diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index aead1172..58f44dd3 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs @@ -3,3 +3,9 @@ # Scala Steward: Reformat with scalafmt 3.10.3 d8af028d2cd271ab7f3adec9842f07cce86a2ac3 + +# Scala Steward: Reformat with scalafmt 3.10.7 +83b819003b44835b1792e3ef8263da91a5b6d4ba + +# Scala Steward: Reformat with scalafmt 3.11.1 +5a8f52d4aeff3380e4e38e5cd8e63626711b2f86 diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index a427ec6f..26c11bfb 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@v4 id: changes with: filters: | diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml new file mode 100644 index 00000000..c223994b --- /dev/null +++ b/.github/workflows/auto-merge.yml @@ -0,0 +1,41 @@ +name: auto-merge +# pull_request_target runs in the base-branch context, which is required so +# that GITHUB_TOKEN gets the write permissions declared below even for PRs +# opened by Dependabot (which would otherwise receive a read-only token on +# regular pull_request events). This workflow never checks out PR head code, +# so the usual pull_request_target injection risk does not apply. +on: pull_request_target + +permissions: + contents: write + pull-requests: write + +jobs: + auto-merge-dependabot: + name: Auto-Merge Dependabot PRs + runs-on: ubuntu-latest + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + - name: Enable auto-merge for non-major updates + if: ${{ steps.metadata.outputs.update-type != 'version-update:semver-major' }} + run: gh pr merge --squash --auto "${{ github.event.pull_request.html_url }}" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + auto-merge-scala-steward: + name: Auto-Merge Scala Steward PRs + runs-on: ubuntu-latest + if: ${{ github.event.pull_request.user.login == 'scala-steward' }} + steps: + # Skip auto-merge if the PR carries a semver-major label. Note: this repo + # does not yet apply semver labels to Scala Steward PRs, so this guard is + # a no-op until early-semver-* labels are added to the repo and Scala + # Steward is configured to apply them. + - name: Enable auto-merge for non-major updates + if: ${{ !contains(github.event.pull_request.labels.*.name, 'semver-major') && !contains(github.event.pull_request.labels.*.name, 'early-semver-major') }} + run: gh pr merge --squash --auto "${{ github.event.pull_request.html_url }}" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.scalafmt.conf b/.scalafmt.conf index d30b0537..5190ffa6 100644 --- a/.scalafmt.conf +++ b/.scalafmt.conf @@ -1,4 +1,4 @@ -version = 3.10.3 +version = 3.11.1 project.layout = StandardConvention runner.dialect = scala3 maxColumn = 100 diff --git a/build.sbt b/build.sbt index 4d72279e..233abf0c 100644 --- a/build.sbt +++ b/build.sbt @@ -3,7 +3,7 @@ Global / onChangedBuildSource := ReloadOnSourceChanges // For performance testing, ensure each test run one-by-one Global / concurrentRestrictions := Seq(Tags.limit(Tags.Test, 1)) -val AIRFRAME_VERSION = "2025.1.22" +val AIRFRAME_VERSION = "2026.1.7" // Use dynamic snapshot version strings for non tagged versions ThisBuild / dynverSonatypeSnapshots := true @@ -92,14 +92,12 @@ val buildSettings = Seq[Setting[?]]( // Style check config: (sbt-jchekcstyle) jcheckStyleConfig := "facebook", // Run jcheckstyle both for main and test codes - Compile / compile := - ((Compile / compile) dependsOn (Compile / jcheckStyle)).value, - Test / compile := - ((Test / compile) dependsOn (Test / jcheckStyle)).value + Compile / compile := ((Compile / compile) dependsOn (Compile / jcheckStyle)).value, + Test / compile := ((Test / compile) dependsOn (Test / jcheckStyle)).value ) -val junitJupiter = "org.junit.jupiter" % "junit-jupiter" % "5.14.1" % "test" -val junitVintage = "org.junit.vintage" % "junit-vintage-engine" % "5.14.1" % "test" +val junitJupiter = "org.junit.jupiter" % "junit-jupiter" % "5.14.4" % "test" +val junitVintage = "org.junit.vintage" % "junit-vintage-engine" % "5.14.4" % "test" // Project settings lazy val root = Project(id = "msgpack-java", base = file(".")) @@ -127,6 +125,7 @@ lazy val msgpackCore = Project(id = "msgpack-core", base = file("msgpack-core")) "org.msgpack.value", "org.msgpack.value.impl" ), + OsgiKeys.importPackage := Seq("!android.os", "!sun.