CMSgov · davidberry-sb · Mar 5, 2026
@@ -0,0 +1,65 @@
+version: 2
+updates:
+  # Maven dependencies
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    # Group related dependency updates
+    groups:
+      aws-sdk:
+        patterns:
+          - "com.amazonaws:aws-java-sdk-*"
+        exclude-patterns:
+          - "com.amazonaws:aws-dynamodb-encryption-java"
+      aws-encryption:
+        patterns:
+          - "com.amazonaws:aws-dynamodb-encryption-java"
+      spring:
+        patterns:
+          - "org.springframework*:*"
+      jackson:
+        patterns:
+          - "com.fasterxml.jackson.*:*"
+      testing:
+        patterns:
+          - "org.junit.*:*"
+          - "org.mockito:*"
+          - "com.google.truth:*"
+      build-tools:
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "org.jacoco:*"
+          - "com.github.spotbugs:*"
+    # Security updates get higher priority
+    labels:
+      - "dependencies"
+      - "security"
+    # Ignore major version updates for critical dependencies
+    ignore:
+      - dependency-name: "org.junit.*"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "com.amazonaws:aws-dynamodb-encryption-java"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "*"
+        # Ignore Java version updates (handle manually)
+        versions: ["18.*", "19.*", "20.*", "21.*"]
+
+  # GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "10:00"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "dependencies"
+      - "github-actions"
@@ -0,0 +1,134 @@
+name: Dependency Update Validation
+
+on:
+  pull_request:
+    branches: [ develop ]
+    paths:
+      - '**/pom.xml'
+      - '.github/dependabot.yml'
+
+jobs:
+  validate-dependencies:
+    name: Validate Dependency Updates
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 2
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: "17"
+        distribution: "corretto"
+        cache: 'maven'
+
+    - name: Check for AWS SDK version consistency
+      run: |
+        echo "Checking AWS SDK version consistency across all pom.xml files..."
+        AWS_VERSION=$(grep '<aws.version>' pom.xml | sed 's/.*<aws.version>\(.*\)<\/aws.version>.*/\1/')
+        echo "Root AWS version: $AWS_VERSION"
+
+        # Check if all AWS dependencies use the property
+        if grep -r "com.amazonaws" --include="*.xml" . | grep -v "\${aws.version}" | grep -v "aws-dynamodb-encryption-java" | grep "<version>"; then
+          echo "❌ Found AWS dependencies not using \${aws.version} property:"
+          grep -r "com.amazonaws" --include="*.xml" . | grep -v "\${aws.version}" | grep -v "aws-dynamodb-encryption-java" | grep "<version>"
+          exit 1
+        else
+          echo "✅ All core AWS dependencies use the \${aws.version} property"
+        fi
+
+        # Check DynamoDB encryption library separately
+        if grep -q "aws-dynamodb-encryption-java" <<< "$GITHUB_HEAD_REF"; then
+          echo "🔒 DynamoDB encryption library update detected - extra validation required"
+          echo "ENCRYPTION_UPDATE=true" >> $GITHUB_ENV
+        fi
+
+    - name: Run comprehensive tests
+      run: |
+        echo "Running full test suite..."
+        # Note: Removed OWASP dependency-check as project already uses Snyk + SonarQube
+        mvn --batch-mode clean verify -Pintegration -Dskip.generate=true
+
+    - name: Test encryption functionality
+      if: env.ENCRYPTION_UPDATE == 'true'
+      run: |
+        echo "🔒 Testing DynamoDB encryption functionality..."
+        # Run encryption-specific tests
+        mvn --batch-mode test -Dtest="*DynamoDbConfig*,*DbService*" 
+        echo "✅ Encryption tests completed"
+
+    - name: Check for breaking changes
+      run: |
+        echo "Checking for potential breaking changes..."
+        # Compare API surface if you have API compatibility tools
+        # This is a placeholder - you might want to add specific checks
+        mvn --batch-mode compile test-compile
+
+    - name: Security scan
+      run: |
+        echo "Running security checks..."
+        mvn --batch-mode spotbugs:check
+
+    - name: Comment PR with results
+      if: always()
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          let comment = '## 🔍 Dependency Update Validation\n\n';
+
+          if (process.env.GITHUB_JOB_STATUS === 'success') {
+            comment += '✅ **All checks passed!** This dependency update looks safe to merge.\n\n';
+            comment += '- Dependency consistency: ✅\n';
+            comment += '- Security scan: ✅\n';
+            comment += '- Test suite: ✅\n';
+          } else {
+            comment += '❌ **Some checks failed.** Please review before merging.\n\n';
+            comment += 'Check the workflow logs for details.\n';
+          }
+
+          comment += '\n---\n*Auto-generated by dependency validation workflow*';
+
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: comment
+          });
+
+  integration-test:
+    name: Extended Integration Tests  
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    needs: validate-dependencies
+
+    services:
+      localstack:
+        image: localstack/localstack:latest
+        env:
+          SERVICES: s3,dynamodb,kms
+          DEFAULT_REGION: us-east-1
+        ports:
+          - 4566:4566
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: "17"
+        distribution: "corretto"
+        cache: 'maven'
+
+    - name: Test against mocked AWS services
+      run: |
+        echo "Testing with LocalStack (mocked AWS services)..."
