Merge pull request #1166 from apache/7.0.x

Rebased 7.0.x

Author: sbglasius

.asf.yaml

@@ -1,12 +1,5 @@
 github:
   environments:
-    source:
-      required_reviewers:
-        - id: grails-committers
-          type: Team
-        - id: jdaugherty
-          type: User
-      wait_timer: 0
     release:
       required_reviewers:
         - id: grails-committers

.github/release-drafter.yml

@@ -132,6 +132,10 @@ version-resolver:
       - 'type: patch'
   default: patch
 template: |
+  ## Disclaimer: Release Created While Under Incubation
+  
+  Apache Grails is an effort undergoing incubation at The Apache Software Foundation (ASF), sponsored by the Apache Groovy Project. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.
+  
   ## What's Changed
 
   $CHANGES

.github/renovate.json

@@ -44,7 +44,6 @@
         "org.grails:grails-plugin-databinding",
         "org.grails:grails-plugin-datasource",
         "org.grails:grails-plugin-domain-class",
-        "org.grails:grails-plugin-i18n",
         "org.grails:grails-plugin-interceptors",
         "org.grails:grails-plugin-mimetypes",
         "org.grails:grails-plugin-rest",

.github/vote_templates/announce.txt

@@ -0,0 +1,23 @@
+The Apache Grails (incubating) community is pleased to announce the release of Apache Grails (incubating) Spring Security Plugin ${VERSION}.
+
+Grails is a powerful Groovy-based web application framework for the JVM built on top of Spring Boot that has many plugins to further extend its functionality.
+
+This Spring Security Plugin release another milestone on our journey to a final 7.0 release. Users are encouraged to try the milestone to provide early feedback. Detailed upgrade instructions are available here: https://docs.grails.org/${VERSION}/guide/upgrading.html.
+
+The release notes are available here:
+https://github.com/apache/grails-spring-security/compare/v${VERSION}
+
+For the complete list of changes:
+https://github.com/apache/grails-spring-security/compare/v${PREVIOUS_VERSION}...v${VERSION}
+
+Apache Grails website: https://grails.apache.org/
+
+Download Links: https://grails.apache.org/download.html
+
+Grails Resources:
+- Grails Spring Security GitHub repo: https://github.com/apache/grails-spring-security
+- Issues: https://github.com/apache/grails-spring-security/issues
+- Mailing lists: https://grails.apache.org/community.html
+
+Happy Coding,
+The Apache Grails (incubating) Team

.github/vote_templates/groovy_pmc.txt

@@ -0,0 +1,30 @@
+Hi Everyone,
+
+The Apache Grails community has voted to approve the release of Apache Grails Spring Security Plugin ${VERSION}.
+
+As the incubation host, we now kindly request the Groovy PMC to review & approve our ASF release.
+
+Grails vote thread:
+* <VOTE THREAD LINK>
+
+Vote result thread:
+* https://<TODO>
+
+The tag for this release is:
+* (grails-spring-security) https://github.com/apache/grails-spring-security/releases/tag/v${VERSION}
+
+The artifacts to be voted on are located as follows (r${DIST_SVN_REVISION}):
+Source release: https://dist.apache.org/repos/dist/dev/incubator/grails/spring-security/${VERSION}/sources
+
+Release artifacts are signed with a key from the following file:
+https://dist.apache.org/repos/dist/release/incubator/grails/KEYS
+
+Please vote on releasing this package as Apache Grails (incubating) Spring Security Plugin ${VERSION}.
+
+Hints on validating checksums/signatures (but replace md5sum with sha512sum):
+https://www.apache.org/info/verification.html
+
+The vote for this release is open for a minimum of 72 hours.
+[ ] +1 Release Apache Grails (incubating) Spring Security Plugin ${VERSION}
+[ ]  0 I don't have a strong opinion about this, but I assume it's ok
+[ ] -1 Do not release Apache Grails (incubating) Spring Security Plugin ${VERSION} because...

