diff --git a/.github/renovate.json b/.github/renovate.json index 99eeec105..7b17a79df 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -23,6 +23,16 @@ "/actions.*/" ] }, + { + "matchDatasources": [ + "maven" + ], + "matchManagers": [ + "maven", + "gradle" + ], + "allowedVersions": "!/.+-SNAPSHOT$/" + }, { "matchUpdateTypes": [ "patch" diff --git a/.github/workflows/central-sync.yml b/.github/workflows/central-sync.yml index feb3f3a56..2666eed5b 100644 --- a/.github/workflows/central-sync.yml +++ b/.github/workflows/central-sync.yml @@ -20,12 +20,12 @@ jobs: unset JAVA_HOME export PATH=$(echo "$PATH" | tr ':' '\n' | grep -v '/usr/lib/jvm' | paste -sd:) - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: v${{ github.event.inputs.release_version }} - - uses: gradle/actions/wrapper-validation@v6 + - uses: gradle/actions/wrapper-validation@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: | diff --git a/.github/workflows/graalvm-dev.yml b/.github/workflows/graalvm-dev.yml index beb5209cc..90db04776 100644 --- a/.github/workflows/graalvm-dev.yml +++ b/.github/workflows/graalvm-dev.yml @@ -18,9 +18,9 @@ jobs: outputs: matrix: ${{ steps.build-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Build Matrix - uses: micronaut-projects/github-actions/graalvm/build-matrix@master + uses: micronaut-projects/github-actions/graalvm/build-matrix@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: build-matrix build: needs: build_matrix 
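Review bot: The new package rule carries no explanation, and strict JSON leaves no room for a comment, so the reason for the `allowedVersions` pattern is lost to the next maintainer. Renovate accepts a `description` field on a package rule; adding `"description": "Never propose -SNAPSHOT versions of Maven artifacts"` beside `matchDatasources` would record it.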
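Review bot: The trailing comments on the new pins in central-sync.yml record only the floating major tag (`# v6`, `# v5`), so a reader cannot tell which release each digest corresponds to. The same checkout digest already appears in release.yml labelled `# v6.0.2`; writing `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` here keeps the two consistent and makes later digest bumps auditable. The same applies to every `# vN` pin in the other workflow files of this commit.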
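Review bot: The `# master` comment on the `build-matrix` pin in graalvm-dev.yml names a branch rather than a release, so nothing in the file identifies which state of micronaut-projects/github-actions was reviewed when the digest was chosen. If that repository publishes tags, pinning to a tagged commit and writing the tag in the comment would be preferable; otherwise a short comment with the date the digest was taken would help. The same pattern recurs in the later graalvm-dev.yml hunks and in graalvm-latest.yml, gradle.yml and release.yml, where some of these actions are handed release secrets.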
@@ -47,16 +47,16 @@ jobs: sudo rm -rf /usr/lib/jvm/* unset JAVA_HOME export PATH=$(echo "$PATH" | tr ':' '\n' | grep -v '/usr/lib/jvm' | paste -sd:) - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Pre-Build Steps - uses: micronaut-projects/github-actions/graalvm/pre-build@master + uses: micronaut-projects/github-actions/graalvm/pre-build@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: pre-build with: java: ${{ matrix.java }} distribution: ${{ matrix.distribution }} nativeTestTask: ${{ matrix.native_test_task }} - name: Build Steps - uses: micronaut-projects/github-actions/graalvm/build@master + uses: micronaut-projects/github-actions/graalvm/build@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: build env: GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }} @@ -65,7 +65,7 @@ jobs: with: nativeTestTask: ${{ matrix.native_test_task }} - name: Post-Build Steps - uses: micronaut-projects/github-actions/graalvm/post-build@master + uses: micronaut-projects/github-actions/graalvm/post-build@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: post-build with: java: ${{ matrix.java }} diff --git a/.github/workflows/graalvm-latest.yml b/.github/workflows/graalvm-latest.yml index 24405d031..199e83bab 100644 --- a/.github/workflows/graalvm-latest.yml +++ b/.github/workflows/graalvm-latest.yml 
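Review bot: The `Build Steps` env in this hunk still passes `secrets.GH_TOKEN_PUBLIC_REPOS_READONLY` unconditionally, while the same step in graalvm-latest.yml is changed by this commit to withhold it on pull-request runs. The workflow's triggers are outside the hunk, so this may be deliberate if graalvm-dev.yml never runs for pull requests. If it can, use the same form here: `GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ github.event.pull_request == null && secrets.GH_TOKEN_PUBLIC_REPOS_READONLY || '' }}`.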
@@ -18,15 +18,15 @@ jobs: if: github.repository != 'micronaut-projects/micronaut-project-template' runs-on: ubuntu-latest env: - DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }} - DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} + DEVELOCITY_ACCESS_KEY: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }} + DEVELOCITY_CACHE_USERNAME: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_USERNAME || '' }} + DEVELOCITY_CACHE_PASSWORD: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD || '' }} outputs: matrix: ${{ steps.build-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Build Matrix - uses: micronaut-projects/github-actions/graalvm/build-matrix@master + uses: micronaut-projects/github-actions/graalvm/build-matrix@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: build-matrix with: java-version: '25' 
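Review bot: The `github.event.pull_request == null && … || ''` guard on the three `DEVELOCITY_*` variables is added without any comment saying what it protects against, and it keys on the event payload rather than on the event name. A line above the `env:` block such as `# Secrets are withheld from pull-request runs because they build untrusted code` would state the intent. Runs whose payload has no `pull_request` object still receive the secrets, so the guard is only as strong as the workflow's `on:` list, which is outside the hunk. The same guard appears in the later hunks of this file and in gradle.yml and sonatype.yml.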
@@ -40,18 +40,18 @@ jobs: java: ['25'] native_test_task: ${{ fromJson(needs.build_matrix.outputs.matrix).native_test_task }} env: - DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }} - DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} + DEVELOCITY_ACCESS_KEY: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }} + DEVELOCITY_CACHE_USERNAME: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_USERNAME || '' }} + DEVELOCITY_CACHE_PASSWORD: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD || '' }} steps: - name: Remove system JDKs run: | sudo rm -rf /usr/lib/jvm/* unset JAVA_HOME export PATH=$(echo "$PATH" | tr ':' '\n' | grep -v '/usr/lib/jvm' | paste -sd:) - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Pre-Build Steps - uses: micronaut-projects/github-actions/graalvm/pre-build@master + uses: micronaut-projects/github-actions/graalvm/pre-build@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: pre-build with: distribution: 'graalvm' 
@@ -59,16 +59,16 @@ jobs: java: ${{ matrix.java }} nativeTestTask: ${{ matrix.native_test_task }} - name: Build Steps - uses: micronaut-projects/github-actions/graalvm/build@master + uses: micronaut-projects/github-actions/graalvm/build@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: build env: - GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }} - GH_USERNAME: ${{ secrets.GH_USERNAME }} + GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ github.event.pull_request == null && secrets.GH_TOKEN_PUBLIC_REPOS_READONLY || '' }} + GH_USERNAME: ${{ github.event.pull_request == null && secrets.GH_USERNAME || '' }} GRAALVM_QUICK_BUILD: true with: nativeTestTask: ${{ matrix.native_test_task }} - name: Post-Build Steps - uses: micronaut-projects/github-actions/graalvm/post-build@master + uses: micronaut-projects/github-actions/graalvm/post-build@300bf6db7c062dcba77c90bb90e475df31b2acab # master id: post-build with: java: ${{ matrix.java }} diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index 605280bba..8d101389b 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml 
@@ -21,17 +21,16 @@ jobs: matrix: java: ['25'] env: - DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }} - DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} - GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }} - GH_USERNAME: ${{ secrets.GH_USERNAME }} + DEVELOCITY_ACCESS_KEY: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }} + DEVELOCITY_CACHE_USERNAME: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_USERNAME || '' }} + DEVELOCITY_CACHE_PASSWORD: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD || '' }} + GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ github.event.pull_request == null && secrets.GH_TOKEN_PUBLIC_REPOS_READONLY || '' }} + GH_USERNAME: ${{ github.event.pull_request == null && secrets.GH_USERNAME || '' }} TESTCONTAINERS_RYUK_DISABLED: true - PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}" - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }} - OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }} + SONAR_TOKEN: ${{ github.event.pull_request == null && secrets.SONAR_TOKEN || '' }} + GITHUB_TOKEN: ${{ github.event.pull_request == null && github.token || '' }} + OSS_INDEX_USERNAME: ${{ github.event.pull_request == null && secrets.OSS_INDEX_USERNAME || '' }} + OSS_INDEX_PASSWORD: ${{ github.event.pull_request == null && secrets.OSS_INDEX_PASSWORD || '' }} steps: # https://github.com/actions/virtual-environments/issues/709 - name: Remove system JDKs 
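Review bot: `PREDICTIVE_TEST_SELECTION` is deleted from the job env rather than rewritten like its neighbours, and the removal is unrelated to the secret gating around it. Whether the build still reads this variable is not visible from the hunk; if it does, pull-request runs silently lose the `'true'` value they had before. Either keep the line or call out the removal in the commit description. The sonatype.yml hunk later in this commit drops the same line.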
@@ -50,19 +49,19 @@ jobs: df -h - name: "📥 Checkout repository" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: "🔧 Setup GraalVM CE" - uses: graalvm/setup-graalvm@v1 + uses: graalvm/setup-graalvm@2149f395d36ce12ad4ee5d7f334b26bf081fa555 # v1 with: distribution: 'graalvm' java-version: ${{ matrix.java }} - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ github.token }} - name: "🔧 Setup Gradle" - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: "❓ Optional setup step" run: | @@ -80,7 +79,7 @@ jobs: - name: "📊 Publish Test Report" if: always() - uses: mikepenz/action-junit-report@v6 + uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6 with: check_name: Java CI / Test Report (${{ matrix.java }}) report_paths: '**/build/test-results/test/TEST-*.xml' @@ -88,7 +87,7 @@ jobs: - name: "📜 Upload binary compatibility check results" if: matrix.java == '25' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: binary-compatibility-reports path: "**/build/reports/binary-compatibility-*.html" @@ -101,7 +100,7 @@ jobs: run: ./gradlew publishToSonatype docs --no-daemon - name: "❓ Determine docs target repository" - uses: haya14busa/action-cond@v1 + uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1 id: docs_target with: cond: ${{ github.repository == 'micronaut-projects/micronaut-core' }} @@ -110,7 +109,7 @@ jobs: - name: "📑 Publish to Github Pages" if: success() && github.event_name == 'push' && matrix.java == '25' - uses: micronaut-projects/github-pages-deploy-action@master + uses: micronaut-projects/github-pages-deploy-action@76d63aafbab7108d74e83be4e5b3b0501382e829 # master env: TARGET_REPOSITORY: ${{ steps.docs_target.outputs.value }} GH_TOKEN: ${{ secrets.GH_TOKEN }} 
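Review bot: Blanking `GITHUB_TOKEN` in the job env does not cover the checkout step in the first gradle.yml hunk here, which by default keeps the job token available on the runner for later git operations, including the `run:` steps that build pull-request code. If no later step relies on that credential (the Pages publish step supplies its own `GH_TOKEN`), add `persist-credentials: false` next to `fetch-depth: 0`. The same applies to the checkout step in the matching sonatype.yml hunk. The job's `permissions:` block, if any, is outside the hunk.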
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml index cae7f962b..976a91053 100644 --- a/.github/workflows/publish-snapshot.yml +++ b/.github/workflows/publish-snapshot.yml @@ -15,15 +15,15 @@ jobs: sudo rm -rf /usr/lib/jvm/* unset JAVA_HOME export PATH=$(echo "$PATH" | tr ':' '\n' | grep -v '/usr/lib/jvm' | paste -sd:) - - uses: actions/checkout@v6 - - uses: actions/cache@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: ~/.gradle/caches key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }} restore-keys: | ${{ runner.os }}-gradle- - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7704cda85..0d0802f71 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,12 +19,12 @@ jobs: unset JAVA_HOME export PATH=$(echo "$PATH" | tr ':' '\n' | grep -v '/usr/lib/jvm' | paste -sd:) - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ secrets.GH_TOKEN }} - - uses: gradle/actions/wrapper-validation@v6 + - uses: gradle/actions/wrapper-validation@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: | 
@@ -33,7 +33,7 @@ jobs: id: release_version run: echo "release_version=${GITHUB_REF:11}" >> $GITHUB_OUTPUT - name: Run pre-release - uses: micronaut-projects/github-actions/pre-release@master + uses: micronaut-projects/github-actions/pre-release@300bf6db7c062dcba77c90bb90e475df31b2acab # master env: MICRONAUT_BUILD_EMAIL: ${{ secrets.MICRONAUT_BUILD_EMAIL }} with: @@ -92,13 +92,13 @@ jobs: GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }} GH_USERNAME: ${{ secrets.GH_USERNAME }} - name: Export Gradle Properties - uses: micronaut-projects/github-actions/export-gradle-properties@master + uses: micronaut-projects/github-actions/export-gradle-properties@300bf6db7c062dcba77c90bb90e475df31b2acab # master - name: LATEST_TAG run: | echo "LATEST_TAG=$(curl -s -L -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r '.tag_name')" >> $GITHUB_ENV - name: Publish to Github Pages if: success() - uses: micronaut-projects/github-pages-deploy-action@master + uses: micronaut-projects/github-pages-deploy-action@76d63aafbab7108d74e83be4e5b3b0501382e829 # master env: BETA: ${{ !(github.event.release.tag_name == env.LATEST_TAG) || github.event.release.draft || github.event.release.prerelease || contains(steps.release_version.outputs.release_version, 'M') || contains(steps.release_version.outputs.release_version, 'RC') }} GH_TOKEN: ${{ secrets.GH_TOKEN }} @@ -111,7 +111,7 @@ jobs: DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} - name: Run post-release if: success() - uses: micronaut-projects/github-actions/post-release@master + uses: micronaut-projects/github-actions/post-release@300bf6db7c062dcba77c90bb90e475df31b2acab # master env: MICRONAUT_BUILD_EMAIL: ${{ secrets.MICRONAUT_BUILD_EMAIL }} with: 
@@ -143,7 +143,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0 with: base64-subjects: "${{ needs.provenance-subject.outputs.artifacts-sha256 }}" upload-assets: true # Upload to a new release. @@ -156,6 +156,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.sha }} - name: Download artifacts uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: diff --git a/.github/workflows/sonatype.yml b/.github/workflows/sonatype.yml index 28b0a56bd..e2587725f 100644 --- a/.github/workflows/sonatype.yml +++ b/.github/workflows/sonatype.yml 
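Review bot: Pinning the SLSA generator reusable workflow to a commit digest is likely to break provenance generation. The slsa-github-generator documentation requires the builder to be referenced by a full `@vX.Y.Z` tag, because the workflow resolves its own ref and verification tooling matches on that tag. Unless that restriction has been lifted for this version, keep `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0` for this one line and exclude it from digest pinning in the Renovate config. A comment on the line explaining the exception would stop a later pinning pass from reintroducing the digest.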
@@ -21,17 +21,16 @@ jobs: matrix: java: ['25'] env: - DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} - DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }} - DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} - GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }} - GH_USERNAME: ${{ secrets.GH_USERNAME }} + DEVELOCITY_ACCESS_KEY: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }} + DEVELOCITY_CACHE_USERNAME: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_USERNAME || '' }} + DEVELOCITY_CACHE_PASSWORD: ${{ github.event.pull_request == null && secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD || '' }} + GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ github.event.pull_request == null && secrets.GH_TOKEN_PUBLIC_REPOS_READONLY || '' }} + GH_USERNAME: ${{ github.event.pull_request == null && secrets.GH_USERNAME || '' }} TESTCONTAINERS_RYUK_DISABLED: true - PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}" - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }} - OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }} + SONAR_TOKEN: ${{ github.event.pull_request == null && secrets.SONAR_TOKEN || '' }} + GITHUB_TOKEN: ${{ github.event.pull_request == null && github.token || '' }} + OSS_INDEX_USERNAME: ${{ github.event.pull_request == null && secrets.OSS_INDEX_USERNAME || '' }} + OSS_INDEX_PASSWORD: ${{ github.event.pull_request == null && secrets.OSS_INDEX_PASSWORD || '' }} steps: # https://github.com/actions/virtual-environments/issues/709 - name: Remove system JDKs 
@@ -50,19 +49,19 @@ jobs: df -h - name: "📥 Checkout repository" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: "🔧 Setup GraalVM CE" - uses: graalvm/setup-graalvm@v1 + uses: graalvm/setup-graalvm@2149f395d36ce12ad4ee5d7f334b26bf081fa555 # v1 with: distribution: 'graalvm' java-version: ${{ matrix.java }} - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ github.token }} - name: "🔧 Setup Gradle" - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: "❓ Optional setup step" run: | @@ -73,7 +72,7 @@ jobs: id: sonatypescan run: | ./gradlew ossIndexAudit --no-parallel --info - + - name: "❓ Optional cleanup step" run: | [ -f ./cleanup.sh ] && ./cleanup.sh || [ ! -f ./cleanup.sh ]