
chore(ci): better lockfiles updates#1087

Closed
solnic wants to merge 3 commits into master from chore/ci-better-lockfiles-updates

Conversation

solnic (Collaborator) commented Jun 18, 2026

This adds an internal mix sentry.bump_lockfiles machinery that can perform safe dep version bumps checked against our test suites.

Here's a sample run:

dir(sentry-elixir) ⚡ mix sentry.bump_lockfiles --dry-run --skip-integrations
Optimistic bump did not pass (applying allowed bumps would cross a major boundary); bisecting.
==> Trying root: acceptor_pool 1.0.0 -> 1.0.1
    kept acceptor_pool
==> Trying root: bandit 1.6.11 -> 1.12.0
    kept bandit
==> Trying root: certifi 2.12.0 -> 2.17.0
    kept certifi
==> Trying root: cowboy 2.12.0 -> 2.16.1
    failed cowboy (tests in root)
==> Trying root: cowlib 2.13.0 -> 2.17.1
    kept cowlib
==> Trying root: crontab 1.1.13 -> 1.2.0
    skipped crontab (requires_major_dep)
==> Trying root: db_connection 2.7.0 -> 2.10.1
    kept db_connection
==> Trying root: dialyxir 1.4.3 -> 1.4.7
    kept dialyxir
==> Trying root: earmark_parser 1.4.41 -> 1.4.45
    kept earmark_parser
==> Trying root: ecto 3.12.3 -> 3.14.0
    skipped ecto (requires_major_dep)
==> Trying root: ecto_sql 3.12.0 -> 3.14.0
    skipped ecto_sql (requires_major_dep)
==> Trying root: gen_stage 1.2.1 -> 1.3.2
    kept gen_stage
==> Trying root: jason 1.4.4 -> 1.4.5
    kept jason
==> Trying root: makeup 1.1.2 -> 1.2.1
    kept makeup
==> Trying root: makeup_erlang 1.0.1 -> 1.1.0
    kept makeup_erlang
==> Trying root: mimerl 1.3.0 -> 1.5.0
    kept mimerl
==> Trying root: mint 1.7.1 -> 1.9.0
    kept mint
==> Trying root: oban 2.18.3 -> 2.23.0
    skipped oban (requires_major_dep)
==> Trying root: opentelemetry 1.5.0 -> 1.7.0
    kept opentelemetry
==> Trying root: opentelemetry_api 1.4.0 -> 1.5.0
    kept opentelemetry_api
==> Trying root: opentelemetry_exporter 1.8.0 -> 1.10.0
    failed opentelemetry_exporter (tests in root)
==> Trying root: parse_trans 3.4.1 -> 3.4.2
    kept parse_trans
==> Trying root: phoenix 1.7.17 -> 1.8.8
    kept phoenix
==> Trying root: rewrite 1.1.2 -> 1.3.0
    kept rewrite
==> Trying root: tls_certificate_check 1.28.0 -> 1.33.0
    kept tls_certificate_check

────────────────────────────────────────────────────────────
Dependency bump report
Overall status: partial
Bumped: 19  •  Skipped (major): 16  •  Failed: 2

root (partial)
  ✓ acceptor_pool 1.0.0 -> 1.0.1
  ✓ bandit 1.6.11 -> 1.12.0
  ✓ certifi 2.12.0 -> 2.17.0
  ✓ cowlib 2.13.0 -> 2.17.1
  ✓ db_connection 2.7.0 -> 2.10.1
  ✓ dialyxir 1.4.3 -> 1.4.7
  ✓ earmark_parser 1.4.41 -> 1.4.45
  ✓ gen_stage 1.2.1 -> 1.3.2
  ✓ jason 1.4.4 -> 1.4.5
  ✓ makeup 1.1.2 -> 1.2.1
  ✓ makeup_erlang 1.0.1 -> 1.1.0
  ✓ mimerl 1.3.0 -> 1.5.0
  ✓ mint 1.7.1 -> 1.9.0
  ✓ opentelemetry 1.5.0 -> 1.7.0
  ✓ opentelemetry_api 1.4.0 -> 1.5.0
  ✓ parse_trans 3.4.1 -> 3.4.2
  ✓ phoenix 1.7.17 -> 1.8.8
  ✓ rewrite 1.1.2 -> 1.3.0
  ✓ tls_certificate_check 1.28.0 -> 1.33.0
  ⤳ decimal 2.2.0 -> 3.1.1 (skipped: major)
  ⤳ ex_doc 0.34.2 -> 0.40.3 (skipped: 0x_minor_breaking)
  ⤳ finch 0.21.0 -> 0.23.0 (skipped: 0x_minor_breaking)
  ⤳ floki 0.37.0 -> 0.38.4 (skipped: 0x_minor_breaking)
  ⤳ hackney 1.20.1 -> 4.4.5 (skipped: major)
  ⤳ idna 6.1.1 -> 7.1.0 (skipped: major)
  ⤳ igniter 0.6.3 -> 0.8.1 (skipped: 0x_minor_breaking)
  ⤳ makeup_elixir 0.16.2 -> 1.0.1 (skipped: major)
  ⤳ owl 0.12.2 -> 0.13.1 (skipped: 0x_minor_breaking)
  ⤳ phoenix_live_view 0.20.17 -> 1.2.3 (skipped: major)
  ⤳ req 0.5.10 -> 0.6.2 (skipped: 0x_minor_breaking)
  ⤳ spitfire 0.2.1 -> 0.3.13 (skipped: 0x_minor_breaking)
  ⤳ crontab 1.1.13 -> 1.2.0 (skipped: requires_major_dep)
  ⤳ ecto 3.12.3 -> 3.14.0 (skipped: requires_major_dep)
  ⤳ ecto_sql 3.12.0 -> 3.14.0 (skipped: requires_major_dep)
  ⤳ oban 2.18.3 -> 2.23.0 (skipped: requires_major_dep)
  ✗ cowboy 2.12.0 -> 2.16.1 (tests in root)
  ✗ opentelemetry_exporter 1.8.0 -> 1.10.0 (tests in root)
────────────────────────────────────────────────────────────

