refactor: add bom

.github/workflows/update-locks.yml

@@ -0,0 +1,30 @@
+name: Update Locks
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '18 22 * * 3'
+jobs:
+  update-versions:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Calculate simple repository name
+        id: repo-basename
+        shell: bash
+        run: |
+          echo "value=`basename ${{ github.repository }}`" >> $GITHUB_OUTPUT
+      - name: Get Token from Github App
+        uses: tibdex/github-app-token@v2
+        id: generate-token
+        with:
+          app_id: ${{ secrets.GH_CI_APP_ID }}
+          private_key: ${{ secrets.GH_CI_APP_PRIVATE_KEY }}
+          repositories: >-
+            [${{ toJson(steps.repo-basename.outputs.value) }}]
+      - name: Update locks if needed
+        uses: hypertrace/github-actions/raise-lock-pr@main
+        with:
+          token: ${{ steps.generate-token.outputs.token }}

alerting-config-service-api/build.gradle.kts

@@ -1,23 +1,18 @@
-import com.google.protobuf.gradle.generateProtoTasks
 import com.google.protobuf.gradle.id
-import com.google.protobuf.gradle.ofSourceSet
-import com.google.protobuf.gradle.plugins
-import com.google.protobuf.gradle.protobuf
-import com.google.protobuf.gradle.protoc
 
 plugins {
   `java-library`
-  id("com.google.protobuf")
-  id("org.hypertrace.publish-plugin")
+  alias(commonLibs.plugins.google.protobuf)
+  alias(commonLibs.plugins.hypertrace.publish)
 }
 
 protobuf {
   protoc {
-    artifact = "com.google.protobuf:protoc:${libs.versions.protoc.get()}"
+    artifact = "com.google.protobuf:protoc:${commonLibs.versions.protoc.get()}"
   }
   plugins {
     id("grpc") {
-      artifact = "io.grpc:protoc-gen-grpc-java:${libs.versions.grpc.get()}"
+      artifact = "io.grpc:protoc-gen-grpc-java:${commonLibs.versions.grpc.get()}"
     }
   }
   generateProtoTasks {
@@ -30,12 +25,7 @@ protobuf {
 }
 
 dependencies {
-  api(libs.bundles.grpc.api)
-  constraints {
-    implementation("com.google.guava:guava:32.1.2-jre") {
-      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
-    }
-  }
+  api(commonLibs.bundles.grpc.api)
 }
 
 sourceSets {

alerting-config-service-api/gradle.lockfile

@@ -0,0 +1,23 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.fasterxml.jackson:jackson-bom:2.15.2=compileClasspath,runtimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.17.0=compileClasspath,runtimeClasspath
+com.google.code.findbugs:jsr305:3.0.2=compileClasspath,runtimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,runtimeClasspath
+com.google.guava:failureaccess:1.0.1=compileClasspath,runtimeClasspath
+com.google.guava:guava-parent:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:guava:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=compileClasspath,runtimeClasspath
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath
+com.google.protobuf:protobuf-java:3.24.1=compileClasspath,runtimeClasspath
+io.grpc:grpc-api:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-bom:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-protobuf-lite:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-protobuf:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-stub:1.57.2=compileClasspath,runtimeClasspath
+javax.annotation:javax.annotation-api:1.3.2=compileClasspath,runtimeClasspath
+org.checkerframework:checker-qual:3.33.0=compileClasspath,runtimeClasspath
+org.hypertrace.bom:hypertrace-bom:0.2.9=compileClasspath,runtimeClasspath
+org.hypertrace.core.kafkastreams.framework:kafka-bom:0.3.9=compileClasspath,runtimeClasspath
+empty=annotationProcessor

alerting-config-service-impl/build.gradle.kts

@@ -1,7 +1,7 @@
 plugins {
   `java-library`
   jacoco
-  id("org.hypertrace.jacoco-report-plugin")
+  alias(commonLibs.plugins.hypertrace.jacoco)
 }
 
 dependencies {
@@ -12,21 +12,21 @@ dependencies {
   implementation(projects.validationUtils)
   implementation(projects.configServiceChangeEventGenerator)
 
-  implementation(libs.guava)
-  implementation(libs.rxjava3)
+  implementation(commonLibs.guava)
+  implementation(commonLibs.rxjava3)
 
-  implementation(libs.hypertrace.grpcutils.context)
-  implementation(libs.hypertrace.grpcutils.client)
-  implementation(libs.hypertrace.grpcutils.rxserver)
-  implementation(libs.hypertrace.grpcutils.rxclient)
-  implementation(libs.slf4j.api)
+  implementation(commonLibs.hypertrace.grpcutils.context)
+  implementation(commonLibs.hypertrace.grpcutils.client)
+  implementation(commonLibs.hypertrace.grpcutils.rx.server)
+  implementation(commonLibs.hypertrace.grpcutils.rx.client)
+  implementation(commonLibs.slf4j2.api)
 
