From 9b1b1c60ab25cd8b8f63a925bc40c70333bbc949 Mon Sep 17 00:00:00 2001
From: Tim Jacomb <21194782+timja@users.noreply.github.com>
Date: Wed, 7 Aug 2024 16:26:42 +0100
Subject: [PATCH] Switch to Renovate from Dependabot for remaining dependencies
(#9459)
---
.github/dependabot.yml | 68 ---------------------------
.github/renovate.json | 103 ++++++++++++++++++++++++++++++++++++++---
core/pom.xml | 2 +
pom.xml | 2 -
test/pom.xml | 2 +
war/pom.xml | 2 +
6 files changed, 103 insertions(+), 76 deletions(-)
delete mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 8c2bd4291a6e..000000000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-version: 2
-updates:
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "daily"
- - package-ecosystem: "maven"
- directory: "/"
- schedule:
- interval: "daily"
- ignore:
- # Exclusions in this section have been triaged and determined to be
- # permanent. We do not anticipate removing exclusions from this section.
-
- # Provided by Jetty and should be aligned with the version provided by the
- # version of Jetty we deliver. See:
- # https://github.com/jenkinsci/jenkins/pull/5211
- - dependency-name: "jakarta.servlet:jakarta.servlet-api"
-
- # Jetty Maven Plugin and Winstone should be upgraded in lockstep in order
- # to keep their corresponding Jetty versions aligned.
- - dependency-name: "org.eclipse.jetty:jetty-maven-plugin"
- - dependency-name: "org.jenkins-ci:winstone"
-
- # Here lies technical debt. Exclusions in this section have been triaged
- # and determined to be temporary. Exclusions should be removed from this
- # section once the remaining action items have been completed.
-
- # Contains incompatible API changes and needs compatibility work.
- - dependency-name: "jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api"
-
- # Needs significant testing. See:
- # https://github.com/jenkinsci/jenkins/pull/5112#issuecomment-744429487
- # https://github.com/jenkinsci/jenkins/pull/5116#issuecomment-744526638
- - dependency-name: "org.codehaus.groovy:groovy-all"
- versions: [">=2.5.0"]
-
- # Consumed by Groovy and should be updated in lockstep with Groovy. See:
- # https://github.com/jenkinsci/jenkins/pull/5184
- - dependency-name: "org.fusesource.jansi:jansi"
-
- # Contains incompatible API changes and needs compatibility work. See:
- # https://github.com/jenkinsci/jenkins/pull/4224
- - dependency-name: "org.jfree:jfreechart"
-
- # Starting with 6.x, Spring requires Java 17 at a minimum.
- - dependency-name: "org.springframework:spring-framework-bom"
- versions: [">=6.0.0"]
-
- # Starting with 6.x, Spring Security requires Java 17 at a minimum.
- - dependency-name: "org.springframework.security:spring-security-bom"
- versions: [">=6.0.0"]
-
- # Starting with 7.x, Guice switches from javax.* to jakarta.* bindings.
- # See https://github.com/google/guice/wiki/Guice700
- - dependency-name: "com.google.inject:guice-bom"
- versions: [">=7.0.0"]
- - package-ecosystem: "maven"
- directory: "/"
- target-branch: "stable-2.452"
- labels:
- - "into-lts"
- - "needs-justification"
- schedule:
- interval: "daily"
- # Include only security updates and exclude version updates.
- open-pull-requests-limit: 0
diff --git a/.github/renovate.json b/.github/renovate.json
index 8c3c4ad17cea..9078329a2c7f 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,32 +1,110 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
- "config:base",
+ "config:recommended",
":disableDependencyDashboard",
":semanticCommitsDisabled"
],
- "enabledManagers": ["npm", "regex"],
+ "prHourlyLimit": 0,
+ "prConcurrentLimit": 0,
"postUpdateOptions": ["yarnDedupeHighest"],
+ "baseBranches": ["master", "stable-2.462"],
"packageRules": [
+ {
+ "matchBaseBranches": ["/stable-.+/"],
+ "matchManagers": ["maven"],
+ "labels": ["dependencies", "into-lts", "needs-justification"]
+ },
+ {
+ "matchBaseBranches": ["/stable-.+/"],
+ "matchManagers": ["custom.regex", "npm", "github-actions"],
+ "enabled": false
+ },
{
"matchDatasources": ["npm"],
"addLabels": ["javascript"],
- "stabilityDays": 3,
+ "minimumReleaseAge": "3 days",
"reviewers": ["team:sig-ux"]
},
{
"matchPackageNames": ["node"],
"allowedVersions": "/20.[0-9]+.[0-9]+(.[0-9]+)?$/"
+ },
+ {
+ "description": "Should be upgraded in lockstep in order to keep their corresponding Jetty versions aligned, could be grouped but releases are likely separated by a bit of time",
+ "matchManagers": ["maven"],
+ "enabled": false,
+ "matchPackageNames": [
+ "org.eclipse.jetty:jetty-maven-plugin", "org.jenkins-ci:winstone"
+ ]
+ },
+ {
+ "description": "Provided by Jetty and should be aligned with the version provided by the version of Jetty we deliver. See: https://github.com/jenkinsci/jenkins/pull/5211",
+ "matchManagers": ["maven"],
+ "enabled": false,
+ "matchPackageNames": ["jakarta.servlet:jakarta.servlet-api"]
+ },
+ {
+ "description": "Contains incompatible API changes and needs compatibility work",
+ "matchManagers": ["maven"],
+ "enabled": false,
+ "matchPackageNames": [
+ "jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api"
+ ]
+ },
+ {
+ "description": "Needs significant testing. See: https://github.com/jenkinsci/jenkins/pull/5112#issuecomment-744429487 and https://github.com/jenkinsci/jenkins/pull/5116#issuecomment-744526638",
+ "matchManagers": ["maven"],
+ "allowedVersions": "<2.5.0",
+ "matchPackageNames": ["org.codehaus.groovy:groovy-all"]
+ },
+ {
+ "description": "Consumed by Groovy and should be updated in lockstep with Groovy. See: https://github.com/jenkinsci/jenkins/pull/5184",
+ "matchManagers": ["maven"],
+ "enabled": false,
+ "matchPackageNames": ["org.fusesource.jansi:jansi"]
+ },
+ {
+ "description": "Contains incompatible API changes and needs compatibility work. See: https://github.com/jenkinsci/jenkins/pull/4224",
+ "matchManagers": ["maven"],
+ "enabled": false,
+ "matchPackageNames": ["org.jfree:jfreechart"]
+ },
+ {
+ "description": "Starting with 6.x, Spring requires Java 17 at a minimum.",
+ "matchManagers": ["maven"],
+ "allowedVersions": "<6.0.0",
+ "matchPackageNames": ["org.springframework:spring-framework-bom", "org.springframework.security:spring-security-bom"]
+ },
+ {
+ "description": "Starting with 7.x, Guice switches from javax.* to jakarta.* bindings. See https://github.com/google/guice/wiki/Guice700",
+ "matchManagers": ["maven"],
+ "allowedVersions": "<7.0.0",
+ "matchPackageNames": ["com.google.inject:guice-bom"]
+ },
+ {
+ "matchFileNames": ["test/pom.xml", "core/pom.xml", "war/pom.xml"],
+ "matchPackageNames": ["org.jenkins-ci.main:remoting"],
+ "description": "Avoid updating the remoting.minimum.supported.version property but still update latest one by not placing this property in the parent pom.xml",
+ "enabled": false
+ },
+ {
+ "matchPackageNames": ["net.jcip:jcip-annotations"],
+ "matchDatasources": ["maven"],
+ "enabled": false,
+ "description": "maven-metadata.xml is missing for this really old package which is required by renovate"
}
],
- "regexManagers": [
+ "customManagers": [
{
+ "customType": "regex",
"fileMatch": ["war/pom.xml"],
"matchStrings": ["(?.*?)"],
"depNameTemplate": "node",
"datasourceTemplate": "npm"
},
{
+ "customType": "regex",
"fileMatch": ["ath.sh"],
"matchStrings": ["export ATH_VERSION=(?.*?)\n"],
"depNameTemplate": "jenkins/ath",
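Review bot: The first new packageRule (`"matchBaseBranches": ["/stable-.+/"]` with `"matchManagers": ["maven"]`) only attaches labels, so ordinary Maven version updates will now be proposed against `stable-2.462`. The deleted Dependabot entry for the stable branch set `open-pull-requests-limit: 0` with the comment "Include only security updates and exclude version updates". If that security-only policy for the LTS line is still intended, this rule probably needs `"enabled": false`, with security PRs coming from Renovate's `vulnerabilityAlerts` settings; confirm that those alerts are raised for a non-default base branch before relying on them. Separately, removing `enabledManagers` turns on every default manager, and `minimumReleaseAge` is set only on the npm rule, so the newly covered Maven and GitHub Actions updates get no release-age hold; consider whether the same `"3 days"` delay should apply there. The `customManagers` array continues past the end of this hunk.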
@@ -34,30 +112,43 @@
"versioningTemplate": "loose"
},
{
+ "customType": "regex",
"fileMatch": [".gitpod/Dockerfile"],
"matchStrings": ["ARG MAVEN_VERSION=(?.*?)\n"],
"depNameTemplate": "org.apache.maven:maven-core",
"datasourceTemplate": "maven"
},
{
+ "customType": "regex",
"fileMatch": ["core/src/site/site.xml"],
"matchStrings": ["lit@(?.*?)/"],
"depNameTemplate": "lit",
"datasourceTemplate": "npm"
},
{
+ "customType": "regex",
"fileMatch": ["core/src/site/site.xml"],
"matchStrings": ["webcomponentsjs@(?.*?)/"],
"depNameTemplate": "@webcomponents/webcomponentsjs",
"datasourceTemplate": "npm"
},
{
+ "customType": "regex",
"fileMatch": ["core/src/site/site.xml"],
- "matchStrings": ["(?.*?)<\/version>"],
+ "matchStrings": ["(?.*?)"],
"depNameTemplate": "org.apache.maven.skins:maven-fluido-skin",
"datasourceTemplate": "maven"
}
],
"labels": ["dependencies", "skip-changelog"],
- "rebaseWhen": "conflicted"
+ "rebaseWhen": "conflicted",
+ "ignorePaths": [
+ "**/node_modules/**",
+ "**/bower_components/**",
+ "**/vendor/**",
+ "**/examples/**",
+ "**/__tests__/**",
+ "**/tests/**",
+ "**/__fixtures__/**"
+ ]
}
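Review bot: The new `ignorePaths` list excludes every manifest under a `tests`, `examples` or `vendor` directory from all updates, security fixes included, and nothing in the file records why the list is spelled out. It looks like the preset's default ignore list with the singular `test` directory left out so that `test/pom.xml` is still scanned; that is an inference, and the reason is worth stating in the PR description since `renovate.json` cannot carry comments. It would also be worth confirming that no shipped module or build file lives under one of the remaining globs, because dependencies declared there will silently stop receiving update PRs.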
diff --git a/core/pom.xml b/core/pom.xml
index 95c289164930..8e30ae211ed7 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -40,6 +40,8 @@ THE SOFTWARE.
2.10.0
+
+ 3107.v665000b_51092
diff --git a/pom.xml b/pom.xml
index 700c50ec85d4..a0673a9c6cc1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -88,8 +88,6 @@ THE SOFTWARE.
3256.3258.v858f3c9a_f69d
-
- 3107.v665000b_51092
Max
Medium
diff --git a/test/pom.xml b/test/pom.xml
index e6611ad67099..7b0a43d7c4a1 100644
--- a/test/pom.xml
+++ b/test/pom.xml
@@ -38,6 +38,8 @@ THE SOFTWARE.
false
+
+ 3107.v665000b_51092
8080
2.13.1-117.v2f1a_b_66ff91d
+
+ 3107.v665000b_51092
20.16.0
1.22.19