Merge pull request #1116 from jdaugherty/7.0.x

Author: jdaugherty

.asf.yaml

@@ -0,0 +1,17 @@
+github:
+  environments:
+    source:
+      required_reviewers:
+        - id: grails-committers
+          type: Team
+      wait_timer: 0
+    release:
+      required_reviewers:
+        - id: grails-committers
+          type: Team
+      wait_timer: 0
+    docs:
+      required_reviewers:
+        - id: grails-committers
+          type: Team
+      wait_timer: 0

.github/workflows/gradle.yml

@@ -29,7 +29,7 @@ concurrency:
   cancel-in-progress: false
 jobs:
   coreTests:
-    if: ${{ contains(github.event.head_commit.message, '[skip tests]') }}
+    if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }}
     runs-on: ubuntu-24.04
     steps:
       - name: "📥 Checkout repository"
@@ -46,7 +46,7 @@ jobs:
       - name: "🏃‍♂️ Run Tests"
         run: ./gradlew check --max-workers=2 --refresh-dependencies --continue
   functionalTests:
-    if: ${{ contains(github.event.head_commit.message, '[skip tests]') }}
+    if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }}
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
@@ -68,7 +68,7 @@ jobs:
         run: ./gradlew core-examples-functional-test-app:check -DTESTCONFIG=${{ matrix.test-config }}
   publish:
     needs: [ coreTests, functionalTests ]
-    if: ${{ always() && github.repository_owner == 'apache' && github.event_name == 'push' && (needs.coreTests.result == 'success' || needs.coreTests.result == 'skipped') && (needs.functionalTests.result == 'success' || needs.functionalTests.result == 'skipped') }}
+    if: ${{ always() && github.repository_owner == 'apache' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (needs.coreTests.result == 'success' || needs.coreTests.result == 'skipped') && (needs.functionalTests.result == 'success' || needs.functionalTests.result == 'skipped') }}
     runs-on: ubuntu-24.04
     permissions:
       contents: write

