Merge remote-tracking branch 'apache/2.x' into feature/2.x/separate-reproducibility-check

Author: ppkarwasz

.github/dependabot.yaml

@@ -45,7 +45,6 @@ updates:
 
   - package-ecosystem: maven
     directories:
-      - "/"
       - "/log4j-1.2-api"
       - "/log4j-api-test"
       - "/log4j-api"
@@ -59,6 +58,7 @@ updates:
       - "/log4j-docker"
       - "/log4j-fuzz-test"
       - "/log4j-iostreams"
+      - "/log4j-jakarta-jms"
       - "/log4j-jakarta-smtp"
       - "/log4j-jakarta-web"
       - "/log4j-jcl"
@@ -163,7 +163,6 @@ updates:
   - package-ecosystem: maven
     directories:
       - "/log4j-mongodb4"
-      - "/log4j-slf4j-impl"
     open-pull-requests-limit: 10
     schedule:
       interval: "daily"
@@ -174,9 +173,6 @@ updates:
       # MongoDB 4.x should only upgrade to 4.x
       - dependency-name: "org.mongodb:*"
         versions: [ "[5,)" ]
-      # SLF4J 1.7.x should only upgrade to 1.7.x and
-      - dependency-name: "org.slf4j:slf4j-api"
-        versions: [ "[1,)" ]
 
   - package-ecosystem: github-actions
     directory: "/"

.github/workflows/build.yaml

@@ -30,9 +30,9 @@ jobs:
 
   build:
     if: github.actor != 'dependabot[bot]'
-    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@feature/reproducibility-check
+    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/12.0.0
     secrets:
-      DV_ACCESS_TOKEN: ${{ startsWith(github.ref_name, 'release/') && '' || secrets.GE_ACCESS_TOKEN }}
+      DV_ACCESS_TOKEN: ${{ startsWith(github.ref_name, 'release/') && '' || secrets.DEVELOCITY_ACCESS_KEY }}
     with:
       java-version: |
         8
@@ -43,10 +43,8 @@ jobs:
 
   deploy-snapshot:
     needs: build
-    # FIXME: Restore `2.x` before merging
-    # if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x'
-    if: github.repository == 'apache/logging-log4j2' && github.ref == 'refs/pull/3105/merge'
-    uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@feature/reproducibility-check
+    if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x'
+    uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@rel/12.0.0
     # Secrets for deployments
     secrets:
       NEXUS_USERNAME: ${{ secrets.NEXUS_USER }}
@@ -59,7 +57,7 @@ jobs:
   deploy-release:
     needs: build
     if: github.repository == 'apache/logging-log4j2' && startsWith(github.ref_name, 'release/')
-    uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@feature/reproducibility-check
+    uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@rel/12.0.0
     # Secrets for deployments
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -80,7 +78,7 @@ jobs:
     needs: [ deploy-snapshot, deploy-release ]
     if: ${{ always() && (needs.deploy-snapshot.result == 'success' || needs.deploy-release.result == 'success') }}
     name: "verify-reproducibility (${{ needs.deploy-release.result == 'success' && needs.deploy-release.outputs.project-version || needs.deploy-snapshot.outputs.project-version }})"
-    uses: apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@feature/reproducibility-check
+    uses: apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@12.0.0
     with:
       nexus-url: ${{ needs.deploy-release.result == 'success' && needs.deploy-release.outputs.nexus-url || needs.deploy-snapshot.outputs.nexus-url }}
       # Encode the `runs-on` input as JSON array

.github/workflows/codeql-analysis.yaml

@@ -30,7 +30,7 @@ permissions: read-all
 jobs:
 
   analyze:
-    uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@rel/11.3.0
+    uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@rel/12.0.0
     with:
       java-version: |
         8