-  annotationProcessor(libs.lombok)
-  compileOnly(libs.lombok)
+  annotationProcessor(commonLibs.lombok)
+  compileOnly(commonLibs.lombok)
 
-  testImplementation(libs.junit.jupiter)
-  testImplementation(libs.mockito.core)
-  testImplementation(libs.mockito.junit)
+  testImplementation(commonLibs.junit.jupiter)
+  testImplementation(commonLibs.mockito.core)
+  testImplementation(commonLibs.mockito.junit)
   testImplementation(testFixtures(projects.configServiceApi))
 }
 

alerting-config-service-impl/gradle.lockfile

@@ -0,0 +1,52 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.auth0:java-jwt:4.4.0=runtimeClasspath
+com.auth0:jwks-rsa:0.22.0=runtimeClasspath
+com.fasterxml.jackson.core:jackson-annotations:2.15.2=runtimeClasspath
+com.fasterxml.jackson.core:jackson-core:2.15.2=runtimeClasspath
+com.fasterxml.jackson.core:jackson-databind:2.15.2=runtimeClasspath
+com.fasterxml.jackson:jackson-bom:2.15.2=compileClasspath,runtimeClasspath
+com.github.luben:zstd-jni:1.5.2-1=runtimeClasspath
+com.github.seancfoley:ipaddress:5.3.4=runtimeClasspath
+com.google.android:annotations:4.1.1.4=runtimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.17.0=compileClasspath,runtimeClasspath
+com.google.code.findbugs:jsr305:3.0.2=compileClasspath,runtimeClasspath
+com.google.code.gson:gson:2.10.1=runtimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,runtimeClasspath
+com.google.guava:failureaccess:1.0.1=compileClasspath,runtimeClasspath
+com.google.guava:guava-parent:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:guava:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=compileClasspath,runtimeClasspath
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath,runtimeClasspath
+com.google.protobuf:protobuf-java-util:3.24.1=runtimeClasspath
+com.google.protobuf:protobuf-java:3.24.1=compileClasspath,runtimeClasspath
+com.typesafe:config:1.4.2=compileClasspath,runtimeClasspath
+commons-io:commons-io:2.7=runtimeClasspath
+io.grpc:grpc-api:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-bom:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-context:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-core:1.57.2=runtimeClasspath
+io.grpc:grpc-protobuf-lite:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-protobuf:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-stub:1.57.2=compileClasspath,runtimeClasspath
+io.netty:netty-bom:4.1.100.Final=compileClasspath,runtimeClasspath
+io.perfmark:perfmark-api:0.26.0=runtimeClasspath
+io.reactivex.rxjava3:rxjava:3.1.7=compileClasspath,runtimeClasspath
+javax.annotation:javax.annotation-api:1.3.2=compileClasspath,runtimeClasspath
+org.apache.kafka:kafka-clients:7.4.0-ccs=compileClasspath,runtimeClasspath
+org.checkerframework:checker-qual:3.33.0=compileClasspath,runtimeClasspath
+org.codehaus.mojo:animal-sniffer-annotations:1.23=runtimeClasspath
+org.hypertrace.bom:hypertrace-bom:0.2.9=compileClasspath,runtimeClasspath
+org.hypertrace.core.eventstore:event-store:0.1.3=runtimeClasspath
+org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.6=compileClasspath,runtimeClasspath
+org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6=compileClasspath,runtimeClasspath
+org.hypertrace.core.grpcutils:grpc-context-utils:0.12.6=compileClasspath,runtimeClasspath
+org.hypertrace.core.grpcutils:grpc-server-rx-utils:0.12.6=compileClasspath,runtimeClasspath
+org.hypertrace.core.kafkastreams.framework:kafka-bom:0.3.9=compileClasspath,runtimeClasspath
+org.lz4:lz4-java:1.8.0=runtimeClasspath
+org.projectlombok:lombok:1.18.28=annotationProcessor,compileClasspath
+org.reactivestreams:reactive-streams:1.0.4=compileClasspath,runtimeClasspath
+org.slf4j:slf4j-api:2.0.7=compileClasspath,runtimeClasspath
+org.xerial.snappy:snappy-java:1.1.10.5=runtimeClasspath
+empty=

