From 0f08e74051fc280790ea3e8960360299a3dd8be6 Mon Sep 17 00:00:00 2001
From: Xiang Fu <xiangfu.1024@gmail.com>
Date: Sat, 25 Apr 2026 22:01:44 -0700
Subject: [PATCH 1/2] Bypass Dependabot for ClassLoaderTest's pinned commons-io
 2.11.0 fixture

ClassLoaderTest pins commons-io 2.11.0 as a test fixture (asserts
the literal jar filename and contents to validate plugin realm
isolation). The same coordinate is consumed at a newer version in
the top-level pom.xml, so a repo-wide Dependabot ignore rule is
not viable -- it would block legitimate commons-io upgrades. With
the previous <artifactItem> declaration, Dependabot kept opening
PRs that bumped the pinned 2.11.0 reference (e.g. #18331), forcing
manual reverts.

Refactor the fixture fetch to a two-step pipeline that hides the
coordinate from Dependabot's Maven updater while preserving Maven's
normal resolution semantics:

- maven-dependency-plugin:get with <artifact>commons-io:commons-io:2.11.0</artifact>
  resolves the jar through the standard resolution chain (local
  cache, configured mirrors, authenticated repos, SHA-1 checksum
  validation). Dependabot scans structured groupId+artifactId+version
  triples in <dependency>/<plugin>/<artifactItem> blocks, not
  single-string <artifact> values in plugin configuration.
- maven-antrun-plugin:run copies the resolved jar from
  ${settings.localRepository} into target/test-classes, preserving
  the literal filename commons-io-2.11.0.jar that
  ClassLoaderTest.assemblyBasedRealm asserts on.

Also update .github/dependabot.yml to drop the now-obsolete caveat
about commons-io.

Verified locally: ClassLoaderTest's 5 cases (assemblyBasedRealm,
classRealms, classicPluginClassloader, limitedPluginRealm,
unlimitedPluginRealm) all pass on a clean target dir with the
local commons-io 2.11.0 cache deleted (forcing fresh resolution).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/dependabot.yml | 17 ++++++----
 pinot-spi/pom.xml      | 74 ++++++++++++++++++++++++++++++++++++------
 2 files changed, 74 insertions(+), 17 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index cb571983d463..14f5c971e60e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -30,14 +30,17 @@ updates:
     # These artifacts are pinned in pinot-spi/pom.xml (maven-dependency-plugin artifactItems) because
     # ClassLoaderTest asserts plugin realm isolation against known artifact contents. Dependabot's
     # `versions` filter is matched against the *target* version of an update, so we use range filters
-    # (">= <next>") to block every bump to a newer version for these coordinates.
+    # (">= <next>") to block every bump to a newer version for these coordinates. The rules apply
+    # repo-wide by coordinate, which is fine here because pinot-dropwizard / pinot-yammer /
+    # com.yammer.metrics:metrics-core are not referenced anywhere else.
     #
-    # Caveat: these rules apply repo-wide by coordinate. pinot-dropwizard / pinot-yammer /
-    # com.yammer.metrics:metrics-core are not referenced anywhere else, so locking them is safe.
-    # commons-io:commons-io is also consumed in the top-level pom.xml at a newer version, so it is
-    # intentionally NOT locked here; Dependabot may still open PRs that also modify the hardcoded
-    # 2.11.0 in pinot-spi/pom.xml — reviewers must revert that part manually (see the DO NOT BUMP
-    # comment next to the <version>2.11.0</version> entry in pinot-spi/pom.xml).
+    # The ClassLoaderTest also pins commons-io 2.11.0, but that coordinate is consumed at a newer
+    # version elsewhere (top-level pom.xml), so we cannot block it here. Instead, the fixture is
+    # resolved via maven-dependency-plugin's `dependency:get` goal in pinot-spi/pom.xml using a
+    # single-string <artifact>commons-io:commons-io:2.11.0</artifact> parameter — Dependabot's
+    # Maven updater scans structured groupId+artifactId+version triples inside <dependency>,
+    # <plugin>, and <artifactItem> blocks, not single-string <artifact> values in plugin
+    # configuration, so no ignore rule for commons-io is needed.
     - dependency-name: "org.apache.pinot:pinot-dropwizard"
       versions: [">= 0.10.1"]
     - dependency-name: "org.apache.pinot:pinot-yammer"
diff --git a/pinot-spi/pom.xml b/pinot-spi/pom.xml
index fca66c6cc345..2d03ead2ac10 100644
--- a/pinot-spi/pom.xml
+++ b/pinot-spi/pom.xml
@@ -62,10 +62,10 @@
 
