READLY-124 Add BOMs and clean up all dependencies

.github/dependabot.yml

@@ -0,0 +1,27 @@
+---
+
+version: 2
+
+registries:
+  maven-artifactory:
+    type: maven-repository
+    url: https://artifactory.rtr.cloud/artifactory/maven-releases/
+    username: ${{ secrets.ARTIFACTORY_DEPLOY_USER }}
+    password: ${{ secrets.ARTIFACTORY_DEPLOY_PASSWORD }}
+
+updates:
+  - package-ecosystem: "maven"
+    registries:
+      - maven-artifactory
+    target-branch: "master"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 30
+
+  - package-ecosystem: "github-actions"
+    target-branch: "master"
+    directory: ".github/workflows"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10

.github/workflows/pr-validation.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Check out repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: YAML linting
         uses: karancode/yamllint-github-action@v2.1.1
@@ -51,5 +51,13 @@ jobs:
               }
             ]
 
+      - name: Resolve dependencies
+        run: mvn -B dependency:go-offline
+
+      # can't add -o here; go-offline and resolve-plugins don't download plugin dependencies, lol
       - name: Build, test, and install
         run: mvn -B install
+
+      # dependency:analyze-only is run as part of the previous step, but this sometimes catches more
+      - name: Run dependency and bug analysis
+        run: mvn -o -B dependency:analyze

.github/workflows/release.yml

@@ -28,13 +28,18 @@ jobs:
       - name: Check out repo
         uses: actions/checkout@v4
 
-      - name: Install Java and Maven
+      - name: Set up JDK 8
         uses: actions/setup-java@v3
         with:
           java-version: 8
           distribution: temurin
           check-latest: false
 
+      - name: Set up Maven
+        uses: stCarolas/setup-maven@v4.5
+        with:
+          maven-version: 3.9.4
+
       - name: Configure git
         run: |
           git config --global user.email "infrastructure+deploy@renttherunway.com"

alchemy-api/pom.xml

@@ -1,27 +1,69 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
   <parent>
     <artifactId>alchemy-parent</artifactId>
     <groupId>io.rtr.alchemy</groupId>
-    <version>2.0.10-SNAPSHOT</version>
+    <version>2.1.0-SNAPSHOT</version>
   </parent>
+
   <name>Alchemy API Library</name>
   <description>Representations for Alchemy Service</description>
-  <modelVersion>4.0.0</modelVersion>
   <artifactId>alchemy-api</artifactId>
 
+  <dependencyManagement>
+    <dependencies>
+      <!-- third-party dependencies -->
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-dependencies</artifactId>
+        <version>${project.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
+    <!-- direct third-party dependencies -->
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.validation</groupId>
+      <artifactId>validation-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>joda-time</groupId>
+      <artifactId>joda-time</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+
+    <!-- test dependencies -->
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>io.dropwizard</groupId>
       <artifactId>dropwizard-jackson</artifactId>
+      <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>io.dropwizard</groupId>
-      <artifactId>dropwizard-validation</artifactId>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>com.fasterxml.jackson.datatype</groupId>
-      <artifactId>jackson-datatype-guava</artifactId>
+      <groupId>nl.jqno.equalsverifier</groupId>
+      <artifactId>equalsverifier</artifactId>
+      <scope>test</scope>
     </dependency>
   </dependencies>
 </project>

alchemy-api/src/test/java/io/rtr/alchemy/dto/models/ExperimentDtoTest.java

@@ -7,6 +7,9 @@
 public class ExperimentDtoTest {
     @Test
     public void testEqualsHashCode() {
-        EqualsVerifier.forClass(ExperimentDto.class).suppress(Warning.STRICT_INHERITANCE).verify();
+        EqualsVerifier.forClass(ExperimentDto.class)
+                .suppress(Warning.STRICT_INHERITANCE)
+                .withOnlyTheseFields("name")
+                .verify();
     }
 }

alchemy-api/src/test/java/io/rtr/alchemy/dto/models/TreatmentDtoTest.java

@@ -7,6 +7,9 @@
 public class TreatmentDtoTest {
     @Test
     public void testEqualsHashCode() {
-        EqualsVerifier.forClass(TreatmentDto.class).suppress(Warning.STRICT_INHERITANCE).verify();
+        EqualsVerifier.forClass(TreatmentDto.class)
+                .suppress(Warning.STRICT_INHERITANCE)
+                .withIgnoredFields("description")
+                .verify();
     }
 }

alchemy-bom/pom.xml

@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <artifactId>alchemy-parent</artifactId>
+    <groupId>io.rtr.alchemy</groupId>
+    <version>2.1.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>alchemy-bom</artifactId>
+  <packaging>pom</packaging>
+  <name>Alchemy BOM</name>
+  <description>Bill of Materials for Alchemy Libraries</description>
+
+  <!-- Note that alchemy-example is excluded, since it is not meant to be used -->
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-api</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-client</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-core</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-db-memory</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-db-mongo</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-dependencies</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-mapping</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-service</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.rtr.alchemy</groupId>
+        <artifactId>alchemy-testing</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+</project>