.github/vote_templates/staged.txt

@@ -0,0 +1,35 @@
+Hi Everyone,
+
+I am happy to start the VOTE thread for an Apache Grails (incubating) Spring Security Plugin release of version ${VERSION}!
+
+Release notes for the release are here:
+https://github.com/apache/grails-spring-security/releases/tag/v${VERSION}
+
+The tag for this release is:
+https://github.com/apache/grails-spring-security/releases/tag/v${VERSION}
+Tag commit id: ${VERSION_COMMIT_ID}
+
+The artifacts to be voted on are located as follows (r${DIST_SVN_REVISION}):
+Source release: https://dist.apache.org/repos/dist/dev/incubator/grails/spring-security/${VERSION}/sources
+
+Release artifacts are signed with a key from the following file:
+https://dist.apache.org/repos/dist/release/incubator/grails/KEYS
+
+Please vote on releasing this package as: Apache Grails (incubating) Spring Security Plugin ${VERSION}.
+
+Reminder on ASF release approval requirements for PPMC members:
+https://www.apache.org/legal/release-policy.html#release-approval
+
+Hints on validating checksums/signatures (but replace md5sum with sha512sum):
+https://www.apache.org/info/verification.html
+
+The vote is open for a minimum of 72 hours and passes if a majority of at least
+three +1 PPMC votes are cast.
+
+[ ] +1 Release Apache Grails (incubating) Spring Security Plugin ${VERSION}
+[ ]  0 I don't have a strong opinion about this, but I assume it's ok
+[ ] -1 Do not release Apache Grails (incubating) Spring Security Plugin ${VERSION} because...
+
+Here is my vote:
+
++1 (binding)

.github/workflows/release-abort.yml

@@ -0,0 +1,130 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Release - Abort Release"
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Release tag (e.g., v7.0.0-M5)'
+        required: true
+        type: string
+permissions:
+  contents: write
+  actions: write
+jobs:
+  abort:
+    name: "Abort Release"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Output Agent IP" # in the event RAO blocks this agent, this can be used to debug it
+        run: curl -s https://api.ipify.org
+      - name: "Setup SVN and Tools"
+        run: sudo apt-get install -y subversion subversion-tools tree
+      - name: "Extract repository name"
+        id: extract_repository_name
+        run: |
+          echo "repository_name=${GITHUB_REPOSITORY##*/}" >> $GITHUB_OUTPUT
+      - name: "Extract release version"
+        id: release_version
+        run: |
+          version="${{ github.event.inputs.release_tag }}"
+          version="${version#v}"
+          echo "Extracted version: $version"
+          echo "value=${version}" >> $GITHUB_OUTPUT
+      - name: "Drop staging repository from Nexus"
+        continue-on-error: true
+        env:
+          NEXUS_STAGE_DEPLOYER_USER: ${{ secrets.NEXUS_STAGE_DEPLOYER_USER }}
+          NEXUS_STAGE_DEPLOYER_PW: ${{ secrets.NEXUS_STAGE_DEPLOYER_PW }}
+        run: |
+          export REPO_DESCRIPTION="${{ steps.extract_repository_name.outputs.repository_name }}:${{ steps.release_version.outputs.value }}"
+          export STAGING_REPOSITORY_ID=$(curl -s -u "$NEXUS_STAGE_DEPLOYER_USER:$NEXUS_STAGE_DEPLOYER_PW" -H "Accept: application/json" \
+            "https://repository.apache.org/service/local/staging/profile_repositories/${{ secrets.STAGING_PROFILE_ID }}" |
+            jq -r '.data[] | select(.description=="'"$REPO_DESCRIPTION"'") | .repositoryId')
+          
+          test -n "$STAGING_REPOSITORY_ID" || { echo "No repo with that description"; exit 1; }
+          
+          response=$(curl -s --request POST -u "$NEXUS_STAGE_DEPLOYER_USER:$NEXUS_STAGE_DEPLOYER_PW" \
+            --url https://repository.apache.org/service/local/staging/bulk/drop \
+            --header 'Content-Type: application/json' \
+            --header 'Accept: application/json' \
+            --header 'User-Agent: Grails Github Actions' \
+            --data '{ "data" : {"stagedRepositoryIds":["'"$STAGING_REPOSITORY_ID"'"], "description":"Drop '"$STAGING_REPOSITORY_ID"'." } }')
+
+          if [ ! -z "$response" ]; then
+              echo "Error while dropping staged repository $STAGING_REPOSITORY_ID : $response."
+              exit 1
+          else
+              echo "Successfully dropped repository $STAGING_REPOSITORY_ID."
+          fi
+      - name: "Remove Staged Artifacts"
+        continue-on-error: true
+        env:
+          SVN_USERNAME: ${{ secrets.SVC_DIST_GRAILS_USERNAME }}
+          SVN_PASSWORD: ${{ secrets.SVC_DIST_GRAILS_PASSWORD }}
+        run: |
+          export VERSION="${{ steps.release_version.outputs.value }}"
+          svnmucc --username "$SVN_USERNAME" --password "$SVN_PASSWORD" --non-interactive \
+                      -m "Remove grails dev version $VERSION" \
+                      rm "https://dist.apache.org/repos/dist/dev/incubator/grails/spring-security/$VERSION"
+      - name: "Cancel GitHub Actions"
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OWNER: ${{ github.repository_owner }}
+          REPO: ${{ steps.extract_repository_name.outputs.repository_name }}
+        run: |
+          for status in queued in_progress; do
+            curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
+                 -H "Accept: application/vnd.github+json" \
+                 "https://api.github.com/repos/$OWNER/$REPO/actions/runs?event=release&status=$status&per_page=100" |
+            jq -r '.workflow_runs[].id'
+          done > run-ids.txt
+          
+          while read run_id; do
+            echo "cancelling $run_id"
+            curl -s -X POST \
+            -H "Authorization: Bearer $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/$OWNER/$REPO/actions/runs/$run_id/cancel"
+          done < run-ids.txt
+          rm -f run-ids.txt || true
+      - name: "Remove GitHub Release & Tag"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.event.inputs.release_tag }}
+          OWNER: ${{ github.repository_owner }}
+          REPO: ${{ steps.extract_repository_name.outputs.repository_name }}
+        run: |
+          set -euo pipefail
+
+          if release_json="$(gh api -H 'Accept: application/vnd.github+json' \
+                                  "/repos/$OWNER/$REPO/releases/tags/$TAG" 2>/dev/null)"; then
+              if [ "$(jq -r '.prerelease' <<<"$release_json")" != "true" ]; then
+                  echo "❌ Release $TAG exists but is *not* marked as a pre-release. Aborting."
+                  exit 1
+              fi
+
+              release_id="$(jq -r '.id' <<<"$release_json")"
+              echo "Deleting pre-release $release_id linked to tag $TAG"
+              gh api -X DELETE "/repos/$OWNER/$REPO/releases/$release_id"
+          else
+              echo "No GitHub release found for tag $TAG – skipping release deletion"
+          fi
+          
+          ref="tags/$TAG"
+          echo "Deleting git ref $ref"
+          gh api -X DELETE "/repos/$OWNER/$REPO/git/refs/$ref" || echo "Tag $TAG already absent"

