How to verify that lockfile in Git matches the current configuration?

I want to manage lockfiles in Git and make sure that it matches the current build configuration. I.e., when dependencies are changed and committed to Git, lockfiles should also be regenerated and committed to Git.

When developers change dependencies, they may forget to regenerate lockfiles before pushing commits to Git. This would lead to CI/CD build being executed with configuration that doesn’t match with the updated dependencies.

As a solution, I would like to regenerate lockfiles before build and check that there is no diff between Git. The check part I managed to do with following task:

tasks.register('verifyNoLockfileDiff') {
    def hasDiff = exec {
        executable 'git'
        args = ['diff', "--exit-code", "gradle.lockfile", "buildscript-gradle.lockfile"]
        ignoreExitValue true
    if (hasDiff) {
        throw new GradleException("Found diff in lock files. Please run './gradlew dependencies --write-locks' and commit updated lock files.")

However, I couldn’t find a way for regenerating the lockfiles via build.gradle in similar way as ./gradlew dependencies --write-locks. The lockfile must be genereated and checked before build task, because build takes time and I want the build to fail early in case of lockfile mismatch. The only solution I came up with was running gradle twice: once for generating lockfiles, and once for the actual build (including the check). This is inconvenient, and I would like to handle lockfile generation and check as part of the build task instead.

Is there a simpler way to achieve such lockfile check functionality?

Note: lockfile changes must go through code review process, so committing updated lockfile can’t be automatized e.g. via Jenkins.