chore(ci): expand dependabot coverage and add Java/Android CI#66
Merged
Conversation
…workflows Close gaps where dep bumps were either never proposed or merged without a CI gate: - dependabot.yml: add npm entries for vue/* and node/*, maven entries for java/*, nuget entries for dotnet/* - test-java.yml: new workflow auto-discovers pom.xml, runs `mvn -B verify` on JDK 21 — gates maven bumps before auto-merge - test-android.yml: new workflow builds RN Android (assembleDebug) so RN bumps have a native build gate even though they're manual-review only - dependabot-auto-merge.yml: exclude /samples/react-native/* — RN bumps can change native autolinking that `tsc --noEmit` doesn't catch Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously every workflow triggered on `samples/**`, so a bump in one
framework rebuilt every other framework's matrix. Path filters now match
only the framework each workflow tests:
- test-android: samples/react-native/** + samples/android/**
- test-java: samples/java/**
- test-dotnet: samples/dotnet/**
- test-js: samples/{react,angular,vue,node,react-native}/**
Each workflow also re-triggers when its own file changes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Expands Dependabot coverage across additional sample frameworks (Vue/Node/Java/.NET) and introduces new CI workflows to gate dependency updates with Java Maven verification and React Native Android builds, while preventing auto-merge for React Native updates.
Changes:
- Add
test-java.ymlto discover Maven projects undersamples/**and runmvn -B verifyon each. - Add
test-android.ymlto discover Android Gradle wrapper projects undersamples/**and run./gradlew assembleDebug(including JS dependency install for RN samples). - Update Dependabot + auto-merge rules to cover new ecosystems/directories and exclude React Native directories from patch/minor auto-merge.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/test-java.yml | New CI workflow to matrix-discover pom.xml projects under samples/** and run Maven verify. |
| .github/workflows/test-android.yml | New CI workflow to matrix-discover Android projects under samples/** and build assembleDebug (RN-aware setup). |
| .github/workflows/dependabot-auto-merge.yml | Excludes Dependabot PRs targeting /samples/react-native/** from patch/minor auto-approval/auto-merge. |
| .github/dependabot.yml | Adds Dependabot entries for Vue/Node/React Native (manual review), Maven (Java), and NuGet (.NET) sample directories. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
OpenSAML 4.x (transitive dep of spring-security-saml2-service-provider) is hosted on build.shibboleth.net, not Maven Central — without this repo declared, dependency resolution fails on a clean cache (e.g. CI). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- test-android.yml: install Android SDK 36 / build-tools 36.0.0 to match the RN samples' compileSdkVersion = 36 (was 35, would fail clean runner) - dependabot.yml: clarify that RN auto-merge exclusion is directory-based in the auto-merge workflow, not label-based Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ksroda-sa
requested review from
artursmolarek,
dfranco-sa,
jgutikonda-sa,
jkotiuk,
justintvnguyen,
lgonczarik and
rharasani-sa
jkotiuk
approved these changes
May 4, 2026
ikawalec
approved these changes
May 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
vue/*andnode/*, maven entries forjava/*, nuget entries fordotnet/*— these frameworks were never receiving automated bumpstest-java.ymlso maven bumps have a build+test gate before auto-merge (Temurin JDK 21,mvn -B verify, auto-discovers everypom.xml)test-android.ymlbuilding RN AndroidassembleDebug, so RN bumps have a native build gate even though they remain manual-review/samples/react-native/*from dependabot auto-merge —tsc --noEmitcan't catch native autolinking / API-shape breakageCoverage matrix after this PR
🤖 Generated with Claude Code