                  DO NOT BUMP the hardcoded versions below. They are intentionally pinned test fixtures used by
                  ClassLoaderTest to validate plugin realm isolation against known artifact contents. Corresponding
-                 ignore rules live in .github/dependabot.yml, but Dependabot cannot always distinguish these locked
-                 references from other uses of the same coordinate elsewhere in the repo (e.g., commons-io is also
-                 consumed at a newer version in the top-level pom.xml), so Dependabot may still open PRs that touch
-                 this file. Reviewers: reject any change to the versions below.
+                 ignore rules live in .github/dependabot.yml. (commons-io 2.11.0, which is also consumed at a newer
+                 version in the top-level pom.xml, is fetched via the separate `fetch-classloadertest-commons-io-fixture`
+                 / `copy-classloadertest-commons-io-fixture` executions below to keep its coordinate off Dependabot's
+                 scanner without blocking legitimate commons-io upgrades.)
             -->
             <phase>generate-test-resources</phase>
             <goals>
@@ -94,12 +94,6 @@
                   <classifier>shaded</classifier>
                   <outputDirectory>${project.build.testOutputDirectory}/plugins/pinot-shaded-yammer</outputDirectory>
                 </artifactItem>
-                <artifactItem>
-                  <groupId>commons-io</groupId>
-                  <artifactId>commons-io</artifactId>
-                  <version>2.11.0</version> <!-- PINNED test fixture: DO NOT BUMP (asserted by ClassLoaderTest) -->
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin</outputDirectory>
-                </artifactItem>
                 <artifactItem>
                   <groupId>com.yammer.metrics</groupId>
                   <artifactId>metrics-core</artifactId>
@@ -109,6 +103,36 @@
               </artifactItems>
             </configuration>
           </execution>
+          <execution>
+            <id>fetch-classloadertest-commons-io-fixture</id>
+            <!-- Resolve commons-io 2.11.0 into the local Maven repository for the ClassLoaderTest fixture.
+                 Why this two-step (dependency:get + antrun copy) and not an <artifactItem> in copy-pinot-plugins?
+                 commons-io is also consumed at a newer version in the top-level pom.xml. Putting 2.11.0 in an
+                 <artifactItem> exposes the coordinate to Dependabot's Maven updater, which would open repeated
+                 PRs trying to "upgrade" the pinned test fixture. A repo-wide ignore is not viable because it
+                 would also block legitimate commons-io upgrades for the production version.
+
+                 dependency:get takes a single-string <artifact>groupId:artifactId:version</artifact> parameter
+                 — Dependabot's Maven updater scans <dependency>/<plugin>/<artifactItem> blocks for structured
+                 groupId+artifactId+version triples, NOT single-string <artifact> parameters in plugin
+                 configuration. Resolution still goes through Maven's normal chain (local cache, configured
+                 mirrors, authenticated repos, SHA-1 checksum validation), so offline/mirrored builds keep
+                 working and the fixture jar's integrity is verified.
+
+                 The companion `copy-classloadertest-commons-io-fixture` antrun execution copies the resolved
+                 jar from ${settings.localRepository} to target/test-classes/plugins, where ClassLoaderTest
+                 expects it. The destination filename MUST remain commons-io-2.11.0.jar (asserted by
+                 ClassLoaderTest.assemblyBasedRealm via CodeSource.getLocation().getPath().endsWith(...)).
+            -->
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>get</goal>
+            </goals>
+            <configuration>
+              <artifact>commons-io:commons-io:2.11.0</artifact>
+              <transitive>false</transitive>
+            </configuration>
+          </execution>
           <execution>
             <id>unpack-pinot-plugins</id>
             <!-- The org.apache.pinot.spi.plugin.ClassLoaderTest has tests that requires plugin jars.
@@ -138,6 +162,36 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-antrun-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>copy-classloadertest-commons-io-fixture</id>
+            <!-- Companion to the `fetch-classloadertest-commons-io-fixture` execution above: copies the
+                 resolved commons-io 2.11.0 jar from ${settings.localRepository} into target/test-classes,
+                 where ClassLoaderTest expects it. See the rationale comment on that execution for why the
+                 fixture is fetched via dependency:get rather than as an <artifactItem>.
+
+                 Ordering: this execution must run AFTER `fetch-classloadertest-commons-io-fixture`. Both
+                 are bound to the generate-test-resources phase; cross-plugin executions in the same phase
+                 run in plugin declaration order, so maven-dependency-plugin must remain declared before
+                 maven-antrun-plugin in <build><plugins> for this to work.
+            -->
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>run</goal>
+            </goals>
+            <configuration>
+              <target>
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin"/>
+                <copy file="${settings.localRepository}/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar"
+                      tofile="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/commons-io-2.11.0.jar"/>
+              </target>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>

