Merge branch 'develop' into renovate/releases-docker.jfrog.io-jfrog-artifactory-oss-7.x

Author: ijusti

.devcontainer/devcontainer.json

@@ -0,0 +1,21 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/java:3-17",
+  "features": {
+    "ghcr.io/devcontainers/features/java:1": {
+      "version": "17",
+      "jdkDistro": "ammzn",
+      "installMaven": "true",
+      "installGradle": "false"
+    }
+  },
+  "customizations": {
+    // Configure properties specific to VS Code.
+    "vscode": {
+      // Add the IDs of extensions you want installed when the container is created.
+      "extensions": [
+        "streetsidesoftware.code-spell-checker",
+        "vscjava.vscode-java-pack"
+      ]
+    }
+  }
+}

.github/dependabot.yml

@@ -1,22 +1,9 @@
 version: 2
 updates:
-  - package-ecosystem: "maven"
-    directory: "/"
-    target-branch: "develop"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 50
-    ignore:
-      - dependency-name: "com.amazonaws:*"
-        update-types: ["version-update:semver-patch"]
   - package-ecosystem: "github-actions"
     directory: "/"
     target-branch: "develop"
     labels:
       - "housekeeping"
     schedule:
       interval: "monthly"
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "weekly"

.github/renovate.json

@@ -0,0 +1,76 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "branchPrefix": "renovate/",
+  "gitAuthor": "Renovate Bot <renovate@whitesourcesoftware.com>",
+  "prHourlyLimit": 10,
+  "prConcurrentLimit": 20,
+  "dependencyDashboard": true,
+  "commitBodyTable": true,
+  "rebaseWhen": "behind-base-branch",
+  "schedule": [
+    "before 8am"
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "platformAutomerge": true,
+  "customManagers": [
+    {
+      "description": "Process // renovate comments in Java files",
+      "customType": "regex",
+      "fileMatch": [
+        "\\.java$"
+      ],
+      "matchStrings": [
+        "//\\s*renovate:\\s*datasource=(?<datasource>[a-zA-Z0-9-]+).*?\\r?\\n\\s*return\\s*\"(?<depName>[^:]+):?(?<currentValue>[\\w.-]*)\""
+      ],
+      "versioningTemplate": "docker"
+    },
+    {
+      "description": "Process embedded docker images in properties and adoc",
+      "customType": "regex",
+      "fileMatch": [
+        "\\.properties$",
+        "\\.adoc$"
+      ],
+      "matchStrings": [
+        "\\*.+?`embedded\\.\\w+?\\.(?:dockerImage|docker-image)`.*'(?<depName>[^:]+):?(?<currentValue>[\\w.-]*)'"
+      ],
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
+    },
+    {
+      "description": "Process embedded docker images in Spring metadata",
+      "customType": "regex",
+      "fileMatch": [
+        "additional-spring-configuration-metadata\\.json$"
+      ],
+      "matchStrings": [
+        "\"embedded\\.\\w+?\\.(?:dockerImage|docker-image)\",(?:.|\\r?\\n)*?\"value\"\\s*:\\s*\"(?<depName>[^:]+):?(?<currentValue>[\\w.-]*)\""
+      ],
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
+    }
+  ],
+  "packageRules": [
+    {
+      "description": "Apply specific label for all Docker-related updates",
+      "matchDatasources": [
+        "docker"
+      ],
+      "labels": [
+        "docker-update-images"
+      ]
+    },
+    {
+      "description": "Automerge minor and patch updates universally",
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "automerge": true
+    }
+  ]
+}

.github/workflows/changelog-release-drafter.yml

@@ -5,11 +5,12 @@ on:
     branches:
       - develop
       - support/2.3.X
+      - support/3.0.X
 
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@v7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@master
@@ -20,8 +20,9 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL'
+          timeout: 10m
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/labeler.yml

@@ -9,6 +9,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@v6
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/maven.yml