build.gradle.kts

@@ -1,19 +1,13 @@
 plugins {
-  id("org.hypertrace.repository-plugin") version "0.4.2"
-  id("org.hypertrace.ci-utils-plugin") version "0.3.2"
-  id("org.hypertrace.jacoco-report-plugin") version "0.2.1" apply false
-  id("org.hypertrace.publish-plugin") version "1.0.5" apply false
-  id("org.hypertrace.docker-java-application-plugin") version "0.9.9" apply false
-  id("org.hypertrace.docker-publish-plugin") version "0.9.9" apply false
-  id("org.hypertrace.integration-test-plugin") version "0.2.0" apply false
-  id("org.hypertrace.code-style-plugin") version "1.2.0" apply false
-  id("com.google.protobuf") version "0.8.19" apply false
-  id("org.owasp.dependencycheck") version "8.2.1"
+  alias(commonLibs.plugins.hypertrace.ciutils)
+  alias(commonLibs.plugins.hypertrace.codestyle) apply false
+  alias(commonLibs.plugins.hypertrace.publish) apply false
+  alias(commonLibs.plugins.owasp.dependencycheck)
 }
 
 subprojects {
   group = "org.hypertrace.config.service"
-  pluginManager.withPlugin("org.hypertrace.publish-plugin") {
+  pluginManager.withPlugin(rootProject.commonLibs.plugins.hypertrace.publish.get().pluginId) {
     configure<org.hypertrace.gradle.publishing.HypertracePublishExtension> {
       license.set(org.hypertrace.gradle.publishing.License.TRACEABLE_COMMUNITY)
     }
@@ -25,8 +19,7 @@ subprojects {
       targetCompatibility = JavaVersion.VERSION_11
     }
   }
-
-  apply(plugin = "org.hypertrace.code-style-plugin")
+  apply(plugin = rootProject.commonLibs.plugins.hypertrace.codestyle.get().pluginId)
 }
 
 dependencyCheck {

config-proto-converter/build.gradle.kts

@@ -1,19 +1,9 @@
 plugins {
   `java-library`
-  id("org.hypertrace.publish-plugin")
+  alias(commonLibs.plugins.hypertrace.publish)
 }
 
 dependencies {
-  api(libs.grpc.protobuf)
-  implementation(libs.protobuf.javautil)
-  constraints {
-    implementation(libs.gson) {
-      because("https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327")
-    }
-  }
-  constraints {
-    implementation("com.google.guava:guava:32.1.2-jre") {
-      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
-    }
-  }
+  api(commonLibs.grpc.protobuf)
+  implementation(commonLibs.protobuf.javautil)
 }

config-proto-converter/gradle.lockfile

@@ -0,0 +1,23 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.fasterxml.jackson:jackson-bom:2.15.2=compileClasspath,runtimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.17.0=compileClasspath,runtimeClasspath
+com.google.code.findbugs:jsr305:3.0.2=compileClasspath,runtimeClasspath
+com.google.code.gson:gson:2.8.9=compileClasspath,runtimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,runtimeClasspath
+com.google.guava:failureaccess:1.0.1=compileClasspath,runtimeClasspath
+com.google.guava:guava-parent:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:guava:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=compileClasspath,runtimeClasspath
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath,runtimeClasspath
+com.google.protobuf:protobuf-java-util:3.24.1=compileClasspath,runtimeClasspath
+com.google.protobuf:protobuf-java:3.24.1=compileClasspath,runtimeClasspath
+io.grpc:grpc-api:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-bom:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-protobuf-lite:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-protobuf:1.57.2=compileClasspath,runtimeClasspath
+org.checkerframework:checker-qual:3.33.0=compileClasspath,runtimeClasspath
+org.hypertrace.bom:hypertrace-bom:0.2.9=compileClasspath,runtimeClasspath
+org.hypertrace.core.kafkastreams.framework:kafka-bom:0.3.9=compileClasspath,runtimeClasspath
+empty=annotationProcessor

config-service-api/build.gradle.kts

@@ -1,29 +1,24 @@
-import com.google.protobuf.gradle.generateProtoTasks
 import com.google.protobuf.gradle.id
-import com.google.protobuf.gradle.ofSourceSet
-import com.google.protobuf.gradle.plugins
-import com.google.protobuf.gradle.protobuf
-import com.google.protobuf.gradle.protoc
 
 plugins {
   `java-library`
   `java-test-fixtures`
-  id("com.google.protobuf")
-  id("org.hypertrace.publish-plugin")
+  alias(commonLibs.plugins.google.protobuf)
+  alias(commonLibs.plugins.hypertrace.publish)
 }
 