From 074e944f4a8b17ea8936e654a4c88c95523354a3 Mon Sep 17 00:00:00 2001
From: Xiang Fu <xiangfu.1024@gmail.com>
Date: Sun, 26 Apr 2026 00:49:35 -0700
Subject: [PATCH 2/2] Apply the dependency:get bypass uniformly to all
 ClassLoaderTest fixtures

Address review feedback on #18335: extend the dependency:get + antrun
copy/unzip pattern to every pinned ClassLoaderTest fixture, not just
commons-io.

Before: pinot-dropwizard, pinot-yammer (x2 shaded), and metrics-core
were still declared as <artifactItem> blocks under copy-pinot-plugins
and unpack-pinot-plugins, with `versions: [">= <next>"]` ignore rules
in .github/dependabot.yml suppressing Dependabot bumps. Those rules
worked because none of those coordinates were used elsewhere -- but
the asymmetric handling left a footgun: any future use of one of
those coordinates at a different version elsewhere in the repo would
silently get blocked from updates by the repo-wide ignore rule.

After: all five fixtures (including the previously-handled commons-io)
are routed through the same pipeline:
- maven-dependency-plugin:get with single-string <artifact> parameters
  resolves each unique GAV+classifier combination through Maven's
  normal chain (cache, mirrors, authenticated repos, SHA-1 validation).
  Dependabot's Maven updater does not scan single-string <artifact>
  values, so the pinned coordinates are invisible to it.
- A single maven-antrun-plugin:run execution stages the resolved jars
  from ${settings.localRepository} into target/test-classes/plugins/
  with the literal filenames the test asserts on, and unzips the
  non-shaded pinot-yammer 0.10.0 into the assemblybased-pinot-plugin
  classes/ subdirectory.

The .github/dependabot.yml fixture-specific ignore rules are removed
since no <artifactItem> blocks remain for these coordinates.

Verified locally: ClassLoaderTest's 5 cases pass on a fully empty
target dir AND empty local cache for all four fixture coordinates,
confirming the resolve+stage pipeline is idempotent and self-bootstrapping.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/dependabot.yml |  30 ++-----
 pinot-spi/pom.xml      | 189 ++++++++++++++++++++---------------------
 2 files changed, 101 insertions(+), 118 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 14f5c971e60e..ab14ec838238 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -25,28 +25,14 @@ updates:
     schedule:
       interval: "daily"
     open-pull-requests-limit: 20
-    ignore:
-    # Locked test resources for pinot-spi/src/test/java/org/apache/pinot/spi/plugin/ClassLoaderTest.java.
-    # These artifacts are pinned in pinot-spi/pom.xml (maven-dependency-plugin artifactItems) because
-    # ClassLoaderTest asserts plugin realm isolation against known artifact contents. Dependabot's
-    # `versions` filter is matched against the *target* version of an update, so we use range filters
-    # (">= <next>") to block every bump to a newer version for these coordinates. The rules apply
-    # repo-wide by coordinate, which is fine here because pinot-dropwizard / pinot-yammer /
-    # com.yammer.metrics:metrics-core are not referenced anywhere else.
-    #
-    # The ClassLoaderTest also pins commons-io 2.11.0, but that coordinate is consumed at a newer
-    # version elsewhere (top-level pom.xml), so we cannot block it here. Instead, the fixture is
-    # resolved via maven-dependency-plugin's `dependency:get` goal in pinot-spi/pom.xml using a
-    # single-string <artifact>commons-io:commons-io:2.11.0</artifact> parameter — Dependabot's
-    # Maven updater scans structured groupId+artifactId+version triples inside <dependency>,
-    # <plugin>, and <artifactItem> blocks, not single-string <artifact> values in plugin
-    # configuration, so no ignore rule for commons-io is needed.
-    - dependency-name: "org.apache.pinot:pinot-dropwizard"
-      versions: [">= 0.10.1"]
-    - dependency-name: "org.apache.pinot:pinot-yammer"
-      versions: [">= 0.10.1"]
-    - dependency-name: "com.yammer.metrics:metrics-core"
-      versions: [">= 2.1.6"]
+    # No `ignore` rules needed for the ClassLoaderTest pinned test fixtures
+    # (pinot-dropwizard, pinot-yammer, commons-io, com.yammer.metrics:metrics-core).
+    # Those fixtures are resolved by pinot-spi/pom.xml via maven-dependency-plugin's
+    # `dependency:get` goal using single-string <artifact>groupId:artifactId:version</artifact>
+    # parameters — Dependabot's Maven updater scans structured groupId+artifactId+version
+    # triples inside <dependency>, <plugin>, and <artifactItem> blocks, not single-string
+    # <artifact> values in plugin configuration, so the pinned coordinates are invisible
+    # to Dependabot and no ignore rule is required.
 