.github/workflows/deploy-site.yaml

@@ -33,7 +33,7 @@ jobs:
 
   deploy-site-stg:
     if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x'
-    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/11.3.0
+    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.0.0
     # Secrets for committing the generated site
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -51,7 +51,7 @@ jobs:
 
   deploy-site-pro:
     if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x-site-pro'
-    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/11.3.0
+    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.0.0
     # Secrets for committing the generated site
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -81,7 +81,7 @@ jobs:
 
   deploy-site-rel:
     needs: export-version
-    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/11.3.0
+    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.0.0
     # Secrets for committing the generated site
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}

.github/workflows/develocity-publish-build-scans.yaml

@@ -31,10 +31,12 @@ jobs:
     steps:
 
       - name: Setup Build Scan link capture
-        uses: gradle/develocity-actions/maven-setup@9f1bf05334de7eb619731d5466c35a153742311d   # 1.2
+        uses: gradle/develocity-actions/setup-maven@b8d3a572314ffff3b940a2c1b7b384d4983d422d   # 1.3
+        with:
+          capture-build-scan-links: true
 
       - name: Publish Build Scans
-        uses: gradle/develocity-actions/maven-publish-build-scan@9f1bf05334de7eb619731d5466c35a153742311d   # 1.2
+        uses: gradle/develocity-actions/maven-publish-build-scan@b8d3a572314ffff3b940a2c1b7b384d4983d422d   # 1.3
         with:
-          develocity-url: 'https://ge.apache.org'
-          develocity-access-key: ${{ secrets.GE_ACCESS_TOKEN }}
+          develocity-url: 'https://develocity.apache.org'
+          develocity-access-key: ${{ secrets.DEVELOCITY_ACCESS_KEY }}

.github/workflows/merge-dependabot.yaml

@@ -30,9 +30,9 @@ jobs:
 
   build:
     if: github.repository == 'apache/logging-log4j2' && github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
-    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/11.3.0
+    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/12.0.0
     secrets:
-      DV_ACCESS_TOKEN: ${{ secrets.GE_ACCESS_TOKEN }}
+      DV_ACCESS_TOKEN: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
     with:
       java-version: |
         8
@@ -42,7 +42,7 @@ jobs:
 
   merge-dependabot:
     needs: build
-    uses: apache/logging-parent/.github/workflows/merge-dependabot-reusable.yaml@rel/11.3.0
+    uses: apache/logging-parent/.github/workflows/merge-dependabot-reusable.yaml@rel/12.0.0
     with:
       java-version: 17
     permissions:

.mvn/develocity.xml

@@ -2,7 +2,7 @@
 <develocity>
     <projectId>logging-log4j2</projectId>
     <server>
-        <url>https://ge.apache.org</url>
+        <url>https://develocity.apache.org</url>
     </server>
     <buildScan>
         <capture>

BUILDING.adoc

@@ -172,3 +172,59 @@ CI=true ./mvnw ...
 === Compilation in IntelliJ IDEA fails with `java: plug-in not found: ErrorProne`
 
