Updating ast-cli version and binaries 2.3.54 (#485)

cx-atish-jadhav · cx-luis-ventuzelos · web-flow · commit 6661e6016c1a · 2026-06-18T18:19:44.000+01:00
* Updating ast-cli version and binaries

* Harden workflows: scope permissions, fix set-output, replace dev-drprasad, remove repository_dispatch, comment notify and spotbugs

* Remove Maven cache from release and CI workflows

* Add publish input to gate Maven Central deploy

---------

Co-authored-by: Luís Ventuzelos &lt;207163323+cx-luis-ventuzelos@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,14 +21,6 @@ jobs:
       - name: Checkout LFS objects
         run: git lfs checkout
 
-      - name: Cache local Maven repository
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
-
       - name: Set up JDK 11
         uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
         with:
@@ -82,8 +74,8 @@ jobs:
       - name: Build with Maven
         run: mvn -B verify -DskipTests -Dgpg.skip --file pom.xml
 
-      - name: Run SpotBugs Analysis
-        if: ${{ github.actor != 'dependabot[bot]' }}
-        uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2
-        with:
-          path: '**/spotbugsXml.xml'
+      # - name: Run SpotBugs Analysis
+      #   if: ${{ github.actor != 'dependabot[bot]' }}
+      #   uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2
+      #   with:
+      #     path: '**/spotbugsXml.xml'
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -5,20 +5,24 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   delete_tag:
+    permissions:
+      contents: write
     runs-on: cx-public-ubuntu-x64
     steps:
-      - name: Delete release
-        uses: dev-drprasad/delete-tag-and-release@8cd619d00037e4aeb781909c9a6b03940507d0da  # v1.0.1
+      - name: Delete release and tag
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          delete_release: true
-          tag_name: 1.0.0-SNAPSHOT
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release delete "1.0.0-SNAPSHOT" --yes --cleanup-tag --repo ${{ github.repository }} || true
+
   nightly:
     needs: delete_tag
-    uses: CheckmarxDev/ast-cli-java-wrapper/.github/workflows/release.yml@main
+    uses: Checkmarx/ast-cli-java-wrapper/.github/workflows/release.yml@main
     with:
       tag: "1.0.0-SNAPSHOT"
       dev: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,6 +16,11 @@ on:
         description: 'Version of the CLI to bundle'
         required: false
         type: string
+      publish:
+        description: 'Publish package to Maven Central'
+        required: false
+        default: false
+        type: boolean
   workflow_call:
     inputs:
       tag:
@@ -31,9 +36,20 @@ on:
         description: 'Version of the CLI to bundle'
         required: false
         type: string
+      publish:
+        description: 'Publish package to Maven Central'
+        required: false
+        default: false
+        type: boolean
+
+permissions:
+  contents: read
 
 jobs:
   release:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: cx-public-ubuntu-x64
     outputs:
       CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
@@ -57,7 +73,7 @@ jobs:
           CLI_VERSION=$(./src/main/resources/cx-linux version | grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+')
           echo "CLI version being packed is $CLI_VERSION"
           echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_ENV
-          echo "::set-output name=CLI_VERSION::$CLI_VERSION"
+          echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_OUTPUT
 
       - name: Check if CLI version is latest
         if: ${{ github.event.inputs.dev == 'false' && !github.event.inputs.cliTag && github.ref == 'refs/heads/main' }}
@@ -85,15 +101,7 @@ jobs:
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
           git tag -a "${tag}" -m "${message}"
           git push origin "${tag}"
-          echo "::set-output name=TAG_NAME::${{ inputs.tag }}"
-
-      - name: Cache local Maven repository
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
+          echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT
 
       - name: Set up Maven Central Repository
         uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
@@ -118,6 +126,7 @@ jobs:
           echo "AID_PROP=${prop}" >> $GITHUB_ENV
 
       - name: Publish package
+        if: inputs.publish == true
         run: mvn --batch-mode deploy -DskipTests ${{ env.AID_PROP }}
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
@@ -131,26 +140,26 @@ jobs:
           tag_name: ${{ inputs.tag }}
           prerelease: ${{ inputs.dev }}
 