   - package-ecosystem: "npm"
     directory: "/pinot-controller/src/main/resources"
diff --git a/pinot-spi/pom.xml b/pinot-spi/pom.xml
index 2d03ead2ac10..50cb2c700dd5 100644
--- a/pinot-spi/pom.xml
+++ b/pinot-spi/pom.xml
@@ -50,114 +50,92 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-dependency-plugin</artifactId>
-        <executions>
-          <execution>
-            <id>copy-pinot-plugins</id>
-            <!-- The org.apache.pinot.spi.plugin.ClassLoaderTest has tests that requires plugin jars.
-                 These jars could have been added to src/test/resources/plugins, but that would increase the size of
-                 source repository a lot. Instead, let Maven download these jars and put them at the expected location.
+        <!-- ClassLoaderTest fixture resolution.
 
-                 DO NOT replace its versions with ${project.version}, as the ClassLoaderTest depends on the existence
-                 and non-existence of classes in these jars.
+             The org.apache.pinot.spi.plugin.ClassLoaderTest validates plugin classloader/realm isolation
+             against pinned versions of real plugin jars. The jars could have been checked in under
+             src/test/resources/plugins, but that would bloat the source repository, so we let Maven
+             download them on demand.
 
-                 DO NOT BUMP the hardcoded versions below. They are intentionally pinned test fixtures used by
-                 ClassLoaderTest to validate plugin realm isolation against known artifact contents. Corresponding
-                 ignore rules live in .github/dependabot.yml. (commons-io 2.11.0, which is also consumed at a newer
-                 version in the top-level pom.xml, is fetched via the separate `fetch-classloadertest-commons-io-fixture`
-                 / `copy-classloadertest-commons-io-fixture` executions below to keep its coordinate off Dependabot's
-                 scanner without blocking legitimate commons-io upgrades.)
-            -->
+             DO NOT replace these versions with ${project.version}, as the test depends on the presence
+             (and absence) of specific classes in those exact jars. DO NOT BUMP the hardcoded versions
+             below — they are deliberately frozen test fixtures.
+
+             Why dependency:get with a single-string <artifact> instead of <artifactItem> blocks?
+             Dependabot's Maven updater scans <dependency>, <plugin>, and <artifactItem> blocks for
+             structured groupId+artifactId+version triples; it does NOT parse single-string
+             <artifact>...</artifact> values inside plugin configuration. Using <artifactItem> here
+             gave Dependabot a coordinate to "upgrade" and produced repeated noise PRs (e.g. #18331).
+             For coordinates that are not consumed elsewhere in the repo, a `versions: [">= <next>"]`
+             ignore rule in .github/dependabot.yml would suppress those PRs, but commons-io is also
+             consumed at a newer version in the top-level pom.xml, so a repo-wide ignore would block
+             legitimate upgrades. To keep the mechanism uniform across all the pinned fixtures (and
+             defensive against any future shared-coordinate situation), we route every fixture through
+             dependency:get + antrun copy/unzip from ${settings.localRepository}.
+
+             dependency:get goes through Maven's normal resolution chain (local cache, configured
+             mirrors, authenticated repos, SHA-1 checksum validation), so offline/mirrored builds keep
+             working and artifact integrity is verified.
+
+             The companion antrun execution `stage-classloadertest-fixtures` copies the resolved jars
+             from ${settings.localRepository} into target/test-classes/plugins/ with the literal
+             filenames ClassLoaderTest asserts on (see CodeSource.getLocation().getPath().endsWith(...)
+             checks in the test).
+        -->
+        <executions>
+          <execution>
+            <id>fetch-classloadertest-fixture-pinot-dropwizard-shaded</id>
             <phase>generate-test-resources</phase>
             <goals>
-              <goal>copy</goal>
+              <goal>get</goal>
             </goals>
             <configuration>
-              <artifactItems>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-dropwizard</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <classifier>shaded</classifier>
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/pinot-dropwizard</outputDirectory>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-yammer</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <classifier>shaded</classifier>
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/pinot-yammer</outputDirectory>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-yammer</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <classifier>shaded</classifier>
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/pinot-shaded-yammer</outputDirectory>
-                </artifactItem>
-                <artifactItem>
-                  <groupId>com.yammer.metrics</groupId>
-                  <artifactId>metrics-core</artifactId>
-                  <version>2.1.5</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin</outputDirectory>
-                </artifactItem>
-              </artifactItems>
+              <artifact>org.apache.pinot:pinot-dropwizard:0.10.0:jar:shaded</artifact>
+              <transitive>false</transitive>
             </configuration>
           </execution>
           <execution>
