From fe500edeb9fc6a7b1d31c5a6c933e05fc08788ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamila=20=C5=9Aroda?= Date: Mon, 4 May 2026 14:14:01 +0200 Subject: [PATCH 1/4] chore(ci): expand dependabot coverage and add test-java/test-android workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Close gaps where dep bumps were either never proposed or merged without a CI gate: - dependabot.yml: add npm entries for vue/* and node/*, maven entries for java/*, nuget entries for dotnet/* - test-java.yml: new workflow auto-discovers pom.xml, runs `mvn -B verify` on JDK 21 — gates maven bumps before auto-merge - test-android.yml: new workflow builds RN Android (assembleDebug) so RN bumps have a native build gate even though they're manual-review only - dependabot-auto-merge.yml: exclude /samples/react-native/* — RN bumps can change native autolinking that `tsc --noEmit` doesn't catch Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 135 ++++++++++++++++++++ .github/workflows/dependabot-auto-merge.yml | 13 +- .github/workflows/test-android.yml | 104 +++++++++++++++ .github/workflows/test-java.yml | 46 +++++++ 4 files changed, 296 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/test-android.yml create mode 100644 .github/workflows/test-java.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 10e0c0f..0bebf22 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -40,6 +40,81 @@ updates: commit-message: prefix: "deps" + - package-ecosystem: "npm" + directory: "/samples/vue/login-pkce" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "npm" + directory: "/samples/vue/token-refresh" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "npm" + directory: "/samples/node/login-auth-code" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "npm" + directory: "/samples/node/saml-sp-login" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "npm" + directory: "/samples/node/token-refresh" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + # React Native samples — labelled "manual-review" so the auto-merge workflow + # skips them. Dep bumps here can break native autolinking / API shapes that + # `tsc --noEmit` doesn't catch; require human eyes on every update. + - package-ecosystem: "npm" + directory: "/samples/react-native/login-pkce" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "manual-review" + commit-message: + prefix: "deps" + + - package-ecosystem: "npm" + directory: "/samples/react-native/token-refresh" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "manual-review" + commit-message: + prefix: "deps" + - package-ecosystem: "npm" directory: "/scripts" schedule: 
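Review bot: The seven new npm stanzas here (and the six maven/nuget stanzas in the next hunk) differ only in `directory`, so every future change to `open-pull-requests-limit`, `labels` or `commit-message` has to be repeated thirteen times and the entries will drift. Dependabot accepts a `directories:` list on a single entry; if the repository's Dependabot supports it, the five non-React-Native npm samples collapse into one entry and the two React Native samples into a second one carrying the extra label, with the same effect on the PRs produced. Before collapsing, check how `open-pull-requests-limit` is applied across a multi-directory entry so the per-sample cap you intend is preserved.
```yaml
  - package-ecosystem: "npm"
    directories:
      - "/samples/vue/login-pkce"
      - "/samples/vue/token-refresh"
      - "/samples/node/login-auth-code"
      - "/samples/node/saml-sp-login"
      - "/samples/node/token-refresh"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
  # … unchanged: React Native entries (same shape, plus the "manual-review" label) and the /scripts entry …
```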
@@ -50,6 +125,66 @@ updates: commit-message: prefix: "deps" + - package-ecosystem: "maven" + directory: "/samples/java/login-auth-code" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "maven" + directory: "/samples/java/saml-sp-login" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "maven" + directory: "/samples/java/token-refresh" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "nuget" + directory: "/samples/dotnet/login-auth-code" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "nuget" + directory: "/samples/dotnet/saml-sp-login" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + + - package-ecosystem: "nuget" + directory: "/samples/dotnet/token-refresh" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + commit-message: + prefix: "deps" + - package-ecosystem: "github-actions" directory: "/" schedule: diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index debe7fb..f04fa51 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml 
@@ -17,13 +17,22 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Approve PR - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + # Auto-merge patch + minor updates EXCEPT for React Native samples. + # RN dep bumps can change native autolinking / API shapes that + # `tsc --noEmit` doesn't catch — require manual review. + if: | + (steps.metadata.outputs.update-type == 'version-update:semver-patch' || + steps.metadata.outputs.update-type == 'version-update:semver-minor') && + !startsWith(steps.metadata.outputs.directory, '/samples/react-native') run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GH_SERVICE_ACCOUNT_DEVOPS_1_PAT1 }} - name: Enable auto-merge - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + if: | + (steps.metadata.outputs.update-type == 'version-update:semver-patch' || + steps.metadata.outputs.update-type == 'version-update:semver-minor') && + !startsWith(steps.metadata.outputs.directory, '/samples/react-native') run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} diff --git a/.github/workflows/test-android.yml b/.github/workflows/test-android.yml new file mode 100644 index 0000000..e96aad7 --- /dev/null +++ b/.github/workflows/test-android.yml 
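Review bot: `gh pr merge --auto` merges as soon as the checks that branch protection marks as required have passed, so the test-java and test-android workflows added in this series only gate maven and Android bumps if their jobs are registered as required status checks; otherwise a semver-minor maven bump is approved and merged by these two steps without `mvn -B verify` ever having to pass. Worth confirming the required-checks list (branch protection or ruleset) names the new jobs, and recording that dependency in a comment above the approve step, e.g. `# --auto merges once the *required* checks pass; test-* jobs must be required in branch protection for them to gate.` The React Native exclusion could also be tightened to `!startsWith(steps.metadata.outputs.directory, '/samples/react-native/')` so a future `/samples/react-native-web` directory is not silently excluded as well. The enclosing job and the `fetch-metadata` step that produces `steps.metadata.outputs.directory` start outside the hunk.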
@@ -0,0 +1,104 @@ +name: Test Android Builds + +on: + push: + paths: + - "samples/**/android/**" + - "samples/**/package.json" + - "samples/**/yarn.lock" + - ".github/workflows/test-android.yml" + pull_request: + paths: + - "samples/**/android/**" + - "samples/**/package.json" + - "samples/**/yarn.lock" + - ".github/workflows/test-android.yml" + schedule: + - cron: "0 9 * * 1" + workflow_dispatch: + +permissions: + contents: read + +jobs: + find-projects: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.find.outputs.matrix }} + steps: + - uses: actions/checkout@v6 + - id: find + # Discover any sample with an Android Gradle wrapper. Today: react-native + # samples; future: native android samples will surface automatically. + run: | + DIRS=$(find samples -name "gradlew" -not -path "*/node_modules/*" -not -path "*/build/*" -exec dirname {} \; 2>/dev/null \ + | sort | jq -R -s -c 'split("\n") | map(select(. != ""))') + echo "matrix=$DIRS" >> "$GITHUB_OUTPUT" + + build: + needs: find-projects + if: ${{ needs.find-projects.outputs.matrix != '[]' }} + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + android_dir: ${{ fromJson(needs.find-projects.outputs.matrix) }} + steps: + - uses: actions/checkout@v6 + + - name: Set up JDK 17 + uses: actions/setup-java@v5 + with: + distribution: "temurin" + java-version: "17" + + - name: Set up Android SDK + uses: android-actions/setup-android@v3 + with: + packages: "platform-tools platforms;android-35 build-tools;35.0.0" + + # React Native samples need their JS deps installed first so autolinking + # can resolve native modules from node_modules. Detect by walking up to + # the directory that owns package.json. + - uses: actions/setup-node@v6 + with: + node-version: "22" + - name: Enable Corepack + run: corepack enable + + - name: Install JS dependencies (RN samples) + run: | + # ${{ matrix.android_dir }} is e.g. "samples/react-native/login-pkce/android". 
+ # Walk up until we find a package.json or hit the repo root. + dir="${{ matrix.android_dir }}" + while [ "$dir" != "." ] && [ "$dir" != "/" ]; do + if [ -f "$dir/package.json" ]; then + echo "Installing JS deps in $dir" + (cd "$dir" && yarn install --immutable) + break + fi + dir=$(dirname "$dir") + done + + - name: Generate debug keystore + # The committed sample doesn't ship debug.keystore (gitignored). + # Generate a throwaway one so Gradle's `validateSigningDebug` passes. + run: | + keytool -genkeypair -v \ + -keystore "${{ matrix.android_dir }}/app/debug.keystore" \ + -storepass android -alias androiddebugkey -keypass android \ + -keyalg RSA -keysize 2048 -validity 10000 \ + -dname "CN=Android Debug,O=Android,C=US" + + - name: Cache Gradle + uses: actions/cache@v4 + with: + path: | + ~/.gradle/caches + ~/.gradle/wrapper + key: gradle-${{ runner.os }}-${{ hashFiles(format('{0}/gradle/wrapper/gradle-wrapper.properties', matrix.android_dir), format('{0}/build.gradle*', matrix.android_dir), format('{0}/app/build.gradle*', matrix.android_dir)) }} + restore-keys: gradle-${{ runner.os }}- + + - name: assembleDebug + working-directory: ${{ matrix.android_dir }} + run: ./gradlew assembleDebug --no-daemon diff --git a/.github/workflows/test-java.yml b/.github/workflows/test-java.yml new file mode 100644 index 0000000..afa562e --- /dev/null +++ b/.github/workflows/test-java.yml 
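Review bot: `${{ matrix.android_dir }}` is expanded directly into the shell scripts of the "Install JS dependencies" and "Generate debug keystore" steps (`dir="${{ matrix.android_dir }}"`, `-keystore "${{ matrix.android_dir }}/app/debug.keystore"`), and the matrix is built from directory names discovered in the checked-out tree, so text from a pull request's directory layout ends up inside the runner's script rather than being treated as data. `permissions: contents: read` keeps the blast radius small, but the standard hardening is to pass the value through `env:` and reference `"$ANDROID_DIR"` in the script; `working-directory: ${{ matrix.android_dir }}` is not shell-expanded and can stay as is. Separately, `android-actions/setup-android@v3` is a third-party action referenced by a mutable tag; pinning it to a commit SHA (which the `github-actions` Dependabot entry will keep bumping) is the usual supply-chain measure.
```yaml
      - name: Install JS dependencies (RN samples)
        env:
          ANDROID_DIR: ${{ matrix.android_dir }}
        run: |
          # ANDROID_DIR is e.g. "samples/react-native/login-pkce/android".
          # Walk up until we find a package.json or hit the repo root.
          dir="$ANDROID_DIR"
          # … unchanged: package.json walk-up loop …

      - name: Generate debug keystore
        env:
          ANDROID_DIR: ${{ matrix.android_dir }}
        run: |
          keytool -genkeypair -v \
            -keystore "$ANDROID_DIR/app/debug.keystore" \
            # … unchanged: remaining keytool flags …
```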
@@ -0,0 +1,46 @@ +name: Test Java Frameworks + +on: + push: + paths: + - "samples/**" + pull_request: + paths: + - "samples/**" + schedule: + - cron: "0 8 * * 1" + workflow_dispatch: + +permissions: + contents: read + +jobs: + find-projects: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.find.outputs.matrix }} + steps: + - uses: actions/checkout@v6 + - id: find + run: | + DIRS=$(find samples -name "pom.xml" -not -path "*/target/*" -not -path "*/node_modules/*" -exec dirname {} \; 2>/dev/null | sort | jq -R -s -c 'split("\n") | map(select(. != ""))') + echo "matrix=$DIRS" >> "$GITHUB_OUTPUT" + + test: + needs: find-projects + if: ${{ needs.find-projects.outputs.matrix != '[]' }} + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + project: ${{ fromJson(needs.find-projects.outputs.matrix) }} + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-java@v5 + with: + distribution: "temurin" + java-version: "21" + cache: "maven" + - name: Build and test + working-directory: ${{ matrix.project }} + run: mvn -B verify From 37a3301b47892bfc5f47182e31a7d5818afaccaf Mon Sep 17 00:00:00 2001 
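Review bot: The `find … | jq` pipeline in the `find` step is one very long line, whereas the equivalent discovery step in test-android.yml breaks it with `\` continuations and carries a comment saying what is being discovered; matching that layout here keeps the two workflows readable side by side. A comment such as `# Discover every Maven module under samples/ (skipping build output and node_modules).` above `run:` would document the step. In the `Build and test` step, `mvn -B -ntp verify` would also keep transfer-progress noise out of the CI log.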
From: =?UTF-8?q?Kamila=20=C5=9Aroda?= Date: Mon, 4 May 2026 14:26:49 +0200 Subject: [PATCH 2/4] chore(ci): narrow workflow path filters to per-framework subtrees Previously every workflow triggered on `samples/**`, so a bump in one framework rebuilt every other framework's matrix. Path filters now match only the framework each workflow tests: - test-android: samples/react-native/** + samples/android/** - test-java: samples/java/** - test-dotnet: samples/dotnet/** - test-js: samples/{react,angular,vue,node,react-native}/** Each workflow also re-triggers when its own file changes. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test-android.yml | 10 ++++------ .github/workflows/test-dotnet.yml | 6 ++++-- .github/workflows/test-java.yml | 6 ++++-- .github/workflows/test-js.yml | 14 ++++++++++++-- 4 files changed, 24 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test-android.yml b/.github/workflows/test-android.yml index e96aad7..6e397b2 100644 --- a/.github/workflows/test-android.yml +++ b/.github/workflows/test-android.yml @@ -3,15 +3,13 @@ name: Test Android Builds on: push: paths: - - "samples/**/android/**" - - "samples/**/package.json" - - "samples/**/yarn.lock" + - "samples/react-native/**" + - "samples/android/**" - ".github/workflows/test-android.yml" pull_request: paths: - - "samples/**/android/**" - - "samples/**/package.json" - - "samples/**/yarn.lock" + - "samples/react-native/**" + - "samples/android/**" - ".github/workflows/test-android.yml" schedule: - cron: "0 9 * * 1" diff --git a/.github/workflows/test-dotnet.yml b/.github/workflows/test-dotnet.yml index ad27138..eea8d5f 100644 --- a/.github/workflows/test-dotnet.yml +++ b/.github/workflows/test-dotnet.yml 
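Review bot: With `paths` narrowed, a pull request outside the listed subtrees no longer runs this workflow at all, and a path-skipped workflow reports no status for the PR; if the `build` job is a required status check, such PRs stay blocked on an "Expected" check instead of passing (this is documented GitHub behaviour, and the same applies to the test-dotnet, test-java and test-js hunks in this commit). If these jobs are meant to be required, the usual remedy is a companion workflow with the same job name using `paths-ignore` with the identical patterns that simply succeeds; if they are not required, the narrowing is fine and only worth a comment above `on:` noting that the filter is intentional and that `find-projects` still scans all of `samples/` for `gradlew`.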
@@ -3,10 +3,12 @@ name: Test .NET Frameworks on: push: paths: - - "samples/**" + - "samples/dotnet/**" + - ".github/workflows/test-dotnet.yml" pull_request: paths: - - "samples/**" + - "samples/dotnet/**" + - ".github/workflows/test-dotnet.yml" schedule: - cron: "0 8 * * 1" workflow_dispatch: diff --git a/.github/workflows/test-java.yml b/.github/workflows/test-java.yml index afa562e..a87dea9 100644 --- a/.github/workflows/test-java.yml +++ b/.github/workflows/test-java.yml @@ -3,10 +3,12 @@ name: Test Java Frameworks on: push: paths: - - "samples/**" + - "samples/java/**" + - ".github/workflows/test-java.yml" pull_request: paths: - - "samples/**" + - "samples/java/**" + - ".github/workflows/test-java.yml" schedule: - cron: "0 8 * * 1" workflow_dispatch: diff --git a/.github/workflows/test-js.yml b/.github/workflows/test-js.yml index 2e9147e..772f718 100644 --- a/.github/workflows/test-js.yml +++ b/.github/workflows/test-js.yml @@ -3,10 +3,20 @@ name: Test JS Frameworks on: push: paths: - - "samples/**" + - "samples/react/**" + - "samples/angular/**" + - "samples/vue/**" + - "samples/node/**" + - "samples/react-native/**" + - ".github/workflows/test-js.yml" pull_request: paths: - - "samples/**" + - "samples/react/**" + - "samples/angular/**" + - "samples/vue/**" + - "samples/node/**" + - "samples/react-native/**" + - ".github/workflows/test-js.yml" schedule: - cron: "0 8 * * 1" workflow_dispatch: From b28e8228a5106e67497232e8d9a688024467dc79 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Kamila=20=C5=9Aroda?= Date: Mon, 4 May 2026 14:29:45 +0200 Subject: [PATCH 3/4] fix(java): declare Shibboleth repo in saml-sp-login pom MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenSAML 4.x (transitive dep of spring-security-saml2-service-provider) is hosted on build.shibboleth.net, not Maven Central — without this repo declared, dependency resolution fails on a clean cache (e.g. CI). Co-Authored-By: Claude Opus 4.7 (1M context) --- samples/java/saml-sp-login/pom.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/samples/java/saml-sp-login/pom.xml b/samples/java/saml-sp-login/pom.xml index 43af75e..51f2a8c 100644 --- a/samples/java/saml-sp-login/pom.xml +++ b/samples/java/saml-sp-login/pom.xml @@ -20,6 +20,15 @@ 21 + + + + shibboleth + https://build.shibboleth.net/maven/releases/ + + + org.springframework.boot From 7dd0917047f216a36eb475dc41f0abae778d7634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamila=20=C5=9Aroda?= Date: Mon, 4 May 2026 14:34:19 +0200 Subject: [PATCH 4/4] chore(ci): address copilot feedback on dependabot/android workflow - test-android.yml: install Android SDK 36 / build-tools 36.0.0 to match the RN samples' compileSdkVersion = 36 (was 35, would fail clean runner) - dependabot.yml: clarify that RN auto-merge exclusion is directory-based in the auto-merge workflow, not label-based Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 8 +++++--- .github/workflows/test-android.yml | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0bebf22..35750bc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
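Review bot: The new `shibboleth` `<repository>` is declared with only an `<id>` and `<url>`, and I believe Maven consults pom-declared repositories ahead of the implicit Central for any artifact missing from the local cache, so `https://build.shibboleth.net/maven/releases/` is asked for every dependency of this sample, snapshots included, not just OpenSAML. Restricting it to releases narrows that: add `<snapshots><enabled>false</enabled></snapshots>` inside the `<repository>` element. A short XML comment stating why the repository is needed (OpenSAML 4.x is not on Central) keeps the next reader from removing it. The enclosing `<project>` element starts and ends outside the hunk.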
@@ -90,9 +90,11 @@ updates: commit-message: prefix: "deps" - # React Native samples — labelled "manual-review" so the auto-merge workflow - # skips them. Dep bumps here can break native autolinking / API shapes that - # `tsc --noEmit` doesn't catch; require human eyes on every update. + # React Native samples — the auto-merge workflow excludes + # /samples/react-native/* by directory match, so bumps here always require + # human review. Dep bumps can break native autolinking / API shapes that + # `tsc --noEmit` doesn't catch. The "manual-review" label is informational + # only (the workflow filter is directory-based, not label-based). - package-ecosystem: "npm" directory: "/samples/react-native/login-pkce" schedule: diff --git a/.github/workflows/test-android.yml b/.github/workflows/test-android.yml index 6e397b2..63f0ac8 100644 --- a/.github/workflows/test-android.yml +++ b/.github/workflows/test-android.yml @@ -53,7 +53,7 @@ jobs: - name: Set up Android SDK uses: android-actions/setup-android@v3 with: - packages: "platform-tools platforms;android-35 build-tools;35.0.0" + packages: "platform-tools platforms;android-36 build-tools;36.0.0" # React Native samples need their JS deps installed first so autolinking # can resolve native modules from node_modules. Detect by walking up to
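Review bot: `platforms;android-36 build-tools;36.0.0` is now hard-coded in the workflow while the value it has to match lives in the samples' Gradle configuration, so the next React Native bump that raises `compileSdkVersion` will fail this job with nothing pointing at the cause. A comment on the `packages:` line, e.g. `# Must match compileSdkVersion in the RN samples' Gradle config — bump both together.`, ties the two together; reading the SDK level out of the Gradle file in the `find-projects` step would remove the duplication entirely but is a larger change. The enclosing `build` job starts outside the hunk.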