 Try removing all _"Override compiler parameters per-module"_ entries in _"Settings > Build, Execution, Deployment > Compiler > Java Compiler"_.
+
+[#development-api-compatibility]
+=== Fixing API compatibility check failures
+
+Log4j uses the
+https://github.com/bndtools/bnd/tree/master/maven-plugins/bnd-baseline-maven-plugin[BND Baseline Maven Plugin]
+to enforce its
+https://semver.org/[semantic versioning policy].
+Following the
+https://bnd.bndtools.org/chapters/170-versioning.html#best-practices[OSGi versioning best practices], both Log4j artifacts and packages are versioned.
+If you modify Log4j's public API, a BND Baseline error like the following will occur:
+
+[source]
+----
+  Name                        Type     Delta      New    Old    Suggest  If Prov.
+  org.apache.logging.foo      PACKAGE  UNCHANGED  2.1.0  2.1.0  ok       -
+* org.apache.logging.foo.bar  PACKAGE  MINOR      2.3.4  2.3.4  2.4.0    -
+  MINOR        PACKAGE    org.apache.logging.foo.bar
+  ...
+----
+
+The solution of the error depends on the change kind (`Delta`):
+
+[#development-api-compatibility-micro]
+`MICRO`::
++
+For patch level changes modify the `package-info.java` file of the `org.apache.logging.foo.bar` package and update the `@Version` annotation to the number suggested by BND: increment just the patch number.
++
+[source,java]
+----
+@Version("2.3.5")
+package org.apache.logging.foo.bar;
+----
+
+[#development-api-compatibility-minor]
+`MINOR`::
++
+Changes of type `MINOR` require more work:
++
+--
+* Make sure that the current Log4j version is a minor upgrade over the last released version.
+If that is not the case (e.g., it is `2.34.5-SNAPSHOT`) modify the `<revision>` property in the main POM file (e.g., change it to `2.35.0-SNAPSHOT`).
+* Make sure to add a
+https://logging.apache.org/log4j/tools/log4j-changelog.html#changelog-entry-file[changelog entry]
+of type `added`, `changed` or `deprecated` to your PR.
+* As in the
+<<development-api-compatibility-micro,`MICRO` case>>
+modify the `package-info.java` file of the package and update the `@Version` annotation to the **next Log4j version** (`2.35.0` in the example) and **not** the minimal version number suggested by BND.
+The purpose of this policy is to have an alignment between package versions and the last Log4j version, where an API change occurred.
+--
+
+[#development-api-compatibility-major]
+`MAJOR`::
++
+Changes of type `MAJOR` (i.e. breaking changes) are not accepted in the `2.x` branch.
+If you believe it is not a breaking change (e.g., you removed a class **documented** as private), the development team will guide you on how to solve it.

log4j-1.2-api/pom.xml

@@ -43,11 +43,12 @@
       com.sun.jdmk.comm;resolution:=optional,
       <!-- JMS is optional -->
       javax.jms;version="[1.1,3)";resolution:=optional,
-      <!-- Log4j Core is optional -->
-      org.apache.logging.log4j.core.*;resolution:=optional
     </bnd-extra-package-options>
+    <bnd-extra-module-options>
+      <!-- Log4j Core is optional -->
+      org.apache.logging.log4j.core;static=true
+    </bnd-extra-module-options>
     <Fragment-Host>org.apache.logging.log4j.core</Fragment-Host>
-    <!-- we have an `bnd.bnd` file to override the parent's defaults -->
   </properties>
 
   <dependencies>
@@ -112,6 +113,7 @@
       <scope>test</scope>
     </dependency>
 
+    <!-- JUnit -->
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-engine</artifactId>
@@ -123,10 +125,9 @@
       <artifactId>junit-jupiter-params</artifactId>
       <scope>test</scope>
     </dependency>
-
     <dependency>
-      <groupId>org.junit.vintage</groupId>
-      <artifactId>junit-vintage-engine</artifactId>
+      <groupId>org.hamcrest</groupId>
+      <artifactId>hamcrest</artifactId>
       <scope>test</scope>
     </dependency>
 

log4j-1.2-api/src/main/java/org/apache/log4j/Level.java

@@ -115,8 +115,7 @@ protected Level(
             final String levelStr,
             final int syslogEquivalent,
             final org.apache.logging.log4j.Level version2Equivalent) {
-        super(level, levelStr, syslogEquivalent);
-        this.version2Level = version2Equivalent != null ? version2Equivalent : OptionConverter.createLevel(this);
+        super(level, levelStr, syslogEquivalent, version2Equivalent);
     }
 
     /**
@@ -222,6 +221,7 @@ private void readObject(final ObjectInputStream s) throws IOException, ClassNotF
         if (levelStr == null) {
             levelStr = Strings.EMPTY;
         }
+        version2Level = OptionConverter.createLevel(this);
     }
 
     /**