-            <id>fetch-classloadertest-commons-io-fixture</id>
-            <!-- Resolve commons-io 2.11.0 into the local Maven repository for the ClassLoaderTest fixture.
-                 Why this two-step (dependency:get + antrun copy) and not an <artifactItem> in copy-pinot-plugins?
-                 commons-io is also consumed at a newer version in the top-level pom.xml. Putting 2.11.0 in an
-                 <artifactItem> exposes the coordinate to Dependabot's Maven updater, which would open repeated
-                 PRs trying to "upgrade" the pinned test fixture. A repo-wide ignore is not viable because it
-                 would also block legitimate commons-io upgrades for the production version.
-
-                 dependency:get takes a single-string <artifact>groupId:artifactId:version</artifact> parameter
-                 — Dependabot's Maven updater scans <dependency>/<plugin>/<artifactItem> blocks for structured
-                 groupId+artifactId+version triples, NOT single-string <artifact> parameters in plugin
-                 configuration. Resolution still goes through Maven's normal chain (local cache, configured
-                 mirrors, authenticated repos, SHA-1 checksum validation), so offline/mirrored builds keep
-                 working and the fixture jar's integrity is verified.
-
-                 The companion `copy-classloadertest-commons-io-fixture` antrun execution copies the resolved
-                 jar from ${settings.localRepository} to target/test-classes/plugins, where ClassLoaderTest
-                 expects it. The destination filename MUST remain commons-io-2.11.0.jar (asserted by
-                 ClassLoaderTest.assemblyBasedRealm via CodeSource.getLocation().getPath().endsWith(...)).
-            -->
+            <id>fetch-classloadertest-fixture-pinot-yammer-shaded</id>
             <phase>generate-test-resources</phase>
             <goals>
               <goal>get</goal>
             </goals>
             <configuration>
-              <artifact>commons-io:commons-io:2.11.0</artifact>
+              <artifact>org.apache.pinot:pinot-yammer:0.10.0:jar:shaded</artifact>
               <transitive>false</transitive>
             </configuration>
           </execution>
           <execution>
-            <id>unpack-pinot-plugins</id>
-            <!-- The org.apache.pinot.spi.plugin.ClassLoaderTest has tests that requires plugin jars.
-                 These jars could have been added to src/test/resources/plugins, but that would increase the size of
-                 source repository a lot. Instead, let Maven download these jars and put them at the expected location.
-
-                 DO NOT replace its versions with ${project.version}, as the ClassLoaderTest depends on the existence
-                 and non-existence of classes in these jars.
-
-                 DO NOT BUMP the hardcoded version below. See the matching notice in the copy-pinot-plugins
-                 execution above and the ignore rules in .github/dependabot.yml.
-            -->
+            <id>fetch-classloadertest-fixture-pinot-yammer</id>
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>get</goal>
+            </goals>
+            <configuration>
+              <artifact>org.apache.pinot:pinot-yammer:0.10.0</artifact>
+              <transitive>false</transitive>
+            </configuration>
+          </execution>
+          <execution>
+            <id>fetch-classloadertest-fixture-metrics-core</id>
             <phase>generate-test-resources</phase>
             <goals>
-              <goal>unpack</goal>
+              <goal>get</goal>
             </goals>
             <configuration>
-              <artifactItems>
-                <artifactItem>
-                  <groupId>org.apache.pinot</groupId>
-                  <artifactId>pinot-yammer</artifactId>
-                  <version>0.10.0</version> <!-- PINNED test fixture: DO NOT BUMP -->
-                  <outputDirectory>${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/classes</outputDirectory>
-                </artifactItem>
-              </artifactItems>
+              <artifact>com.yammer.metrics:metrics-core:2.1.5</artifact>
+              <transitive>false</transitive>
+            </configuration>
+          </execution>
+          <execution>
+            <id>fetch-classloadertest-fixture-commons-io</id>
+            <phase>generate-test-resources</phase>
+            <goals>
+              <goal>get</goal>
+            </goals>
+            <configuration>
+              <artifact>commons-io:commons-io:2.11.0</artifact>
+              <transitive>false</transitive>
             </configuration>
           </execution>
         </executions>
@@ -167,16 +145,15 @@
         <artifactId>maven-antrun-plugin</artifactId>
         <executions>
           <execution>
-            <id>copy-classloadertest-commons-io-fixture</id>
-            <!-- Companion to the `fetch-classloadertest-commons-io-fixture` execution above: copies the
-                 resolved commons-io 2.11.0 jar from ${settings.localRepository} into target/test-classes,
-                 where ClassLoaderTest expects it. See the rationale comment on that execution for why the
-                 fixture is fetched via dependency:get rather than as an <artifactItem>.
+            <id>stage-classloadertest-fixtures</id>
+            <!-- Stages the ClassLoaderTest fixture jars from ${settings.localRepository} into
+                 target/test-classes/plugins/ with the literal filenames the test asserts on.
+                 See the rationale comment on the maven-dependency-plugin block above.
 
