chore: revert github configuration to match main

Author: dschwartz-ftadvisory

.github/renovate.json

@@ -53,26 +53,18 @@
       ]
     },
     {
-      "description": "Always open PRs immediately and prioritize Renovate GitHub Action updates",
-      "matchManagers": ["github-actions"],
-      "matchPackageNames": ["renovatebot/github-action"],
+      "description": "Always open PRs immediately for Renovate GitHub Action updates",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchPackageNames": [
+        "renovatebot/github-action"
+      ],
       "prCreation": "immediate",
-      "prPriority": 100,
-      "stabilityDays": 0,
       "minimumReleaseAge": "0 days",
-      "schedule": ["at any time"]
-    },
-    {
-      "description": "Automerge safe GitHub Actions patch updates",
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["patch"],
-      "automerge": true,
-      "automergeType": "pr"
-    },
-    {
-      "description": "Require dashboard approval for major updates",
-      "matchUpdateTypes": ["major"],
-      "dependencyDashboardApproval": true
+      "schedule": [
+        "at any time"
+      ]
     }
   ]
 }

.github/workflows/build-and-test.yml

@@ -17,12 +17,12 @@ on:
 
 
 jobs:
-  build-and-test:
+  build-and-testExpected:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -47,4 +47,7 @@ jobs:
           cache: pip
 
       - name: Run Python Unit Tests
-        run: test/python_unit_tests/run_python_unit_tests.sh
+        run: |
+          test/python_unit_tests/run_python_unit_tests.sh
+
+

.github/workflows/release.yml

@@ -6,9 +6,9 @@ on:
   workflow_dispatch:
     inputs:
       dry_run:
-        description: "Do not push/tag or create a GitHub Release"
+        description: "DRY RUN: Do not push/tag or create a GitHub Release"
         type: boolean
-        default: true
+        default: false
       base_ref:
         description: "Branch to release from (for testing)"
         type: string
@@ -30,7 +30,7 @@ jobs:
       artifact_id: ${{ steps.get_artifact_id.outputs.artifact_id }}
     steps:
       - name: Checkout base branch
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: ${{ github.event.inputs.base_ref || 'main' }}
@@ -116,16 +116,11 @@ jobs:
             exit 0
           fi
 
-          mvn -q -B versions:set -DnewVersion="${TAG_NAME}" -DgenerateBackupPoms=false
-          if ! git diff --quiet; then
-            git config user.name "github-actions[bot]"
-            git config user.email "github-actions[bot]@users.noreply.github.com"
-            git add -A
-            git commit -m "Release ${TAG_NAME}: set project version to ${TAG_NAME}"
-          else
-            echo "No changes to commit (version already ${TAG_NAME})."
-          fi
+           # We skip committing changes to the repo. Use versions:set only in the build step ephemerally.
+           echo "Skipping persistent version bump in pom.xml to avoid branch protection issues."
 
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
           git fetch --prune --tags origin
           if git rev-parse "${TAG_NAME}" >/dev/null 2>&1; then
             echo "Tag ${TAG_NAME} already exists. Exiting."
@@ -141,14 +136,14 @@ jobs:
     steps:
     - name: Checkout the tag (real release)
       if: ${{ github.event.inputs.dry_run != 'true' }}
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
         ref: ${{ needs.prepare-release.outputs.tag_name }}
 
     - name: Checkout the base branch (dry run)
       if: ${{ github.event.inputs.dry_run == 'true' }}
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
         ref: ${{ github.event.inputs.base_ref || 'main' }}
@@ -160,15 +155,13 @@ jobs:
         java-version: 21
         cache: maven
 
-    - name: In dry run - set project version to computed tag (no commit)
-      if: ${{ github.event.inputs.dry_run == 'true' }}
+    - name: Set project version for build (ephemeral)
       env:
         TAG_NAME: ${{ needs.prepare-release.outputs.tag_name }}
       shell: bash
       run: |
         set -euo pipefail
         mvn -q -B versions:set -DnewVersion="${TAG_NAME}" -DgenerateBackupPoms=false
-        # No commit; only adjust the working tree so the built artifact names match
 
     - name: Build JARs
       shell: bash
@@ -190,7 +183,7 @@ jobs:
 
     - name: In dry run - upload build outputs as workflow artifacts
       if: ${{ github.event.inputs.dry_run == 'true' }}
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: dry-run-${{ needs.prepare-release.outputs.tag_name }}
         path: |

.github/workflows/renovate.yml

@@ -26,11 +26,11 @@ jobs:
       security-events: read    # read Dependabot vulnerability alerts
     steps:
       # Checks out the repository under $GITHUB_WORKSPACE
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       # Runs the Renovate GitHub Action
       - name: Renovate
-        uses: renovatebot/github-action@v43.0.18
+        uses: renovatebot/github-action@v44.2.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }} # required to create PRs/issues
           configurationFile: .github/renovate.json

.github/workflows/scan-cve.yml

@@ -6,19 +6,26 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
+
 
 # Cancel previous jobs
 concurrency:
   group: cve-scan-${{ github.ref }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
 
 jobs:
   depchecktest:
     runs-on: ubuntu-latest
     name: depecheck_test
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup JDK 21
         uses: actions/setup-java@v5
         with:
@@ -32,6 +39,7 @@ jobs:
         id: Depcheck
         env:
           JAVA_HOME: /opt/jdk
+
         with:
           project: ${{github.repository}}
           path: '.'
@@ -45,7 +53,7 @@ jobs:
             --out ./reports
       - name: Upload Test results
         if: ${{ always() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: Depcheck report
           path:  ${{github.workspace}}/reports

.github/workflows/scan-license.yml

@@ -5,6 +5,8 @@ name: License Scanning for Maven
 on:
   schedule:
     - cron: '0 8,18 * * 1-5'
+  workflow_dispatch:
+
   push:
     paths:
       - './pom.xml'
@@ -49,11 +51,15 @@ env:
     "
   REPORT_PATH: "target/generated-resources/licenses.xml"
 
+permissions:
+  contents: read
+
+
 jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Set up JDK 21
       uses: actions/setup-java@v5
       with:
@@ -76,7 +82,7 @@ jobs:
         if [ $LINES_FOUND -gt 1 ]; then echo $LICENSE_REPORT ; exit -1; fi
       working-directory: .
     - name: Upload license XML reports
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: license-xml-report
         path: './**/${{ env.REPORT_PATH }}'