-
Notifications
You must be signed in to change notification settings - Fork 244
/
Copy pathdependabot.yml
192 lines (191 loc) · 9.23 KB
/
dependabot.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
registries:
dockerhub:
type: docker-registry
url: https://registry.hub.docker.com
username: ${{secrets.DOCKERHUB_USERNAME}}
password: ${{secrets.DOCKERHUB_TOKEN}}
replaces-base: true
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "weekly"
day: "tuesday"
assignees: ["marko-bekhta"]
# We don't trigger Jenkins or GitHub Actions builds on pull requests from dependabot,
# so we can safely use a high limit here.
open-pull-requests-limit: 20
groups:
# This group combines all build-only dependencies. Published artifacts do not depend on them.
# Grouping such dependencies will make Dependabot create PRs with a branch name
# following the pattern (`dependabot/maven/build-dependencies-.*`)
# and with a title like `Bump the build-dependencies group with 8 updates` that we can easily
# use for Hibernate Bot rules.
build-dependencies:
patterns:
# Maven extensions:
- "*-maven-extension"
- "org.hibernate.infra.develocity:*"
# Maven plugins:
- "*maven*plugin*"
- "org.apache.maven*:*"
- "*surefire*"
- "*forbiddenapis*"
- "*owasp*"
- "io.github.gitflow-incremental-builder:*"
- "com.puppycrawl.tools:*"
# DB drivers:
- "com.h2database:h2"
- "org.apache.derby:derby"
- "org.postgresql:postgresql"
- "org.mariadb.jdbc:mariadb-java-client"
- "com.mysql:mysql-connector-j"
- "com.ibm.db2:jcc"
- "com.oracle.database.jdbc:ojdbc*"
- "com.microsoft.sqlserver:mssql-jdbc"
# Other test dependencies
- "org.apache.groovy:groovy-jsr223" # used for scripting maven plugin
- "org.apache.commons:commons-lang3" # used in hibernate-search-util-common tests
- "org.apache.commons:commons-math3" # used to solve dependency convergence for Wiremock
- "org.openjdk.jmh:*" # performance testing dependency
- "com.google.guava:guava" # Guava is used in our test utils
- "org.asciidoctor:*" # Asciidoctor is used for rendering the documentation
- "org.jboss.marshalling:jboss-marshalling" # JBeret IT dependency
- "org.wildfly.security:wildfly-security-manager" # JBeret IT dependency
- "org.springframework.boot:*" # Spring is only for ITs
- "org.mockito:*"
- "org.hamcrest:*"
- "org.apache.logging.log4j:*"
- "org.assertj:*"
- "org.awaitility:*"
- "org.skyscreamer:*"
- "com.github.tomakehurst:*"
- "org.jsoup:*"
- "org.ow2.asm:*" # for Surefire/Failsafe plugins to support builds on latest JDKs
- "org.testcontainers:testcontainers-bom"
- "org.junit:*"
- "org.jboss.weld.se:*"
# Eclipse compiler
- "org.codehaus.plexus:*"
- "org.eclipse.jdt:*"
# We only use the version of WildFly for a link in the documentation
- "org.wildfly.bom:wildfly"
ignore:
# These dependencies are updated manually
- dependency-name: "org.hibernate:*"
- dependency-name: "org.hibernate.*:*"
# AWS SDK releases way too often (every week?); ignore all patch updates
- dependency-name: "software.amazon.awssdk:*"
update-types: ["version-update:semver-patch"]
# Groovy is only used during the build; ignore all patch updates
- dependency-name: "org.apache.groovy:groovy-jsr223"
update-types: [ "version-update:semver-patch" ]
# We don't care that much about being on the very latest version of some integration test dependencies
- dependency-name: "org.springframework.boot:*"
update-types: [ "version-update:semver-patch" ]
# We strictly align these dependencies on the version used in Hibernate ORM.
- dependency-name: "io.smallrye:jandex"
- dependency-name: "jakarta.persistence:jakarta.persistence-api"
- dependency-name: "jakarta.enterprise:jakarta.enterprise.cdi-api"
- dependency-name: "jakarta.xml.bind:jakarta.xml.bind-api"
- dependency-name: "net.bytebuddy:*"
# Because we stay on a particular version of CDI that matches the one in ORM
# we don't want always want to get the latest Weld version:
- dependency-name: "org.jboss.weld.se:*"
update-types: ["version-update:semver-major"]
# Sticking to Derby 10.15 for now since later versions require JDK 17+, and we need to test with JDK 11.
# See https://db.apache.org/derby/derby_downloads.html
- dependency-name: "org.apache.derby:*"
update-types: ["version-update:semver-major", "version-update:semver-minor"]
# This dependency uses classifiers (.jre11, -preview, ...) in its version, and dependabot can't decide which versions are relevant.
