Merge origin/master into dependabot/maven/aws.sdk.version-2.44.9

Author: Copilot

.github/workflows/bazel.yml

@@ -6,8 +6,7 @@
 # Cache layers used:
 #   1. Repository cache   – downloaded JARs / external repositories
 #   2. Disk cache         – action output cache (build artifacts)
-# Both are saved to GitHub Actions cache keyed on the OS, Bazel module lock,
-# and Maven artifact list so cache hits are maximized across identical runs.
+# Repository cache is shared across OS runners; disk cache remains OS-scoped.
 
 name: bazel
 
@@ -102,7 +101,16 @@ jobs:
       # The disk cache stores compiled action outputs; the repository cache
       # stores downloaded external files (JARs, etc.).
       # ----------------------------------------------------------------
-      - name: Restore Bazel caches
+      - name: Restore Bazel repository cache (cross-OS)
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        with:
+          path: ~/.cache/bazel/cache/repos/v1
+          key: bazel-repos-java${{ matrix.java }}-${{ hashFiles('MODULE.bazel', '.bazelversion', 'maven_install.json') }}
+          restore-keys: |
+            bazel-repos-java${{ matrix.java }}-
+            bazel-repos-
+          enableCrossOsArchive: true
+      - name: Restore Bazel disk cache
         id: bazel-cache
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:

.github/workflows/codeql-analysis.yml

@@ -50,10 +50,10 @@ jobs:
         java-version: 17.0.x
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+      uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
       with:
         languages: ${{ matrix.language }}
         build-mode: none
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+      uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4

.github/workflows/dependabot-sync-bazel-backfill.yml

@@ -0,0 +1,116 @@
+name: dependabot-sync-bazel-backfill
+
+on:
+  workflow_dispatch:
+    inputs:
+      backfill_open_prs:
+        description: "Sync all currently open Dependabot pom.xml PRs"
+        required: true
+        type: boolean
+        default: false
+
+jobs:
+  sync-open-dependabot-prs:
+    if: >-
+      github.event_name == 'workflow_dispatch' &&
+      github.event.inputs.backfill_open_prs == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
+    env:
+      BAZELISK_SKIP_VERSION_CHECK: "1"
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Java 17
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Install Bazelisk
+        run: |
+          mkdir -p "$HOME/.local/bin"
+          curl -fsSL \
+            https://github.com/bazelbuild/bazelisk/releases/download/v1.24.1/bazelisk-linux-amd64 \
+            -o "$HOME/.local/bin/bazel"
+          chmod +x "$HOME/.local/bin/bazel"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Preserve Bazel sync script
+        run: |
+          cp scripts/sync_bazel_dependencies.py "${RUNNER_TEMP}/sync_bazel_dependencies.py"
+
+      - name: Sync all open Dependabot pom.xml PRs
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          api="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}"
+          open_prs_json='[]'
+          page=1
+          while :; do
+            page_json="$(curl -fsSL \
+              -u "x-access-token:${GITHUB_TOKEN}" \
+              -H "Accept: application/vnd.github+json" \
+              "${api}/pulls?state=open&per_page=100&page=${page}")"
+            open_prs_json="$(jq -s 'add' \
+              <(printf '%s' "${open_prs_json}") \
+              <(printf '%s' "${page_json}"))"
+            if [[ "$(jq 'length' <<< "${page_json}")" -lt 100 ]]; then
+              break
+            fi
+            page=$((page + 1))
+          done
+
+          while IFS=$'\t' read -r number head_ref head_repo base_ref author; do
+            if [[ "${author}" != "dependabot[bot]" ]]; then
+              continue
+            fi
+            if [[ "${base_ref}" != "master" ]]; then
+              continue
+            fi
+            if [[ "${head_repo}" != "${GITHUB_REPOSITORY}" ]]; then
+              echo "Skipping #${number}; head repo ${head_repo} is not ${GITHUB_REPOSITORY}."
+              continue
+            fi
+            if [[ "${head_ref}" != "dependabot/"* ]]; then
+              echo "Skipping #${number}; branch ${head_ref} is not a Dependabot branch."
+              continue
+            fi
+
+            pr_files_json="$(curl -fsSL \
+              -u "x-access-token:${GITHUB_TOKEN}" \
+              -H "Accept: application/vnd.github+json" \
+              "${api}/pulls/${number}/files?per_page=100")"
+            if ! jq -e '.[] | select(.filename == "pom.xml")' >/dev/null <<< "${pr_files_json}"; then
+              echo "Skipping #${number}; root pom.xml was not changed."
+              continue
+            fi
+
+            echo "Processing Dependabot PR #${number} (${head_ref})"
+            git fetch origin "${head_ref}"
+            git checkout -B "dependabot-sync-work" "origin/${head_ref}"
+            # Ensure each PR branch starts from a clean checkout before sync.
+            git reset --hard
+            git clean -fd
+
+            python3 "${RUNNER_TEMP}/sync_bazel_dependencies.py" --root "$PWD"
+            REPIN=1 bazel run @maven//:pin
+
+            if git diff --quiet -- MODULE.bazel maven_install.json; then
+              echo "No Bazel dependency changes needed for #${number}."
+              continue
+            fi
+
+            git add MODULE.bazel maven_install.json
+            git commit -m "Sync Bazel dependencies for Dependabot update (#${number})"
+            git push origin "HEAD:${head_ref}"
+          done < <(jq -r '.[] | [.number, .head.ref, .head.repo.full_name, .base.ref, .user.login] | @tsv' <<< "${open_prs_json}")