Run artifacts written to tmp/lockfile-bump/run-2026-06-19T10-35-47.230607Z
Apply the verified lockfiles later with: mix sentry.bump_lockfiles --apply tmp/lockfile-bump/run-2026-06-19T10-35-47.230607Z

You can also narrow it down, i.e.:

dir(sentry-elixir) ⚡ mix sentry.bump_lockfiles --allow-major-for ecto,ecto_sql --only ecto,ecto_sql

Optimistic bump did not pass (applying allowed bumps would cross a major boundary); bisecting.
==> Trying root: ecto 3.12.3 -> 3.14.0
    skipped ecto (requires_major_dep)
==> Trying root: ecto_sql 3.12.0 -> 3.14.0
    skipped ecto_sql (requires_major_dep)
==> Trying phoenix_app: ecto 3.13.5 -> 3.14.0
    failed ecto (tests in phoenix_app)
==> Trying phoenix_app: ecto_sql 3.13.4 -> 3.14.0
    failed ecto_sql (tests in phoenix_app)

────────────────────────────────────────────────────────────
Dependency bump report
Overall status: partial
Bumped: 0  •  Skipped (major): 2  •  Failed: 2

root (unchanged)
  ⤳ ecto 3.12.3 -> 3.14.0 (skipped: requires_major_dep)
  ⤳ ecto_sql 3.12.0 -> 3.14.0 (skipped: requires_major_dep)

prod_mode (unchanged)

umbrella (unchanged)

phoenix_app (partial)
  ✗ ecto 3.13.5 -> 3.14.0 (tests in phoenix_app)
  ✗ ecto_sql 3.13.4 -> 3.14.0 (tests in phoenix_app)

legacy_otel (unchanged)
────────────────────────────────────────────────────────────

Run artifacts written to tmp/lockfile-bump/run-2026-06-19T11-22-47.132996Z

@solnic solnic force-pushed the chore/ci-better-lockfiles-updates branch 3 times, most recently from df76ff3 to fed6bd3 Compare June 19, 2026 08:09
@solnic solnic force-pushed the chore/ci-better-lockfiles-updates branch 3 times, most recently from 02bd04d to 645a6c5 Compare June 19, 2026 11:33

Comment thread on lib/sentry/dev/lockfile.ex (outdated):

# The smart bump runs the full test suite (including integration tests) to verify
# each update, and may bisect dependency-by-dependency on failure, so it needs a
# much larger budget than a blunt `mix deps.update --all`.
timeout-minutes: 120

solnic (Collaborator, Author) commented:

FYI that's a pessimistic timeout. During testing it finished in about 40 minutes.

@solnic solnic force-pushed the chore/ci-better-lockfiles-updates branch from 645a6c5 to 0155509 Compare June 19, 2026 11:55
@solnic solnic marked this pull request as ready for review June 19, 2026 11:55
Comment thread on lib/sentry/dev/applier.ex:

whatyouhide (Collaborator) commented:

@solnic can you elaborate on why this is necessary?

solnic (Collaborator, Author) commented Jun 22, 2026

@whatyouhide we run automatic lock bumps every Monday now (i.e. see #1091) and tracking down which bump broke what is a bit of a chore, so I wanted to add a tool that could help. I do understand this is a bit too big, so I'm gonna close it for now and use it myself to see how it goes in practice. Maybe we could revisit it later as a potential addition to the repo. /cc @sl0thentr0py

whatyouhide (Collaborator) commented:

@solnic I think I'm a bit more confused about why we run automatic lock bumps every Monday 😄 Nothing uses the mix.lock of a dependency, so this is not going to change absolutely anything for the users of this SDK, which is what causes my confusion.

sl0thentr0py (Member) commented Jun 23, 2026

Supply chain hardening because of recent attacks in package ecosystems; it's for us, not our users.

@solnic solnic closed this Jun 23, 2026