build: adopt hypertrace shared BOM, version catalog, and java-convention plugin (#120)

* build: bump to JDK 17 and upgrade service-framework to 0.1.94 for Jetty 12 (CVE-2026-2332)

The current build pulls service-framework 0.1.89 (Jetty 11.0.24, vulnerable to
CVE-2026-2332 / CVE-2025-5115). service-framework 0.1.94 migrates to
Jetty 12.1.9 (ee10), which requires JDK 17+.

- Bump source/target compatibility to Java 17 across all subprojects
- Bump CI workflows to Java 17
- Bump platform-metrics + platform-service-framework 0.1.89 -> 0.1.94
- Bump grpc-client-utils 0.13.16 -> 0.13.23 (resolution conflict version)
- Bump junit-pioneer 2.0.0 -> 2.3.0 and mockito-core 5.2.0 -> 5.15.2 for JDK 17+ reflection compat
- Add --add-opens to test task for junit-pioneer @SetEnvironmentVariable on JDK 17+

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* build: use Gradle Java toolchain to provision JDK 17

The shared hypertrace gradle GitHub action launches Gradle with JDK 11
on the runner. Setting source/target compatibility to 17 caused
'invalid source release: 17' on subprojects in the build job.
Switching to a Java toolchain lets Gradle auto-provision and compile
with JDK 17 regardless of the launcher JDK the action uses.

* build: adopt hypertrace shared BOM and version catalog

Migrates the project to the canonical hypertrace pattern: the shared
hypertrace-bom catalog drives common dep/plugin versions and the
java-convention plugin standardizes JVM toolchain handling. Repo-local
deps move to gradle/libs.versions.toml exposed as localLibs.

- settings.gradle.kts: apply org.hypertrace.dependency-settings 0.2.0
  with catalogVersion 0.3.80 (auto-registers commonLibs and localLibs)
- gradle/libs.versions.toml: repo-local catalog (mockito, log4j, junit-
  pioneer, caffeine, avro, hypertrace-config-partitioner-api, grpc-netty,
  hypertrace-grpcutils-context, plus the avro plugin which is not in BOM)
- build.gradle.kts: replace per-module hand-rolled plugin versions with
  alias(commonLibs.plugins.*); apply hypertrace.java-convention (toolchain
  21 default, releaseCompatibility 11) so dep/JDK upgrades come for free
  via BOM bumps
- Subprojects: rewrite to alias(commonLibs.*)/alias(localLibs.*) and add
  api(platform(commonLibs.hypertrace.bom)) for managed versions
- Generate gradle.lockfile per module (settings-gradle.lockfile not
  tracked per the BOM doc)
- Add .github/workflows/update-locks.yml: weekly schedule keeps locks in
  sync with newly published BOM versions
- Bump pr-build/pr-test java-version 17 to 21 to match toolchain default

* build: prefer non-jakarta aliases for hypertrace framework deps

Both `hypertrace.framework.metrics` and `hypertrace.framework.metrics.jakarta`
(and the same pair for `service`) resolve to the same underlying artifact in
hypertrace-bom 0.3.80 — the `-jakarta` suffix is a transitional alias for the
in-flight Jakarta EE migration. The unsuffixed names are clearer and self-
explanatory; switch to those.

No resolved-dependency change; lockfiles unchanged.

* build: address review feedback — prefer commonLibs and slf4j2 binding

- Move shared-catalog deps from localLibs to commonLibs: mockito-core,
  log4j-slf4j2-impl, grpc-netty, hypertrace-grpcutils-context. The BOM
  governs the versions there, so the local catalog only carries deps
  truly outside the shared catalog.
- Switch the log4j binding to log4j-slf4j2-impl (the slf4j2 binding) per
  reviewer note — log4j-slf4j-impl was the slf4j-1.x binding and pulls in
  the wrong API.
- Drop versions for kafka-bom-managed entries (avro, kafka-streams-avro-
  serde, kafka-streams-test-utils) — the kafka-bom platform constrains
  them.