*"), testFrameworks += new TestFramework("wvlet.airspec.Framework"), Test / javaOptions ++= Seq( @@ -163,7 +162,7 @@ lazy val msgpackJackson = Project(id = "msgpack-jackson", base = file("msgpack-j OsgiKeys.exportPackage := Seq("org.msgpack.jackson", "org.msgpack.jackson.dataformat"), libraryDependencies ++= Seq( - "com.fasterxml.jackson.core" % "jackson-databind" % "2.18.4", + "com.fasterxml.jackson.core" % "jackson-databind" % "2.20.0", junitJupiter, junitVintage, "org.apache.commons" % "commons-math3" % "3.6.1" % "test" diff --git a/plans/2026-05-05-auto-merge.md b/plans/2026-05-05-auto-merge.md new file mode 100644 index 00000000..0b43e132 --- /dev/null +++ b/plans/2026-05-05-auto-merge.md @@ -0,0 +1,84 @@ +# Add auto-merge GitHub Actions workflow + +## Goal + +Add a workflow that automatically enables auto-merge on PRs from trusted bots +(Dependabot and Scala Steward) for non-major version bumps, mirroring the +pattern used in `wvlet/uni/.github/workflows/auto-merge.yml`. + +## Context + +- Recent PR history shows the repo regularly receives many bot PRs: + - `dependabot[bot]` — for GitHub Actions version bumps + - `scala-steward` — for Scala/sbt/Java library updates +- These currently require manual merge from the maintainer. +- Repo settings already allow auto-merge (`allow_auto_merge: true`) and squash + is the default merge method. +- CI passes branch-protection checks on PRs; once a PR is approved and CI is + green, GitHub will merge it automatically. + +## Differences from wvlet/uni + +- **No GitHub App token.** wvlet/uni uses a GitHub App (`APP_ID` + + `APP_PRIVATE_KEY`) to bypass the read-only `GITHUB_TOKEN` that GitHub + hands to `pull_request` workflows triggered by Dependabot. msgpack/msgpack-java + doesn't have that App configured, so this workflow uses + `on: pull_request_target` instead — that event runs in the base-branch + context where the workflow's declared `permissions:` block actually grants + write access to `GITHUB_TOKEN`. We never check out PR head code, so the + usual `pull_request_target` injection risk does not apply. +- **Scala Steward actor is `scala-steward`**, not wvlet/uni's + `scala-steward-wvlet[bot]` or `xerial-bot` (visible in `gh pr list`). +- **Filter on `github.event.pull_request.user.login`**, not `github.actor`, + because under `pull_request_target` the latter can resolve to the merger + rather than the PR author. + +## Plan + +1. Add `.github/workflows/auto-merge.yml` with two jobs: + - **auto-merge-dependabot**: triggers when + `github.event.pull_request.user.login == 'dependabot[bot]'`, uses + `dependabot/fetch-metadata@v2` to read the update type, and runs + `gh pr merge --squash --auto` only when the update is **not** + `version-update:semver-major`. + - **auto-merge-scala-steward**: triggers when + `github.event.pull_request.user.login == 'scala-steward'` and + auto-merges unless the PR carries a `semver-major` or + `early-semver-major` label. +2. Set workflow-level `permissions` to the minimum required: + `contents: write` and `pull-requests: write`. +3. Use `GITHUB_TOKEN` directly via `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. + +### Scala Steward label caveat + +This repo's current Scala Steward PRs only carry `library-update` (and +sometimes `internal`) — no semver labels are configured upstream, so the +`semver-major` / `early-semver-major` guard is effectively a no-op until: +- The labels are added to the repo (Scala Steward only applies labels that + already exist), and +- Scala Steward is configured (e.g. via `.scala-steward.conf`) to attach + them. + +This matches the same caveat in the wvlet/uni reference implementation, +which uses `semver-spec-major` against `github.event.issue.labels` (not even +the right field on a PR event) — so its guard is also effectively a no-op +in practice. We accept the same trade-off here: most Scala Steward PRs are +patch/minor library updates, CI runs across JDK 8/11/17/21/24 and will fail +the merge-readiness checks if anything regresses, and a major bump that +slips through can be reverted. A follow-up could tighten this by setting up +proper semver labels. + +## Out of scope + +- Setting up a GitHub App for elevated bot identity. +- Auto-approving PRs (a human approval may still be required by branch + protection — auto-merge will simply wait for it). +- Changing branch protection rules. +- Configuring Scala Steward to apply semver labels (see caveat above). + +## Validation + +- Lint the YAML by checking the file parses (visual review + actionlint if + available). +- After merge, watch the next dependabot/scala-steward PR to confirm + auto-merge gets enabled. diff --git a/project/build.properties b/project/build.properties index b1b10405..12583871 100755 --- a/project/build.properties +++ b/project/build.properties @@ -1,2 +1,2 @@ -sbt.version=1.11.7 +sbt.version=1.12.12 diff --git a/project/plugins.sbt b/project/plugins.sbt index a7594c7a..2d12cde5 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -4,7 +4,7 @@ addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.3.1") //addSbtPlugin("com.github.sbt" % "sbt-jacoco" % "3.3.0") addSbtPlugin("org.xerial.sbt" % "sbt-jcheckstyle" % "0.2.1") addSbtPlugin("com.github.sbt" % "sbt-osgi" % "0.10.0") -addSbtPlugin("org.scalameta" % "sbt-scalafmt" % "2.5.6") +addSbtPlugin("org.scalameta" % "sbt-scalafmt" % "2.6.1") addSbtPlugin("com.github.sbt" % "sbt-dynver" % "5.1.1") scalacOptions ++= Seq("-deprecation", "-feature")