 val generateLocalGoGrpcFiles = false
 
 protobuf {
   protoc {
-    artifact = "com.google.protobuf:protoc:${libs.versions.protoc.get()}"
+    artifact = "com.google.protobuf:protoc:${commonLibs.versions.protoc.get()}"
   }
   plugins {
     // Optional: an artifact spec for a protoc plugin, with "grpc" as
     // the identifier, which can be referred to in the "plugins"
     // container of the "generateProtoTasks" closure.
     id("grpc_java") {
-      artifact = "io.grpc:protoc-gen-grpc-java:${libs.versions.grpc.get()}"
+      artifact = "io.grpc:protoc-gen-grpc-java:${commonLibs.versions.grpc.get()}"
     }
 
     if (generateLocalGoGrpcFiles) {
@@ -62,20 +57,15 @@ sourceSets {
 }
 
 dependencies {
-  api(libs.bundles.grpc.api)
+  api(commonLibs.bundles.grpc.api)
 
-  testFixturesApi(libs.grpc.api)
+  testFixturesApi(commonLibs.grpc.api)
   testFixturesApi(projects.configServiceApi)
-  testFixturesImplementation(libs.grpc.stub)
-  testFixturesImplementation(libs.grpc.core)
-  testFixturesImplementation(libs.hypertrace.grpcutils.context)
-  testFixturesImplementation(libs.mockito.core)
-  testFixturesImplementation(libs.guava)
-  testFixturesAnnotationProcessor(libs.lombok)
-  testFixturesCompileOnly(libs.lombok)
-  constraints {
-    implementation("com.google.guava:guava:32.1.2-jre") {
-      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
-    }
-  }
+  testFixturesImplementation(commonLibs.grpc.stub)
+  testFixturesImplementation(commonLibs.grpc.core)
+  testFixturesImplementation(commonLibs.hypertrace.grpcutils.context)
+  testFixturesImplementation(commonLibs.mockito.core)
+  testFixturesImplementation(commonLibs.guava)
+  testFixturesAnnotationProcessor(commonLibs.lombok)
+  testFixturesCompileOnly(commonLibs.lombok)
 }

config-service-api/gradle.lockfile

@@ -0,0 +1,23 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.fasterxml.jackson:jackson-bom:2.15.2=compileClasspath,runtimeClasspath
+com.google.api.grpc:proto-google-common-protos:2.17.0=compileClasspath,runtimeClasspath
+com.google.code.findbugs:jsr305:3.0.2=compileClasspath,runtimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=compileClasspath,runtimeClasspath
+com.google.guava:failureaccess:1.0.1=compileClasspath,runtimeClasspath
+com.google.guava:guava-parent:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:guava:32.1.2-jre=compileClasspath,runtimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=compileClasspath,runtimeClasspath
+com.google.j2objc:j2objc-annotations:2.8=compileClasspath
+com.google.protobuf:protobuf-java:3.24.1=compileClasspath,runtimeClasspath
+io.grpc:grpc-api:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-bom:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-protobuf-lite:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-protobuf:1.57.2=compileClasspath,runtimeClasspath
+io.grpc:grpc-stub:1.57.2=compileClasspath,runtimeClasspath
+javax.annotation:javax.annotation-api:1.3.2=compileClasspath,runtimeClasspath
+org.checkerframework:checker-qual:3.33.0=compileClasspath,runtimeClasspath
+org.hypertrace.bom:hypertrace-bom:0.2.9=compileClasspath,runtimeClasspath
+org.hypertrace.core.kafkastreams.framework:kafka-bom:0.3.9=compileClasspath,runtimeClasspath
+empty=annotationProcessor

config-service-change-event-api/build.gradle.kts

@@ -1,15 +1,12 @@
-import com.google.protobuf.gradle.protobuf
-import com.google.protobuf.gradle.protoc
-
 plugins {
   `java-library`
-  id("com.google.protobuf")
-  id("org.hypertrace.publish-plugin")
+  alias(commonLibs.plugins.google.protobuf)
+  alias(commonLibs.plugins.hypertrace.publish)
 }
 
 protobuf {
   protoc {
-    artifact = "com.google.protobuf:protoc:${libs.versions.protoc.get()}"
+    artifact = "com.google.protobuf:protoc:${commonLibs.versions.protoc.get()}"
   }
 }
 
@@ -22,7 +19,7 @@ sourceSets {
 }
 
 dependencies {
-  api(libs.protobuf.java)
-  api(platform(libs.kafka.bom))
-  api(libs.kafka.clients)
+  api(commonLibs.protobuf.java)
+  api(platform(commonLibs.hypertrace.kafka.bom))
+  api(commonLibs.kafka.clients)
 }