+        export AWS_ENDPOINT_OVERRIDE=http://localhost:4566
+        export AWS_ACCESS_KEY_ID=test
+        export AWS_SECRET_ACCESS_KEY=test
+        mvn --batch-mode test -Pintegration
@@ -0,0 +1,130 @@
+#!/bin/bash
+
+# Dependency Update Helper Script
+# Usage: ./scripts/update-dependencies.sh [aws|all]
+
+set -e
+
+echo "🔍 QPP Conversion Tool - Dependency Update Helper"
+echo "================================================="
+
+# Function to check Maven dependency updates
+check_maven_updates() {
+    echo "📦 Checking for Maven dependency updates..."
+    mvn versions:display-dependency-updates -DprocessDependencyManagement=false
+    echo ""
+
+    echo "📦 Checking for Maven plugin updates..."
+    mvn versions:display-plugin-updates
+    echo ""
+}
+
+# Function to update AWS SDK specifically
+update_aws_sdk() {
+    echo "🔧 Updating AWS SDK to latest version..."
+
+    # Get current AWS version
+    CURRENT_VERSION=$(grep '<aws.version>' pom.xml | sed 's/.*<aws.version>\(.*\)<\/aws.version>.*/\1/')
+    echo "Current AWS SDK version: $CURRENT_VERSION"
+
+    # Check for latest AWS SDK version
+    echo "Checking for latest AWS SDK version..."
+    LATEST_VERSION=$(mvn versions:resolve-ranges -Dincludes="com.amazonaws:aws-java-sdk-core" -q | grep "aws-java-sdk-core" | tail -1 | sed 's/.*-> \([0-9.]*\).*/\1/' || echo "")
+
+    if [ ! -z "$LATEST_VERSION" ] && [ "$LATEST_VERSION" != "$CURRENT_VERSION" ]; then
+        echo "Latest AWS SDK version: $LATEST_VERSION"
+        read -p "Update AWS SDK from $CURRENT_VERSION to $LATEST_VERSION? (y/N): " confirm
+
+        if [[ $confirm =~ ^[Yy]$ ]]; then
+            echo "Updating aws.version property..."
+            sed -i.bak "s/<aws.version>$CURRENT_VERSION<\/aws.version>/<aws.version>$LATEST_VERSION<\/aws.version>/" pom.xml
+            rm pom.xml.bak 2>/dev/null || true
+
+            echo "✅ Updated AWS SDK version to $LATEST_VERSION"
+            echo "🧪 Running tests to validate update..."
+
+            mvn --batch-mode clean compile test -q -Dskip.generate=true
+            if [ $? -eq 0 ]; then
+                echo "✅ Tests passed! Update looks good."
+            else
+                echo "❌ Tests failed. Reverting change..."
+                git checkout pom.xml
+                exit 1
+            fi
+        fi
+    else
+        echo "✅ AWS SDK is already at the latest version ($CURRENT_VERSION)"
+    fi
+}
+
+# Function to create a dependency update PR
+create_update_pr() {
+    local update_type=$1
+    local branch_name="deps/update-$update_type-$(date +%Y%m%d)"
+
+    echo "🌿 Creating branch: $branch_name"
+    git checkout -b "$branch_name"
+
+    echo "📝 Committing changes..."
+    git add pom.xml
+    git commit -m "deps: update $update_type dependencies
+
+- Updated $update_type dependencies to latest versions
+- Validated with test suite
+- Auto-generated by update script"
+
+    echo "🚀 Pushing branch..."
+    git push -u origin "$branch_name"
+
+    # Create PR using GitHub CLI if available
+    if command -v gh &> /dev/null; then
+        echo "📋 Creating pull request..."
+        gh pr create \
+            --title "deps: update $update_type dependencies" \
+            --body "Automated dependency update for $update_type.
+
+## Changes
+- Updated $update_type dependencies to latest versions
+- All tests pass ✅
+
+## Validation
+- [ ] Integration tests pass
+- [ ] Security scan clean
+- [ ] Performance impact assessed
+
+/cc @your-team" \
+            --label "dependencies" \
+            --assignee "@me"
+    else
+        echo "💡 GitHub CLI not installed. Please create PR manually for branch: $branch_name"
+    fi
+}
+
+# Main script logic
+case "${1:-all}" in
+    "aws")
+        echo "🎯 Targeting AWS SDK updates only"
+        update_aws_sdk
+        if git diff --quiet pom.xml; then
+            echo "No changes made."
+        else
+            create_update_pr "aws-sdk"
+        fi
+        ;;
+    "all")
+        echo "🎯 Checking all dependencies"
+        check_maven_updates
+        echo ""
+        echo "💡 Use 'mvn versions:use-latest-versions' to update dependencies"
+        echo "💡 Use '$0 aws' to update just AWS SDK"
+        ;;
+    *)
+        echo "Usage: $0 [aws|all]"
+        echo "  aws  - Update AWS SDK only"
+        echo "  all  - Check all dependency updates (default)"
+        exit 1
+        ;;
+esac
+
+echo ""
+echo "✨ Done!"