.github/workflows/dependabot-sync-bazel.yml

@@ -0,0 +1,58 @@
+name: dependabot-sync-bazel
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches: ["master"]
+    paths:
+      - "pom.xml"
+
+jobs:
+  sync-bazel-dependencies:
+    if: >-
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
+      github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
+    env:
+      BAZELISK_SKIP_VERSION_CHECK: "1"
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Java 17
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Install Bazelisk
+        run: |
+          mkdir -p "$HOME/.local/bin"
+          curl -fsSL \
+            https://github.com/bazelbuild/bazelisk/releases/download/v1.24.1/bazelisk-linux-amd64 \
+            -o "$HOME/.local/bin/bazel"
+          chmod +x "$HOME/.local/bin/bazel"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Sync Bazel dependency files
+        run: |
+          python3 scripts/sync_bazel_dependencies.py
+          REPIN=1 bazel run @maven//:pin
+
+      - name: Commit regenerated Bazel files
+        shell: bash
+        run: |
+          if git diff --quiet -- MODULE.bazel maven_install.json; then
+            echo "No Bazel dependency file changes detected."
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add MODULE.bazel maven_install.json
+          git commit -m "Sync Bazel dependencies for Dependabot update"
+          git push origin "HEAD:${{ github.event.pull_request.head.ref }}"

.github/workflows/spring.yml

@@ -11,17 +11,48 @@ jobs:
       matrix:
         java: [ 17, 21, 25, 26 ]
     runs-on: ubuntu-latest
+    env:
+      BAZELISK_SKIP_VERSION_CHECK: "1"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Java
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
-      - name: Cache local Maven repository
+      - name: Install Bazelisk
+        run: |
+          mkdir -p "$HOME/.local/bin"
+          curl -fsSL \
+            https://github.com/bazelbuild/bazelisk/releases/download/v1.24.1/bazelisk-linux-amd64 \
+            -o "$HOME/.local/bin/bazel"
+          chmod +x "$HOME/.local/bin/bazel"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+      - name: Restore Bazel repository cache (cross-OS)
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-spring-${{ matrix.java }}-${{ hashFiles('pom.xml', '**/pom.xml') }}
-      - name: Build Spring modules with Maven
-        run: ./mvnw -q -B --define=org.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn -pl spring,spring-aot -am clean test
+          path: ~/.cache/bazel/cache/repos/v1
+          key: bazel-repos-${{ matrix.java }}-${{ hashFiles('MODULE.bazel', '.bazelversion', 'maven_install.json') }}
+          restore-keys: |
+            bazel-repos-${{ matrix.java }}-
+            bazel-repos-
+          enableCrossOsArchive: true
+      - name: Restore Bazel disk cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        with:
+          path: ~/.cache/bazel-disk-cache
+          key: bazel-${{ runner.os }}-java${{ matrix.java }}-${{ hashFiles('MODULE.bazel', '.bazelversion', 'maven_install.json') }}
+          restore-keys: |
+            bazel-${{ runner.os }}-java${{ matrix.java }}-
+            bazel-${{ runner.os }}-
+      - name: Pin Maven dependencies
+        run: REPIN=1 bazel run @maven//:pin
+      - name: Build Spring integrations with Bazel
+        run: >-
+          bazel build --config=ci
+          //spring:client-java-spring-integration
+          //spring-aot:client-java-spring-aot-integration
+      - name: Test Spring integrations with Bazel
+        run: >-
+          bazel test --config=ci
+          //spring:tests

MODULE.bazel

@@ -70,12 +70,12 @@ maven.install(
         "com.squareup.okio:okio-jvm:3.16.4",
         "com.flipkart.zjsonpatch:zjsonpatch:0.4.16",
         # ---- spring (Java 17+ modules) ----
-        "org.springframework:spring-core:6.2.8",
-        "org.springframework:spring-aop:6.2.8",
-        "org.springframework:spring-beans:6.2.8",
-        "org.springframework:spring-context:6.2.8",
-        "org.springframework:spring-expression:6.2.8",
-        "org.springframework:spring-test:6.2.8",
+        "org.springframework:spring-core:7.0.7",
+        "org.springframework:spring-aop:7.0.7",
+        "org.springframework:spring-beans:7.0.7",
+        "org.springframework:spring-context:7.0.7",
+        "org.springframework:spring-expression:7.0.7",
+        "org.springframework:spring-test:7.0.7",
         # ---- test ----
         "ch.qos.logback:logback-classic:1.5.32",
         "ch.qos.logback:logback-core:1.5.32",
@@ -103,7 +103,7 @@ maven.install(
 )
 
 # Spring Boot 4.0.6 artifacts declared with exclusions to keep
-# spring-framework pinned to 6.2.8.
+# spring-framework pinned to 7.0.7.
 _SPRING_FRAMEWORK_EXCLUSIONS = [
     "org.springframework:spring-core",
     "org.springframework:spring-aop",