@@ -16,7 +16,7 @@ on:
       - support/3.0.X
 
 jobs:
-  build-jdk8:
+  build-jdk21:
     runs-on: ubuntu-latest
     name: Build project
     concurrency:
@@ -25,23 +25,61 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
-          fetch-depth: 0
+          fetch-depth: 0 # Required by GIB to calculate Git diffs
+
       - name: Cache Maven packages
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
+
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'corretto'
           java-version: '21'
+
+      - name: Determine GIB Reference
+        id: gib-base
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            # For PRs, compare against the remote target branch
+            echo "BASE_REF=refs/remotes/origin/${{ github.base_ref }}" >> $GITHUB_ENV
+          else
+            # For pushes, compare against the previous commit
+            echo "BASE_REF=${{ github.event.before }}" >> $GITHUB_ENV
+          fi
+
+      - name: Check for SNAPSHOT dependencies in dependency management
+        run: |
+          ./mvnw help:effective-pom --batch-mode --no-transfer-progress -q > effective-pom.xml
+          SNAPSHOTS=$(grep "SNAPSHOT" effective-pom.xml || true)
+          rm -f effective-pom.xml
+          if [ -n "$SNAPSHOTS" ]; then
+            echo "::error::SNAPSHOT versions found in effective POM dependency management:"
+            echo "$SNAPSHOTS"
+            echo "Run 'mvn help:effective-pom | grep SNAPSHOT' locally to find them."
+            exit 1
+          fi
+
       - name: Build with Maven
-        run: ./mvnw -version && whoami && umask -S && umask a+rw && umask -S && ./mvnw clean verify -P docker-clean -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.count=3 --no-snapshot-updates --batch-mode --no-transfer-progress
+        run: |
+          ./mvnw -version && whoami && umask -S && umask a+rw && umask -S && \
+          ./mvnw clean verify \
+            -P docker-clean \
+            -Dhttp.keepAlive=false \
+            -Dmaven.wagon.http.pool=false \
+            -Dmaven.wagon.http.retryHandler.count=3 \
+            --no-snapshot-updates \
+            --batch-mode \
+            --no-transfer-progress \
+            -Dgib.referenceBranch=$BASE_REF \
+            -Dgib.buildDownstream=always
+
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/release-support-stream.yml

@@ -1,9 +1,10 @@
 name: Support Stream Branch Publish to the Maven Central Repository
 
 on:
-  workflow_dispatch:
+  push:
     branches:
       - 'support/**'
+  workflow_dispatch:
     inputs:
       version:
         description: "Version to be released"
@@ -30,18 +31,25 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate App Token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
+    
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{github.event.inputs.branch}}
-          token: ${{ secrets.RELEASE_PERSONAL_ACCESS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'corretto'
           java-version: ${{github.event.inputs.java-version}}
-          server-id: ossrh
+          server-id: central
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
@@ -54,7 +62,7 @@ jobs:
 
       - name: Publish to the Maven Central Repository
         if: ${{ success() }}
-        run: ./mvnw --batch-mode --no-transfer-progress -Dgib.disable=true -P ossrh -DskipTests deploy
+        run: ./mvnw --batch-mode --no-transfer-progress -Dgib.disable=true -P central -DskipTests deploy
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
@@ -64,6 +72,6 @@ jobs:
         if: ${{ success() }}
         uses: actions-js/push@v1.5
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           message: 'Release ${{github.event.inputs.version}}'
           branch: ${{github.event.inputs.branch}}

.github/workflows/release.yml

@@ -3,23 +3,48 @@ name: Publish to the Maven Central Repository
 on:
   release:
     types: [ published ]
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        description: "Dry-Run"
+        default: false
+        required: false
+        type: boolean
+      logLevel:
+        description: "Log-Level"
+        required: false
+        default: 'debug'
+        type: choice
+        options:
+          - info
+          - warn
+          - debug
+          - error
+          - fatal
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
+    
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{github.event.release.target_commitish}}
-          token: ${{ secrets.RELEASE_PERSONAL_ACCESS_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'corretto'
           java-version: '21'
-          server-id: ossrh
+          server-id: central
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
@@ -32,7 +57,7 @@ jobs:
 
       - name: Publish to the Maven Central Repository
         if: ${{ success() }}
-        run: ./mvnw --batch-mode --no-transfer-progress -Dgib.disable=true -P ossrh -DskipTests deploy
+        run: ./mvnw --batch-mode --no-transfer-progress -Dgib.disable=true -P central -DskipTests deploy
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
@@ -42,6 +67,6 @@ jobs:
         if: ${{ success() }}
         uses: actions-js/push@master
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           message: 'Release ${{github.event.release.tag_name}}'
           branch: ${{ github.event.release.target_commitish }}