chore(ci): expand dependabot coverage and add Java/Android CI

.github/dependabot.yml

@@ -40,6 +40,83 @@ updates:
     commit-message:
       prefix: "deps"
 
+  - package-ecosystem: "npm"
+    directory: "/samples/vue/login-pkce"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "npm"
+    directory: "/samples/vue/token-refresh"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "npm"
+    directory: "/samples/node/login-auth-code"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "npm"
+    directory: "/samples/node/saml-sp-login"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "npm"
+    directory: "/samples/node/token-refresh"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  # React Native samples — the auto-merge workflow excludes
+  # /samples/react-native/* by directory match, so bumps here always require
+  # human review. Dep bumps can break native autolinking / API shapes that
+  # `tsc --noEmit` doesn't catch. The "manual-review" label is informational
+  # only (the workflow filter is directory-based, not label-based).
+  - package-ecosystem: "npm"
+    directory: "/samples/react-native/login-pkce"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "manual-review"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "npm"
+    directory: "/samples/react-native/token-refresh"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "manual-review"
+    commit-message:
+      prefix: "deps"
+
   - package-ecosystem: "npm"
     directory: "/scripts"
     schedule:
@@ -50,6 +127,66 @@ updates:
     commit-message:
       prefix: "deps"
 
+  - package-ecosystem: "maven"
+    directory: "/samples/java/login-auth-code"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "maven"
+    directory: "/samples/java/saml-sp-login"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "maven"
+    directory: "/samples/java/token-refresh"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "nuget"
+    directory: "/samples/dotnet/login-auth-code"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "nuget"
+    directory: "/samples/dotnet/saml-sp-login"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "nuget"
+    directory: "/samples/dotnet/token-refresh"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/dependabot-auto-merge.yml

@@ -17,13 +17,22 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Approve PR
-        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        # Auto-merge patch + minor updates EXCEPT for React Native samples.
+        # RN dep bumps can change native autolinking / API shapes that
+        # `tsc --noEmit` doesn't catch — require manual review.
+        if: |
+          (steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+           steps.metadata.outputs.update-type == 'version-update:semver-minor') &&
+          !startsWith(steps.metadata.outputs.directory, '/samples/react-native')
         run: gh pr review --approve "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GH_SERVICE_ACCOUNT_DEVOPS_2_PAT1 }}
       - name: Enable auto-merge
-        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        if: |
+          (steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+           steps.metadata.outputs.update-type == 'version-update:semver-minor') &&
+          !startsWith(steps.metadata.outputs.directory, '/samples/react-native')
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}

.github/workflows/test-android.yml

@@ -0,0 +1,102 @@
+name: Test Android Builds
+
+on:
+  push:
+    paths:
+      - "samples/react-native/**"
+      - "samples/android/**"
+      - ".github/workflows/test-android.yml"
+  pull_request:
+    paths:
+      - "samples/react-native/**"
+      - "samples/android/**"
+      - ".github/workflows/test-android.yml"
+  schedule:
+    - cron: "0 9 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  find-projects:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.find.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v6
+      - id: find
+        # Discover any sample with an Android Gradle wrapper. Today: react-native
+        # samples; future: native android samples will surface automatically.
+        run: |
+          DIRS=$(find samples -name "gradlew" -not -path "*/node_modules/*" -not -path "*/build/*" -exec dirname {} \; 2>/dev/null \
+            | sort | jq -R -s -c 'split("\n") | map(select(. != ""))')
+          echo "matrix=$DIRS" >> "$GITHUB_OUTPUT"
+
+  build:
+    needs: find-projects
+    if: ${{ needs.find-projects.outputs.matrix != '[]' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        android_dir: ${{ fromJson(needs.find-projects.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v5
+        with:
+          distribution: "temurin"
+          java-version: "17"
+
+      - name: Set up Android SDK
+        uses: android-actions/setup-android@v3
+        with:
+          packages: "platform-tools platforms;android-36 build-tools;36.0.0"
+
+      # React Native samples need their JS deps installed first so autolinking
+      # can resolve native modules from node_modules. Detect by walking up to
+      # the directory that owns package.json.
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "22"
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Install JS dependencies (RN samples)
+        run: |
+          # ${{ matrix.android_dir }} is e.g. "samples/react-native/login-pkce/android".
+          # Walk up until we find a package.json or hit the repo root.
+          dir="${{ matrix.android_dir }}"
+          while [ "$dir" != "." ] && [ "$dir" != "/" ]; do
+            if [ -f "$dir/package.json" ]; then
+              echo "Installing JS deps in $dir"
+              (cd "$dir" && yarn install --immutable)
+              break
+            fi
+            dir=$(dirname "$dir")
+          done
+
+      - name: Generate debug keystore
+        # The committed sample doesn't ship debug.keystore (gitignored).
+        # Generate a throwaway one so Gradle's `validateSigningDebug` passes.
+        run: |
+          keytool -genkeypair -v \
+            -keystore "${{ matrix.android_dir }}/app/debug.keystore" \
+            -storepass android -alias androiddebugkey -keypass android \
+            -keyalg RSA -keysize 2048 -validity 10000 \
+            -dname "CN=Android Debug,O=Android,C=US"
+
+      - name: Cache Gradle
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: gradle-${{ runner.os }}-${{ hashFiles(format('{0}/gradle/wrapper/gradle-wrapper.properties', matrix.android_dir), format('{0}/build.gradle*', matrix.android_dir), format('{0}/app/build.gradle*', matrix.android_dir)) }}
+          restore-keys: gradle-${{ runner.os }}-
+
+      - name: assembleDebug
+        working-directory: ${{ matrix.android_dir }}
+        run: ./gradlew assembleDebug --no-daemon

