Add dependabot updates for Gradle, CodeQL scanning, prevent dynamic maven deps

Author: bioball

.github/PklProject

@@ -17,7 +17,7 @@ amends "pkl:Project"
 
 dependencies {
   ["pkl.impl.ghactions"] {
-    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0"
+    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.0"
   }
   ["com.github.actions"] {
     uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.2.0"

.github/PklProject.deps.json

@@ -3,16 +3,16 @@
   "resolvedDependencies": {
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.1",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.6.0",
       "checksums": {
-        "sha256": "fd515da685ea126678c3ec684e84a4f992d43481cc1d75cb866cd55775f675f9"
+        "sha256": "10e27d63df4a4520d8a9375962406ca5ffe74f396bd3cb1c19b1f8358505010a"
       }
     },
     "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.0",
       "checksums": {
-        "sha256": "2c1e0d9efcd65b3c3207bf535c325ebc0ec2ab169187b324c4bb70821cac0e51"
+        "sha256": "962cdba703b50e86ecfda1a1345bf58caa7b4839dd090eae6120024d862793d0"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1": {
@@ -24,16 +24,16 @@
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.0.3",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.1.3",
       "checksums": {
-        "sha256": "d368900942efb88ed51a98f9614748b06c74ba43423f045fcd6dedb5dbdc0bea"
+        "sha256": "521feb6f5ff12075ebad0758799fe7ec2675d231a0e0f5456694c8d4822a8171"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.3",
       "checksums": {
-        "sha256": "02ef6f25bfca5b1d095db73ea15de79d2d2c6832ebcab61e6aba90554382abcb"
+        "sha256": "a8934d84ffd11992d7baf6acfd97bae31d6112fa8add5cc8b5b4a722ce5b9ffc"
       }
     }
   }

.github/dependabot.yml

@@ -1,6 +1,16 @@
 version: 2
 updates:
+- package-ecosystem: gradle
+  cooldown:
+    default-days: 7
+    exclude:
+    - org.pkl-lang:*
+  directory: /
+  schedule:
+    interval: weekly
 - package-ecosystem: github-actions
+  cooldown:
+    default-days: 7
   directory: /
   ignore:
   - dependency-name: '*'

.github/index.pkl

@@ -119,3 +119,21 @@ local publishJob: Workflow.Job = new {
     }
   }
 }
+
+dependabot {
+  updates {
+    new {
+      `package-ecosystem` = "gradle"
+      directory = "/"
+      cooldown {
+        `default-days` = 7
+        exclude {
+          "org.pkl-lang:*"
+        }
+      }
+      schedule {
+        interval = "weekly"
+      }
+    }
+  }
+}

.github/workflows/__lockfile__.yml

@@ -24,3 +24,7 @@ jobs:
       uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
     - name: actions/upload-artifact@v5
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+    - name: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+    - name: github/codeql-action/init@v4
+      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4

.github/workflows/codeql.yml

@@ -0,0 +1,28 @@
+# Generated from Workflow.pkl. DO NOT EDIT.
+'on':
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+  schedule:
+  - cron: 29 17 * * 4
+jobs:
+  analyze-actions:
+    name: Analyze (actions)
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
+    - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+      with:
+        languages: actions
+        build-mode: none
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+      with:
+        category: /language:actions

build.gradle.kts

@@ -8,6 +8,14 @@ plugins {
 group = "org.pkl-lang"
 version = "1.0-SNAPSHOT"
 
+configurations {
+    all {
+        resolutionStrategy {
+            failOnDynamicVersions()
+        }
+    }
+}
+
 repositories {
     mavenCentral()
 }
@@ -36,7 +44,7 @@ val repos = arrayOf(
     "apple/pkl-swift"
 )
 
-tasks.create<JavaExec>("generateAndPublishDocs") {
+val generateAndPublishDocs by tasks.registering(JavaExec::class) {
     group = "publish"
     configureBuild(doPublish = true)
 }

gradle/libs.versions.toml

@@ -1,9 +1,9 @@
 [versions]
-pkl = "0.+"
-ktor = "2.+"
+pkl = "0.31.1"
+ktor = "3.4.3"
 spotless = "6.25.0"
-kotlinxSerialization = "1.6.+"
-kotlin = "2.+"
+kotlinxSerialization = "1.11.0"
+kotlin = "2.3.20"
 
 [libraries]
 pklDoc = { group = "org.pkl-lang", name = "pkl-doc", version.ref = "pkl" }