4Science
diff --git a/‎.github/dependabot.yml‎
Lines changed: 145 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 145 additions & 0 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/build.yml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎.github/workflows/codescan.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/codescan.yml‎
Lines changed: 6 additions & 6 deletions
@@ -15,6 +15,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
@@ -41,6 +45,7 @@ updates:
         applies-to: version-updates
         patterns:
         - "junit:*"
+        - "com.adobe.testing:*"
         - "com.github.stefanbirker:system-rules"
         - "com.h2database:*"
         - "io.findify:s3mock*"
@@ -49,10 +54,19 @@ updates:
         - "org.hamcrest:*"
         - "org.mock-server:*"
         - "org.mockito:*"
+        - "org.testcontainers:*"
         - "org.xmlunit:*"
         update-types:
         - "minor"
         - "patch"
+      # Group together all Amazon S3 deps in a single PR
+      amazon-s3:
+        applies-to: version-updates
+        patterns:
+          - "software.amazon.*:*"
+        update-types:
+          - "minor"
+          - "patch"
       # Group together all Apache Commons deps in a single PR
       apache-commons:
         applies-to: version-updates
@@ -121,12 +135,33 @@ updates:
       # Don't try to auto-update any DSpace dependencies
       - dependency-name: "org.dspace:*"
       - dependency-name: "org.dspace.*:*"
+      # Don't automatically update BouncyCastle because maven-gpg-plugin REQUIRES a very specific version or release
+      # errors will occur. See https://github.com/DSpace/DSpace/pull/11696
+      - dependency-name: "org.bouncycastle:*"
       # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
       - dependency-name: "org.hibernate.*:*"
         update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore updates for jboss-logging because it is a "convergence only" dependency
+      # that we do not use directly (see comments in pom.xml).
+      - dependency-name: "org.jboss.logging:*"
+      # Don't try to update antlr4-runtime because it is a transitive dependency
+      # used by Hibernate and Solr. The version is pinned in pom.xml and should
+      # only be updated when required. See: https://github.com/DSpace/DSpace/pull/11989
+      - dependency-name: "org.antlr:antlr4-runtime"
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
+  # Also automatically update all our GitHub actions on the main branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
   ######################
   ## dspace-9_x branch
   ######################
@@ -136,6 +171,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
@@ -162,6 +201,7 @@ updates:
         applies-to: version-updates
         patterns:
           - "junit:*"
+          - "com.adobe.testing:*"
           - "com.github.stefanbirker:system-rules"
           - "com.h2database:*"
           - "io.findify:s3mock*"
@@ -170,10 +210,19 @@ updates:
           - "org.hamcrest:*"
           - "org.mock-server:*"
           - "org.mockito:*"
+          - "org.testcontainers:*"
           - "org.xmlunit:*"
         update-types:
           - "minor"
           - "patch"
+      # Group together all Amazon S3 deps in a single PR
+      amazon-s3:
+        applies-to: version-updates
+        patterns:
+          - "software.amazon.*:*"
+        update-types:
+          - "minor"
+          - "patch"
       # Group together all Apache Commons deps in a single PR
       apache-commons:
         applies-to: version-updates
@@ -242,12 +291,37 @@ updates:
       # Don't try to auto-update any DSpace dependencies
       - dependency-name: "org.dspace:*"
       - dependency-name: "org.dspace.*:*"
+      # Last version of errorprone to support JDK 17 is 2.42.x
+      - dependency-name: "com.google.errorprone:*"
+        versions: [">=2.43.0"]
+      # Don't automatically update BouncyCastle because maven-gpg-plugin REQUIRES a very specific version or release
+      # errors will occur. See https://github.com/DSpace/DSpace/pull/11696
+      - dependency-name: "org.bouncycastle:*"
       # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
       - dependency-name: "org.hibernate.*:*"
         update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore updates for jboss-logging because it is a "convergence only" dependency
+      # that we do not use directly (see comments in pom.xml).
