SONARJAVA-6296 Configure Renovate

[renovate]

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

📚 See our Reading List for relevant documentation you may be interested in reading.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.

---

Detected Package Files

• .github/actions/orchestrator-cache/action.yml (github-actions)
• .github/actions/upload-actual/action.yml (github-actions)
• .github/workflows/PrepareNextIteration.yml (github-actions)
• .github/workflows/PullRequestClosed.yml (github-actions)
• .github/workflows/PullRequestCreated.yml (github-actions)
• .github/workflows/ReleasabilityCheck.yml (github-actions)
• .github/workflows/RequestReview.yml (github-actions)
• .github/workflows/SubmitReview.yml (github-actions)
• .github/workflows/ToggleLockBranch.yml (github-actions)
• .github/workflows/UpdateRuleMetadata.yml (github-actions)
• .github/workflows/automated-release.yml (github-actions)
• .github/workflows/build.yml (github-actions)
• .github/workflows/cleanup-cache.yml (github-actions)
• .github/workflows/dogfood.yml (github-actions)
• .github/workflows/mark-prs-stale.yml (github-actions)
• .github/workflows/pr-cleanup.yml (github-actions)
• .github/workflows/releasability.yaml (github-actions)
• .github/workflows/release.yml (github-actions)
• .github/workflows/unified-dogfooding.yml (github-actions)
• check-list/pom.xml (maven)
• external-reports/pom.xml (maven)
• its/autoscan/pom.xml (maven)
• its/plugin/plugins/java-extension-plugin/pom.xml (maven)
• its/plugin/plugins/pom.xml (maven)
• its/plugin/pom.xml (maven)
• its/plugin/tests/pom.xml (maven)
• its/pom.xml (maven)
• its/ruling/pom.xml (maven)
• its/vibebot/pom.xml (maven)
• java-checks-aws/pom.xml (maven)
• java-checks-common/pom.xml (maven)
• java-checks-testkit/pom.xml (maven)
• java-checks/pom.xml (maven)
• java-frontend/pom.xml (maven)
• java-jsp/pom.xml (maven)
• java-surefire/pom.xml (maven)
• pom.xml (maven)
• sonar-java-plugin/pom.xml (maven)
• .github/workflows/PrepareNextIteration.yml (regex)
• .github/workflows/build.yml (regex)
• .github/workflows/unified-dogfooding.yml (regex)

Configuration Summary

Based on the default config's presets, Renovate will:

• Start dependency updates only once this onboarding PR is merged
• Hopefully safe environment variables to allow users to configure.
• Show all Merge Confidence badges for pull requests.
• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Ensure that every dependency pinned by digest and sourced from Forgejo contains a link to the commit-to-commit diff
• Ensure that every dependency pinned by digest and sourced from Gitea contains a link to the commit-to-commit diff
• Ensure that every dependency pinned by digest and sourced from GitHub.com and Github enterprise contains a link to the commit-to-commit diff
• Ensure that every dependency pinned by digest and sourced from GitLab.com contains a link to the commit-to-commit diff
• Correctly link to the source code for golang.org/x packages
• Link to pkg.go.dev/... for golang.org/x packages' title
• Evaluate schedules according to timezone CET.
• Remove hourly and concurrent rate limits.
• Run Renovate on following schedule: before 6am on Monday

---

What to Expect

With your current configuration, Renovate will create 7 Pull Requests:

Update dependency org.springframework:spring-webmvc to v6 [SECURITY]

• Branch name: renovate/maven-org.springframework-spring-webmvc-vulnerability
• Merge into: master
• Upgrade org.springframework:spring-webmvc to 6.1.14

Update GitHub Actions dependencies

• Schedule: ["before 6am on Monday"]
• Branch name: renovate/github-actions-dependencies
• Merge into: master
• Upgrade actions/checkout to 93cb6efe18208431cddfb8368fd83d5badbf9bfd
• Pin actions/checkout to 34e114876b0b11c390a56381ad16ebd13914f8d5
• Pin actions/stale to 5bef64f19d7facfb25b37b414482c7164d639639
• Pin actions/upload-artifact to ea165f8d65b6e75b540449e92b4886f43607fa02
• Upgrade jdx/mise-action to 5228313ee0372e111a38da051671ca30fc5a96db
• Upgrade slackapi/slack-github-action to fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3

