From 908422fc880f4fdd56c67bf606a511d9fe47b567 Mon Sep 17 00:00:00 2001 
From: Ben Manes Date: Sun, 24 Mar 2024 12:04:59 -0700 Subject: [PATCH] add more linters --- .github/actions/run-gradle/action.yml | 3 +- .github/workflows/analysis.yml | 75 ---- .github/workflows/benchmarks.yml | 126 ------- .github/workflows/build.yml | 357 ------------------ .github/workflows/codacy.yml | 54 --- .github/workflows/codeql.yml | 66 ---- .github/workflows/dependency-check.yml | 63 ---- .github/workflows/dependency-review.yml | 28 -- .../dependency-submission-pr-retreive.yml | 40 -- .../dependency-submission-pr-submit.yml | 44 --- .github/workflows/dependency-submission.yml | 43 --- .github/workflows/examples.yml | 109 ------ .github/workflows/gitleaks.yml | 32 -- .../workflows/gradle-wrapper-validation.yml | 21 -- .github/workflows/qodana.yml | 68 ---- .github/workflows/release.yml | 35 -- .github/workflows/reviewdog.yml | 22 ++ .github/workflows/scorecards-analysis.yml | 2 +- .github/workflows/semgrep.yml | 41 -- .github/workflows/snyk.yml | 66 ---- .github/workflows/spelling.yml | 28 +- .github/workflows/{devskim.yml => trivy.yml} | 32 +- gradle/libs.versions.toml | 4 +- 23 files changed, 62 insertions(+), 1297 deletions(-) delete mode 100644 .github/workflows/analysis.yml delete mode 100644 .github/workflows/benchmarks.yml delete mode 100644 .github/workflows/build.yml delete mode 100644 .github/workflows/codacy.yml delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/dependency-check.yml delete mode 100644 .github/workflows/dependency-review.yml delete mode 100644 .github/workflows/dependency-submission-pr-retreive.yml delete mode 100644 .github/workflows/dependency-submission-pr-submit.yml delete mode 100644 .github/workflows/dependency-submission.yml delete mode 100644 .github/workflows/examples.yml delete mode 100644 .github/workflows/gitleaks.yml delete mode 100644 .github/workflows/gradle-wrapper-validation.yml delete mode 100644 .github/workflows/qodana.yml delete mode 100644 .github/workflows/release.yml 
create mode 100644 .github/workflows/reviewdog.yml delete mode 100644 .github/workflows/semgrep.yml delete mode 100644 .github/workflows/snyk.yml rename .github/workflows/{devskim.yml => trivy.yml} (52%) diff --git a/.github/actions/run-gradle/action.yml b/.github/actions/run-gradle/action.yml index 40e08b461f..4c60cd5cab 100644 --- a/.github/actions/run-gradle/action.yml +++ b/.github/actions/run-gradle/action.yml @@ -2,7 +2,7 @@ name: Run Gradle description: Sets up Gradle JDKs and runs Gradle inputs: arguments: - required: true + required: false description: Gradle arguments java: required: true @@ -83,6 +83,7 @@ runs: gradle-home-cache-cleanup: true gradle-home-cache-strict-match: true - name: Run ${{ inputs.arguments }} + if: ${{ env.arguments != '' }} env: JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }} ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: 'false' diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml deleted file mode 100644 index 7de3598ad5..0000000000 --- a/.github/workflows/analysis.yml +++ /dev/null 
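Review bot: The guard added to the `Run ${{ inputs.arguments }}` step in the second hunk reads `env.arguments`, but the value arrives as the composite-action input `inputs.arguments`, and the step's own `env:` block sets only `JAVA_HOME` and the Gradle auto-download property; unless a caller happens to export an environment variable named `arguments`, the expression compares an empty value against `''` and the step is always skipped, so the Gradle invocation silently never runs. The condition should read `if: ${{ inputs.arguments != '' }}`. This matters because the first hunk relaxes the input from `required: true` to `required: false` with no default, so this guard is now the only thing deciding whether Gradle executes, and a skipped step would leave the job green without running the linter or test task the caller asked for. The `runs:` block continues outside the hunk.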
@@ -1,75 +0,0 @@ -name: analysis -permissions: read-all -on: [ push, pull_request ] - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - ALLOWED_ENDPOINTS: > - api.adoptium.net:443 - api.github.com:443 - caffeine.gradle-enterprise.cloud:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - services.gradle.org:443 - -jobs: - forbiddenApis: - runs-on: ubuntu-latest - env: - JAVA_VERSION: 21 - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Forbidden Apis - uses: ./.github/actions/run-gradle - with: - java: ${{ env.JAVA_VERSION }} - arguments: forbiddenApis -DforbiddenApis - - pmd: - runs-on: ubuntu-latest - env: - JAVA_VERSION: 22 - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Pmd - uses: ./.github/actions/run-gradle - with: - java: ${{ env.JAVA_VERSION }} - arguments: pmdJavaPoet pmdMain pmdCodeGen pmdJmh -Dpmd - - spotbugs: - runs-on: ubuntu-latest - env: - JAVA_VERSION: 22 - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Spotbugs - uses: ./.github/actions/run-gradle - with: 
- java: ${{ env.JAVA_VERSION }} - arguments: spotbugsJavaPoet spotbugsMain spotbugsCodeGen spotbugsJmh -Dspotbugs diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml deleted file mode 100644 index 4612cc9f87..0000000000 --- a/.github/workflows/benchmarks.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -name: benchmarks -permissions: read-all -on: [ push, pull_request ] - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - PUBLISH_JDK: 21 - -jobs: - benchmarks: - runs-on: ubuntu-latest - strategy: - matrix: - java: [ 11, 21, 23, GraalVM ] - env: - JAVA_VERSION: ${{ matrix.java }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - caffeine.gradle-enterprise.cloud:443 - download.java.net:443 - download.oracle.com:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - gds.oracle.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - raw.githubusercontent.com:443 - services.gradle.org:443 - www.graalvm.org:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Compute JMH Benchmark - uses: ./.github/actions/run-gradle - with: - java: ${{ matrix.java }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: > - caffeine:jmh --no-daemon -q - -PincludePattern=ComputeBenchmark - -PbenchmarkParameters=computeType=Caffeine,Guava,ConcurrentHashMap - - name: Upload Compute JMH Results to Gist - uses: popsiclestick/gist-sync-action@88f8633178625914f2a01abf1a765f7272a580fa # v1.2.0 - if: > - github.event_name == 'push' - && github.event.repository.fork == false - && endsWith(github.ref, github.event.repository.default_branch) - with: - auth: ${{ secrets.GIST_TOKEN }} - gist_description: Compute JMH Results - gist_title: compute_results_${{ matrix.java }}.json - github_file: ./caffeine/build/reports/jmh/results.json - gist_url: https://gist.githubusercontent.com/ben-manes/511298014cc5629cbc5e57f09fd4c430 - - name: Get/Put JMH Benchmark - uses: 
./.github/actions/run-gradle - with: - java: ${{ matrix.java }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: > - caffeine:jmh --no-daemon -q - -PincludePattern=GetPutBenchmark - -PbenchmarkParameters=cacheType=Caffeine,Guava,ConcurrentHashMap - - name: Upload Get/Put JMH Results to Gist - uses: popsiclestick/gist-sync-action@88f8633178625914f2a01abf1a765f7272a580fa # v1.2.0 - if: > - github.event_name == 'push' - && github.event.repository.fork == false - && endsWith(github.ref, github.event.repository.default_branch) - with: - auth: ${{ secrets.GIST_TOKEN }} - gist_description: Get/Put JMH Results - gist_title: getput_results_${{ matrix.java }}.json - github_file: ./caffeine/build/reports/jmh/results.json - gist_url: https://gist.githubusercontent.com/ben-manes/b231cf57cf8e144e2247716e777edcf3 - - name: Put/Remove JMH Benchmark - uses: ./.github/actions/run-gradle - with: - java: ${{ matrix.java }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: > - caffeine:jmh --no-daemon -q - -PincludePattern=PutRemoveBenchmark - -PbenchmarkParameters=cacheType=Caffeine,Guava,ConcurrentHashMap - - name: FrequencySketch JMH Benchmark - uses: ./.github/actions/run-gradle - with: - java: ${{ matrix.java }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: > - caffeine:jmh --no-daemon -q - -PincludePattern=FrequencySketchBenchmark - -PbenchmarkParameters=tableSize=134217728 - - name: TimerWheelBenchmark JMH Benchmark - uses: ./.github/actions/run-gradle - with: - java: ${{ matrix.java }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: caffeine:jmh --no-daemon -q -PincludePattern=TimerWheelBenchmark - - name: Publish JMH benchmarks - if: > - matrix.java == env.PUBLISH_JDK - && github.event_name == 'push' - && endsWith(github.ref, github.event.repository.default_branch) - run: | - { - echo '#### [Compute](https://jmh.morethan.io/?gists=511298014cc5629cbc5e57f09fd4c430)' - echo -n 'This benchmark that evaluates the overhead due to locking when the entry is' - echo -n 
'present. The scenarios graphed are all threads retrieving a single entry' - echo -n '("sameKey") and threads retrieving different keys based on a Zipf distribution' - echo -n '("spread").' - echo -e '\n' - echo '#### [Get/Put](https://jmh.morethan.io/?gists=b231cf57cf8e144e2247716e777edcf3)' - echo -n 'A benchmark that evaluates the read/write performance of a cache. The cache is' - echo -n 'pre-populated for a 100% hit rate and a Zipf distribution of keys is used to' - echo -n 'mimic application usage patterns.' - } >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index dbff5ef265..0000000000 --- a/.github/workflows/build.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -name: build -on: - pull_request: {} - push: - branches: [master, v2.dev, v3.dev] -permissions: read-all - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - ALLOWED_ENDPOINTS: > - *.actions.githubusercontent.com:443 - api.adoptium.net:443 - api.github.com:443 - api.snapcraft.io:443 - caffeine.gradle-enterprise.cloud:443 - cdn.azul.com:443 - cloudflare.com:443 - docker.io:443 - download.java.net:443 - download.oracle.com:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - gds.oracle.com:443 - ghcr.io:443 - github.com:443 - jdk.java.net:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - oss.sonatype.org:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - raw.githubusercontent.com:443 - registry.npmjs.org:443 - repo.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - scans-in.gradle.com:443 - services.gradle.org:443 - schemastore.org:443 - www.graalvm.org:443 - PUBLISH_JDK: 11 - EA_JDK: 23 - -jobs: - compile: - name: Compile - timeout-minutes: 15 - runs-on: ubuntu-latest - strategy: - matrix: - java: [ 11, 22, 23, GraalVM ] - env: - JAVA_VERSION: ${{ matrix.java }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - name: Checkout - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Prepare GraalVM - if: env.JAVA_VERSION == 'GraalVM' - shell: bash - run: echo "GRADLE_ARGS=--no-build-cache" >> $GITHUB_ENV - - name: Compile - uses: ./.github/actions/run-gradle - with: - java: ${{ env.JAVA_VERSION }} - early-access: ${{ env.EA_JDK }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: check -x test ${{ env.GRADLE_ARGS }} - - name: Cancel if failed - uses: andymckay/cancel-action@271cfbfa11ca9222f7be99a47e8f929574549e0a # 0.4 - continue-on-error: true - if: 
failure() - - tests: - name: Tests - timeout-minutes: 60 - runs-on: ubuntu-latest - needs: compile - strategy: - matrix: - suite: - - caffeine:weakKeysAndStrongValuesStatsAsyncCaffeineSlowTest - - caffeine:weakKeysAndStrongValuesStatsSyncCaffeineSlowTest - - caffeine:strongKeysAndWeakValuesStatsSyncCaffeineSlowTest - - caffeine:strongKeysAndSoftValuesStatsSyncCaffeineSlowTest - - caffeine:strongKeysAndStrongValuesStatsAsyncCaffeineTest - - caffeine:weakKeysAndWeakValuesStatsSyncCaffeineSlowTest - - caffeine:weakKeysAndSoftValuesStatsSyncCaffeineSlowTest - - caffeine:strongKeysAndStrongValuesStatsSyncCaffeineTest - - caffeine:weakKeysAndStrongValuesStatsAsyncCaffeineTest - - caffeine:weakKeysAndStrongValuesStatsSyncCaffeineTest - - caffeine:weakKeysAndStrongValuesAsyncCaffeineSlowTest - - caffeine:strongKeysAndWeakValuesStatsSyncCaffeineTest - - caffeine:strongKeysAndSoftValuesStatsSyncCaffeineTest - - caffeine:weakKeysAndStrongValuesSyncCaffeineSlowTest - - caffeine:strongKeysAndWeakValuesSyncCaffeineSlowTest - - caffeine:strongKeysAndSoftValuesSyncCaffeineSlowTest - - caffeine:weakKeysAndWeakValuesStatsSyncCaffeineTest - - caffeine:weakKeysAndSoftValuesStatsSyncCaffeineTest - - caffeine:strongKeysAndStrongValuesAsyncCaffeineTest - - caffeine:weakKeysAndWeakValuesSyncCaffeineSlowTest - - caffeine:weakKeysAndSoftValuesSyncCaffeineSlowTest - - caffeine:strongKeysAndStrongValuesSyncCaffeineTest - - caffeine:weakKeysAndStrongValuesAsyncCaffeineTest - - caffeine:weakKeysAndStrongValuesSyncCaffeineTest - - caffeine:strongKeysAndWeakValuesSyncCaffeineTest - - caffeine:strongKeysAndSoftValuesSyncCaffeineTest - - caffeine:weakKeysAndWeakValuesSyncCaffeineTest - - caffeine:weakKeysAndSoftValuesSyncCaffeineTest - - caffeine:lincheckTest - - caffeine:isolatedTest - - caffeine:junitTest - - simulator:check - - jcache:check - - guava:check - java: [ 11, 22 ] - include: - - suite: caffeine:weakKeysAndStrongValuesStatsSyncGuavaSlowTest - java: 11 - - suite: 
caffeine:strongKeysAndWeakValuesStatsSyncGuavaSlowTest - java: 11 - - suite: caffeine:strongKeysAndSoftValuesStatsSyncGuavaSlowTest - java: 11 - - suite: caffeine:weakKeysAndWeakValuesStatsSyncGuavaSlowTest - java: 11 - - suite: caffeine:weakKeysAndSoftValuesStatsSyncGuavaSlowTest - java: 11 - - suite: caffeine:strongKeysAndStrongValuesStatsSyncGuavaTest - java: 11 - - suite: caffeine:weakKeysAndStrongValuesStatsSyncGuavaTest - java: 11 - - suite: caffeine:strongKeysAndWeakValuesStatsSyncGuavaTest - java: 11 - - suite: caffeine:strongKeysAndSoftValuesStatsSyncGuavaTest - java: 11 - - suite: caffeine:weakKeysAndStrongValuesSyncGuavaSlowTest - java: 11 - - suite: caffeine:strongKeysAndWeakValuesSyncGuavaSlowTest - java: 11 - - suite: caffeine:strongKeysAndSoftValuesSyncGuavaSlowTest - java: 11 - - suite: caffeine:weakKeysAndWeakValuesStatsSyncGuavaTest - java: 11 - - suite: caffeine:weakKeysAndSoftValuesStatsSyncGuavaTest - java: 11 - - suite: caffeine:weakKeysAndWeakValuesSyncGuavaSlowTest - java: 11 - - suite: caffeine:weakKeysAndSoftValuesSyncGuavaSlowTest - java: 11 - - suite: caffeine:strongKeysAndStrongValuesSyncGuavaTest - java: 11 - - suite: caffeine:weakKeysAndStrongValuesSyncGuavaTest - java: 11 - - suite: caffeine:strongKeysAndWeakValuesSyncGuavaTest - java: 11 - - suite: caffeine:strongKeysAndSoftValuesSyncGuavaTest - java: 11 - - suite: caffeine:weakKeysAndWeakValuesSyncGuavaTest - java: 11 - - suite: caffeine:weakKeysAndSoftValuesSyncGuavaTest - java: 11 - env: - JAVA_VERSION: ${{ matrix.java }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - name: Checkout - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Run tests (${{ env.JAVA_VERSION }}) - uses: ./.github/actions/run-gradle - with: - java: ${{ env.JAVA_VERSION }} - arguments: ${{ 
matrix.suite }} - token: ${{ secrets.GITHUB_TOKEN }} - - name: Format Test Artifact Name - if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK) - run: | - RAW_NAME=${{ matrix.suite }}-${{ env.JAVA_VERSION }} - ARTIFACT_NAME=$(echo $RAW_NAME | sed 's/:/-/g') - echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV - - name: Compress test results - if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK) - run: > - find . -path */jacoco/*.exec -o -path */results/*.xml - | tar czf ${{ env.ARTIFACT_NAME }}.tar.gz --files-from - - - name: Upload test results - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK) - with: - retention-days: 1 - name: ${{ env.ARTIFACT_NAME }}-results - path: ${{ env.ARTIFACT_NAME }}.tar.gz - - name: Cancel if failed - uses: andymckay/cancel-action@271cfbfa11ca9222f7be99a47e8f929574549e0a # 0.4 - continue-on-error: true - if: failure() - - coverage: - name: Coverage - runs-on: ubuntu-latest - needs: tests - if: (github.event_name == 'push') && (github.event.repository.fork == false) - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - ${{ env.ALLOWED_ENDPOINTS }} - artifacts.codacy.com:443 - api.codacy.com:443 - codecov.io:443 - coveralls.io:443 - fastly.com:443 - nodejs.org:443 - raw.githubusercontent.com - sonarcloud.io:443 - scanner.sonarcloud.io:443 - storage.googleapis.com:443 - uploader.codecov.io:443 - - name: Checkout - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - with: - fetch-depth: 0 - - name: Download Tests Results - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 - - name: Decompress - run: find . 
-type f -name '*.tar.gz' -exec sh -c 'tar -zxf {} --one-top-level' \; - - name: Combine Jacoco Reports - uses: ./.github/actions/run-gradle - with: - arguments: check -x test - java: ${{ env.PUBLISH_JDK }} - - name: Publish to Coveralls - uses: ./.github/actions/run-gradle - env: - COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }} - with: - arguments: coveralls - java: ${{ env.PUBLISH_JDK }} - continue-on-error: true - - name: Publish to Codecov - uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0 - with: - token: ${{ secrets.CODECOV_TOKEN }} - - name: Publish to Codacy - uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0 - with: - project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} - continue-on-error: true - - name: Publish to SonarQube - uses: ./.github/actions/run-gradle - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - with: - java: ${{ env.PUBLISH_JDK }} - arguments: sonar -Dsonar.branch.name=${GITHUB_REF##*/} - continue-on-error: true - - test-results: - name: Test Results - runs-on: ubuntu-latest - needs: tests - if: github.event_name == 'push' - permissions: - checks: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - ${{ env.ALLOWED_ENDPOINTS }} - badgen.net:443 - - name: Download Tests - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 - - name: Decompress - run: find . 
-type f -name '*.tar.gz' -exec sh -c 'tar -zxf {} --one-top-level' \; - - name: Publish Test Results - uses: EnricoMi/publish-unit-test-result-action@f355d34d53ad4e7f506f699478db2dd71da9de5f # v2.15.1 - continue-on-error: true - id: test-results - with: - json_thousands_separator: ',' - junit_files: '**/TEST-*.xml' - comment_mode: off - ignore_runs: true - job_summary: true - - name: Create badge - id: test-badge - env: - LABEL: tests - COLOR: 31c653 - STATUS: ${{ fromJSON(steps.test-results.outputs.json).formatted.stats.runs }} - continue-on-error: true - run: curl -s -f https://badgen.net/badge/${{env.LABEL}}/${{env.STATUS}}/${{env.COLOR}} > badge.svg - - name: Upload badge to Gist - uses: popsiclestick/gist-sync-action@88f8633178625914f2a01abf1a765f7272a580fa # v1.2.0 - if: > - github.event.repository.fork == false - && steps.test-badge.outcome == 'success' - && endsWith(github.ref, github.event.repository.default_branch) - with: - gist_url: https://gist.githubusercontent.com/ben-manes/c20eb418f0e0bd6dfe1c25beb35faae4 - auth: ${{ secrets.GIST_TOKEN }} - gist_description: Test Results - github_file: badge.svg - gist_title: badge.svg - - publish-snapshot: - name: Publish Snapshot - runs-on: ubuntu-latest - needs: tests - if: > - github.event_name == 'push' - && github.event.repository.fork == false - && endsWith(github.ref, github.event.repository.default_branch) - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - ${{ env.ALLOWED_ENDPOINTS }} - checkerframework.org:443 - docs.oracle.com:443 - errorprone.info:443 - lightbend.github.io:443 - guava.dev:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Publish Snapshot - uses: ./.github/actions/run-gradle - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ 
secrets.NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.OSSRH_GPG_SECRET_KEY }} - ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.OSSRH_GPG_SECRET_KEY_ID }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} - with: - attempt-limit: 3 - attempt-delay: 2 - java: ${{ env.PUBLISH_JDK }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: publishToSonatype --no-configuration-cache diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml deleted file mode 100644 index 69e204d1ad..0000000000 --- a/.github/workflows/codacy.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -name: Codacy -permissions: read-all -on: [ push, pull_request ] - -jobs: - security-scan: - runs-on: ubuntu-latest - timeout-minutes: 15 - permissions: - actions: read - contents: read - security-events: write - if: github.event.repository.fork == false - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.codacy.com:443 - api.github.com:443 - auth.docker.io:443 - github.com:443 - golang.org:443 - objects.githubusercontent.com:443 - production.cloudflare.docker.com:443 - raw.githubusercontent.com:443 - registry-1.docker.io:443 - *.blob.core.windows.net:443 - - name: Checkout code - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Run Codacy Analysis - uses: codacy/codacy-analysis-cli-action@master - continue-on-error: true - with: - format: sarif - output: results.sarif - gh-code-scanning-compat: true - max-allowed-issues: 2147483647 - - name: Check file existence - id: check_files - uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0 - with: - files: results.sarif - - name: Remove duplicate runs - if: steps.check_files.outputs.files_exists == 'true' - run: jq -c '.runs |= unique_by({tool, invocations, results})' < results.sarif > codacy.sarif - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - if: steps.check_files.outputs.files_exists == 'true' - continue-on-error: true - with: - sarif_file: codacy.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index e64f99af3d..0000000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL" - -on: - push: - branches: [master] - pull_request: - # The branches below must be a subset of the branches above - branches: [master] - schedule: - - cron: '0 0 * * 4' - -permissions: - actions: read - contents: read - pull-requests: read - security-events: write - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 21 - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - caffeine.gradle-enterprise.cloud:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - uploads.github.com:443 - services.gradle.org:443 - - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Setup Gradle - uses: ./.github/actions/run-gradle - with: - java: ${{ env.JAVA_VERSION }} - token: ${{ secrets.GITHUB_TOKEN }} - - name: Initialize CodeQL - uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - with: - languages: java - - name: Autobuild - uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
deleted file mode 100644
index 4dc7d65abb..0000000000
--- a/.github/workflows/dependency-check.yml
+++ /dev/null
@@ -1,63 +0,0 @@ -name: Dependency Check -on: - push: - pull_request: - schedule: - - cron: '0 0 * * 4' -permissions: read-all - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 22 - -jobs: - dependency-check: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - caffeine.gradle-enterprise.cloud:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - jcenter.bintray.com:443 - jeremylong.github.io:443 - nvd.nist.gov:443 - objects.githubusercontent.com:443 - ossindex.sonatype.org:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - raw.githubusercontent.com:443 - services.gradle.org:443 - www.cisa.gov:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Run dependency-check - uses: ./.github/actions/run-gradle - continue-on-error: true - env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - with: - java: ${{ env.JAVA_VERSION }} - arguments: dependencyCheckAggregate --no-configuration-cache - - name: Check file existence - id: check_files - uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0 - with: - files: build/reports/dependency-check-report.sarif - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - if: steps.check_files.outputs.files_exists == 'true' - with: - sarif_file: build/reports/dependency-check-report.sarif diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml deleted file mode 100644 index 0a4889a380..0000000000 
--- a/.github/workflows/dependency-review.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Dependency Review -permissions: read-all -on: [pull_request] - -jobs: - dependency-review: - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - github.com:443 - - name: Checkout Repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Dependency Review - uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 - with: - license-check: false - comment-summary-in-pr: on-failure - retry-on-snapshot-warnings: true - retry-on-snapshot-warnings-timeout: 600 diff --git a/.github/workflows/dependency-submission-pr-retreive.yml b/.github/workflows/dependency-submission-pr-retreive.yml deleted file mode 100644 index 993c80659a..0000000000 --- a/.github/workflows/dependency-submission-pr-retreive.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: Retrieve and submit dependency graph -permissions: read-all -on: - workflow_run: - workflows: ['Generate and save dependency graph'] - types: [completed] - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 22 - -jobs: - submit-dependency-graph: - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - caffeine.gradle-enterprise.cloud:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - services.gradle.org:443 - - name: Retrieve and submit dependency graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - with: - dependency-graph: download-and-submit diff --git a/.github/workflows/dependency-submission-pr-submit.yml b/.github/workflows/dependency-submission-pr-submit.yml deleted file mode 100644 index c52a405210..0000000000 --- a/.github/workflows/dependency-submission-pr-submit.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: Generate and save dependency graph -permissions: read-all -on: [ pull_request ] - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 21 - -jobs: - dependency-submission: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - caffeine.gradle-enterprise.cloud:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - services.gradle.org:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Set up JDK ${{ env.JAVA_VERSION }} - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - java-version: ${{ env.JAVA_VERSION }} - distribution: temurin - - name: Submit Dependency Graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - with: - cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} - dependency-graph: generate-and-upload diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml deleted file mode 100644 index a4ab2d01ae..0000000000 --- a/.github/workflows/dependency-submission.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -name: Dependency Submission -permissions: read-all -on: [ push ] - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 21 - -jobs: - dependency-submission: - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - caffeine.gradle-enterprise.cloud:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - services.gradle.org:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Set up JDK ${{ env.JAVA_VERSION }} - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - java-version: ${{ env.JAVA_VERSION }} - distribution: temurin - - name: Submit Dependency Graph - uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - with: - cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml deleted file mode 100644 index 482792f0ed..0000000000 --- a/.github/workflows/examples.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -name: examples -permissions: read-all -on: [ push, pull_request ] - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 21 - -jobs: - examples: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - api.adoptium.net:443 - caffeine.gradle-enterprise.cloud:443 - download.oracle.com:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - gds.oracle.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - services.gradle.org:443 - www.graalvm.org:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Set up JDK ${{ env.JAVA_VERSION }} - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 - with: - java-version: ${{ env.JAVA_VERSION }} - distribution: temurin - - name: Setup Gradle - uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - with: - add-job-summary: never - cache-read-only: false - gradle-home-cache-cleanup: true - - name: Simulator - run: > - ./gradlew simulator:run - -Dcaffeine.simulator.report.output=$(pwd)/simulation.md - -Dcaffeine.simulator.files.paths.0="corda:trace_vaultservice.gz" - -Dcaffeine.simulator.files.paths.1="lirs:loop.trace.gz" - -Dcaffeine.simulator.files.paths.2="corda:trace_vaultservice.gz" - - name: Publish Simulator Results - run: | - { - echo '### Adaptivity' - echo '```' - cat $(pwd)/simulation.md - echo '```' - } >> $GITHUB_STEP_SUMMARY - - name: Chart Simulation - run: ./gradlew -q simulator:simulate --maximumSize=100,200,300 - - name: Memory Overhead - run: ./gradlew -q caffeine:memoryOverhead - - name: Stresser (read) - run: > - timeout 1m 
./gradlew -q caffeine:stress --workload=read - || ([[ $? -eq 124 ]] && echo "Timeout reached, but that's OK") - - name: Stresser (write) - run: > - timeout 1m ./gradlew -q caffeine:stress --workload=write - || ([[ $? -eq 124 ]] && echo "Timeout reached, but that's OK") - - name: Stresser (refresh) - run: > - timeout 1m ./gradlew -q caffeine:stress --workload=refresh - || ([[ $? -eq 124 ]] && echo "Timeout reached, but that's OK") - - name: Write-behind (rxjava) - working-directory: examples/write-behind-rxjava - run: ./gradlew build - - name: Coalescing Bulkloader (reactor) - working-directory: examples/coalescing-bulkloader-reactor - run: ./gradlew build - - name: Hibernate (jcache) - working-directory: examples/hibernate - run: ./gradlew build - - name: Resilience (failsafe) - working-directory: examples/resilience-failsafe - run: ./gradlew build - - name: Prepare for Graal Native Image - uses: ./.github/actions/run-gradle - env: - SNAPSHOT: true - with: - java: GraalVM - token: ${{ secrets.GITHUB_TOKEN }} - arguments: -q caffeine:clean caffeine:jar - - name: Graal Native Image - uses: ./.github/actions/run-gradle - env: - SNAPSHOT: true - with: - java: GraalVM - token: ${{ secrets.GITHUB_TOKEN }} - arguments: > - --project-dir examples/graal-native - -Pagent run - metadataCopy --task run --dir src/main/resources/META-INF/native-image - nativeRun nativeTest diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml deleted file mode 100644 index 4fe7046b4d..0000000000 --- a/.github/workflows/gitleaks.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: gitleaks -on: - pull_request: {} - push: - branches: [master, v3.dev] -permissions: read-all - -env: - ALLOWED_ENDPOINTS: > - api.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - -jobs: - scan: - name: gitleaks - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - name: Checkout - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - with: - fetch-depth: 0 - - name: Run gitleaks - uses: gitleaks/gitleaks-action@e6dab246340401bf53eec993b8f05aebe80ac636 # v2.3.4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml deleted file mode 100644 index a70b5cce7d..0000000000 --- a/.github/workflows/gradle-wrapper-validation.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Validate Gradle Wrapper -on: [push, pull_request] -permissions: read-all - -jobs: - validation: - name: Validation - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - services.gradle.org:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - uses: gradle/wrapper-validation-action@699bb18358f12c5b78b37bb0111d3a0e2276e0e2 # v2.1.1 diff --git a/.github/workflows/qodana.yml b/.github/workflows/qodana.yml deleted file mode 100644 index 6370f95831..0000000000 --- a/.github/workflows/qodana.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -name: Qodana -permissions: read-all -on: [ push, pull_request ] - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 11 - -jobs: - qodana: - runs-on: ubuntu-latest - permissions: - checks: write - actions: read - contents: read - security-events: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.foojay.io:443 - api.github.com:443 - auth.docker.io:443 - caffeine.gradle-enterprise.cloud:443 - checkerframework.org:443 - docs.oracle.com:443 - download.jetbrains.com:443 - download-cdn.jetbrains.com:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - errorprone.info:443 - github.com:443 - guava.dev:443 - jcenter.bintray.com:443 - lightbend.github.io:443 - objects.githubusercontent.com:443 - packages.jetbrains.team:443 - pkg-cdn.jetbrains.team:443 - plugins.gradle.org:443 - plugins.jetbrains.com:443 - plugins-artifacts.gradle.org:443 - prod.fus.aws.intellij.net:443 - production.cloudflare.docker.com:443 - registry-1.docker.io:443 - repo.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - resources.jetbrains.com:443 - services.gradle.org:443 - - name: Checkout - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Build - uses: ./.github/actions/run-gradle - with: - java: ${{ env.JAVA_VERSION }} - arguments: build -x test - - name: Qodana - Code Inspection - uses: JetBrains/qodana-action@e42ff2d2727091337983f607598abbbce4e25f1f # v2023.3.1 - with: - upload-result: true - - name: Upload SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - with: - sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index b6c1dfc850..0000000000 --- a/.github/workflows/release.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: release -on: - release: - types: [created] -permissions: read-all - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - JAVA_VERSION: 11 - -jobs: - release: - runs-on: ubuntu-latest - if: github.event.repository.fork == false - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: audit - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Releasing - uses: ./.github/actions/run-gradle - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.OSSRH_GPG_SECRET_KEY }} - ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.OSSRH_GPG_SECRET_KEY_ID }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} - with: - java: ${{ env.JAVA_VERSION }} - token: ${{ secrets.GITHUB_TOKEN }} - arguments: > - publishToSonatype closeAndReleaseSonatypeStagingRepository -Prelease - --no-configuration-cache diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml new file mode 100644 index 0000000000..094bfdaf5f --- /dev/null +++ b/.github/workflows/reviewdog.yml 
@@ -0,0 +1,22 @@ +name: reviewdog +permissions: read-all +on: [ push, pull_request ] + +jobs: + actionlint: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + - uses: actions/checkout@v3 + # - name: actionlint + # uses: reviewdog/action-actionlint@v1 + # with: + # reporter: github-check + # github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index 5c927b9cc7..4ee6d80da0 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -29,13 +29,13 @@ jobs: api.osv.dev:443 api.securityscorecards.dev:443 bestpractices.coreinfrastructure.org:443 - bestpractices.dev:443 fulcio.sigstore.dev:443 github.com:443 oss-fuzz-build-logs.storage.googleapis.com:443 rekor.sigstore.dev:443 sigstore-tuf-root.storage.googleapis.com:443 tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout code uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index 9f1d2c7550..0000000000 --- a/.github/workflows/semgrep.yml +++ /dev/null 
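Review bot: `uses: actions/checkout@v3` in the new `actionlint` job is a mutable tag, unlike every other action in this repository, which is pinned to a commit SHA with a version comment (the `step-security/harden-runner@63c24ba6…  # v2.7.0` step two lines above it in this same hunk); a moving tag lets a force-pushed or compromised release change what runs on every push and PR, and it will regress the Scorecards Pinned-Dependencies check. Use the pinned line the other workflows already use, `uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2`, and pin `reviewdog/action-actionlint` to a commit SHA before un-commenting it. The commented-out step also sets `reporter: github-check`, which needs `checks: write` on the job; under the file-level `permissions: read-all` it would presumably fail to post results, so add a job-level `permissions:` block granting `checks: write` when that step is enabled.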
@@ -1,41 +0,0 @@ -name: Semgrep -permissions: read-all -on: - pull_request: {} - push: - branches: [master, v2.dev, v3.dev] - -jobs: - semgrep: - name: Scan - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - container: - # Incompatible with Harden Runner - image: returntocorp/semgrep - steps: - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - run: semgrep scan --sarif --output=results.sarif - env: - SEMGREP_RULES: >- - p/java - p/github-actions - p/semgrep-rule-lints - p/semgrep-misconfigurations - - name: Check file existence - id: check_files - uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0 - with: - files: results.sarif - - name: Remove duplicate rules - if: steps.check_files.outputs.files_exists == 'true' - run: jq -c '.runs[0].tool.driver.rules |= unique_by(.id)' < results.sarif > semgrep.sarif - - name: Upload SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - if: steps.check_files.outputs.files_exists == 'true' - continue-on-error: true - with: - sarif_file: semgrep.sarif diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml deleted file mode 100644 index 7e92b5d01a..0000000000 --- a/.github/workflows/snyk.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -name: snyk -on: - push: - branches: [master, v2.dev, v3.dev] -permissions: read-all - -env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - -jobs: - snyk: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - if: github.event.repository.fork == false - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.foojay.io - api.github.com:443 - api.snyk.io:443 - caffeine.gradle-enterprise.cloud:443 - downloads.gradle.org:443 - downloads.gradle-dn.com:443 - github.com:443 - jcenter.bintray.com:443 - objects.githubusercontent.com:443 - plugins.gradle.org:443 - plugins-artifacts.gradle.org:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - services.gradle.org:443 - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Run Snyk test - uses: snyk/actions/gradle-jdk17@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - command: test - args: --sarif-file-output=snyk.sarif --all-sub-projects -- --no-configuration-cache - - name: Check file existence - id: check_files - uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0 - with: - files: snyk.sarif - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - if: steps.check_files.outputs.files_exists == 'true' - with: - sarif_file: snyk.sarif - - name: Run Snyk monitor - uses: snyk/actions/gradle-jdk17@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - command: monitor - args: --all-sub-projects -- --no-configuration-cache diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index a1a3cce3ba..f5add410f2 100644 
--- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -3,8 +3,25 @@ permissions: read-all on: [ push, pull_request ] jobs: - spellcheck: - name: Check spelling + misspell: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + objects.githubusercontent.com:443 + - uses: actions/checkout@v3 + - name: Misspell + uses: reviewdog/action-misspell@v1 + with: + reporter: github-check + github_token: ${{ secrets.GITHUB_TOKEN }} + + typos: runs-on: ubuntu-latest steps: - name: Harden Runner @@ -15,11 +32,6 @@ jobs: allowed-endpoints: > github.com:443 objects.githubusercontent.com:443 - raw.githubusercontent.com:443 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Install - run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b . - - name: Spell Check with Misspell - run: ./misspell -error . - - name: Spell Check with Typos + - name: Typos uses: crate-ci/typos@bcafd462cb07ef7ba57e34abf458fe20767e808b # v1.19.0 diff --git a/.github/workflows/devskim.yml b/.github/workflows/trivy.yml similarity index 52% rename from .github/workflows/devskim.yml rename to .github/workflows/trivy.yml index ef9a853b55..cacebc5a4f 100644 --- a/.github/workflows/devskim.yml +++ b/.github/workflows/trivy.yml @@ -1,19 +1,12 @@ -name: DevSkim +name: trivy permissions: read-all - -on: - push: - branches: [master, v2.dev, v3.dev] - pull_request: - branches: [master, v2.dev, v3.dev] - schedule: - - cron: '40 22 * * 0' +on: [ push, pull_request ] jobs: - lint: - name: DevSkim + trivy: runs-on: ubuntu-20.04 permissions: + checks: write actions: read contents: read security-events: write 
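Review bot: The new `misspell` job checks out with `actions/checkout@v3` and runs `reviewdog/action-misspell@v1`, both mutable tags, whereas the `typos` job directly below it keeps the SHA-pinned `actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2` and `crate-ci/typos@bcafd462cb07ef7ba57e34abf458fe20767e808b # v1.19.0`; with `egress-policy: block` already doing the network hardening, an unpinned action is the remaining way for third-party code to change underneath this job. Pin both to a commit SHA with a version comment, reusing the checkout line from the `typos` job. `reporter: github-check` also requires `checks: write`, which the job does not grant under the file's `permissions: read-all`, so the reporter may fail or post nothing (hedged, since the action's fallback behaviour is not visible here) — add a job-level `permissions:` block with `checks: write` or use a reporter that needs only read access. Dropping the `curl … | sh` install in the second hunk is a welcome removal of a pipe-to-shell step.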
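Review bot: The new trigger `on: [ push, pull_request ]` drops the weekly `schedule: - cron: '40 22 * * 0'` that the DevSkim workflow had, so Trivy's vulnerability database is only consulted when someone pushes; a CVE published against an unchanged dependency will not surface until the next commit. Keep a schedule alongside push/pull_request, e.g. `schedule:` / `  - cron: '40 22 * * 0'` under `on:`. The hunk also adds `checks: write` to the job, but the steps in the next hunk only run the scanner and upload SARIF (which needs the existing `security-events: write`), so unless trivy-action is configured to post a check run this is an unneeded grant — drop it to keep the job least-privilege.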
@@ -25,12 +18,17 @@ jobs: egress-policy: block allowed-endpoints: > api.github.com:443 + ghcr.io:443 github.com:443 - - name: Checkout code - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Run DevSkim scanner - uses: microsoft/DevSkim-Action@914fa647b406c387000300b2f09bb28691be2b6d # v1.0.14 - - name: Upload DevSkim scan results to GitHub Security tab + pkg-containers.githubusercontent.com:443 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: fs + format: sarif + output: trivy-results.sarif + - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: - sarif_file: devskim-results.sarif + sarif_file: trivy-results.sarif diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index d940a94bb0..6ffc2c83da 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -1,5 +1,5 @@ [versions] -asm = "9.6" +asm = "9.7" auto-value = "1.10.4" awaitility = "4.2.1" bcel = "6.8.2" @@ -33,7 +33,7 @@ felix-framework = "7.0.5" felix-scr = "2.2.10" findsecbugs = "1.13.0" flip-tables = "1.1.1" -forbidden-apis = "3.6" +forbidden-apis = "3.7" google-java-format = "1.21.0" guava = "33.1.0-jre" guice = "6.0.0"
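Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a moving branch, so whatever is at the head of that repository runs here with `security-events: write` and the full checkout, while the DevSkim step it replaces was SHA-pinned (`microsoft/DevSkim-Action@914fa647b406c387000300b2f09bb28691be2b6d # v1.0.14`) and the `upload-sarif` step kept below it still is. Pin it to the commit SHA of a tagged trivy-action release with a version comment, matching the repository's convention (`uses: aquasecurity/trivy-action@<sha> # vX.Y.Z`), and let the dependency bot bump it. No `exit-code` or `severity` is set under `with:`, so the job presumably only reports to the Security tab and never blocks a PR — if gating is wanted, add `exit-code: '1'` with a `severity:` filter. Since gitleaks.yml, semgrep.yml and snyk.yml are deleted elsewhere in this patch, this `scan-type: fs` run is the only dependency/secret scan left in view; confirm that narrowing is intended.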