Lockfiles regenerated; resolved versions now follow the BOM (mockito 5.8.0,
log4j-slf4j2-impl 2.25.4) instead of hand-pinned ones.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: suresh-prakash

.github/workflows/pr-build.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '11'
+          java-version: '21'
 
       - name: Build with Gradle
         uses: hypertrace/github-actions/gradle@main

.github/workflows/pr-test.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '11'
+          java-version: '21'
 
       - name: Unit test
         uses: hypertrace/github-actions/gradle@main
@@ -56,7 +56,7 @@ jobs:
       - uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '11'
+          java-version: '21'
       - name: Dependency Check
         uses: hypertrace/github-actions/dependency-check@main
         with:

.github/workflows/update-locks.yml

@@ -0,0 +1,30 @@
+name: Update Locks
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '37 21 * * 3'
+jobs:
+  update-versions:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Calculate simple repository name
+        id: repo-basename
+        shell: bash
+        run: |
+          echo "value=`basename ${{ github.repository }}`" >> $GITHUB_OUTPUT
+      - name: Get Token from Github App
+        uses: tibdex/github-app-token@v2
+        id: generate-token
+        with:
+          app_id: ${{ secrets.GH_CI_APP_ID }}
+          private_key: ${{ secrets.GH_CI_APP_PRIVATE_KEY }}
+          repositories: >-
+            [${{ toJson(steps.repo-basename.outputs.value) }}]
+      - name: Update locks if needed
+        uses: hypertrace/github-actions/raise-lock-pr@main
+        with:
+          token: ${{ steps.generate-token.outputs.token }}

build.gradle.kts

@@ -2,30 +2,25 @@ import org.hypertrace.gradle.publishing.HypertracePublishExtension
 import org.hypertrace.gradle.publishing.License
 
 plugins {
-  id("org.hypertrace.repository-plugin") version "0.5.0"
-  id("org.hypertrace.ci-utils-plugin") version "0.4.0"
-  id("org.hypertrace.avro-plugin") version "0.5.1" apply false
-  id("org.hypertrace.publish-plugin") version "1.1.1" apply false
-  id("org.hypertrace.jacoco-report-plugin") version "0.3.0" apply false
-  id("org.hypertrace.code-style-plugin") version "2.1.2" apply false
-  id("org.owasp.dependencycheck") version "12.1.3"
+  alias(commonLibs.plugins.hypertrace.repository)
+  alias(commonLibs.plugins.hypertrace.ciutils)
+  alias(commonLibs.plugins.hypertrace.publish) apply false
+  alias(commonLibs.plugins.hypertrace.codestyle) apply false
+  alias(commonLibs.plugins.hypertrace.java.convention)
+  alias(commonLibs.plugins.owasp.dependencycheck)
+  alias(localLibs.plugins.hypertrace.avro) apply false
 }
 
 subprojects {
   group = "org.hypertrace.core.kafkastreams.framework"
-  pluginManager.withPlugin("org.hypertrace.publish-plugin") {
+  pluginManager.withPlugin(rootProject.commonLibs.plugins.hypertrace.publish.get().pluginId) {
     configure<HypertracePublishExtension> {
       license.set(License.APACHE_2_0)
     }
   }
 
   pluginManager.withPlugin("java") {
-    configure<JavaPluginExtension> {
-      sourceCompatibility = JavaVersion.VERSION_11
-      targetCompatibility = JavaVersion.VERSION_11
-
-      apply(plugin = "org.hypertrace.code-style-plugin")
-    }
+    apply(plugin = rootProject.commonLibs.plugins.hypertrace.codestyle.get().pluginId)
   }
 
   // Handle lz4-java redirect capability conflict:
@@ -45,4 +40,4 @@ dependencyCheck {
   suppressionFile = "owasp-suppressions.xml"
   scanConfigurations.add("runtimeClasspath")
   failBuildOnCVSS = 3.0F
-}
+}

gradle/libs.versions.toml

@@ -0,0 +1,17 @@
+[versions]
+caffeine = "3.1.8"
+junit-pioneer = "2.3.0"
+hypertrace-config = "0.1.73"
+hypertrace-avro-plugin = "0.5.1"
+
+[libraries]
+junit-pioneer = { module = "org.junit-pioneer:junit-pioneer", version.ref = "junit-pioneer" }
+hamcrest-core = { module = "org.hamcrest:hamcrest-core", version = "2.2" }
+caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version.ref = "caffeine" }
+kafka-streams-avro-serde = { module = "io.confluent:kafka-streams-avro-serde" }
+kafka-streams-test-utils = { module = "org.apache.kafka:kafka-streams-test-utils" }
+avro = { module = "org.apache.avro:avro" }
+hypertrace-config-partitioner-api = { module = "org.hypertrace.config.service:partitioner-config-service-api", version.ref = "hypertrace-config" }
+
+[plugins]
+hypertrace-avro = { id = "org.hypertrace.avro-plugin", version.ref = "hypertrace-avro-plugin" }