# See https://github.com/dependabot/dependabot-core/issues/4028
- dependency-name: "com.microsoft.sqlserver:mssql-jdbc"
# Sticking to SLF4J 1.x for now since later versions require to upgrade providers
# (Log4j, ... see https://www.slf4j.org/faq.html#changesInVersion200),
# and also because we only need this dependency for AWS SDK,
# which is currently still on SLF4J 1.x
# (see https://search.maven.org/artifact/software.amazon.awssdk/aws-sdk-java-pom/2.17.257/pom)
- dependency-name: "org.slf4j:*"
update-types: ["version-update:semver-major"]
# We only define a maven's minimum version, so we don't need it to be updated to the latest:
- dependency-name: "org.apache.maven:maven-core"
# We require JDK 11, so we don't need "-jdk8"
- dependency-name: "org.bsc.maven:maven-processor-plugin"
# Apparently patterns using wildcards are not supported here. Hopefully this will last until they drop these silly -jdk8 packages.
versions: ["5.0-jdk8", "5.1-jdk8", "5.2-jdk8", "5.3-jdk8", "5.4-jdk8", "5.5-jdk8", "5.6-jdk8", "5.7-jdk8", "5.8-jdk8", "5.9-jdk8"]
# We only use the major version of WildFly, and only for a link in the documentation
- dependency-name: "org.wildfly.bom:wildfly"
update-types: [ "version-update:semver-minor", "version-update:semver-patch" ]
# We ignore any plexus-compiler updates that are > 2.14.2 since that's the last version
# with which jboss-logging annotation processor can still work.
# To be removed once we update the AP to the one with a fix.
- dependency-name: "org.codehaus.plexus:*"
# Because of https://github.com/awaitility/awaitility/issues/277 :
- dependency-name: "org.awaitility:awaitility"
versions: [ "4.2.1" ]
# Enable updates after JDK 21 upgrade (as of jsonassert 1.5.2 it requires JDK 21)
- dependency-name: "org.skyscreamer:jsonassert"
# Because of https://github.com/apache/logging-log4j2/issues/3234
- dependency-name: "org.apache.logging.log4j:*"
versions: ["2.24.2"]
- package-ecosystem: "docker"
registries:
- dockerhub
# For dependabot to find Docker files they all should be in the same directory.
# Dependabot is picking any files that has `dockerfile` in them.
#
# This includes only Ryuk container, hence we want it to be checked/updated at the same time when our regular java dependencies are updated
directory: "/build/container/"
schedule:
interval: "weekly"
day: "tuesday"
assignees: ["marko-bekhta"]
groups:
# This group combines all build containers dependencies.
build-containers:
patterns:
# Include all:
- "*"
- package-ecosystem: "docker"
registries:
- dockerhub
# For dependabot to find Docker files they all should be in the same directory.
# Dependabot is picking any files that has `dockerfile` in them.
#
# This will only include database containers, hence we check for updates only once a month:
directory: "/build/container/database"
schedule:
interval: "monthly"
assignees: ["marko-bekhta"]
groups:
# This group combines all database containers dependencies.
database-containers:
patterns:
# Include all:
- "*"
- package-ecosystem: "docker"
registries:
- dockerhub
# For dependabot to find Docker files they all should be in the same directory.
# Dependabot is picking any files that has `dockerfile` in them.
directory: "/build/container/search-backend"
schedule:
interval: "daily"
assignees: ["marko-bekhta"]
groups:
# This group combines all search backends containers dependencies.
# We will still need to create specific tickets to address these updates and do some code changes,
# so we just want to get a notification from the bot that the new versions are available.
search-backend-containers:
patterns:
# Include all:
- "*"