From 68f952c41505b7d8113cfea9767598a98b9f4854 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoann=20Rodi=C3=A8re?= Date: Thu, 19 Jun 2025 10:28:18 +0200 Subject: [PATCH 1/2] Enable dependabot for most dependencies The idea is that we'd merge updates in the "build-dependencies" group as-is, without a Jira issue. **We would still have to adjust/re-create other update PRs** (such as Jandex) to assign them a Jira issue. We could consider limiting the dependencies covered by dependabot, but I find that grouping, at least, allows a fairly manageable rate of dependabot PRs. Runtime dependency updates should be more rare anyway, as their number is limited and they're generally less active (e.g. Jakarta Persistence doesn't release a micro every week). The most important ones are the runtime ones, e.g. bytebuddy, so we could consider ignoring/limiting build dependency updates if necessary. --- .github/dependabot.yml | 130 +++++++++++++++++++++++++++++-- .github/hibernate-github-bot.yml | 4 + .github/workflows/ci.yml | 8 ++ 3 files changed, 134 insertions(+), 8 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4fd3b32379c6..0a48658c7a3c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,14 +6,6 @@ registries: username: dummy # Required by dependabot password: dummy # Required by dependabot updates: - - package-ecosystem: "gradle" - directory: "/" - allow: - - dependency-name: "com.gradle*" - registries: - - gradle-plugin-portal - schedule: - interval: "weekly" - package-ecosystem: github-actions directory: "/" schedule: 
@@ -25,3 +17,125 @@ updates: allow: - dependency-name: "actions/*" - dependency-name: "redhat-actions/*" + - package-ecosystem: "gradle" + directory: "/" + registries: + - gradle-plugin-portal + schedule: + interval: "weekly" + day: "wednesday" + open-pull-requests-limit: 20 + groups: + # These are used in tooling we publish (Gradle, Ant, Maven plugins) + # and thus must be treated as runtime dependencies, + # which cannot be included in the build-dependencies group below. + tooling-dependencies: + update-types: ["minor", "patch"] + patterns: + # Note: Gradle tooling dependencies seem to be tied to the version of Gradle we use for building. + - "org.apache.ant*" + - "org.apache.maven:maven-plugin-api" + - "org.apache.maven:maven-project" + - "org.apache.maven.shared:file-management" + - "org.apache.maven.plugin-tools:maven-plugin-annotations" + # This group combines all build-only dependencies. Published artifacts do not depend on them. + # Grouping such dependencies will make Dependabot create PRs with a branch name + # following the pattern (`dependabot/maven/build-dependencies-.*`) + # and with a title like `Bump the build-dependencies group with 8 updates` that we can easily + # use for Hibernate Bot rules. 
+ build-dependencies: + patterns: + # Gradle plugins: + - "com.gradle*" + - "org.moditect*" + - "de.thetaphi*" + - "org.gradlex*" + - "org.hibernate.build*" + - "org.hibernate.orm.build*" + - "org.hibernate.orm.database-service*" + - "org.hibernate.orm.antlr*" + - "io.github.gradle-nexus*" + - "biz.aQute.bnd*" + - "org.checkerframework*" + - "org.jetbrains.gradle*" + - "com.dorongold*" + - "org.asciidoctor*" + - "com.diffplug.spotless*" + # Local build plugin dependencies: + - "org.apache.maven*" + - "org.apache.httpcomponents*" + # DB drivers: + - "com.h2database:h2" + - "org.orbisgis:h2gis" + - "org.hsqldb:hsqldb" + - "org.apache.derby*" + - "org.postgresql:*" + - "com.mysql:mysql-connector-j" + - "org.mariadb.jdbc:mariadb-java-client" + - "com.oracle.database.*" + - "com.microsoft.sqlserver:mssql-jdbc" + - "com.ibm.db2:jcc" + - "com.sap.cloud.db.jdbc:ngdbc" + - "net.sourceforge.jtds:jtds" + - "com.ibm.informix:jdbc" + - "org.firebirdsql.jdbc:jaybird" + - "com.altibase:altibase-jdbc" + # Other test dependencies + - "org.apache.groovy:groovy-jsr223" # used for scripting maven plugin + - "org.apache.commons:commons-lang3" # used in hibernate-search-util-common tests + - "org.apache.commons:commons-math3" # used to solve dependency convergence for Wiremock + - "org.openjdk.jmh:*" # performance testing dependency + - "com.google.guava:guava" # Guava is used in our test utils + - "org.asciidoctor:*" # Asciidoctor is used for rendering the documentation + - "org.jboss.marshalling:jboss-marshalling" # JBeret IT dependency + - "org.wildfly.security:wildfly-security-manager" # JBeret IT dependency + - "org.springframework.boot:*" # Spring is only for ITs + - "io.agroal:agroal-spring-boot-starter" # part of Spring dependencies, is only for ITs + - "dev.snowdrop:narayana-spring-boot-starter" # part of Spring dependencies, is only for ITs + - "org.mockito:*" + - "org.hamcrest:*" + - "org.apache.logging.log4j:*" + - "org.assertj:*" + - "org.jsoup:*" + - "org.junit*" + - 
"org.jboss.weld.se:*" + - "org.jboss.narayana.*:*" + - "org.wildfly.transaction:*" + - "org.jboss:jboss-transaction-spi" + - "org.jboss.shrinkwrap*" + - "org.jboss.byteman*" + hibernate: + patterns: + - "org.hibernate*" + jakarta: + patterns: + - "jakarta.*" + - "org.glassfish*" + - "org.eclipse:yasson" + ignore: + # Avoid non-patch updates for complex dependencies and their implementation, even if we only use them for tests. + - dependency-name: "org.hibernate*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "jakarta.*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "org.jboss.narayana*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "org.jboss.weld*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "org.wildfly*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "org.glassfish*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "org.eclipse:yasson" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "org.apache.maven*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + - dependency-name: "org.apache.ant*" + update-types: ["version-update:semver-major", "version-update:semver-minor"] + # Sticking to SLF4J 1.x for now since later versions require upgrading providers + # (Log4j, ... see https://www.slf4j.org/faq.html#changesInVersion200), + # and also because we only need this dependency for Maven, + # which is currently still on SLF4J 1.x + # (see https://central.sonatype.com/artifact/org.apache.maven/maven-embedder/3.9.9/dependencies) + - dependency-name: "org.slf4j:*" + update-types: ["version-update:semver-major"] 
diff --git a/.github/hibernate-github-bot.yml b/.github/hibernate-github-bot.yml index c2c29e23df50..f66b99d93e5e 100644 --- a/.github/hibernate-github-bot.yml +++ b/.github/hibernate-github-bot.yml @@ -2,6 +2,10 @@ jira: projectKey: "HHH" insertLinksInPullRequests: true + ignore: + # See the `build-dependencies` group in Dependabot's configuration file + - user: dependabot[bot] + titlePattern: "Bump.*the (build-dependencies|workflow-actions) group.*+" ignoreFiles: # Git - ".git*" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1aaf7b380605..7f606e60a65f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,10 +3,18 @@ name: GH Actions CI on: push: branches: + # Pattern order matters: the last matching inclusion/exclusion wins - 'main' + # We don't want to run CI on branches for dependabot, just on the PR. + - '!dependabot/**' pull_request: branches: - 'main' + # Ignore dependabot PRs that are not just about build dependencies or workflows; + # we'll reject such PRs and send one ourselves. + - '!dependabot/**' + - 'dependabot/maven/build-dependencies-**' + - 'dependabot/github_actions/workflow-actions-**' permissions: { } # none From cde3c182c52b0b46796195ace181cc88f23a3db8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Jun 2025 09:39:45 +0000 Subject: [PATCH 2/2] Bump io.smallrye:jandex from 3.1.2 to 3.3.1 Bumps [io.smallrye:jandex](https://github.com/smallrye/jandex) from 3.1.2 to 3.3.1. - [Release notes](https://github.com/smallrye/jandex/releases) - [Changelog](https://github.com/smallrye/jandex/blob/main/RELEASE_PROCEDURE.md) - [Commits](https://github.com/smallrye/jandex/compare/3.1.2...3.3.1) --- updated-dependencies: - dependency-name: io.smallrye:jandex dependency-version: 3.3.1 dependency-type: direct:production update-type: version-update:semver-minor ... 
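Review bot: The new `titlePattern` ends in `.*+`, a possessive quantifier that Java's regex engine accepts but which reads like a typo for `.*`; if the bot ever runs on another engine the pattern may be rejected, so `titlePattern: "Bump.*the (build-dependencies|workflow-actions) group.*"` is the safer spelling. The pattern also exempts a `workflow-actions` group that is not defined anywhere in the visible part of `.github/dependabot.yml` — confirm it exists in the github-actions entry (lines not shown in hunk 2), otherwise Actions bumps will still be asked for a Jira issue. Because this rule waives the Jira check on author and title alone, it presumably relies on the bot applying `user` and `titlePattern` conjunctively; worth confirming, since a PR title by itself is editable by any collaborator.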
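Review bot: The `'!dependabot/**'` and `dependabot/...` entries under `pull_request.branches` will not do what the comment says: for `pull_request`, the `branches` filter is matched against the PR's base branch, which for these PRs is `main`, so every Dependabot PR still triggers CI and the intended include/exclude is a no-op. To filter on the source branch, keep `branches: ['main']` and add a job-level condition such as `if: github.event_name != 'pull_request' || !startsWith(github.head_ref, 'dependabot/') || startsWith(github.head_ref, 'dependabot/gradle/build-dependencies-') || startsWith(github.head_ref, 'dependabot/github_actions/workflow-actions-')`. Note also that the Gradle entry in dependabot.yml is `package-ecosystem: "gradle"`, so its branches are presumably prefixed `dependabot/gradle/`, not `dependabot/maven/` as written here. The `push` exclusion is fine as-is, since push filters match the pushed ref, and `permissions: { }` remains the right minimal default for workflows that run on bot-authored PRs.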
Signed-off-by: dependabot[bot] --- local-build-plugins/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local-build-plugins/build.gradle b/local-build-plugins/build.gradle index e56d6de3131b..bbc206e93a34 100644 --- a/local-build-plugins/build.gradle +++ b/local-build-plugins/build.gradle @@ -21,7 +21,7 @@ dependencies { implementation "jakarta.inject:jakarta.inject-api:2.0.0" - implementation 'io.smallrye:jandex:3.1.2' + implementation 'io.smallrye:jandex:3.3.1' implementation 'org.apache.httpcomponents:httpclient:4.5.13' implementation 'jakarta.json.bind:jakarta.json.bind-api:2.0.0' implementation 'jakarta.json:jakarta.json-api:2.0.1'