
fix(gradle): honor replaces-base for Maven Central fallback#14822

Merged
thavaahariharangit merged 2 commits into main from harry/fix-gradle-replaces-base-central-fallback on Apr 27, 2026

Conversation


@thavaahariharangit thavaahariharangit commented Apr 24, 2026

What are you trying to accomplish?

Before this change, teams often had to rely on settings.gradle to reliably prevent public fallback during Dependabot Gradle updates.

This fix makes that behavior explicit: when a Maven credential is marked with replaces-base: true, Dependabot treats that private registry as the base source and avoids default fallback to Maven Central.

Note:
If a project explicitly declares additional public repositories in Gradle configuration, those declarations still need to be governed by repository policy (for example, via settings.gradle repository mode).

Anything you want to highlight for special attention from reviewers?

This PR ensures that replaces-base: true is honored for Gradle dependency resolution — when a private registry is configured with this flag, Dependabot will no longer fall back to the public Maven Central registry.

A follow-up PR is planned to improve the behavior further: even without replaces-base: true, Dependabot should prefer configured registries before falling back to the Maven Central (default) ones. This is particularly important for projects with multiple registries, where the current behavior requires teams to rely on settings.gradle to control resolution order.

How will you know you've accomplished your goal?

Validation was done using this workflow run: https://github.com/thavaahariharangit/java-private-registry-test-13249-1/actions/runs/24915740405/job/72967316407

Before this change, even with replaces-base: true, Gradle resolution still fell back to the public registry and proposed an update to 1.3.6:

updater | 2026/04/24 23:03:08 INFO Results:
+-----------------------------------------------------------------+
|               Changes to Dependabot Pull Requests               |
+---------+-------------------------------------------------------+
| created | commons-logging:commons-logging ( from 1.0 to 1.3.6 ) |
+---------+-------------------------------------------------------+

After this fix, with replaces-base: true, Dependabot no longer falls back to the public registry, and the proposed update comes from the private registry path (1.2):

updater | 2026/04/24 23:05:13 INFO Results:
updater | +---------------------------------------------------------------+
updater | |              Changes to Dependabot Pull Requests              |
updater | +---------+-----------------------------------------------------+
updater | | created | commons-logging:commons-logging ( from 1.0 to 1.2 ) |
updater | +---------+-----------------------------------------------------+

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
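The before/after results above, and the note about explicitly declared public repositories, can be reproduced with a small model of repository selection. The following is an added illustration and is not Dependabot's own code: it models a Gradle updater that (pre-fix) always appends Maven Central as a fallback, and (post-fix) lets a Maven credential flagged replaces-base: true stand in for mavenCentral() and for that fallback. The registry URLs, the credential hash shape and the per-registry version lists for commons-logging are constructed assumptions; the settings.gradle repository-mode governance mentioned in the note is outside this model and is why an explicitly declared public repository is still queried here.

```ruby
require "rubygems" # Gem::Version is used for Maven-style version ordering

# Added illustration, not Dependabot's own code: a simplified model of how a
# Gradle updater chooses which repositories to query for a dependency and how
# a Maven credential flagged replaces-base: true changes the result.
MAVEN_CENTRAL_URL = "https://repo.maven.apache.org/maven2".freeze
PRIVATE_REGISTRY_URL = "https://private.example.com/maven2".freeze   # assumed
PUBLIC_MIRROR_URL = "https://public-mirror.example.org/maven2".freeze # assumed

# Constructed sample data: versions of commons-logging:commons-logging that
# each registry advertises.
SAMPLE_VERSIONS = {
  MAVEN_CENTRAL_URL => %w[1.0 1.1 1.2 1.3.6],
  PRIVATE_REGISTRY_URL => %w[1.0 1.1 1.2],
  PUBLIC_MIRROR_URL => %w[1.3.6]
}.freeze

# Credentials as they would arrive from dependabot.yml `registries:` entries.
# The hash keys mirror the documented option names; the exact shape is an assumption.
def replaces_base_url(credentials)
  cred = credentials.find do |c|
    c["type"] == "maven_repository" && c["replaces-base"] == true
  end
  cred && cred["url"].to_s.chomp("/")
end

# Repositories to query, in order, for a build file that declared `declared_repos`.
# honor_replaces_base: false reproduces the pre-fix behaviour, in which Maven
# Central was appended as a fallback regardless of the flag.
def effective_repositories(declared_repos, credentials, honor_replaces_base: true)
  urls = declared_repos.map { |u| u.chomp("/") }
  base = honor_replaces_base ? replaces_base_url(credentials) : nil
  if base
    # The flagged registry becomes the base: it replaces mavenCentral() and
    # the implicit fallback, so nothing public is queried by default.
    urls = urls.map { |u| u == MAVEN_CENTRAL_URL ? base : u }
    urls.unshift(base)
  else
    urls << MAVEN_CENTRAL_URL
  end
  urls.uniq
end

# Highest version visible across the repositories that were actually queried.
def latest_version(repos, versions_by_repo = SAMPLE_VERSIONS)
  repos.flat_map { |r| versions_by_repo.fetch(r, []) }
       .map { |v| Gem::Version.new(v) }
       .max
       .to_s
end

if __FILE__ == $PROGRAM_NAME
  creds = [{ "type" => "maven_repository", "url" => PRIVATE_REGISTRY_URL,
             "replaces-base" => true }]
  [false, true].each do |honor|
    repos = effective_repositories([PRIVATE_REGISTRY_URL], creds, honor_replaces_base: honor)
    puts "honor replaces-base=#{honor}: #{repos.inspect} -> #{latest_version(repos)}"
  end
end
```

With the flag ignored the private registry and Maven Central are both queried and 1.3.6 wins; with the flag honored only the private registry is queried and 1.2 is proposed. A build file that declares a separate public repository by URL still has that repository queried, which is the case the note above says must be governed in settings.gradle.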

@thavaahariharangit thavaahariharangit requested a review from a team as a code owner April 24, 2026 23:05
Copilot AI review requested due to automatic review settings April 24, 2026 23:05
@github-actions github-actions Bot added the L: java:gradle Maven packages via Gradle label Apr 24, 2026
Copilot AI left a comment


Pull request overview

Updates Gradle’s repository resolution so that when a Maven credential is marked replaces-base: true, Dependabot treats that private registry as the “base” repository and avoids default Maven Central fallback.

Changes:

  • Add credentials support to Gradle::FileParser::RepositoriesFinder and use it to replace Maven Central with the replaces-base registry.
  • Wire credentials through PackageDetailsFetcher when determining dependency repository URLs.
  • Add/update specs to verify repository selection and source URLs when replaces-base is present.
Summary per file:

  • gradle/lib/dependabot/gradle/file_parser/repositories_finder.rb: adds credential-aware “central” URL resolution and maps mavenCentral()/fallback to a replaces-base registry.
  • gradle/lib/dependabot/gradle/package/package_details_fetcher.rb: passes credentials into RepositoriesFinder when building repository details for version lookups.
  • gradle/spec/dependabot/gradle/file_parser/repositories_finder_spec.rb: adds coverage for replaces-base behavior in repository URL discovery (including mavenCentral() mapping).
  • gradle/spec/dependabot/gradle/package/package_details_fetcher_spec.rb: adds coverage ensuring version source URLs reflect the replaces-base registry.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 1

Comment thread gradle/lib/dependabot/gradle/package/package_details_fetcher.rb Outdated
@thavaahariharangit thavaahariharangit changed the title fix(gradle): honor replaces-base for Maven Central fallback fix(gradle): honor replaces-base for Maven Central fallback Apr 27, 2026
@thavaahariharangit thavaahariharangit merged commit a9ea913 into main Apr 27, 2026
93 checks passed
@thavaahariharangit thavaahariharangit deleted the harry/fix-gradle-replaces-base-central-fallback branch April 27, 2026 09:50

Labels

L: java:gradle Maven packages via Gradle

3 participants