chore(fips): merge main into fips

Merges main (v0.15.0) into the fips branch.

Conflict resolution:
- ECKeyPair.java: Combined main's structure (ECCurve enum, KeyPair field,
  new methods like getPEMPublicKeyFromX509Cert) with fips's FIPS-compatible
  crypto changes (no explicit BouncyCastle provider, standard Java interfaces
  for ECPublicKey/ECPrivateKey, KeyFactory.getInstance("EC")).
- ECKeyPairTest.java: Kept fips's removal of extractPemPubKeyFromX509 test
  (which used BC-specific .getQ()), incorporated main's new
  createSymmetricKeysWithOtherCurves test, and enabled publicKeyFromECPoint
  assertion using ECCurve.getCurveName().
- NanoTDF.java: Accepted main's deletion since all NanoTDF dependencies
  (ECCMode, NanoTDFType, etc.) were also removed in main.

Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: mkleene <262667+mkleene@users.noreply.github.com>

Author: Copilot

release-please_main-branch.json …e-please/release-please-config.main.jsonrelease-please_main-branch.json renamed to .github/release-please/release-please-config.main.json release-please_main-branch.json renamed to .github/release-please/release-please-config.main.json

@@ -12,6 +12,10 @@
     {
       "type": "generic",
       "path": "cmdline/src/main/java/io/opentdf/platform/Command.java"
+    },
+    {
+      "type": "generic",
+      "path": "sdk/src/main/java/io/opentdf/platform/sdk/Version.java"
     }
   ]
 }

release-please_release-branches.json …ease-please-config.release_branches.jsonrelease-please_release-branches.json renamed to .github/release-please/release-please-config.release_branches.json release-please_release-branches.json renamed to .github/release-please/release-please-config.release_branches.json

@@ -12,6 +12,10 @@
     {
       "type": "generic",
       "path": "cmdline/src/main/java/io/opentdf/platform/Command.java"
+    },
+    {
+      "type": "generic",
+      "path": "sdk/src/main/java/io/opentdf/platform/sdk/Version.java"
     }
   ]
 }

.github/release-please/release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.15.0"
+}

.github/workflows/checks.yaml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - main
+      - 'release/**'
   push:
     branches:
       - main
@@ -42,18 +43,22 @@ jobs:
             revert
           # Scopes include:
           #   - ci: anything related to ci
-          #   - cmdline: changes to @opentdf/ctl
+          #   - cmdline: changes to cmdline
           #   - docs: anything related solely to documentation
           #   - main: bot generated commits
-          #   - sdk: changes to @opentdf/sdk (was lib)
+          #   - sdk: changes to sdk
           #   - tests: test only changes
+          #   - examples: examples only changes
+          #   - release/v0.\d+: release-please release branch PRs
           scopes: |
             ci
             cmdline
             docs
             main
             sdk
             tests
+            examples
+            release/v0\.\d+
 
   mavenverify:
     runs-on: ubuntu-latest
@@ -72,7 +77,7 @@ jobs:
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: "17"
-          distribution: "adopt"
+          distribution: "temurin"
           server-id: github
       - name: Cache SonarCloud packages
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
@@ -100,7 +105,7 @@ jobs:
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: "17"
-          distribution: "adopt"
+          distribution: "temurin"
           server-id: github
       - name: Build java SDK
         run: |
@@ -114,14 +119,14 @@ jobs:
         uses: opentdf/platform/test/start-up-with-containers@main
         with:
           platform-ref: main
-        
+
       - name: Get grpcurl
         run: go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.8.9
       - name: Make sure that the platform is up
         run: |
           grpcurl -plaintext localhost:8080 list && \
           grpcurl -plaintext localhost:8080 kas.AccessService/PublicKey
-      
+
       - name: Validate the SDK through the command line interface
         run: |
           printf 'here is some data to encrypt' > data
@@ -158,30 +163,6 @@ jobs:
           fi
         working-directory: cmdline
 