+      - dependency-name: "org.jboss.logging:*"
+      # Don't try to update antlr4-runtime because it is a transitive dependency
+      # used by Hibernate and Solr. The version is pinned in pom.xml and should
+      # only be updated when required. See: https://github.com/DSpace/DSpace/pull/11989
+      - dependency-name: "org.antlr:antlr4-runtime"
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: [ "version-update:semver-major" ]
+  # Also automatically update all our GitHub actions on the dspace-9_x branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: dspace-9_x
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
   ######################
   ## dspace-8_x branch
   ######################
@@ -257,6 +331,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
@@ -283,6 +361,7 @@ updates:
         applies-to: version-updates
         patterns:
           - "junit:*"
+          - "com.adobe.testing:*"
           - "com.github.stefanbirker:system-rules"
           - "com.h2database:*"
           - "io.findify:s3mock*"
@@ -291,10 +370,19 @@ updates:
           - "org.hamcrest:*"
           - "org.mock-server:*"
           - "org.mockito:*"
+          - "org.testcontainers:*"
           - "org.xmlunit:*"
         update-types:
           - "minor"
           - "patch"
+      # Group together all Amazon S3 deps in a single PR
+      amazon-s3:
+        applies-to: version-updates
+        patterns:
+          - "software.amazon.*:*"
+        update-types:
+          - "minor"
+          - "patch"
       # Group together all Apache Commons deps in a single PR
       apache-commons:
         applies-to: version-updates
@@ -363,12 +451,37 @@ updates:
       # Don't try to auto-update any DSpace dependencies
       - dependency-name: "org.dspace:*"
       - dependency-name: "org.dspace.*:*"
+      # Last version of errorprone to support JDK 17 is 2.42.x
+      - dependency-name: "com.google.errorprone:*"
+        versions: [">=2.43.0"]
+      # Don't automatically update BouncyCastle because maven-gpg-plugin REQUIRES a very specific version or release
+      # errors will occur. See https://github.com/DSpace/DSpace/pull/11696
+      - dependency-name: "org.bouncycastle:*"
       # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
       - dependency-name: "org.hibernate.*:*"
         update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore updates for jboss-logging because it is a "convergence only" dependency
+      # that we do not use directly (see comments in pom.xml).
+      - dependency-name: "org.jboss.logging:*"
+      # Don't try to update antlr4-runtime because it is a transitive dependency
+      # used by Hibernate and Solr. The version is pinned in pom.xml and should
+      # only be updated when required. See: https://github.com/DSpace/DSpace/pull/11989
+      - dependency-name: "org.antlr:antlr4-runtime"
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: [ "version-update:semver-major" ]
+  # Also automatically update all our GitHub actions on the dspace-8_x branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: dspace-8_x
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
   ######################
   ## dspace-7_x branch
   ######################
@@ -378,6 +491,10 @@ updates:
     schedule:
       interval: "monthly"
       time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
     # Allow up to 10 open PRs for dependencies
     open-pull-requests-limit: 10
     # Group together some upgrades in a single PR
@@ -404,17 +521,27 @@ updates:
         applies-to: version-updates
         patterns:
           - "junit:*"
+          - "com.adobe.testing:*"
           - "com.github.stefanbirker:system-rules"
           - "com.h2database:*"
           - "io.findify:s3mock*"
           - "io.netty:*"
           - "org.hamcrest:*"
           - "org.mock-server:*"
           - "org.mockito:*"
+          - "org.testcontainers:*"
           - "org.xmlunit:*"
         update-types:
           - "minor"
           - "patch"
+      # Group together all Amazon S3 deps in a single PR
+      amazon-s3:
+        applies-to: version-updates
+        patterns:
+          - "software.amazon.*:*"
+        update-types:
+          - "minor"
+          - "patch"
       # Group together all Apache Commons deps in a single PR
       apache-commons:
         applies-to: version-updates
@@ -499,13 +626,31 @@ updates:
       # Last version of errorprone to support JDK 11 is 2.31.0
       - dependency-name: "com.google.errorprone:*"
         versions: [">=2.32.0"]
+      # Don't automatically update BouncyCastle because maven-gpg-plugin REQUIRES a very specific version or release
+      # errors will occur. See https://github.com/DSpace/DSpace/pull/11696
+      - dependency-name: "org.bouncycastle:*"
       # Spring Security 5.8 changes the behavior of CSRF Tokens in a way which is incompatible with DSpace 7
       # See https://github.com/DSpace/DSpace/pull/9888#issuecomment-2408165545
       - dependency-name: "org.springframework.security:*"
         versions: [">=5.8.0"]
       # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
       - dependency-name: "org.hibernate.*:*"
         update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore updates for jboss-logging because it is a "convergence only" dependency
+      # that we do not use directly (see comments in pom.xml).
