Merge branch 'master' into feat/slsa

Author: ppkarwasz

fb-excludes.xml

@@ -18,8 +18,9 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
 
-  <!-- Mutable objects are not passed to untrusted methods, so we exclude these checks -->
+  <!-- SLSA provenance data models and mojos are intentionally mutable; defensive copying adds no safety. -->
   <Match>
+    <Package name="~org[.]apache[.]commons[.]release[.]plugin[.](mojos|slsa[.]v1_2)" />
     <Bug pattern="EI_EXPOSE_REP,EI_EXPOSE_REP2" />
   </Match>
 

pom.xml

@@ -22,7 +22,7 @@
   <parent>
     <groupId>org.apache.commons</groupId>
     <artifactId>commons-parent</artifactId>
-    <version>98</version>
+    <version>99</version>
   </parent>
   <artifactId>commons-release-plugin</artifactId>
   <packaging>maven-plugin</packaging>
@@ -53,24 +53,13 @@
       <url>scm:svn:https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-release-plugin</url>
     </site>
   </distributionManagement>
-  <!-- Temporarily add Apache Snapshots repository -->
-  <repositories>
-    <repository>
-      <id>apache.snapshots</id>
-      <name>Apache Snapshot Repository</name>
-      <url>https://repository.apache.org/snapshots</url>
-      <releases>
-        <enabled>false</enabled>
-      </releases>
-    </repository>
-  </repositories>
   <properties>
     <failOnError>false</failOnError>
     <maven.compiler.source>1.8</maven.compiler.source>
     <maven.compiler.target>1.8</maven.compiler.target>
     <!-- 3.8.2 fails with some class not found error -->
     <!-- 3.8.3 fails because MavenProject.getAttachedArtifacts() returns an IMMUTABLE collection and we want to change it! -->
-    <maven.dependency.version>3.9.14</maven.dependency.version>
+    <maven.dependency.version>3.9.15</maven.dependency.version>
     <commons.componentid>release-plugin</commons.componentid>
     <commons.dist.subdir>release-plugin</commons.dist.subdir>
     <commons.jira.id>COMMONSSITE</commons.jira.id>
@@ -146,7 +135,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.21.0</version>
+      <version>2.22.0</version>
     </dependency>
     <dependency>
       <groupId>org.apache.maven</groupId>
@@ -187,7 +176,7 @@
     <dependency>
       <groupId>commons-codec</groupId>
       <artifactId>commons-codec</artifactId>
-      <version>1.22.0-SNAPSHOT</version>
+      <version>1.22.0</version>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>

src/changes/changes.xml

@@ -28,11 +28,12 @@
       <!-- FIX -->
       <!-- ADD -->
       <!-- UPDATE -->
-      <action type="update" dev="ggregory" due-to="Gary Gregory">Bump org.apache.commons:commons-parent from 96 to 98.</action>
-      <action type="update" dev="ggregory" due-to="Gary Gregory">Bump commons-codec:commons-codec from 1.20.0 to 1.21.0.</action>
+      <action type="update" dev="ggregory" due-to="Gary Gregory">Bump org.apache.commons:commons-parent from 96 to 99.</action>
+      <action type="update" dev="ggregory" due-to="Gary Gregory">Bump commons-codec:commons-codec from 1.20.0 to 1.22.0.</action>
       <action type="update" dev="ggregory" due-to="Gary Gregory, Dependabot">Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness from 3.4.0 to 3.5.1 #426.</action>
-      <action type="update" dev="ggregory" due-to="Gary Gregory, Dependabot">Bump maven.dependency.version from 3.9.12 to 3.9.14 #424.</action>
+      <action type="update" dev="ggregory" due-to="Gary Gregory, Dependabot">Bump maven.dependency.version from 3.9.12 to 3.9.15 #424.</action>
       <action type="update" dev="ggregory" due-to="Gary Gregory, Dependabot">Bump org.codehaus.mojo:jdepend-maven-plugin from 2.1 to 2.2.0 #425.</action>
+      <action type="update" dev="ggregory" due-to="Gary Gregory">Bump commons-io:commons-io from 2.21.0 to 2.22.0.</action>
     </release>
     <release version="1.9.2" date="2026-01-25" description="This is a feature and maintenance release. Java 8 or later is required.">
       <!-- FIX -->

src/main/resources/commons-xdoc-templates/vote-txt-template.txt

@@ -138,6 +138,8 @@ Linux: uname -a
 
 To check that a build is reproducible, run:
 
+# Verify using a JDK major version matching: @JAVA_VERSION@
+export TZ="@TIMEZONE@"
 mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
 
 Note that this excludes SPDX files from the check.

src/main/scripts/generate-xdocs.build.xml

@@ -126,6 +126,8 @@
              <filter token="TAGCOMMIT"      value="${git.tag.commit}"/>
              <filter token="SITEURL"        value="${svn.site.url}"/>
              <filter token="NEXUS_REPO_ID"  value="${commons.nexus.repo.id}"/>
+             <filter token="JAVA_VERSION"   value="${java.version}"/>
+             <filter token="TIMEZONE"       value="${user.timezone}"/>
             </filterset>
         </copy>