-      - name: Encrypt/Decrypt NanoTDF
-        run: |
-          echo 'here is some data to encrypt' > data
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            encryptnano --kas-url=http://localhost:8080 --attr https://example.com/attr/attr1/value/value1 -f data -m 'here is some metadata' > nano.ntdf
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            decryptnano -f nano.ntdf > decrypted
-          
-          if ! diff -q data decrypted; then
-            printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
-            exit 1
-          fi
-        working-directory: cmdline
-
       - name: Encrypt/Decrypt Assertions
         run: |
           echo "basic assertions"
@@ -202,7 +183,7 @@ jobs:
             --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt -f test.tdf > decrypted
-          
+
           if ! diff -q data decrypted; then
             printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
             exit 1
@@ -233,7 +214,7 @@ jobs:
             --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt --with-assertion-verification-keys="$SIGNED_ASSERTION_VERIFICATON_HS256" -f test.tdf > decrypted
-          
+
           if ! diff -q data decrypted; then
             printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
             exit 1
@@ -254,69 +235,25 @@ jobs:
             --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt --with-assertion-verification-keys "$SIGNED_ASSERTION_VERIFICATON_RS256" -f test.tdf > decrypted
-          
-          if ! diff -q data decrypted; then
-            printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
-            exit 1
-          fi
-        working-directory: cmdline
-
-      - name: Start additional kas
-        uses: opentdf/platform/test/start-additional-kas@main
-        with:
-          kas-port: 8282
-          kas-name: beta
-
-      - name: Make sure that the second platform is up
-        run: |
-          grpcurl -plaintext localhost:8282 kas.AccessService/PublicKey
-      - name: Validate multikas through the command line interface
-        run: |
-          printf 'here is some data to encrypt' > data
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            encrypt --kas-url=http://localhost:8080,http://localhost:8282 -f data -m 'here is some metadata' > test.tdf
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            decrypt -f test.tdf --kas-allowlist http://localhost:8080,http://localhost:8282  > decrypted
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            metadata -f test.tdf --kas-allowlist http://localhost:8080,http://localhost:8282 > metadata
 
           if ! diff -q data decrypted; then
             printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
             exit 1
           fi
-
-          if [ "$(< metadata)" != 'here is some metadata' ]; then
-            printf 'metadata is incorrect [%s]\n' "$(< metadata)"
-            exit 1
-          fi
         working-directory: cmdline
 
   platform-xtest:
     permissions:
       contents: read
       packages: read
-    needs: platform-integration
+      checks: write
+      pull-requests: write
     uses: opentdf/tests/.github/workflows/xtest.yml@main
     with:
       focus-sdk: java
       java-ref: ${{ github.ref }} latest
-      platform-ref: main lts
-  
+      platform-ref: main latest
+
   ci:
     needs:
       - platform-integration

.github/workflows/codeql.yaml

@@ -4,8 +4,6 @@ on:
   schedule:
     - cron: '0 13 * * 1' # At 1:00 PM UTC every Monday
   pull_request:
-    paths:
-      - '.github/workflows/codeql.yaml'
 
 jobs:
   analyze:

.github/workflows/dev-artifact.yaml

@@ -0,0 +1,55 @@
+name: Publish Dev Artifact
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+
+jobs:
+  publish-dev-artifact:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Buf
+        uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Cache Maven packages
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Set up JDK
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        with:
+          java-version: "17"
+          distribution: "temurin"
+
+      - name: Build cmdline
+        run: mvn --batch-mode clean package -DskipTests
+        env:
+          BUF_INPUT_HTTPS_USERNAME: opentdf-bot
+          BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
+
+      - name: Update dev tag
+        run: |
+          git tag -f dev
+          git push origin dev -f
+
+      - name: Publish dev release
+        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
+        with:
+          tag_name: dev
+          name: "dev (${{ github.sha }})"
+          body: |
+            Development build from main branch.
+
+            **Commit:** [`${{ github.sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }})
+          prerelease: true
+          files: cmdline/target/cmdline.jar

.github/workflows/release.yaml

@@ -35,8 +35,8 @@ jobs:
         if: github.ref == 'refs/heads/main'
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
-          java-version: "11"
-          distribution: "adopt"
+          java-version: "17"
+          distribution: "temurin"
           # write settings.xml
           server-id: github-pkg
           server-username: GITHUB_ACTOR
@@ -57,8 +57,8 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/')
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
-          java-version: "11"
-          distribution: "adopt"
+          java-version: "17"
+          distribution: "temurin"
           # write settings.xml
           server-id: central
           server-username: MAVEN_USERNAME