chore: upgrade sweep — release compile gate, Tomcat bumps, CI/Renovate hardening#75
Merged
…novate hardening

pom.xml:
- switch maven.compiler.source/target → maven.compiler.release (11/17/21) so the compiler enforces the target JDK's API surface and drops the "system modules path not set" warning on newer local JDKs
- pin maven-compiler-plugin 3.15.0 with <failOnWarning>true</failOnWarning>; all three profiles + tests compile warning-clean

scripts/install-tomcat.sh:
- bump Tomcat 9.0.116→9.0.118, 10.1.52→10.1.55, 11.0.20→11.0.22
- add # renovate: annotations so each line is Renovate-tracked

Makefile:
- harden ci-run: --pull=false (containerd RWLayer race), dated catthehacker -P pin (ACT_UBUNTU_VERSION, Renovate-tracked), GITHUB_TOKEN forward for mise aqua: tool lookups, random artifact port/dir for multi-session safety
- widen help column 18→20 so deps-print-updates aligns

.github/workflows/ci.yml:
- re-include CLAUDE.md in the code paths-filter (project config runs CI)
- tag pushes force code=true so a tagged release is never skipped on an empty paths-filter diff

.github/workflows/cleanup-runs.yml:
- per-workflow run retention (a global KEEP_MINIMUM can deregister a low-frequency workflow); add cache-cleanup job + concurrency + workflow_call

renovate.json:
- pin JUnit to 5.x (JUnit 6 needs Java 17; tomcat9 tests run on Java 11)
- track Tomcat (scripts) + ACT_UBUNTU_VERSION (Makefile) via custom managers, with per-major Tomcat allowedVersions constraints
- hold mise github-tags bumps 3 days (tag-before-publish 404 guard)
- platformAutomerge:false so Renovate gates merges on green CI itself (master has no required status checks)

README.md / CLAUDE.md: document the release/failOnWarning change and add the Code Quality & Security make-target group.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Autonomous project-health sweep (`/upgrade-analysis` → `/makefile` → `/ci-workflow` → `/renovate` → `/readme` → `/repo-about` → `/ship-it`).

Real upgrades

- `install-tomcat.sh`: 9.0.116→9.0.118, 10.1.52→10.1.55, 11.0.20→11.0.22 (were untracked; now Renovate-tracked with per-major constraints). Everything else was already at latest; the Java pin (temurin-21.0.11) is the current April-2026 CPU.

Correctness

- `maven.compiler.source/target` → `maven.compiler.release` (11/17/21) + pinned `maven-compiler-plugin` with `failOnWarning=true`. Silences the "system modules path not set" warning and turns warnings into a real CI gate. Verified warning-clean across all 3 profiles + tests.

JUnit 6 decision

Kept JUnit 5.14.4 and added a Renovate major-guard. JUnit 6 requires a Java 17 test runtime, but the `tomcat9` profile tests on Java 11 (Tomcat 9 / `javax.servlet` minimum). Not upgrading is the correct call; same deliberate version-lock as the existing Jetty/Servlet guards. JUnit 5.14.x is fully maintained.

CI / Renovate hardening

- `ci.yml`: re-include `CLAUDE.md` in the code paths-filter; tag pushes force `code=true` (never skip a tagged release).
- `cleanup-runs.yml`: per-workflow run retention (a global `KEEP_MINIMUM` can deregister a low-frequency workflow) + cache-cleanup job.
- `renovate.json`: JUnit major-guard, Tomcat + `ACT_UBUNTU_VERSION` custom managers, mise `github-tags` 3-day buffer (tag-before-publish 404 guard), `platformAutomerge:false`.
- `Makefile`: hardened `ci-run` (`--pull=false`, dated catthehacker pin, `GITHUB_TOKEN` forward), help-column alignment.

`master` has no required status checks, so Renovate automerge could merge a red PR. `platformAutomerge:false` (in this PR) makes Renovate gate on green CI itself, but the categorical fix is to add `ci-pass` as a required status check (Settings → Branches/Rules). I left that to you since it changes the merge contract for all contributors.

Verification

`make ci` green (build + test + trivy-fs + gitleaks across the default profile); `make verify-all` green on all 3 profiles; `renovate-config-validator` passed; customManager regexes confirmed extracting all pins.

🤖 Generated with Claude Code
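The description says the Tomcat pins in `install-tomcat.sh` are now tracked through `# renovate:` annotations plus a regex customManager, and that per-major `allowedVersions` constraints keep each pin inside its major. The script below is an added illustration of that mechanism, not code from this PR or the project: it models a Renovate-style `matchString` over a constructed fragment of the install script, applies assumed per-major constraints, and shows which bump each pin would receive with and without the constraints. The annotation fields (`datasource`, `depName`), the variable names, the constraint strings and the release list are all assumptions made for the example.

```python
import re

# Constructed fragment of scripts/install-tomcat.sh in the "# renovate:" annotation
# style the PR describes. datasource/depName values and variable names are assumed.
INSTALL_TOMCAT_SH = """\
#!/usr/bin/env bash
# renovate: datasource=github-releases depName=apache/tomcat
TOMCAT9_VERSION=9.0.118
# renovate: datasource=github-releases depName=apache/tomcat
TOMCAT10_VERSION=10.1.55
# renovate: datasource=github-releases depName=apache/tomcat
TOMCAT11_VERSION=11.0.22
"""

# Stand-in for a Renovate regex customManager matchString: an annotation comment
# followed by a KEY=VERSION line. Group names mirror Renovate's template fields.
MATCH_STRING = re.compile(
    r"#\s*renovate:\s*datasource=(?P<datasource>\S+)\s+depName=(?P<depName>\S+)\s*\n"
    r"(?P<key>[A-Z][A-Z0-9_]*)=(?P<currentValue>\d+\.\d+\.\d+)\s*$",
    re.MULTILINE,
)

# Assumed per-major allowedVersions constraints, keyed by the shell variable holding the pin.
ALLOWED_VERSIONS = {
    "TOMCAT9_VERSION": "<10",
    "TOMCAT10_VERSION": ">=10.1 <11",
    "TOMCAT11_VERSION": ">=11 <12",
}

# Constructed release list; 12.0.0 is a hypothetical next major included to show the guard.
AVAILABLE = ["9.0.118", "9.0.119", "10.1.55", "10.1.56", "11.0.22", "11.0.23", "12.0.0"]


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def extract_pins(script):
    """Return one dict per annotated pin: key, currentValue, datasource, depName."""
    return [m.groupdict() for m in MATCH_STRING.finditer(script)]


def satisfies(version, constraint):
    """Check a version against space-separated comparator clauses, e.g. '>=10.1 <11'.
    Shorter bounds are zero-padded, so '<10' compares 10.1.55 against 10.0.0."""
    v = parse_version(version)
    for clause in constraint.split():
        m = re.fullmatch(r"(<=|>=|<|>)(\d+(?:\.\d+)*)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause}")
        op, bound = m.group(1), parse_version(m.group(2))
        width = max(len(v), len(bound))
        a = v + (0,) * (width - len(v))
        b = bound + (0,) * (width - len(bound))
        if not {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]:
            return False
    return True


def plan_updates(script, available, allowed=ALLOWED_VERSIONS):
    """For each extracted pin, choose the highest available version its constraint admits.
    A pin with no constraint takes the overall highest version, which is exactly the
    cross-major jump (9.x straight to 12.0.0) the per-major allowedVersions prevent."""
    plan = {}
    for pin in extract_pins(script):
        key, current = pin["key"], pin["currentValue"]
        constraint = allowed.get(key)
        candidates = [
            a for a in available
            if parse_version(a) > parse_version(current)
            and (constraint is None or satisfies(a, constraint))
        ]
        plan[key] = max(candidates, key=parse_version) if candidates else current
    return plan


if __name__ == "__main__":
    print("guarded:  ", plan_updates(INSTALL_TOMCAT_SH, AVAILABLE))
    print("unguarded:", plan_updates(INSTALL_TOMCAT_SH, AVAILABLE, allowed={}))
```

Running it with the constraints in place bumps each pin only within its own major; passing an empty `allowed` map shows all three pins being offered the hypothetical 12.0.0, which is the failure mode the "per-major constraints" in the PR close off. The same shape of check (extract, then filter candidates against a range) is what the JUnit 5.x major-guard in `renovate.json` does for the tomcat9/Java 11 profile.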