fix: tailor dependency-age report per gradle update PR.

[AlexeyKuznetsov-DD]

What Does This Do

Makes the weekly update-gradle-dependencies workflow generate a separate dependency-age report for each PR it opens, instead of putting the same combined report in both.

validate-lockfiles in dependency_age.py now emits two extra outputs:

• summary_core — findings for core/product lockfiles
• summary_instrumentation — findings for dd-smoke-tests/ and dd-java-agent/instrumentation/ lockfiles

The workflow wires summary_core into the core PR and summary_instrumentation into the instrumentation PR.

Motivation

The validation step runs once over the whole tree, so both PRs (e.g. #11590 and #11591) embedded the identical summary. Each PR only changes a subset of lockfiles, so the report should list only the dependencies relevant to that
PR.

[dd-octo-sts]

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite	Status
Startup	🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Scenario	Candidate	master	Δ (95% CI of mean)
startup:insecure-bank:iast:Agent	14.00 s	13.85 s	[+0.3%; +1.8%] (maybe worse)
startup:insecure-bank:tracing:Agent	12.93 s	12.94 s	[-1.0%; +0.8%] (no difference)
startup:petclinic:appsec:Agent	16.77 s	16.67 s	[-1.2%; +2.5%] (no difference)
startup:petclinic:iast:Agent	16.89 s	16.94 s	[-1.5%; +0.9%] (no difference)
startup:petclinic:profiling:Agent	15.78 s	16.82 s	[-14.3%; +1.9%] (unstable)
startup:petclinic:sca:Agent	16.67 s	16.76 s	[-2.0%; +1.0%] (no difference)
startup:petclinic:tracing:Agent	15.32 s	16.19 s	[-13.5%; +2.8%] (unstable)

Commit: 363feffd · CI Pipeline · Benchmarking Platform UI

---

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

[sarahchen6]

It seems like we no longer need the summary variable now, so we can clean that up 🤔 (here and in emit_outputs)

[AlexeyKuznetsov-DD]

Nice catch! I applied this suggestion and also added tests.
Please take a look one more time :)

[sarahchen6]

Looks good, thanks!

[sarahchen6]

Let's try it out!

[AlexeyKuznetsov-DD]

/merge -f --reason "Not a code change, just refined report for GtiHub 48h action, no need to pass MQ"

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-06-09 15:58:57 UTC ℹ️ Start processing command /merge -f --reason "Not a code change, just refined report for GtiHub 48h action, no need to pass MQ"

---

2026-06-09 15:59:02 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 0s (p90).

---

2026-06-09 15:59:12 UTC ℹ️ MergeQueue: This merge request was merged

Warning

This change was merged without running any pre merge CI checks

Reason: Not a code change, just refined report for GtiHub 48h action, no need to pass MQ