build: switch to use bom (#75)

* build: switch to use bom

* chore: add history for autobuild

* ci: push version to bom on publish

* chore: update

Author: aaron-steinfeld

.github/workflows/codeql-analysis.yml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/publish.yml

@@ -4,7 +4,6 @@ on:
   release:
     types: 
       - created
-  workflow_dispatch:
 
 jobs:
   publish-artifacts:
@@ -24,5 +23,28 @@ jobs:
           ORG_GRADLE_PROJECT_maven_repo_url: ${{ secrets.HAR_REPO_URL }}
           ORG_GRADLE_PROJECT_maven_user: ${{ secrets.HAR_PUBLISH_USER }}
           ORG_GRADLE_PROJECT_maven_password: ${{ secrets.HAR_PUBLISH_TOKEN }}
+  post-publish-artifacts:
+    runs-on: ubuntu-24.04
+    needs: [ publish-artifacts ]
+    steps:
+      - name: Get Token from Github App
+        uses: tibdex/github-app-token@v2
+        id: generate-token
+        with:
+          app_id: ${{ secrets.GH_CI_APP_ID }}
+          private_key: ${{ secrets.GH_CI_APP_PRIVATE_KEY }}
+          repositories: >-
+            ["hypertrace-bom"]
+      - name: Auto upgrade BOM
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          repository: hypertrace/hypertrace-bom
+          event-type: upgrade-version
+          client-payload: |
+            {
+              "repository": "${{ github.repository }}",
+              "version": "${{ github.ref }}"
+            }
 
 

.github/workflows/update-locks.yml

@@ -0,0 +1,30 @@
+name: Update Locks
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '18 22 * * 1'
+jobs:
+  update-versions:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Calculate simple repository name
+        id: repo-basename
+        shell: bash
+        run: |
+          echo "value=`basename ${{ github.repository }}`" >> $GITHUB_OUTPUT
+      - name: Get Token from Github App
+        uses: tibdex/github-app-token@v2
+        id: generate-token
+        with:
+          app_id: ${{ secrets.GH_CI_APP_ID }}
+          private_key: ${{ secrets.GH_CI_APP_PRIVATE_KEY }}
+          repositories: >-
+            [${{ toJson(steps.repo-basename.outputs.value) }}]
+      - name: Update locks if needed
+        uses: hypertrace/github-actions/raise-lock-pr@main
+        with:
+          token: ${{ steps.generate-token.outputs.token }}

build.gradle.kts

@@ -2,17 +2,16 @@ import org.hypertrace.gradle.publishing.HypertracePublishExtension
 import org.hypertrace.gradle.publishing.License
 
 plugins {
-  id("org.hypertrace.repository-plugin") version "0.5.0"
-  id("org.hypertrace.ci-utils-plugin") version "0.4.0"
-  id("org.hypertrace.publish-plugin") version "1.1.1" apply false
-  id("org.hypertrace.jacoco-report-plugin") version "0.3.0" apply false
-  id("org.hypertrace.code-style-plugin") version "2.1.0" apply false
-  id("org.owasp.dependencycheck") version "12.1.0"
+  alias(commonLibs.plugins.hypertrace.repository)
+  alias(commonLibs.plugins.hypertrace.ciutils)
+  alias(commonLibs.plugins.hypertrace.codestyle) apply false
+  alias(commonLibs.plugins.hypertrace.publish) apply false
+  alias(commonLibs.plugins.owasp.dependencycheck)
 }
 
 subprojects {
   group = "org.hypertrace.core.grpcutils"
-  pluginManager.withPlugin("org.hypertrace.publish-plugin") {
+  pluginManager.withPlugin(rootProject.commonLibs.plugins.hypertrace.publish.get().pluginId) {
     configure<HypertracePublishExtension> {
       license.set(License.APACHE_2_0)
     }
@@ -25,7 +24,7 @@ subprojects {
     }
   }
 
-  apply(plugin = "org.hypertrace.code-style-plugin")
+  apply(plugin = rootProject.commonLibs.plugins.hypertrace.codestyle.get().pluginId)
 }
 
 dependencyCheck {

gradle/libs.versions.toml

@@ -0,0 +1,5 @@
+[versions]
+[libraries]
+resilience4j-circuitbreaker = { module = "io.github.resilience4j:resilience4j-circuitbreaker", version = "1.7.1" }
+auth0-jwt = { module = "com.auth0:java-jwt", version = "4.4.0" }
+auth0-jwks-rsa = { module = "com.auth0:jwks-rsa", version = "0.22.0" }

grpc-circuitbreaker-utils/build.gradle.kts

@@ -1,28 +1,26 @@
 plugins {
   `java-library`
   jacoco
-  id("org.hypertrace.publish-plugin")
-  id("org.hypertrace.jacoco-report-plugin")
+  alias(commonLibs.plugins.hypertrace.publish)
+  alias(commonLibs.plugins.hypertrace.jacoco)
 }
 
 dependencies {
+  api(commonLibs.grpc.api)
+  api(projects.grpcContextUtils)
 