.github/workflows/release.yml

@@ -31,9 +31,14 @@ jobs:
     runs-on: ubuntu-24.04
     outputs:
       release_version: ${{ steps.release_version.outputs.value }}
+      extract_repository_name: ${{ steps.extract_repository_name.outputs.repository_name }}
     steps:
       - name: "Output Agent IP" # in the event RAO blocks this agent, this can be used to debug it
         run: curl -s https://api.ipify.org
+      - name: "Extract repository name"
+        id: extract_repository_name
+        run: |
+          echo "repository_name=${GITHUB_REPOSITORY##*/}" >> $GITHUB_OUTPUT
       - name: "📥 Checkout repository"
         uses: actions/checkout@v4
       - name: 'Ensure Common Build Date' # to ensure a reproducible build
@@ -51,7 +56,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           distribution: liberica
-          java-version: '17.0.14' # this must be a specific version for reproducible builds
+          java-version: '17.0.15' # this must be a specific version for reproducible builds
       - name: "🐘 Setup Gradle"
         uses: gradle/actions/setup-gradle@v4
         with:
@@ -70,12 +75,26 @@ jobs:
           NEXUS_PUBLISH_PASSWORD: ${{ secrets.NEXUS_STAGE_DEPLOYER_PW }}
           NEXUS_PUBLISH_URL: 'https://repository.apache.org/service/local/'
           NEXUS_PUBLISH_STAGING_PROFILE_ID: ${{ secrets.STAGING_PROFILE_ID }}
-          NEXUS_PUBLISH_DESCRIPTION: 'grails-spring-security:${{ steps.release_version.outputs.value }}'
+          NEXUS_PUBLISH_DESCRIPTION: '${{ steps.extract_repository_name.outputs.repository_name }}:${{ steps.release_version.outputs.value }}'
           SIGNING_KEY: ${{ secrets.GPG_KEY_ID }}
         run: >
-          ./gradlew --refresh-dependencies
+          ./gradlew
           publishToSonatype
           closeSonatypeStagingRepository
+          aggregateChecksums
+          aggregatePublishedArtifacts
+      - name: "Upload checksums"
+        uses: softprops/action-gh-release@v2
+        with:
+          files: build/CHECKSUMS.txt
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Upload published artifacts"
+        uses: softprops/action-gh-release@v2
+        with:
+          files: build/PUBLISHED_ARTIFACTS.txt
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Generate Build Date file"
         run: echo "$SOURCE_DATE_EPOCH" >> build/BUILD_DATE.txt
       - name: "Upload Build Date file"
@@ -84,6 +103,133 @@ jobs:
           files: build/BUILD_DATE.txt
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  source:
+    # to ensure we never publish any build artifacts, run the source distribution as a separate build workflow
+    environment: source
+    name: "Source Distribution"
+    needs: publish
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    outputs:
+      extract_repository_name: ${{ steps.extract_repository_name.outputs.repository_name }}
+    steps:
+      - name: "Extract repository name"
+        id: extract_repository_name
+        run: |
+          echo "repository_name=${GITHUB_REPOSITORY##*/}" >> $GITHUB_OUTPUT
+      - name: "📥 Checkout repository"
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ github.ref_name }}
+          path: project
+      - name: "🗑️ Remove unnecessary files"
+        run: |
+          rm -f project/gradle/wrapper/gradle-wrapper.jar
+          rm -f project/gradle/wrapper/gradle-wrapper.properties
+          rm -f project/gradlew
+          rm -f project/.asf.yaml
+      - name: "Download CHECKSUMS.txt and rename to CHECKSUMS"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd project
+          release_url=$(gh release view ${{ github.ref_name }} --json assets --repo ${{ github.repository }} --jq '.assets[] | select(.name == "CHECKSUMS.txt") | .url')
+          curl -L -H "Authorization: token $GH_TOKEN" -o CHECKSUMS "$release_url"
+      - name: "Download PUBLISHED_ARTIFACTS.txt and rename to PUBLISHED_ARTIFACTS"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd project
+          release_url=$(gh release view ${{ github.ref_name }} --json assets --repo ${{ github.repository }} --jq '.assets[] | select(.name == "PUBLISHED_ARTIFACTS.txt") | .url')
+          curl -L -H "Authorization: token $GH_TOKEN" -o PUBLISHED_ARTIFACTS "$release_url"
+      - name: "Download BUILD_DATE.txt and rename to BUILD_DATE"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd project
+          release_url=$(gh release view ${{ github.ref_name }} --json assets --repo ${{ github.repository }} --jq '.assets[] | select(.name == "BUILD_DATE.txt") | .url')
+          curl -L -H "Authorization: token $GH_TOKEN" -o BUILD_DATE "$release_url"
+      - name: "Ensure source files use common date"
+        run: |
+          SOURCE_DATE_EPOCH=$(cat project/BUILD_DATE)
+          find . -depth \( -type f -o -type d \) -exec touch -d "@${SOURCE_DATE_EPOCH}" {} +
+      - name: "📦 Create source distribution ZIP"
+        run: |
+          version="${{ github.ref_name }}"
+          version="${version#v}"  # Strip 'v' prefix
+          zip -r "apache-${{ steps.extract_repository_name.outputs.repository_name }}-${version}-incubating-src.zip" project -x 'project/.git/*' -x 'project/.github/*'
+      - name: '🔐 Set up GPG'
+        run: |
+          echo "${{ secrets.GRAILS_GPG_KEY }}" | gpg --batch --import
+          gpg --list-keys
+        env:
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+      - name: "🔏 Sign source distribution ZIP"
+        env:
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+        run: |
+          version="${{ github.ref_name }}"
+          version="${version#v}"  # Strip 'v' prefix
+          gpg --default-key "${GPG_KEY_ID}" --batch --yes --pinentry-mode loopback --armor --detach-sign apache-${{ steps.extract_repository_name.outputs.repository_name }}-${version}-incubating-src.zip
+      - name: "📦 Create source distribution checksum"
+        run: |
+          version="${{ github.ref_name }}"
+          version="${version#v}"  # Strip 'v' prefix
+          sha512sum apache-${{ steps.extract_repository_name.outputs.repository_name }}-${version}-incubating-src.zip > "apache-${{ steps.extract_repository_name.outputs.repository_name }}-${version}-incubating-src.zip.sha512"
+      - name: "🚀 Upload ZIP and Signature to GitHub Release"
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref_name }}
+          files: |
+            apache-${{ steps.extract_repository_name.outputs.repository_name }}-*-incubating-src.zip
+            apache-${{ steps.extract_repository_name.outputs.repository_name }}-*-incubating-src.zip.sha512
+            apache-${{ steps.extract_repository_name.outputs.repository_name }}-*-incubating-src.zip.asc
+      - name: "Remove CHECKSUMS.txt asset from release"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          cd project
+          gh release --repo ${{ github.repository }} delete-asset ${{ github.ref_name }} CHECKSUMS.txt --yes
+      - name: "Remove BUILD_DATE.txt asset from release"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          cd project
+          gh release --repo ${{ github.repository }} delete-asset ${{ github.ref_name }} BUILD_DATE.txt --yes
+      - name: "Remove PUBLISHED_ARTIFACTS.txt asset from release"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          cd project
+          gh release --repo ${{ github.repository }} delete-asset ${{ github.ref_name }} PUBLISHED_ARTIFACTS.txt --yes
+  release:
+    environment: release
+    needs: [publish, source]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+    steps:
+      - name: "📥 Checkout repository"
+        uses: actions/checkout@v4
+        with:
+          ref: v${{ needs.publish.outputs.release_version }}
+      - name: "☕️ Setup JDK"
+        uses: actions/setup-java@v4
+        with:
+          distribution: liberica
+          java-version: '17.0.15' # this must be a specific version for reproducible builds
+      - name: "🐘 Setup Gradle"
+        uses: gradle/actions/setup-gradle@v4
+        with:
+          develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY  }}
+      - name: "⚙️ Run post-release"
+        uses: apache/grails-github-actions/post-release@asf
   docs:
     environment: docs
     name: "Publish Documentation"
@@ -97,12 +243,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: v${{ needs.publish.outputs.release_version }}
-      - name: 'Ensure Common Build Date' # to ensure a reproducible build
-        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
       - name: "☕️ Setup JDK"
         uses: actions/setup-java@v4
         with:
-          java-version: 17
+          java-version: '17.0.15' # this must be a specific version for reproducible builds
           distribution: liberica
       - name: "🐘 Setup Gradle"
         uses: gradle/actions/setup-gradle@v4
@@ -118,29 +262,4 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GRADLE_PUBLISH_RELEASE: 'true'
           SOURCE_FOLDER: build/docs
-          VERSION: ${{ steps.release_version.outputs.value }}
-  release:
-    environment: release
-    needs: publish
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      issues: write
-    steps:
-      - name: "📥 Checkout repository"
-        uses: actions/checkout@v4
-        with:
-          ref: v${{ needs.publish.outputs.release_version }}
-      - name: 'Ensure Common Build Date' # to ensure a reproducible build
-        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
-      - name: "☕️ Setup JDK"
-        uses: actions/setup-java@v4
-        with:
-          distribution: liberica
-          java-version: 17
-      - name: "🐘 Setup Gradle"
-        uses: gradle/actions/setup-gradle@v4
-        with:
-          develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY  }}
-      - name: "⚙️ Run post-release"
-        uses: apache/grails-github-actions/post-release@asf
+          VERSION: ${{ needs.publish.outputs.release_version }}