.github/workflows/test-dotnet.yml

@@ -3,10 +3,12 @@ name: Test .NET Frameworks
 on:
   push:
     paths:
-      - "samples/**"
+      - "samples/dotnet/**"
+      - ".github/workflows/test-dotnet.yml"
   pull_request:
     paths:
-      - "samples/**"
+      - "samples/dotnet/**"
+      - ".github/workflows/test-dotnet.yml"
   schedule:
     - cron: "0 8 * * 1"
   workflow_dispatch:

.github/workflows/test-java.yml

@@ -0,0 +1,48 @@
+name: Test Java Frameworks
+
+on:
+  push:
+    paths:
+      - "samples/java/**"
+      - ".github/workflows/test-java.yml"
+  pull_request:
+    paths:
+      - "samples/java/**"
+      - ".github/workflows/test-java.yml"
+  schedule:
+    - cron: "0 8 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  find-projects:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.find.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v6
+      - id: find
+        run: |
+          DIRS=$(find samples -name "pom.xml" -not -path "*/target/*" -not -path "*/node_modules/*" -exec dirname {} \; 2>/dev/null | sort | jq -R -s -c 'split("\n") | map(select(. != ""))')
+          echo "matrix=$DIRS" >> "$GITHUB_OUTPUT"
+
+  test:
+    needs: find-projects
+    if: ${{ needs.find-projects.outputs.matrix != '[]' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project: ${{ fromJson(needs.find-projects.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-java@v5
+        with:
+          distribution: "temurin"
+          java-version: "21"
+          cache: "maven"
+      - name: Build and test
+        working-directory: ${{ matrix.project }}
+        run: mvn -B verify

.github/workflows/test-js.yml

@@ -3,10 +3,20 @@ name: Test JS Frameworks
 on:
   push:
     paths:
-      - "samples/**"
+      - "samples/react/**"
+      - "samples/angular/**"
+      - "samples/vue/**"
+      - "samples/node/**"
+      - "samples/react-native/**"
+      - ".github/workflows/test-js.yml"
   pull_request:
     paths:
-      - "samples/**"
+      - "samples/react/**"
+      - "samples/angular/**"
+      - "samples/vue/**"
+      - "samples/node/**"
+      - "samples/react-native/**"
+      - ".github/workflows/test-js.yml"
   schedule:
     - cron: "0 8 * * 1"
   workflow_dispatch:

samples/java/saml-sp-login/pom.xml

@@ -20,6 +20,15 @@
         <java.version>21</java.version>
     </properties>
 
+    <!-- OpenSAML (transitive dep of spring-security-saml2-service-provider) is
+         hosted on Shibboleth's repo, not Maven Central. -->
+    <repositories>
+        <repository>
+            <id>shibboleth</id>
+            <url>https://build.shibboleth.net/maven/releases/</url>
+        </repository>
+    </repositories>
+
     <dependencies>
         <dependency>
             <groupId>org.springframework.boot</groupId>