From 0d1b799e55416c01e33848ad77396a32c546e419 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:25:15 +0100
Subject: [PATCH 1/8] ci: add semver filtering to Dependabot auto-merge (patch/minor only)
---
 .github/workflows/dependabot-auto-merge.yml | 32 +++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..26085a8
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,32 @@
+name: Dependabot Auto-Merge
+
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Approve patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Auto-merge patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 7e96d3c0e74ed437e325446791f860d0043a09ca Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:25:59 +0100
Subject: [PATCH 2/8] ci: configure Dependabot version updates targeting develop
---
 .github/dependabot.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/dependabot.yml
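Review bot: The job gate `if: github.actor == 'dependabot[bot]'` tests who triggered the run rather than who authored the pull request, which is a weak guard for a workflow that holds `contents: write` and `pull-requests: write` and approves PRs on its own; gate on the author instead with `if: github.event.pull_request.user.login == 'dependabot[bot]'`. The same condition recurs in the ci.yml change of patch 4 and in dependabot-ci.yml in patches 6 and 7. `dependabot/fetch-metadata@v2` is a movable tag executed in a job with write permissions, so pinning it to a full commit SHA would be safer. `gh pr merge --auto` waits only for checks that branch protection marks as required; that configuration is not visible in this series, so confirm `develop` has required checks before relying on this workflow.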
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c673eaf
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,18 @@
+version: 2
+updates:
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "develop"
+ open-pull-requests-limit: 5
+ groups:
+ minor-and-patch:
+ update-types:
+ - "minor"
+ - "patch"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "develop"
From 706efc1e4853959a561b7386e6bcf179bdfd7535 Mon Sep 17 00:00:00 2001
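Review bot: The `github-actions` entry is covered by the same auto-merge workflow from patch 1, which filters only on `update-type`, so minor and patch bumps of workflow actions would be approved and merged unattended exactly like Maven ones. Those updates change code that runs with the repository token, so consider narrowing auto-merge with the `package-ecosystem` or `dependency-type` outputs of `dependabot/fetch-metadata`, or leaving action updates to manual review. The `minor-and-patch` group also folds many production dependencies into a single PR, which makes one auto-merged change quite large. A short comment above each entry, e.g. `# Maven: minor/patch grouped into one weekly PR against develop`, would record the intent.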
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Feb 2026 18:28:19 +0000 Subject: [PATCH 3/8] build(deps): bump the minor-and-patch group with 10 updates (#3) Bumps the minor-and-patch group with 10 updates: | Package | From | To | | --- | --- | --- | | [io.grpc:grpc-netty-shaded](https://github.com/grpc/grpc-java) | `1.60.1` | `1.79.0` | | [io.grpc:grpc-protobuf](https://github.com/grpc/grpc-java) | `1.60.1` | `1.79.0` | | [io.grpc:grpc-stub](https://github.com/grpc/grpc-java) | `1.60.1` | `1.79.0` | | [io.grpc:grpc-testing](https://github.com/grpc/grpc-java) | `1.60.1` | `1.79.0` | | [io.grpc:grpc-inprocess](https://github.com/grpc/grpc-java) | `1.60.1` | `1.79.0` | | com.sun.xml.ws:jaxws-rt | `4.0.2` | `4.0.3` | | org.apache.cxf:cxf-spring-boot-starter-jaxws | `4.0.3` | `4.1.4` | | org.apache.cxf:cxf-rt-ws-security | `4.0.3` | `4.1.4` | | org.glassfish.jaxb:jaxb-xjc | `4.0.4` | `4.0.6` | | [org.wiremock:wiremock-standalone](https://github.com/wiremock/wiremock) | `3.3.1` | `3.13.2` | Updates `io.grpc:grpc-netty-shaded` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates `io.grpc:grpc-protobuf` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates `io.grpc:grpc-stub` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates `io.grpc:grpc-testing` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates `io.grpc:grpc-inprocess` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates 
`io.grpc:grpc-protobuf` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates `io.grpc:grpc-stub` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates `com.sun.xml.ws:jaxws-rt` from 4.0.2 to 4.0.3 Updates `org.apache.cxf:cxf-spring-boot-starter-jaxws` from 4.0.3 to 4.1.4 Updates `org.apache.cxf:cxf-rt-ws-security` from 4.0.3 to 4.1.4 Updates `org.glassfish.jaxb:jaxb-xjc` from 4.0.4 to 4.0.6 Updates `org.wiremock:wiremock-standalone` from 3.3.1 to 3.13.2 - [Release notes](https://github.com/wiremock/wiremock/releases) - [Commits](https://github.com/wiremock/wiremock/compare/3.3.1...3.13.2) Updates `io.grpc:grpc-testing` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) Updates `io.grpc:grpc-inprocess` from 1.60.1 to 1.79.0 - [Release notes](https://github.com/grpc/grpc-java/releases) - [Commits](https://github.com/grpc/grpc-java/compare/v1.60.1...v1.79.0) --- updated-dependencies: - dependency-name: io.grpc:grpc-netty-shaded dependency-version: 1.79.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-protobuf dependency-version: 1.79.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-stub dependency-version: 1.79.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-testing dependency-version: 1.79.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-inprocess dependency-version: 
1.79.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-protobuf dependency-version: 1.79.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-stub dependency-version: 1.79.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: com.sun.xml.ws:jaxws-rt dependency-version: 4.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: org.apache.cxf:cxf-spring-boot-starter-jaxws dependency-version: 4.1.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: org.apache.cxf:cxf-rt-ws-security dependency-version: 4.1.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: org.glassfish.jaxb:jaxb-xjc dependency-version: 4.0.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: org.wiremock:wiremock-standalone dependency-version: 3.13.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-testing dependency-version: 1.79.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: io.grpc:grpc-inprocess dependency-version: 1.79.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/pom.xml b/pom.xml index 08b1c23..c15bbbb 100644 --- a/pom.xml +++ b/pom.xml @@ -19,7 +19,7 @@ 2.25.32 - 1.60.1 + 1.79.0 3.25.1 @@ -164,7 +164,7 @@ com.sun.xml.ws jaxws-rt - 4.0.2 + 4.0.3 jakarta.xml.soap @@ -185,7 +185,7 @@ org.apache.cxf cxf-spring-boot-starter-jaxws - 4.0.3 + 4.1.4 @@ -197,7 +197,7 @@ org.apache.cxf cxf-rt-ws-security - 4.0.3 + 4.1.4 org.apache.wss4j @@ -212,7 +212,7 @@ org.glassfish.jaxb jaxb-xjc - 4.0.4 + 4.0.6 @@ -243,7 +243,7 @@ org.wiremock wiremock-standalone - 3.3.1 + 3.13.2 test From e17a8f9ae018c5441f0ce46ad8c1a8bf1eccdcaf Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:38:57 +0100 Subject: [PATCH 4/8] ci: add pull_request_target trigger for Dependabot CI compatibility --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e9f817d..83785e6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,8 @@ on: branches: [develop] pull_request: branches: [develop, main] + pull_request_target: + branches: [develop, main] workflow_dispatch: inputs: triggered-by: @@ -12,7 +14,8 @@ on: type: string jobs: build: + if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]' uses: fireflyframework/.github/.github/workflows/java-ci.yml@main with: java-version: '25' - + checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} From dbb40663c19b4b4fdaed6754f68e9c306ea72aee Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:52:27 +0100 Subject: [PATCH 5/8] ci: revert ci.yml to original triggers (pull_request_target moved to separate file) --- .github/workflows/ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 83785e6..3beaf0c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
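Review bot: The added `if:` in ci.yml contains `\!=`, which looks like a shell-escaped `!=` that leaked into the file; the line should read `if: github.event_name != 'pull_request_target' || github.actor == 'dependabot[bot]'`, and as written the expression is likely to be rejected. Separately, `pull_request_target` runs in the base repository's context with its token and secrets, while `checkout-ref` passes `github.event.pull_request.head.sha`, so the reusable workflow would build PR-supplied code under that context with only the `github.actor` comparison as a guard. The same trigger-plus-head-checkout pattern returns in dependabot-ci.yml in patches 6 and 7. Since the auto-merge workflow in patch 1 already runs for Dependabot under plain `pull_request` with an explicit `permissions:` block, the same approach with `packages: read` may be enough here; what java-ci.yml needs is not visible in this patch.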
@@ -4,8 +4,6 @@ on:
 branches: [develop]
 pull_request:
 branches: [develop, main]
- pull_request_target:
- branches: [develop, main]
 workflow_dispatch:
 inputs:
 triggered-by:
@@ -14,8 +12,6 @@ on:
 type: string
 jobs:
 build:
- if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]'
 uses: fireflyframework/.github/.github/workflows/java-ci.yml@main
 with:
 java-version: '25'
- checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
From 41ca333ad2ef8791fc5208af26a68a7edb041e64 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:53:21 +0100
Subject: [PATCH 6/8] ci: add separate Dependabot CI workflow using pull_request_target
---
 .github/workflows/dependabot-ci.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/workflows/dependabot-ci.yml
diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml
new file mode 100644
index 0000000..9c3408a
--- /dev/null
+++ b/.github/workflows/dependabot-ci.yml
@@ -0,0 +1,12 @@
+name: Dependabot CI
+on:
+ pull_request_target:
+ branches: [develop, main]
+jobs:
+ build:
+ if: github.actor == 'dependabot[bot]'
+ uses: fireflyframework/.github/.github/workflows/java-ci.yml@main
+ with:
+ java-version: '25'
+ checkout-ref: ${{ github.event.pull_request.head.sha }}
+ trigger-downstream: false
From 5f8c9d54d0db008e08130a102acbeed26d1eeb94 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 20:00:55 +0100
Subject: [PATCH 7/8] ci: inline Dependabot CI build (cross-repo reusable workflows unsupported for Dependabot)
---
 .github/workflows/dependabot-ci.yml | 80 +++++++++++++++++++++++++++--
 1 file changed, 75 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml
index 9c3408a..25bfe12 100644
--- a/.github/workflows/dependabot-ci.yml
+++ b/.github/workflows/dependabot-ci.yml
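Review bot: The new dependabot-ci.yml declares no `permissions:` block, so under `pull_request_target` the token handed to the reusable workflow carries whatever the repository default grants, while `checkout-ref` gives it the PR head commit to build. Add an explicit minimal block at the top, `permissions:` with `contents: read` and `packages: read`, plus a header comment stating why `pull_request_target` is needed here. The called workflow is referenced at `@main` in another repository; a full commit SHA would keep its contents from changing underneath this privileged trigger. What java-ci.yml does with `checkout-ref` and `trigger-downstream` is not visible in this patch.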
@@ -2,11 +2,81 @@ name: Dependabot CI on: pull_request_target: branches: [develop, main] + +permissions: + contents: read + packages: read + statuses: write + jobs: build: + runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' - uses: fireflyframework/.github/.github/workflows/java-ci.yml@main - with: - java-version: '25' - checkout-ref: ${{ github.event.pull_request.head.sha }} - trigger-downstream: false + steps: + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up JDK 25 + uses: actions/setup-java@v4 + with: + java-version: '25' + distribution: temurin + cache: maven + + - name: Configure GitHub Packages + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml << 'EOF' + + + + github + ${env.GITHUB_ACTOR} + ${env.GITHUB_TOKEN} + + + + + github-packages + + + github + https://maven.pkg.github.com/fireflyframework/fireflyframework-parent + true + true + + + + + + github-packages + + + EOF + + - name: Build with Maven + run: mvn -B verify + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Report build status + if: always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if [ "${{ job.status }}" = "success" ]; then + STATE="success" + DESC="Dependabot build passed" + else + STATE="failure" + DESC="Dependabot build failed" + fi + gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \ + -f state="$STATE" \ + -f context="build / build" \ + -f description="$DESC" \ + -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" From b685b7b085c6b7c0bab0d5f45a88ebcfcc6d2301 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 20:33:34 +0100 Subject: [PATCH 8/8] ci: grant actions:write permission in caller for DAG orchestrator --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) 
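Review bot: The build job checks out the PR head and runs `mvn -B verify` on it while the job token carries `statuses: write` and is exported as `GITHUB_TOKEN`, so code brought in by the dependency update executes with the ability to write the same `build / build` status that the final step reports. `actions/checkout` also keeps the token in the checkout's git configuration unless `persist-credentials: false` is set, and `cache: maven` under `pull_request_target` may save a cache populated by the untrusted build (whether other workflows restore it depends on cache keys not visible here). Keep the build job at `contents: read` and `packages: read` and move status reporting into a second job that never checks out PR code, as sketched below. The sketch also gates on the PR author and passes context values through `env` instead of interpolating `${{ }}` into the script.

```yaml
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: read
      packages: read
    steps:
      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      # … unchanged: JDK setup, settings.xml generation, Maven build …

  report:
    runs-on: ubuntu-latest
    needs: build
    if: always() && github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      statuses: write
    steps:
      - name: Report build status
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BUILD_RESULT: ${{ needs.build.result }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          if [ "$BUILD_RESULT" = "success" ]; then
            STATE="success"
            DESC="Dependabot build passed"
          else
            STATE="failure"
            DESC="Dependabot build failed"
          fi
          gh api "repos/$GITHUB_REPOSITORY/statuses/$HEAD_SHA" \
            -f state="$STATE" \
            -f context="build / build" \
            -f description="$DESC" \
            -f target_url="$RUN_URL"
```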
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3beaf0c..6614de5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,5 +13,9 @@ on:
 jobs:
 build:
 uses: fireflyframework/.github/.github/workflows/java-ci.yml@main
+ permissions:
+ packages: read
+ contents: read
+ actions: write
 with:
 java-version: '25'
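Review bot: The new `actions: write` grant goes to a reusable workflow that the unchanged `uses:` line references at the mutable ref `@main` in another repository, and it applies on every trigger of ci.yml, including `pull_request`. Pinning that `uses:` line to a full commit SHA would tie the grant to reviewed code. A comment above `permissions:` should name what needs the scope; the subject mentions a DAG orchestrator that is not visible here, so something like `# actions: write: required by java-ci.yml to dispatch downstream workflows (confirm)` would do. If only the push or `workflow_dispatch` path needs it, consider splitting the caller so pull-request runs stay read-only.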