From 9277a25661454ce64ee49bc7b3b1faf32766ee81 Mon Sep 17 00:00:00 2001
From: Dan Chao
Date: Fri, 24 Apr 2026 09:49:55 -0700
Subject: [PATCH 1/2] Add Dependabot updates for Gradle, CodeQL scanning, prevent dynamic versions
---
 .github/PklProject | 2 +-
 .github/PklProject.deps.json | 16 +++++------
 .github/dependabot.yml | 10 +++++++
 .github/index.pkl | 27 ++++++++++++++++++
 .github/workflows/__lockfile__.yml | 4 +++
 .github/workflows/codeql.yml | 45 ++++++++++++++++++++++++++++++
 build.gradle.kts | 9 +++++-
 gradle/libs.versions.toml | 4 +--
 8 files changed, 105 insertions(+), 12 deletions(-)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/PklProject b/.github/PklProject
index 1db4f6b..fb2a03a 100644
--- a/.github/PklProject
+++ b/.github/PklProject
@@ -2,7 +2,7 @@ amends "pkl:Project"
 dependencies {
 ["pkl.impl.ghactions"] {
- uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0"
+ uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.0"
 }
 ["com.github.actions"] {
 uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.0"
diff --git a/.github/PklProject.deps.json b/.github/PklProject.deps.json
index 457d181..4aef34a 100644
--- a/.github/PklProject.deps.json
+++ b/.github/PklProject.deps.json
@@ -3,16 +3,16 @@
 "resolvedDependencies": {
 "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1": {
 "type": "remote",
- "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.1",
+ "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.6.0",
 "checksums": {
- "sha256": "fd515da685ea126678c3ec684e84a4f992d43481cc1d75cb866cd55775f675f9"
+ "sha256": "10e27d63df4a4520d8a9375962406ca5ffe74f396bd3cb1c19b1f8358505010a"
 }
 },
 "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1": {
 "type": "remote",
- "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0",
+ "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.0",
 "checksums": {
- "sha256": "2c1e0d9efcd65b3c3207bf535c325ebc0ec2ab169187b324c4bb70821cac0e51"
+ "sha256": "962cdba703b50e86ecfda1a1345bf58caa7b4839dd090eae6120024d862793d0"
 }
 },
 "package://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1": {
@@ -24,16 +24,16 @@
 },
 "package://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1": {
 "type": "remote",
- "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.0.3",
+ "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.1.3",
 "checksums": {
- "sha256": "d368900942efb88ed51a98f9614748b06c74ba43423f045fcd6dedb5dbdc0bea"
+ "sha256": "521feb6f5ff12075ebad0758799fe7ec2675d231a0e0f5456694c8d4822a8171"
 }
 },
 "package://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1": {
 "type": "remote",
- "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.0",
+ "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.3",
 "checksums": {
- "sha256": "02ef6f25bfca5b1d095db73ea15de79d2d2c6832ebcab61e6aba90554382abcb"
+ "sha256": "a8934d84ffd11992d7baf6acfd97bae31d6112fa8add5cc8b5b4a722ce5b9ffc"
 }
 }
 }
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 73242db..e2c7243 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,16 @@
 version: 2
 updates:
+- package-ecosystem: gradle
+ cooldown:
+ default-days: 7
+ exclude:
+ - org.pkl-lang:*
+ directory: /
+ schedule:
+ interval: weekly
 - package-ecosystem: github-actions
+ cooldown:
+ default-days: 7
 directory: /
 ignore:
 - dependency-name: '*'
diff --git a/.github/index.pkl b/.github/index.pkl
index 970434e..4fb844f 100644
--- a/.github/index.pkl
+++ b/.github/index.pkl
@@ -118,3 +118,30 @@ local function setupStepsCache(jcache: ("maven"|"gradle"|"sbt")?): Listing
Date: Wed, 29 Apr 2026 14:46:37 -0700
Subject: [PATCH 2/2] Add dependency submission job
---
 .github/index.pkl | 26 +++++++++++++++++++++++---
 .github/workflows/__lockfile__.yml | 2 ++
 .github/workflows/main.yml | 19 +++++++++++++++++++
 3 files changed, 44 insertions(+), 3 deletions(-)
diff --git a/.github/index.pkl b/.github/index.pkl
index 4fb844f..e330209 100644
--- a/.github/index.pkl
+++ b/.github/index.pkl
@@ -23,7 +23,13 @@ import "@pkl.impl.ghactions/helpers.pkl"
 triggerDocsBuild = "release"
-build = new {
+testReports {
+ excludeJobs {
+ "dependency-submission"
+ }
+}
+
+build {
 jobs {
 ["build-and-test"] {
 name = "Build and test"
@@ -42,8 +48,22 @@ prb = build
 releaseBranch = build
-main = new {
+main {
 jobs {
+ ["dependency-submission"] {
+ permissions {
+ contents = "write"
+ }
+ name = "Dependency submission"
+ `runs-on` = "ubuntu-latest"
+ steps = (setupSteps) {
+ (module.catalog.`gradle/actions/dependency-submission@v6`) {
+ with {
+ `dependency-graph-include-configurations` = ".*[rR]untimeClasspath|.*[cC]ompileClasspath"
+ }
+ }
+ }
+ }
 ["deploy-snapshot"] {
 name = "Build and deploy snapshot"
 `runs-on` = "ubuntu-latest"
@@ -58,7 +78,7 @@ main = new {
 }
 }
-release = new {
+release {
 jobs {
 ["release-to-github"] {
 name = "Release to GitHub"
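Review bot: The `exclude: - org.pkl-lang:*` under the new gradle `cooldown` is unexplained, so a reader cannot tell why Pkl's own artifacts skip the 7-day cooldown that every other Gradle dependency now gets; presumably because they are first-party, but the file does not say so. The `ignore: - dependency-name: '*'` block of the github-actions entry continues outside the hunk, so it is also not visible whether a comparable ignore list was considered for the gradle entry. A one-line comment above the exclude would settle the first point, e.g. `# org.pkl-lang:* is first-party, so it is updated without the cooldown (TODO confirm reason)`. If this file is generated from the Pkl sources (the PklProject hunk pulls in com.github.dependabot), the comment belongs in the generating Pkl module rather than here.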
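Review bot: The `permissions { contents = "write" }` on the new `["dependency-submission"]` job is undocumented, and it is the one place the main workflow escalates above the workflow-level `contents: read` that the generated main.yml context shows as the default. The write scope is what submitting a dependency graph needs, but it also means the Gradle resolution the action runs executes the repository's build logic with a write-capable token; that is tolerable because the job is added only to `main` and not to `prb` (the hunk header shows `prb = build`, so pull-request heads never run it), and that reasoning should be recorded rather than rediscovered. Suggest `// Dependency Submission needs contents: write; scoped to this job only and to main (not prb), since the build logic runs with this token` on the permissions block, plus a short comment on the `testReports { excludeJobs { "dependency-submission" } }` block in the first hunk saying why the job is excluded (presumably it produces no test reports; confirm). The same job is emitted into the generated .github/workflows/main.yml hunk, so this note covers that file section as well.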
diff --git a/.github/workflows/__lockfile__.yml b/.github/workflows/__lockfile__.yml
index 3696ad4..067e32c 100644
--- a/.github/workflows/__lockfile__.yml
+++ b/.github/workflows/__lockfile__.yml
@@ -28,3 +28,5 @@ jobs:
 uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 - name: github/codeql-action/init@v4
 uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ - name: gradle/actions/dependency-submission@v6
+ uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1a68936..536235b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -12,6 +12,25 @@ concurrency:
 permissions:
 contents: read
 jobs:
+ dependency-submission:
+ name: Dependency submission
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+ - name: Setup Java
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+ with:
+ java-version: '21'
+ distribution: temurin
+ cache: gradle
+ - uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
+ with:
+ dependency-graph-include-configurations: .*[rR]untimeClasspath|.*[cC]ompileClasspath
 deploy-snapshot:
 name: Build and deploy snapshot
 runs-on: ubuntu-latest