+      - dependency-name: "org.jboss.logging:*"
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: [ "version-update:semver-major" ]
+  # Also automatically update all our GitHub actions on the dspace-7_x branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: dspace-7_x
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
@@ -24,7 +24,7 @@ jobs:
           # NOTE: Unit Tests include a retry for occasionally failing tests
           #  - surefire.rerunFailingTestsCount => try again for flakey tests, and keep track of/report on number of retries
           - type: "Unit Tests"
-            java: 17
+            java: 21
             mvnflags: "-DskipUnitTests=false -Dsurefire.rerunFailingTestsCount=2"
             resultsdir: "**/target/surefire-reports/**"
           # NOTE: ITs skip all code validation checks, as they are already done by Unit Test job.
@@ -34,7 +34,7 @@ jobs:
           #  - xml.skip          => Skip all XML/XSLT validation by xml-maven-plugin
           #  - failsafe.rerunFailingTestsCount => try again for flakey tests, and keep track of/report on number of retries
           - type: "Integration Tests"
-            java: 17
+            java: 21
             mvnflags: "-DskipIntegrationTests=false -Denforcer.skip=true -Dcheckstyle.skip=true -Dlicense.skip=true -Dxml.skip=true -Dfailsafe.rerunFailingTestsCount=2"
             resultsdir: "**/target/failsafe-reports/**"
       # Do NOT exit immediately if one matrix job fails
@@ -45,11 +45,11 @@ jobs:
     steps:
       # https://github.com/actions/checkout
       - name: Checkout codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # https://github.com/actions/setup-java
       - name: Install JDK ${{ matrix.java }}
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: ${{ matrix.java }}
           distribution: 'temurin'
@@ -87,19 +87,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # Download artifacts from previous 'tests' job
       - name: Download coverage artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
 
       # Now attempt upload to Codecov using its action.
       # NOTE: We use a retry action to retry the Codecov upload if it fails the first time.
       #
       # Retry action: https://github.com/marketplace/actions/retry-action
       # Codecov action: https://github.com/codecov/codecov-action
       - name: Upload coverage to Codecov.io
-        uses: Wandalen/wretry.action@v1.3.0
+        uses: Wandalen/wretry.action@v3.8.0
         with:
           action: codecov/codecov-action@v4
           # Ensure codecov-action throws an error when it fails to upload
 
@@ -35,19 +35,19 @@ jobs:
     steps:
       # https://github.com/actions/checkout
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # https://github.com/actions/setup-java
       - name: Install JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
-          java-version: 17
+          java-version: 21
           distribution: 'temurin'
 
       # Initializes the CodeQL tools for scanning.
       # https://github.com/github/codeql-action
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           # Codescan Javascript as well since a few JS files exist in REST API's interface
           languages: java, javascript
@@ -56,8 +56,8 @@ jobs:
       # NOTE: Based on testing, this autobuild process works well for DSpace. A custom
       # DSpace build w/caching (like in build.yml) was about the same speed as autobuild.
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       # Perform GitHub Code Scanning.
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4