Update Maven dependencies

• Schedule: ["before 6am on Monday"]
• Branch name: renovate/maven-dependencies
• Merge into: master
• Upgrade org.apache.maven.plugins:maven-resources-plugin to 3.5.0
• Upgrade com.google.code.gson:gson to 2.14.0
• Upgrade commons-io:commons-io to 2.22.0
• Upgrade org.springframework:spring-expression to 6.2.18
• Upgrade org.junit:junit-bom to 5.14.3
• Upgrade com.google.guava:guava to 33.6.0-jre
• Upgrade org.apache.maven.plugins:maven-shade-plugin to 3.6.2
• Upgrade org.slf4j:slf4j-api to 1.7.36
• Upgrade org.slf4j:slf4j-simple to 1.7.36
• Upgrade org.mockito:mockito-core to 5.23.0
• Upgrade org.mockito:mockito-junit-jupiter to 5.23.0
• Upgrade org.jacoco:org.jacoco.agent to 0.8.14
• Upgrade org.apache.struts:struts-core to 1.3.10
• Upgrade org.sonarsource.sslr:sslr-testing-harness to 1.25.1.3886
• Upgrade org.sonarsource.sslr:sslr-core to 1.25.1.3886
• Upgrade org.sonarsource.analyzer-commons:sonar-performance-measure to 2.22.0.4796
• Upgrade org.sonarsource.analyzer-commons:sonar-regex-parsing to 2.22.0.4796
• Upgrade org.sonarsource.analyzer-commons:sonar-analyzer-test-commons to 2.22.0.4796
• Upgrade org.sonarsource.analyzer-commons:sonar-xml-parsing to 2.22.0.4796
• Upgrade org.sonarsource.analyzer-commons:sonar-analyzer-recognizers to 2.22.0.4796
• Upgrade org.sonarsource.analyzer-commons:sonar-analyzer-commons to 2.22.0.4796
• Upgrade org.sonarsource.sonarlint.core:sonarlint-core to 10.47.0.84936
• Upgrade org.sonarsource.sonarlint.core:sonarlint-plugin-api to 10.47.0.84936
• Upgrade commons-collections:commons-collections to 3.2.2
• Upgrade org.sonarsource.sonarqube:sonar-testing-harness to 25.12.0.117093
• Upgrade org.sonarsource.sonarqube:sonar-plugin-api-impl to 25.12.0.117093
• Upgrade org.sonarsource.sonarqube:sonar-ws to 25.12.0.117093
• Upgrade com.googlecode.maven-download-plugin:download-maven-plugin to 1.13.0
• Upgrade org.codehaus.mojo:build-helper-maven-plugin to 3.6.1
• Upgrade org.codehaus.mojo:exec-maven-plugin to 3.6.3
• Upgrade org.apache.tomcat.embed:tomcat-embed-jasper to 9.0.117
• Upgrade org.apache.maven.plugins:maven-compiler-plugin to 3.15.0

Update sonar-plugin-api to v13.5.0.4319

• Schedule: ["before 6am on Monday"]
• Branch name: renovate/sonar-plugin-api
• Merge into: master
• Upgrade org.sonarsource.api.plugin:sonar-plugin-api-test-fixtures to 13.5.0.4319
• Upgrade org.sonarsource.api.plugin:sonar-plugin-api to 13.5.0.4319

Update dependency mise to 2026.4.20

• Schedule: ["before 6am on Monday"]
• Branch name: renovate/mise
• Merge into: master
• Upgrade mise to 2026.4.20

Update GitHub Actions dependencies (major)

• Schedule: ["before 6am on Monday"]
• Branch name: renovate/major-github-actions-dependencies
• Merge into: master
• Upgrade actions/checkout to de0fac2e4500dabe0009e67214ff5f5447ce83dd
• Upgrade actions/stale to b5d41d4e1d5dceea10e7104786b73624c18a190f
• Upgrade actions/upload-artifact to 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
• Upgrade jdx/mise-action to 1648a7812b9aeae629881980618f079932869151
• Upgrade slackapi/slack-github-action to 03ea5433c137af7c0495bc0cad1af10403fc800c

Update Maven dependencies (major)

• Schedule: ["before 6am on Monday"]
• Branch name: renovate/major-maven-dependencies
• Merge into: master
• Upgrade org.springframework:spring-expression to 7.0.7
• Upgrade org.junit:junit-bom to 6.0.3
• Upgrade org.slf4j:slf4j-api to 2.0.17
• Upgrade org.slf4j:slf4j-simple to 2.0.17
• Upgrade org.sonarsource.sonarlint.core:sonarlint-core to 11.2.1.85436
• Upgrade org.sonarsource.sonarlint.core:sonarlint-plugin-api to 11.2.1.85436
• Upgrade org.sonarsource.sonarqube:sonar-testing-harness to 26.4.0.121862
• Upgrade org.sonarsource.sonarqube:sonar-plugin-api-impl to 26.4.0.121862
• Upgrade org.sonarsource.sonarqube:sonar-ws to 26.4.0.121862
• Upgrade javax:javaee-web-api to 8.0.1
• Upgrade org.apache.tomcat.embed:tomcat-embed-jasper to 11.0.21

---

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

---

This PR was generated by Mend Renovate. View the repository job log.

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: SONARJAVA-6295

[sonar-review-alpha]

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR adds renovate.json5 to enable automated dependency updates for sonar-java. The configuration extends SonarSource's standard JVM squad presets and adds project-specific customizations:

• Ignored paths: Test sources and documentation directories to reduce noise
• sonar-plugin-api handling: Includes a reminder to check the compatibility matrix before updating (critical for plugin development)
• SonarSource GitHub Actions: Custom version extraction for internal actions

Once merged, Renovate will automatically create dependency update PRs on the configured schedule (before 6am Mondays), starting with 7 PRs including a security update for spring-webmvc.

What reviewers should know

Key decision: The config is minimal and delegates most logic to SonarSource's shared presets (quality-jvm-squad). Review focuses on the local customizations, not the defaults.

Important for reviewers:

• The prHeader for sonar-plugin-api is a UX choice—it warns authors to verify compatibility before merging updates to that critical dependency. Make sure this message is helpful to your team.
• The ignorePaths list targets test/doc directories. Verify these match your repo's actual layout and that nothing important gets excluded.
• The GitHub Actions regex ^v(?<version>\\d+)$ assumes SonarSource actions use git tags like v1, v2. Confirm this matches your actual workflow.

After merge: Expect the 7 pull requests listed in the author's description to be created within hours. The spring-webmvc security PR should be prioritized.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[sonar-review-alpha]

LGTM! ✅

🗣️ Give feedback