-  api(platform("io.grpc:grpc-bom:1.68.3"))
-  api("io.grpc:grpc-api")
-  api(project(":grpc-context-utils"))
+  implementation(commonLibs.slf4j2.api)
+  implementation(localLibs.resilience4j.circuitbreaker)
+  implementation(commonLibs.typesafe.config)
+  implementation(commonLibs.guava)
+  implementation(commonLibs.jakarta.inject.api)
 
-  implementation("org.slf4j:slf4j-api:1.7.36")
-  implementation("io.github.resilience4j:resilience4j-circuitbreaker:1.7.1")
-  implementation("com.typesafe:config:1.4.2")
-  implementation("com.google.guava:guava:32.0.1-jre")
-  implementation("jakarta.inject:jakarta.inject-api:2.0.1")
+  annotationProcessor(commonLibs.lombok)
+  compileOnly(commonLibs.lombok)
 
-  annotationProcessor("org.projectlombok:lombok:1.18.24")
-  compileOnly("org.projectlombok:lombok:1.18.24")
-
-  testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
-  testImplementation("org.mockito:mockito-core:5.8.0")
-  testImplementation("org.mockito:mockito-junit-jupiter:5.8.0")
+  testImplementation(commonLibs.junit.jupiter)
+  testImplementation(commonLibs.mockito.core)
+  testImplementation(commonLibs.mockito.junit)
 }
 
 tasks.test {

grpc-circuitbreaker-utils/gradle.lockfile

@@ -0,0 +1,61 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.auth0:java-jwt:4.4.0=runtimeClasspath,testRuntimeClasspath
+com.auth0:jwks-rsa:0.22.0=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.16.1=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.16.1=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.16.1=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.16.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.android:annotations:4.1.1.4=runtimeClasspath,testRuntimeClasspath
+com.google.code.findbugs:jsr305:3.0.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.code.gson:gson:2.13.1=runtimeClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.28.0=compileClasspath,testCompileClasspath
+com.google.errorprone:error_prone_annotations:2.38.0=runtimeClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.1=compileClasspath,testCompileClasspath
+com.google.guava:failureaccess:1.0.2=runtimeClasspath,testRuntimeClasspath
+com.google.guava:guava-parent:32.1.2-jre=compileClasspath,testCompileClasspath
+com.google.guava:guava:32.1.2-jre=compileClasspath,testCompileClasspath
+com.google.guava:guava:33.2.1-android=runtimeClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath,testCompileClasspath
+com.typesafe:config:1.4.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.github.resilience4j:resilience4j-circuitbreaker:1.7.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.github.resilience4j:resilience4j-core:1.7.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-api:1.68.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-bom:1.68.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.68.3=runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.68.3=runtimeClasspath,testRuntimeClasspath
+io.netty:netty-bom:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.perfmark:perfmark-api:0.27.0=runtimeClasspath,testRuntimeClasspath
+io.vavr:vavr-match:0.10.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.vavr:vavr:0.10.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+jakarta.inject:jakarta.inject-api:2.0.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.14.10=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.14.10=testCompileClasspath,testRuntimeClasspath
+org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
+org.checkerframework:checker-qual:3.33.0=compileClasspath,testCompileClasspath
+org.checkerframework:checker-qual:3.42.0=runtimeClasspath,testRuntimeClasspath
+org.codehaus.mojo:animal-sniffer-annotations:1.24=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-bom:11.0.24=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hypertrace.bom:hypertrace-bom:0.3.52=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hypertrace.core.kafkastreams.framework:kafka-bom:0.6.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0=testCompileClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.1=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.1=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.10.0=testCompileClasspath
+org.junit.jupiter:junit-jupiter-params:5.10.1=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter:5.10.0=testCompileClasspath
+org.junit.jupiter:junit-jupiter:5.10.1=testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0=testCompileClasspath
+org.junit.platform:junit-platform-commons:1.10.1=testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.1=testRuntimeClasspath
+org.junit:junit-bom:5.10.0=testCompileClasspath
+org.junit:junit-bom:5.10.1=testRuntimeClasspath
+org.mockito:mockito-core:5.8.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-junit-jupiter:5.8.0=testCompileClasspath,testRuntimeClasspath
+org.objenesis:objenesis:3.3=testRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
+org.projectlombok:lombok:1.18.30=annotationProcessor,compileClasspath
+org.slf4j:slf4j-api:2.0.7=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+empty=

grpc-client-rx-utils/build.gradle.kts

@@ -1,25 +1,19 @@
 plugins {
   `java-library`
   jacoco
-  id("org.hypertrace.publish-plugin")
-  id("org.hypertrace.jacoco-report-plugin")
+  alias(commonLibs.plugins.hypertrace.publish)
+  alias(commonLibs.plugins.hypertrace.jacoco)
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.68.3"))
-  api("io.reactivex.rxjava3:rxjava:3.1.4")
-  api("io.grpc:grpc-stub")
-  api(project(":grpc-context-utils"))
-  constraints {
-    api("com.google.protobuf:protobuf-java:3.25.5") {
-      because("https://nvd.nist.gov/vuln/detail/CVE-2024-7254")
-    }
-  }
-  implementation("io.grpc:grpc-context")
+  api(commonLibs.rxjava3)
+  api(commonLibs.grpc.stub)
+  api(projects.grpcContextUtils)
+  implementation(commonLibs.grpc.context)
 