kafka-event-listener/build.gradle.kts

@@ -1,25 +1,26 @@
 plugins {
   `java-library`
   jacoco
-  id("org.hypertrace.publish-plugin")
-  id("org.hypertrace.jacoco-report-plugin")
+  alias(commonLibs.plugins.hypertrace.publish)
+  alias(commonLibs.plugins.hypertrace.jacoco)
   id("java-test-fixtures")
 }
 
 dependencies {
-  annotationProcessor("org.projectlombok:lombok:1.18.38")
-  compileOnly("org.projectlombok:lombok:1.18.38")
+  annotationProcessor(commonLibs.lombok)
+  compileOnly(commonLibs.lombok)
 
   api(platform(project(":kafka-bom")))
-  api("org.apache.kafka:kafka-clients")
+  api(platform(commonLibs.hypertrace.bom))
+  api(commonLibs.kafka.clients)
 
-  implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.89")
-  testImplementation("org.junit.jupiter:junit-jupiter:5.9.2")
-  testImplementation("org.mockito:mockito-core:5.2.0")
-  testImplementation("com.github.ben-manes.caffeine:caffeine:3.1.8")
+  implementation(commonLibs.hypertrace.framework.metrics)
+  testImplementation(commonLibs.junit.jupiter)
+  testImplementation(commonLibs.mockito.core)
+  testImplementation(localLibs.caffeine)
 
   testFixturesApi(platform(project(":kafka-bom")))
-  testFixturesApi("org.apache.kafka:kafka-clients")
+  testFixturesApi(commonLibs.kafka.clients)
 }
 
 tasks.test {

kafka-event-listener/gradle.lockfile

@@ -0,0 +1,69 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+at.yawk.lz4:lz4-java:1.8.1=runtimeClasspath,testRuntimeClasspath
+com.fasterxml.jackson:jackson-bom:2.21.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+com.github.ben-manes.caffeine:caffeine:3.1.8=testCompileClasspath,testRuntimeClasspath
+com.github.luben:zstd-jni:1.5.6-3=runtimeClasspath,testRuntimeClasspath
+com.google.code.findbugs:jsr305:3.0.2=runtimeClasspath,testRuntimeClasspath
+com.google.errorprone:error_prone_annotations:2.18.0=runtimeClasspath
+com.google.errorprone:error_prone_annotations:2.21.1=testCompileClasspath,testRuntimeClasspath
+com.google.guava:failureaccess:1.0.1=runtimeClasspath,testRuntimeClasspath
+com.google.guava:guava-parent:32.1.2-jre=runtimeClasspath,testRuntimeClasspath
+com.google.guava:guava:32.1.2-jre=runtimeClasspath,testRuntimeClasspath
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava=runtimeClasspath,testRuntimeClasspath
+com.typesafe:config:1.4.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.dropwizard.metrics:metrics-core:4.2.25=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.dropwizard.metrics:metrics-jakarta-servlet:4.2.25=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.dropwizard.metrics:metrics-jvm:4.2.25=runtimeClasspath,testRuntimeClasspath
+io.github.mweirauch:micrometer-jvm-extras:0.2.2=runtimeClasspath,testRuntimeClasspath
+io.grpc:grpc-bom:1.75.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.micrometer:micrometer-commons:1.14.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.micrometer:micrometer-core:1.14.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.micrometer:micrometer-observation:1.14.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.micrometer:micrometer-registry-prometheus-simpleclient:1.14.4=runtimeClasspath,testRuntimeClasspath
+io.netty:netty-bom:4.1.133.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+io.prometheus:simpleclient:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_common:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_dropwizard:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_pushgateway:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_servlet_common:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_servlet_jakarta:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_tracer_common:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_tracer_otel:0.16.0=runtimeClasspath,testRuntimeClasspath
+io.prometheus:simpleclient_tracer_otel_agent:0.16.0=runtimeClasspath,testRuntimeClasspath
+jakarta.servlet:jakarta.servlet-api:6.1.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy-agent:1.14.10=testCompileClasspath,testRuntimeClasspath
+net.bytebuddy:byte-buddy:1.14.10=testCompileClasspath,testRuntimeClasspath
+org.apache.kafka:kafka-clients:7.7.0-ccs=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apiguardian:apiguardian-api:1.1.2=testCompileClasspath
+org.checkerframework:checker-qual:3.33.0=runtimeClasspath
+org.checkerframework:checker-qual:3.37.0=testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty.ee10:jetty-ee10-bom:12.1.9=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty.ee10:jetty-ee10-servlet:12.1.9=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-bom:12.1.9=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-http:12.1.9=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-io:12.1.9=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-security:12.1.9=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-server:12.1.9=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-session:12.1.9=runtimeClasspath,testRuntimeClasspath
+org.eclipse.jetty:jetty-util:12.1.9=runtimeClasspath,testRuntimeClasspath
+org.hdrhistogram:HdrHistogram:2.2.2=runtimeClasspath,testRuntimeClasspath
+org.hypertrace.bom:hypertrace-bom:0.3.80=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.hypertrace.core.serviceframework:platform-metrics:0.1.94=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-api:5.10.0=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-engine:5.10.0=testRuntimeClasspath
+org.junit.jupiter:junit-jupiter-params:5.10.0=testCompileClasspath,testRuntimeClasspath
+org.junit.jupiter:junit-jupiter:5.10.0=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-commons:1.10.0=testCompileClasspath,testRuntimeClasspath
+org.junit.platform:junit-platform-engine:1.10.0=testRuntimeClasspath
+org.junit:junit-bom:5.10.0=testCompileClasspath,testRuntimeClasspath
+org.latencyutils:LatencyUtils:2.0.3=runtimeClasspath,testRuntimeClasspath
+org.mockito:mockito-core:5.8.0=testCompileClasspath,testRuntimeClasspath
+org.objenesis:objenesis:3.3=testRuntimeClasspath
+org.opentest4j:opentest4j:1.3.0=testCompileClasspath,testRuntimeClasspath
+org.projectlombok:lombok:1.18.30=annotationProcessor,compileClasspath
+org.slf4j:slf4j-api:2.0.17=runtimeClasspath,testRuntimeClasspath
+org.slf4j:slf4j-api:2.0.7=compileClasspath,testCompileClasspath
+org.xerial.snappy:snappy-java:1.1.10.5=runtimeClasspath,testRuntimeClasspath
+empty=