.sdkmanrc

@@ -1 +1,2 @@
 java=17.0.15-librca
+gradle=8.14

README.md

@@ -19,7 +19,27 @@ limitations under the License.
 Grails Spring Security
 ======================
 
-See [documentation](https://apache.github.io/grails-spring-security/latest) for further information.
+See [documentation](https://apache.github.io/grails-spring-security/latest) for detailed information.
+
+### Building
+
+To build this project from source, first bootstrap gradle:
+
+     cd gradle-bootstrap
+     gradle
+     cd -
+
+After bootstrap the project, you can build it with the command:
+
+     ./gradlew build
+
+To run the build only, and skip the tests, run:
+
+     ./gradlew build -PskipTests
+
+Then publish the jar files to mavenLocal for usage:
+
+    ./gradlew publishToMavenLocal
 
 ### Branch structure 
 
@@ -44,19 +64,3 @@ spring:
       - org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration
       - org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
 ```
-
-### Building
-
-To build this project from source, first bootstrap gradle:
-
-     cd gradle-bootstrap
-     gradle
-     cd -
-
-After bootstrap the project, you can build it with the command: 
-
-     ./gradlew build
-
-To run the build only, and skip the tests, run:
-    
-     ./gradlew build -PskipTests

build.gradle

@@ -1,7 +1,3 @@
-import java.time.Instant
-import java.time.ZoneOffset
-import java.time.format.DateTimeFormatter
-
 /*
  *  Licensed to the Apache Software Foundation (ASF) under one
  *  or more contributor license agreements.  See the NOTICE file
@@ -20,6 +16,9 @@ import java.time.format.DateTimeFormatter
  *  specific language governing permissions and limitations
  *  under the License.
  */
+import java.time.Instant
+import java.time.ZoneOffset
+import java.time.format.DateTimeFormatter
 
 ext {
     isReproducibleBuild = System.getenv("SOURCE_DATE_EPOCH") != null
@@ -45,6 +44,15 @@ allprojects {
             }
         }
     }
+
+    configurations.configureEach {
+        resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+            if (details.requested.group == 'org.seleniumhq.selenium') {
+                details.useVersion('4.25.0')
+                details.because('Temporary workaround because of https://issues.chromium.org/issues/42323769')
+            }
+        }
+    }
 }
 
 subprojects {

gradle.properties

@@ -17,16 +17,17 @@
 #  under the License.
 #
 projectVersion=7.0.0-SNAPSHOT
-grailsVersion=7.0.0-SNAPSHOT
+grailsVersion=7.0.0-M4
 javaVersion=17
 
+unboundidLdapSdk=7.0.2
 apacheDsVersion=1.5.4
 asciidoctorGradlePluginVersion=4.0.4
 casClientCoreVersion=4.0.4
 commonsLangVersion=2.6
 dumbsterVersion=1.6
 gradleCryptoChecksumVersion=1.4.0
-grailsRedisVersion=5.0.0-M3
+grailsRedisVersion=5.0.0-SNAPSHOT
 mailVersion=5.0.0-SNAPSHOT
 micronautVersion=4.5.3
 pac4jVersion=6.0.6