.github/workflows/release-notes.yml

@@ -21,46 +21,24 @@ on:
     branches:
       - '[4-9]+.[0-9]+.x'
   pull_request:
-    types: [opened, reopened, synchronize]
-  pull_request_target:
-    types: [opened, reopened, synchronize]
-  workflow_dispatch:
+    types: [ opened, reopened, synchronize, labeled ]
+    pull_request_target:
+      types: [ opened, reopened, synchronize, labeled ]
+    workflow_dispatch:
+# queue jobs and only allow 1 run per branch due to the likelihood of hitting GitHub resource limits
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
 jobs:
-  release_notes:
+  update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - name: Check if it has release drafter config file
-        id: check_release_drafter
-        run: |
-          has_release_drafter=$([ -f .github/release-drafter.yml ] && echo "true" || echo "false")
-          echo "has_release_drafter=${has_release_drafter}" >> $GITHUB_OUTPUT
-      - name: Extract branch name
-        id: extract_branch
-        run: echo "value=${GITHUB_REF:11}" >> $GITHUB_OUTPUT
-      # If it has release drafter:
-      - uses: release-drafter/release-drafter@v6
-        if: steps.check_release_drafter.outputs.has_release_drafter == 'true'
+      - name: "📝 Update Release Draft"
+        uses: release-drafter/release-drafter@v6
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-        with:
-          commitish: ${{ steps.extract_branch.outputs.value }}
-      # Otherwise:
-      - name: Export Gradle Properties
-        if: steps.check_release_drafter.outputs.has_release_drafter == 'false'
-        uses: apache/grails-github-actions/export-gradle-properties@asf
-      - uses: apache/grails-github-actions/release-notes@asf
-        if: steps.check_release_drafter.outputs.has_release_drafter == 'false'
-        id: release_notes
-        with:
-          token: ${{ secrets.GH_TOKEN }}
-      - uses: ncipollo/release-action@1e3e9c6637e5566e185b7ab66f187539c5a76da7
-        if: steps.check_release_drafter.outputs.has_release_drafter == 'false' && steps.release_notes.outputs.generated_changelog == 'true'
-        with:
-          allowUpdates: true
-          commit: ${{ steps.release_notes.outputs.current_branch }}
-          draft: true
-          name: ${{ env.title }} ${{ steps.release_notes.outputs.next_version }}
-          tag: v${{ steps.release_notes.outputs.next_version }}
-          bodyFile: CHANGELOG.md
-          token: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}