kafka-streams-framework/build.gradle.kts

@@ -1,39 +1,40 @@
 plugins {
   `java-library`
   jacoco
-  id("org.hypertrace.publish-plugin")
-  id("org.hypertrace.jacoco-report-plugin")
-  id("org.hypertrace.avro-plugin")
+  alias(commonLibs.plugins.hypertrace.publish)
+  alias(commonLibs.plugins.hypertrace.jacoco)
+  alias(localLibs.plugins.hypertrace.avro)
 }
 
 tasks.test {
   useJUnitPlatform()
 }
 
 dependencies {
-  annotationProcessor("org.projectlombok:lombok:1.18.38")
-  compileOnly("org.projectlombok:lombok:1.18.38")
+  annotationProcessor(commonLibs.lombok)
+  compileOnly(commonLibs.lombok)
 
   api(project(":kafka-streams-serdes"))
   api(platform(project(":kafka-bom")))
+  api(platform(commonLibs.hypertrace.bom))
   api("org.apache.kafka:kafka-streams")
-  api("io.confluent:kafka-streams-avro-serde")
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.16")
+  api(localLibs.kafka.streams.avro.serde)
+  api(commonLibs.hypertrace.grpcutils.client)
 
-  implementation("org.apache.avro:avro")
-  implementation("org.apache.kafka:kafka-clients")
-  implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.89")
-  implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.89")
-  implementation("org.apache.commons:commons-lang3:3.18.0")
+  implementation(localLibs.avro)
+  implementation(commonLibs.kafka.clients)
+  implementation(commonLibs.hypertrace.framework.metrics)
+  implementation(commonLibs.hypertrace.framework.service)
+  implementation(commonLibs.commons.lang)
 
-  testCompileOnly("org.projectlombok:lombok:1.18.38")
-  testAnnotationProcessor("org.projectlombok:lombok:1.18.38")
-  testImplementation("org.apache.kafka:kafka-streams-test-utils")
-  testImplementation("org.junit.jupiter:junit-jupiter:5.9.2")
-  testImplementation("org.junit-pioneer:junit-pioneer:2.0.0")
-  testImplementation("org.mockito:mockito-core:5.2.0")
-  testImplementation("org.hamcrest:hamcrest-core:2.2")
-  testRuntimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.20.0")
+  testCompileOnly(commonLibs.lombok)
+  testAnnotationProcessor(commonLibs.lombok)
+  testImplementation(localLibs.kafka.streams.test.utils)
+  testImplementation(commonLibs.junit.jupiter)
+  testImplementation(localLibs.junit.pioneer)
+  testImplementation(commonLibs.mockito.core)
+  testImplementation(localLibs.hamcrest.core)
+  testRuntimeOnly(commonLibs.log4j.slf4j2.impl)
 }
 
 // Disabling compatibility check for the test avro definitions.