-  notify:
-    if: inputs.dev == false
-    needs: release
-    uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
-    with:
-      product_name: Java Wrapper
-      release_version: ${{ needs.release.outputs.TAG_NAME }}
-      cli_release_version: ${{ needs.release.outputs.CLI_VERSION }}
-      release_author: "Sypher Team"
-      release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }}
-      jira_product_name: JAVA_WRAPPER
-    secrets: inherit
+  # notify:
+  #   if: inputs.dev == false
+  #   needs: release
+  #   uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
+  #   with:
+  #     product_name: Java Wrapper
+  #     release_version: ${{ needs.release.outputs.TAG_NAME }}
+  #     cli_release_version: ${{ needs.release.outputs.CLI_VERSION }}
+  #     release_author: "Sypher Team"
+  #     release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }}
+  #     jira_product_name: JAVA_WRAPPER
+  #   secrets: inherit
 
-  dispatch_auto_release:
-    name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version
-    if: inputs.dev == false
-    needs: notify
-    uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main
-    with:
-      cli_version: ${{ needs.release.outputs.CLI_VERSION }}
-      is_cli_release: false
-      is_java_release: true
-    secrets: inherit
+  # dispatch_auto_release:
+  #   name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version
+  #   if: inputs.dev == false
+  #   needs: notify
+  #   uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main
+  #   with:
+  #     cli_version: ${{ needs.release.outputs.CLI_VERSION }}
+  #     is_cli_release: false
+  #     is_java_release: true
+  #   secrets: inherit
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
@@ -2,8 +2,6 @@ name: Update checkmarx ast cli
 
 on:
   workflow_dispatch:
-  repository_dispatch:
-    types: [cli-version-update]
 
 permissions:
   contents: read
@@ -31,8 +29,8 @@ jobs:
       - name: Get Latest Checkmarx API version
         id: checkmarx-ast-cli
         run: |
-          echo ::set-output name=release_tag::$(curl -sL https://api.github.com/repos/checkmarx/ast-cli/releases/latest | jq -r ".tag_name")
-          echo ::set-output name=current_tag::$(<checkmarx-ast-cli.version)
+          echo "release_tag=$(curl -sL https://api.github.com/repos/checkmarx/ast-cli/releases/latest | jq -r '.tag_name')" >> $GITHUB_OUTPUT
+          echo "current_tag=$(<checkmarx-ast-cli.version)" >> $GITHUB_OUTPUT
 
       - name: Update Checkmarx cli version
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
diff --git a/checkmarx-ast-cli.version b/checkmarx-ast-cli.version
@@ -1 +1 @@
-2.3.48
+2.3.54
diff --git a/src/main/resources/cx-linux b/src/main/resources/cx-linux
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f73e555c94ea77a10d31e37de49e40d3468ec2787e4e6d917539409210a8fe8d
-size 81281208
+oid sha256:776d9864c0104e1d0023641ef931bd1c58478cf56768ce77f2bfbfd6e9e64493
+size 80568482
diff --git a/src/main/resources/cx-linux-arm b/src/main/resources/cx-linux-arm
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:101acdd3d54073d9964986e279da786e527d0e649f5ae5473a79481bbb8389ef
-size 76415160
+oid sha256:d40b3cfb9f930e96a9d6b494d4c7b9cd98e3bb857e55a0f55c92d764bb8c3c1a
+size 75235490
diff --git a/src/main/resources/cx-mac b/src/main/resources/cx-mac
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:71a744df366cddf2312b2e4a51f1174ab785d06b48506e08c3c8ee9cde8f82cf
-size 162260464
+oid sha256:df4a2d6b72936afa65df8730f0ee491f6d518286421063f50df2e48d3d5b56f9
+size 160422432
diff --git a/src/main/resources/cx.exe b/src/main/resources/cx.exe
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:489659950e778b01bf66ba126cd52a1acf8f124db62407b190516c12648baf6b
-size 83262400
+oid sha256:c7227ac9dd89f344c12629d367774a2428595b3daff0a2e710981d924f13dbf4
+size 82488128