-                 Ordering: this execution must run AFTER `fetch-classloadertest-commons-io-fixture`. Both
-                 are bound to the generate-test-resources phase; cross-plugin executions in the same phase
-                 run in plugin declaration order, so maven-dependency-plugin must remain declared before
-                 maven-antrun-plugin in <build><plugins> for this to work.
+                 Ordering: this execution must run AFTER all `fetch-classloadertest-fixture-*`
+                 executions. Both plugins bind to generate-test-resources; cross-plugin executions
+                 in the same phase run in plugin declaration order, so maven-dependency-plugin
+                 must remain declared before maven-antrun-plugin in <build><plugins>.
             -->
             <phase>generate-test-resources</phase>
             <goals>
@@ -184,9 +161,29 @@
             </goals>
             <configuration>
               <target>
+                <!-- pinot-dropwizard 0.10.0 (shaded) -->
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/pinot-dropwizard"/>
+                <copy file="${settings.localRepository}/org/apache/pinot/pinot-dropwizard/0.10.0/pinot-dropwizard-0.10.0-shaded.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/pinot-dropwizard"/>
+                <!-- pinot-yammer 0.10.0 (shaded) -->
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/pinot-yammer"/>
+                <copy file="${settings.localRepository}/org/apache/pinot/pinot-yammer/0.10.0/pinot-yammer-0.10.0-shaded.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/pinot-yammer"/>
+                <!-- pinot-yammer 0.10.0 (shaded) — staged again under a different plugin name
+                     so the test exercises the legacy shaded-jar PluginClassloader code path. -->
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/pinot-shaded-yammer"/>
+                <copy file="${settings.localRepository}/org/apache/pinot/pinot-yammer/0.10.0/pinot-yammer-0.10.0-shaded.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/pinot-shaded-yammer"/>
+                <!-- assemblybased-pinot-plugin: commons-io 2.11.0 + metrics-core 2.1.5 placed
+                     side-by-side, plus the unpacked classes from pinot-yammer 0.10.0. -->
                 <mkdir dir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin"/>
                 <copy file="${settings.localRepository}/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar"
-                      tofile="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/commons-io-2.11.0.jar"/>
+                      todir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin"/>
+                <copy file="${settings.localRepository}/com/yammer/metrics/metrics-core/2.1.5/metrics-core-2.1.5.jar"
+                      todir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin"/>
+                <mkdir dir="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/classes"/>
+                <unzip src="${settings.localRepository}/org/apache/pinot/pinot-yammer/0.10.0/pinot-yammer-0.10.0.jar"
+                       dest="${project.build.testOutputDirectory}/plugins/assemblybased-pinot-plugin/classes"/>
               </target>
             </configuration>
           </execution>