-  testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
-  testImplementation("org.mockito:mockito-core:5.8.0")
-  testImplementation("org.mockito:mockito-junit-jupiter:5.8.0")
+  testImplementation(commonLibs.junit.jupiter)
+  testImplementation(commonLibs.mockito.core)
+  testImplementation(commonLibs.mockito.junit)
 }
 
 tasks.test {

grpc-client-rx-utils/gradle.lockfile

@@ -0,0 +1,53 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.auth0:java-jwt:4.4.0=runtimeClasspath,testRuntimeClasspath
+com.auth0:jwks-rsa:0.22.0=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.16.1=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.16.1=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.16.1=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.16.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.android:annotations:4.1.1.4=runtimeClasspath,testRuntimeClasspath
+com.google.code.findbugs:jsr305:3.0.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.code.gson:gson:2.13.1=runtimeClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.28.0=compileClasspath,testCompileClasspath
+com.google.errorprone:error_prone_annotations:2.38.0=runtimeClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.guava:guava:33.2.1-android=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.google.j2objc:j2objc-annotations:3.0.0=compileClasspath,testCompileClasspath
+io.grpc:grpc-api:1.68.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-bom:1.68.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-context:1.68.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.grpc:grpc-core:1.68.3=runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-stub:1.68.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.netty:netty-bom:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.perfmark:perfmark-api:0.27.0=runtimeClasspath,testRuntimeClasspath
+io.reactivex.rxjava3:rxjava:3.1.7=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.14.10=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.14.10=testCompileClasspath,testRuntimeClasspath
+org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
+org.checkerframework:checker-qual:3.42.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.codehaus.mojo:animal-sniffer-annotations:1.24=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-bom:11.0.24=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hypertrace.bom:hypertrace-bom:0.3.52=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hypertrace.core.kafkastreams.framework:kafka-bom:0.6.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0=testCompileClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.1=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.1=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.10.0=testCompileClasspath
+org.junit.jupiter:junit-jupiter-params:5.10.1=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter:5.10.0=testCompileClasspath
+org.junit.jupiter:junit-jupiter:5.10.1=testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0=testCompileClasspath
+org.junit.platform:junit-platform-commons:1.10.1=testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.1=testRuntimeClasspath
+org.junit:junit-bom:5.10.0=testCompileClasspath
+org.junit:junit-bom:5.10.1=testRuntimeClasspath
+org.mockito:mockito-core:5.8.0=testCompileClasspath,testRuntimeClasspath
+org.mockito:mockito-junit-jupiter:5.8.0=testCompileClasspath,testRuntimeClasspath
+org.objenesis:objenesis:3.3=testRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
+org.reactivestreams:reactive-streams:1.0.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.slf4j:slf4j-api:2.0.7=runtimeClasspath,testRuntimeClasspath
+empty=annotationProcessor

grpc-client-utils/build.gradle.kts

@@ -1,33 +1,26 @@
 plugins {
   `java-library`
   jacoco
-  id("org.hypertrace.publish-plugin")
-  id("org.hypertrace.jacoco-report-plugin")
+  alias(commonLibs.plugins.hypertrace.publish)
+  alias(commonLibs.plugins.hypertrace.jacoco)
 }
 
 dependencies {
 
-  api(platform("io.grpc:grpc-bom:1.68.3"))
-  api("io.grpc:grpc-context")
-  api("io.grpc:grpc-api")
-  api("io.grpc:grpc-inprocess")
-  api(platform("io.netty:netty-bom:4.1.118.Final"))
-  constraints {
-    api("com.google.protobuf:protobuf-java:3.25.5") {
-      because("https://nvd.nist.gov/vuln/detail/CVE-2024-7254")
-    }
-  }
+  api(commonLibs.grpc.context)
+  api(commonLibs.grpc.api)
+  api(commonLibs.grpc.inprocess)
 
-  implementation(project(":grpc-context-utils"))
-  implementation("org.slf4j:slf4j-api:1.7.36")
-  implementation("io.grpc:grpc-core")
+  implementation(projects.grpcContextUtils)
+  implementation(commonLibs.slf4j2.api)
+  implementation(commonLibs.grpc.core)
 
-  annotationProcessor("org.projectlombok:lombok:1.18.24")
-  compileOnly("org.projectlombok:lombok:1.18.24")
+  annotationProcessor(commonLibs.lombok)
+  compileOnly(commonLibs.lombok)
 
-  testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
-  testImplementation("org.mockito:mockito-core:5.8.0")
-  testRuntimeOnly("io.grpc:grpc-netty")
+  testImplementation(commonLibs.junit.jupiter)
+  testImplementation(commonLibs.mockito.core)
+  testRuntimeOnly(commonLibs.grpc.netty)
 }
 
 tasks.test {