
ci(dependabot): pin target-branch develop + sync deps from main #115#117

Merged
DemchaAV merged 2 commits into develop from chore/sync-deps-and-dependabot-target on Jun 1, 2026

Conversation

@DemchaAV DemchaAV commented Jun 1, 2026

Summary

Closes the divergence root cause that bit us twice on the
v1.6.7 cycle (#111 jasperreports, #115 maven-minor-patch group).

The pattern

Dependabot reads the repo's default branch (main) and opens
grouped update PRs there. Our release cadence is:

  1. Develop work on develop
  2. Cut release, tag from develop
  3. Merge develop → main

So whenever Dependabot's weekly cycle fires while a release is in
flight, the grouped PR lands on main instead of develop. By
the next release-prep, develop is missing those bumps and needs
a manual cherry-pick to stay aligned.

The episode was painful enough during v1.6.7 (twice) that I dropped
the structural fix into a focused PR rather than carrying it forward
as a perpetual cherry-pick chore.

Changes

Commit 1 (cherry-pick of 6668c89e from main):

  • jackson-bom 2.21.3 → 2.21.4
  • logback-classic 1.5.32 → 1.5.34 (fixes
    CVE-2026-9828
    HardenedModelInputStream deserialization whitelist bypass)
  • central-publishing-maven-plugin 0.7.0 → 0.9.0 (we blocked
    0.10.0; 0.9.0 is a 2-minor jump and acceptable)
  • japicmp-maven-plugin 0.23.1 → 0.26.1
  • maven-enforcer-plugin 3.5.0 → 3.6.3
  • Plus maven-clean / site / resources / surefire / source / gpg
    minor & patch bumps

Conflict resolution: the cherry-pick'd japicmp.baseline flipped
back from v1.6.7 to v1.6.6 (because the bump was made on main
before the v1.6.7 cut); kept develop's v1.6.7 baseline and took
main's plugin-version bump.

Commit 2 (this PR's own change):

  • .github/dependabot.yml: `target-branch: develop` added to
    both maven and github-actions ecosystem blocks. Documented
    inline with the reasoning.

Test plan

  • ./mvnw test -pl . (1032 tests, 0 failures)
  • ./mvnw verify -P japicmp -pl . — japicmp 0.26.1 plugin on
    the v1.6.7 baseline; expected semver PATCH (no public-API
    surface delta in this PR).
  • After merge: confirm next Dependabot weekly cycle on Monday
    lands its PR on develop, not main.
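
The `target-branch` pin described in this PR, as an added example that is not the repository's own dependabot.yml or tooling: a constructed before/after pair of ecosystem blocks, a small lint that flags any `updates` entry without `target-branch: develop` (the kind of check that can run in CI so the pin cannot silently regress), and a check over constructed `gh pr list --json` output for the post-merge verification step in the test plan. The group name `maven-minor-patch`, the maven and github-actions ecosystems and the `develop` target come from the PR; the schedule and group layout, and the sample PR list, are assumed.

```python
import json

# Constructed before/after dependabot.yml (not the repo's file). The group
# name maven-minor-patch and the two ecosystems come from the PR; the
# schedule and group layout are assumed.
BEFORE = """\
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      maven-minor-patch:
        update-types: ["minor", "patch"]
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

AFTER = """\
version: 2
updates:
  # Releases are cut from develop and merged to main afterwards. Without
  # this pin Dependabot targets the default branch (main), so grouped
  # bumps land there and develop drifts until someone cherry-picks.
  - package-ecosystem: "maven"
    directory: "/"
    target-branch: "develop"
    schedule:
      interval: "weekly"
    groups:
      maven-minor-patch:
        update-types: ["minor", "patch"]
  - package-ecosystem: "github-actions"
    directory: "/"
    target-branch: "develop"
    schedule:
      interval: "weekly"
"""


def parse_update_blocks(text):
    """Collect the top-level scalar keys of each entry under `updates:`.

    Deliberately minimal (no PyYAML dependency): it understands the
    indentation-based shape Dependabot uses, skips nested mappings such
    as schedule/groups, and drops `#` comments.
    """
    blocks, in_updates, item_indent = [], False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:                       # new top-level key
            in_updates = stripped == "updates:"
            continue
        if not in_updates:
            continue
        if stripped.startswith("- "):         # start of a list entry
            item_indent = indent
            blocks.append({})
            stripped = stripped[2:]
        elif item_indent is None or indent != item_indent + 2:
            continue                          # nested key: skip
        key, _, value = stripped.partition(":")
        value = value.strip().strip("\"'")
        if value:
            blocks[-1][key.strip()] = value
    return blocks


def missing_target_branch(text, expected="develop"):
    """Ecosystems whose block does not pin target-branch to `expected`."""
    return [
        b.get("package-ecosystem", "<unknown>")
        for b in parse_update_blocks(text)
        if b.get("target-branch") != expected
    ]


# Constructed stand-in for the output of
#   gh pr list --author app/dependabot --state all --json number,baseRefName
# PR #115 (base main) is from this page; the 0-numbered entry is a placeholder.
SAMPLE_PR_JSON = json.dumps([
    {"number": 115, "baseRefName": "main"},
    {"number": 0, "baseRefName": "develop"},
])


def prs_off_target(pr_json, expected="develop"):
    """Numbers of Dependabot PRs whose base branch is not `expected`."""
    return [p["number"] for p in json.loads(pr_json) if p["baseRefName"] != expected]
```

`missing_target_branch(BEFORE)` reports both ecosystems, `missing_target_branch(AFTER)` reports none, and `prs_off_target(SAMPLE_PR_JSON)` returns `[115]`, matching the PR that landed on main. Running the lint against the real file in CI turns the "confirm next weekly cycle lands on develop" step into a check that fails before the next drift rather than after it.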

dependabot Bot and others added 2 commits June 1, 2026 17:03
…h 11 updates (#115)

Bumps the maven-minor-patch group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) | `2.21.3` | `2.21.4` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.32` | `1.5.34` |
| [org.apache.maven.plugins:maven-clean-plugin](https://github.com/apache/maven-clean-plugin) | `3.4.0` | `3.5.0` |
| [org.apache.maven.plugins:maven-site-plugin](https://github.com/apache/maven-site-plugin) | `3.21.0` | `3.22.0` |
| [org.apache.maven.plugins:maven-resources-plugin](https://github.com/apache/maven-resources-plugin) | `3.3.1` | `3.5.0` |
| [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) | `3.5.0` | `3.6.3` |
| [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) | `3.5.5` | `3.5.6` |
| [org.apache.maven.plugins:maven-source-plugin](https://github.com/apache/maven-source-plugin) | `3.3.1` | `3.4.0` |
| [org.apache.maven.plugins:maven-gpg-plugin](https://github.com/apache/maven-gpg-plugin) | `3.2.7` | `3.2.8` |
| [org.sonatype.central:central-publishing-maven-plugin](https://github.com/sonatype/central-publishing-maven-plugin) | `0.7.0` | `0.9.0` |
| [com.github.siom79.japicmp:japicmp-maven-plugin](https://github.com/siom79/japicmp) | `0.23.1` | `0.26.1` |

Bumps the maven-minor-patch group with 2 updates in the /benchmarks directory: [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) and [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire).
Bumps the maven-minor-patch group with 2 updates in the /examples directory: [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) and [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire).

Updates `com.fasterxml.jackson:jackson-bom` from 2.21.3 to 2.21.4
- [Commits](FasterXML/jackson-bom@jackson-bom-2.21.3...jackson-bom-2.21.4)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `org.apache.maven.plugins:maven-clean-plugin` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/apache/maven-clean-plugin/releases)
- [Commits](apache/maven-clean-plugin@maven-clean-plugin-3.4.0...maven-clean-plugin-3.5.0)

Updates `org.apache.maven.plugins:maven-site-plugin` from 3.21.0 to 3.22.0
- [Release notes](https://github.com/apache/maven-site-plugin/releases)
- [Commits](apache/maven-site-plugin@maven-site-plugin-3.21.0...maven-site-plugin-3.22.0)

Updates `org.apache.maven.plugins:maven-resources-plugin` from 3.3.1 to 3.5.0
- [Release notes](https://github.com/apache/maven-resources-plugin/releases)
- [Commits](apache/maven-resources-plugin@maven-resources-plugin-3.3.1...maven-resources-plugin-3.5.0)

Updates `org.apache.maven.plugins:maven-enforcer-plugin` from 3.5.0 to 3.6.3
- [Release notes](https://github.com/apache/maven-enforcer/releases)
- [Commits](apache/maven-enforcer@enforcer-3.5.0...enforcer-3.6.3)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `org.apache.maven.plugins:maven-source-plugin` from 3.3.1 to 3.4.0
- [Release notes](https://github.com/apache/maven-source-plugin/releases)
- [Commits](apache/maven-source-plugin@maven-source-plugin-3.3.1...maven-source-plugin-3.4.0)

Updates `org.apache.maven.plugins:maven-gpg-plugin` from 3.2.7 to 3.2.8
- [Release notes](https://github.com/apache/maven-gpg-plugin/releases)
- [Commits](apache/maven-gpg-plugin@maven-gpg-plugin-3.2.7...maven-gpg-plugin-3.2.8)

Updates `org.sonatype.central:central-publishing-maven-plugin` from 0.7.0 to 0.9.0
- [Commits](https://github.com/sonatype/central-publishing-maven-plugin/commits)

Updates `com.github.siom79.japicmp:japicmp-maven-plugin` from 0.23.1 to 0.26.1
- [Release notes](https://github.com/siom79/japicmp/releases)
- [Changelog](https://github.com/siom79/japicmp/blob/master/release.py)
- [Commits](siom79/japicmp@japicmp-base-0.23.1...japicmp-base-0.26.1)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

Updates `org.apache.maven.plugins:maven-surefire-plugin` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.5.5...surefire-3.5.6)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.21.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-clean-plugin
  dependency-version: 3.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-site-plugin
  dependency-version: 3.22.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-resources-plugin
  dependency-version: 3.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-enforcer-plugin
  dependency-version: 3.6.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-source-plugin
  dependency-version: 3.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-gpg-plugin
  dependency-version: 3.2.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.sonatype.central:central-publishing-maven-plugin
  dependency-version: 0.9.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: com.github.siom79.japicmp:japicmp-maven-plugin
  dependency-version: 0.26.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: maven-minor-patch
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: maven-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Closes the root cause of the v1.6.7-era #111 / #115 divergence
pattern. Dependabot was reading the repo's default branch (main)
and opening grouped PRs there; releases are cut from develop then
merged to main, so every grouped PR landed alongside the latest
release and force-diverged from ongoing dev work. Each one
required a cherry-pick to align — fixed once by a small
explicit `target-branch: develop` on the maven and github-actions
ecosystem blocks.

Sibling cherry-pick (preceding commit on this branch) brings the
PR #115 deps bump bundle from main to develop so the two branches
match before the policy takes effect.
@DemchaAV DemchaAV merged commit fc8394a into develop Jun 1, 2026
11 checks passed
@DemchaAV DemchaAV deleted the chore/sync-deps-and-dependabot-target branch June 1, 2026 16:11
