diff --git a/.fossa.yml b/.fossa.yml
new file mode 100644
index 00000000..f13f5fe6
--- /dev/null
+++ b/.fossa.yml
@@ -0,0 +1,11 @@
+version: 3
+
+targets:
+ only:
+ - type: gradle
+
+experimental:
+ gradle:
+ configurations-only:
+ # consumer will only be exposed to these dependencies
+ - runtimeClasspath
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index c7aa002e..70548b4d 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -12,7 +12,8 @@
 "groupName": "github actions"
 },
 {
- // pin opentelemetry-api dependency to: avoid churn, for conservative api version requirement, and because opentelemetry-api is a compileOnly dependency
+ // pin opentelemetry-api dependency to: avoid churn, for conservative api version requirement,
+ // and because opentelemetry-api is a compileOnly dependency
 "matchPackageNames": ["io.opentelemetry:opentelemetry-api"],
 "matchCurrentVersion": "1.33.0",
 "enabled": false
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
new file mode 100644
index 00000000..23cabfc6
--- /dev/null
+++ b/.github/workflows/fossa.yml
@@ -0,0 +1,19 @@
+name: FOSSA
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ fossa:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+ with:
+ api-key: ${{secrets.FOSSA_API_KEY}}
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index cde2d212..85308a8f 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
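Review bot: The FOSSA job only uploads an analysis; nothing in the step fails the run on a policy or vulnerability finding, so the results are advisory unless someone watches the FOSSA project page. If the scan is meant to gate main, the action's `run-tests` input (available in the v1 line of fossa-action, as far as I recall) runs `fossa test` after the analysis and fails on policy violations; if upload-only is intended, a comment such as `# analysis upload only; policy results are reviewed in the FOSSA UI` above the step would record that decision. Pinning both actions to a full commit SHA with a version comment and restricting the token to `contents: read` are good defaults here. Minor style: `${{ secrets.FOSSA_API_KEY }}` with spaces inside the braces matches the usual GitHub expression formatting.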
@@ -136,6 +136,8 @@ testing {
 suites.withType(JvmTestSuite::class).configureEach {
 dependencies {
 implementation(project(project.path))
+ implementation(enforcedPlatform("org.junit:junit-bom:5.11.4"))
+ implementation(enforcedPlatform("org.assertj:assertj-bom:3.27.3"))
 implementation("org.junit.jupiter:junit-jupiter-api")
 implementation("org.junit.jupiter:junit-jupiter-params")
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index de384d27..2feb5bb1 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -2,35 +2,19 @@ plugins {
 `java-platform`
 }
-data class DependencySet(val group: String, val version: String, val modules: List)
-
-val dependencyVersions = hashMapOf()
-rootProject.extra["versions"] = dependencyVersions
-
-val DEPENDENCY_BOMS = listOf(
- "org.assertj:assertj-bom:3.27.3",
- "org.junit:junit-bom:5.11.4",
-)
-
-val DEPENDENCIES = listOf(
- "io.opentelemetry:opentelemetry-api:1.33.0"
-)
-
 javaPlatform {
 allowDependencies()
 }
 dependencies {
- for (bom in DEPENDENCY_BOMS) {
- api(enforcedPlatform(bom))
- val split = bom.split(':')
- dependencyVersions[split[0]] = split[2]
- }
+ // boms that are only used by tests should be added in otel.java-conventions.gradle.kts
+ // under JvmTestSuite so they don't show up as runtime dependencies in license and vulnerability scans
+ // (the constraints section below doesn't have this issue, and will only show up
+ // as runtime dependencies if they are actually used as runtime dependencies)
+
 constraints {
- for (dependency in DEPENDENCIES) {
- api(dependency)
- val split = dependency.split(':')
- dependencyVersions[split[0]] = split[2]
- }
+ // pinned to: avoid churn, for conservative api version requirement,
+ // and because opentelemetry-api is a compileOnly dependency
+ api("io.opentelemetry:opentelemetry-api:1.33.0")
 }
 }
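Review bot: The two new `enforcedPlatform` lines now hold the only copies of the JUnit and AssertJ BOM versions, but nothing in this file says why they live in the test-suite block rather than in the `dependencyManagement` platform, so the next maintainer is likely to move them back. A comment above them such as `// test-only boms are declared here, not in dependencyManagement, so they are not reported as runtime dependencies by license/vulnerability scans` would preserve the rationale where the versions actually live. `enforcedPlatform` also forces these versions onto any transitive JUnit/AssertJ artifacts on the test classpath, which matches what the removed platform code did, so no behavioural change is introduced there. The enclosing `testing {` and `configureEach {` blocks start and end outside the hunk.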
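Review bot: Removing `rootProject.extra["versions"]` is an interface change for any other build script that still reads that extra property; if one exists it now fails at configuration time with a missing-property error, so a repository-wide search for `extra["versions"]` before merging is worthwhile. Moving `opentelemetry-api` from a direct `api(...)` declaration under `allowDependencies()` into `constraints { }` also changes what consumers of the platform receive: a constraint only pins the version when a project declares the dependency itself, whereas before the platform pulled it in. That appears intended given the new comment, but a short addition like `// constraint only: consumers must declare opentelemetry-api themselves` would make the contract explicit. The removed `DependencySet` data class had no remaining use in the visible code, so dropping it is consistent with the rest of the hunk.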