflix runs 358 architectural rules across 5,000+ repositories with Nebula ArchRules.
From the Community
ANDROID GRADLE PLUGIN 9.3.0
AGP 9.3.0 shipped this month, supporting up to API level 37 and continuing the AGP release cadence that has closely tracked the Gradle 9.x line. If you’re on AGP 9.2.x and Gradle 9.5.x, this upgrade pairs cleanly.
SCALING ARCHUNIT
John Burns and Emily Yuan from Netflix’s JVM Ecosystem team detail how they turned ArchUnit (normally a per-repo, JUnit-based architectural-rules tool) into a cross-repo enforcement layer for Netflix’s large fleet of Java repositories.
Two new Gradle plugins do the work: an ArchRules Library Plugin for authoring and publishing rules, and an ArchRules Runner Plugin that automatically picks up bundled rules from dependencies. The system runs 358 rules across 5,000+ repositories, detecting nearly 1 million issues (~1,000 of them high-priority), and ships with OSS rule libraries for nullability, Gradle plugin best practices, deprecated Joda/Guava usage, and known-vulnerable APIs.
MEET TONY ROBALIK
Tony Robalik (@autonomousapps) is a Gradle Fellow and the solo engineer behind a quietly foundational set of JVM build tools worth knowing about: the Dependency Analysis Gradle Plugin for catching unused and misclassified dependencies, the Gradle Best Practices Plugin for plugin-author anti-patterns, the Gradle Dependencies Sorter, and the community-reference Gradle Glossary. If you build with Gradle at scale, at least one or two of these tools will likely look familiar. Tony now consults independently under Faster Builds, LLC.
BEST PRACTICES FOR DEPENDENCY VERIFICATION
Benedikt Ritter distills a year of running Gradle dependency verification across the GradleX projects. Key recommendations: prefer PGP keys over per-artifact checksums, use the armored keyring so diffs are reviewable, disable key-server lookups, annotate the file with confidence indicators, and make dependency resolution reproducible.
From Gradle
GRADLE 9.6.0
Gradle 9.6.0 is out! This release includes:
-
Configuration Cache hit rates improved: Gradle now precisely tracks which
org.gradle.project.*system properties andORG_GRADLE_PROJECT_*environment variables are actually read during the configuration phase, so changing an unused property no longer invalidates the cache. -
Deprecation of implicit lookup in parent projects: implicit property references and explicit
findProperty()/property()/hasProperty()calls now emit deprecation warnings when they resolve from parent projects. - Cloud-runner I/O performance: Significant performance gains on cloud CI runners.
Update your wrapper to get started: ./gradlew wrapper --gradle-version=9.6.0 --gradle-distribution-sha256-sum=bbaeb2fef8710818cf0e261201dab964c572f92b942812df0c3620d62a529a01 && ./gradlew wrapper
4 VERSIONS OF KOTLIN?
Laura Kassovic untangles what’s actually happening when you “set the Kotlin version” in a Gradle build: two compilers, your Kotlin Gradle Plugin and the one Gradle embeds for build logic, each with its own language-version dial, gives you four numbers to keep straight. Gradle 9.6.0 ships embedded Kotlin 2.3.21 pinned to language version 2.2, while your KGP and its language version are yours to set.
The post explains why the separation is deliberate, where the two can safely diverge, and what to expect when you bump the Gradle wrapper.
From Develocity
ARTIFACT CACHE ♥️ ARTIFACTORY
The Develocity Team’s case for treating the CI pipeline as the new GenAI-era bottleneck, backed by concrete numbers. Sonatype reports 83% of Maven Central’s bandwidth flows to just 1% of IPs, one financial institution moves 23 TiB of artifacts in a single day across ~50,000 builds, and Develocity’s projection for a 20,000-developer org is roughly $7M/year in operating savings plus $5M in deferred CapEx.
The recommendation isn’t to rip out Artifactory; it’s to keep it as the system of record and add Develocity Artifact Cache as a build-artifact CDN, with Edge nodes peering at the LAN/AZ level so 95%+ of artifact fetches stay local. A benchmark showed an AndroidX build time dropping from ~50 minutes to 6 minutes.
SUPPLY CHAIN OBSERVABILITY
Bryan Kelly applies the production-observability lens to the software supply chain: stop stitching SBOMs, scanners, and build logs together by hand, start treating each commit, build, scan, and deployment as a signed, queryable fact. Provenance Governor binds Build Scan data, identity claims, and policy results into a triangle of trust — the “what” from Develocity, the “who” from short-lived workload identities, and the “authority” from Provenance Governor itself.
Upcoming events
Meet the Gradle team and fellow community members at these upcoming events! We’d love to connect with you to discuss anything related to Gradle Build Tool, Develocity, Developer Productivity Engineering (DPE), or AI’s evolving impact on software development and delivery.
- October 5–9 — Devoxx Belgium 2026 — Antwerp, Belgium. The original Devoxx — five days, the largest JVM developer conference in Europe. Worth marking the calendar now; tickets and CFP move fast.
- September 2–3 — Javazone 2026 — Lillestrøm, Norway. The biggest community-driven Java conference. Organized by JavaBin and the Norwegian Java User Group.
Spread the word
We encourage you to share highlights from this newsletter.
Find this and previous editions in the Gradle Newsletter Archive or subscribe via RSS.
The Call for Proposals for the July edition is now open!
If you have some news you’d like us to share in the next issue,
let us know using the #community-news channel on the Gradle Community Slack or by mentioning @Gradle on Twitter/X.
Until next time!
— The Gradle Team
 |
||||
|
Gradle Inc. | 2261 Market Street | San Francisco, CA 94114 |
||||
|
