apache · malliaridis · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 21, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,83 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # 1. Security updates (daily, no PR limit)
+  # This configuration is used for security-critical dependency updates.
+  - package-ecosystem: "gradle"
+    directory: "/"
+    # Add target-branch as a workaround to allow two configurations of
+    # the same package-ecosystem, directory and branch
+    target-branch: main
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "[SECURITY]"
+    labels:
+      - "dependencies"
+      - "cat:security"
+    groups:
+      all-dependencies:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  # 2. Non-security updates (bi-weekly, max 100 PRs)
+  # This configuration is used for regular dependency updates.
+  - package-ecosystem: "gradle"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day:
+        - "tuesday"
+        - "friday"
+    commit-message:
+      prefix: "[DEPENDENCY]"
+    labels:
+      - "dependencies"
+    open-pull-requests-limit: 100
+    groups:
+      # Group calcite dependencies together in same PR
+      calcite:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.calcite*"
+      # Group httpcomponents dependencies together in same PR
+      httpcomponents:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.httpcomponents*"
+      all-dependencies:
+        applies-to: version-updates
+        patterns:
+          - "*"
+    ignore:
+      # Ignore noisy dependencies in weekly checks
+      # TODO Enable ignores after https://github.com/dependabot/dependabot-core/issues/1778
+      #- dependency-name: "software.amazon.awssdk*"
+      #- dependency-name: "com.google.cloud*"
+      # Ignore major version upgrades for Jetty (requires manual update)
+      - dependency-name: "org.eclipse.jetty*"
+        update-types: ["version-update:semver-major"]
+
+  # TODO Enable "noisy updates" configuration once
+  # https://github.com/dependabot/dependabot-core/issues/1778 is fixed
+
+  # 3. Noisy non-security updates (monthly, max 100 PRs)
+  # This configuration is used for all dependencies with very frequent updates.
+#  - package-ecosystem: "gradle"
+#    directory: "/"
+#    schedule:
+#      interval: "monthly"
+#    commit-message:
+#      prefix: "[DEPENDENCY]"
+#    labels:
+#      - "dependencies"
+#    open-pull-requests-limit: 100
+#    allow:
+#      #  Dependencies added here have to be ignored in 2. configuration
+#      - dependency-name: "software.amazon.awssdk*"
+#      - dependency-name: "com.google.cloud*"
diff --git a/.github/renovate.json b/.github/renovate.json
diff --git a/.github/workflows/gradle-precommit.yml b/.github/workflows/gradle-precommit.yml
@@ -1,23 +1,91 @@
 name: Gradle Precommit
 
-on: 
+on:
   pull_request:
     branches:
       - 'main'
       - 'branch_*'
 
 jobs:
+  # Dependabot job that runs only for dependabot PRs
+  # This job is writing locks, updates checksums, and commits the changes on the dependabot PRs.
+  lockAndVerify:
+    name: Lock and verify
+
+    runs-on: ubuntu-latest
+
+    # Run only on dependabot PRs (see dependabot-actions.yml)
+    if: github.actor == 'dependabot[bot]'
+
+    env:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
+
+    # Give the default GITHUB_TOKEN write permission to commit
+    # and push the changed files back to the repository.
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 21
+          java-package: jdk
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+
+      - name: Use Gradle cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-precommit-${{ hashFiles('versions.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-precommit-
+            ${{ runner.os }}-gradle-
+
+      - name: Write locks
+        run: ./gradlew writeLocks
+
+      - name: Update licenses / checksums
+        run: ./gradlew updateLicenses
+
+      - name: Commit and push changes
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add .
+          git commit -m "Write locks and update checksums"
+          git push origin ${{ github.head_ref }}
+
   test:
     name: gradle check
 
     runs-on: ubuntu-latest
 
+    # Run after "dependabot" job, regardless if skipped or successful
+    needs: lockAndVerify
+    if: always()
+
     env:
       DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
 
     steps:
     # Setup
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.head_ref }}
+        fetch-depth: 0
 
     - name: Set up JDK
       uses: actions/setup-java@v4