Merge tag 'rel/2.25.0' into 2.x-site-pro

Release `2.25.0`

Author: ppkarwasz

.cherry_picker.toml

@@ -0,0 +1,24 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+team = "apache"
+repo = "logging-log4j2"
+check_sha= "3da98f7c9de9bf4abb17e10dad678e05ab658a3a"
+fix_commit_msg = false
+default_branch = "2.x"
+require_version_in_branch_name=false
+draft_pr = true

.github/FUNDING.yml

@@ -0,0 +1,25 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+##
+# This file controls the "Sponsor" button in this repo.
+# For details see:
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+#
+# WARNING: the `github` key accepts only 4 GitHub user ids, so we can not use this feature.
+#
+custom: "https://logging.apache.org/support.html#sponsors"
+tidelift: "maven/org.apache.logging.log4j:log4j-core"

.github/dependabot.yaml

@@ -44,7 +44,45 @@ registries:
 updates:
 
   - package-ecosystem: maven
-    directory: "/"
+    directories:
+      - "/log4j-1.2-api"
+      - "/log4j-api-test"
+      - "/log4j-api"
+      - "/log4j-appserver"
+      - "/log4j-cassandra"
+      - "/log4j-core-fuzz-test"
+      - "/log4j-core-its"
+      - "/log4j-core-test"
+      - "/log4j-core"
+      - "/log4j-couchdb"
+      - "/log4j-docker"
+      - "/log4j-fuzz-test"
+      - "/log4j-iostreams"
+      - "/log4j-jakarta-jms"
+      - "/log4j-jakarta-smtp"
+      - "/log4j-jakarta-web"
+      - "/log4j-jcl"
+      - "/log4j-jdbc-dbcp2"
+      - "/log4j-jpa"
+      - "/log4j-jpl"
+      - "/log4j-jul"
+      - "/log4j-layout-template-json-fuzz-test"
+      - "/log4j-layout-template-json-test"
+      - "/log4j-layout-template-json"
+      - "/log4j-mongodb"
+        # `log4j-mongodb4` is in a separate run
+      - "/log4j-osgi-test"
+      - "/log4j-parent"
+      - "/log4j-perf-test"
+        # `log4j-slf4j-impl` is in a separate run
+      - "/log4j-slf4j2-impl-fuzz-test"
+      - "/log4j-slf4j2-impl"
+      - "/log4j-spring-boot"
+      - "/log4j-spring-cloud-config-client"
+      - "/log4j-taglib"
+      - "/log4j-to-jul"
+      - "/log4j-to-slf4j"
+      - "/log4j-web"
     open-pull-requests-limit: 10
     schedule:
       interval: "daily"
@@ -54,31 +92,31 @@ updates:
     ignore:
       # Jetty 10.x does not have an internal logging API
       - dependency-name: "org.eclipse.jetty:*"
-        update-types: [ "version-update:semver-major" ]
+        versions: [ "[10,)" ]
       # EclipseLink 3.x is Jakarta EE 9
       - dependency-name: "org.eclipse.persistence:*"
-        update-types: [ "version-update:semver-major" ]
+        versions: [ "[3,)" ]
       # Spring 6.x is Jakarta EE 9
       - dependency-name: "org.springframework:*"
-        update-types: [ "version-update:semver-major" ]
+        versions: [ "[6,)" ]
       # Spring Boot 3.x is Jakarta EE 9
       - dependency-name: "org.springframework.boot:*"
-        update-types: [ "version-update:semver-major" ]
+        versions: [ "[3,)" ]
       # Spring Cloud 2022.x is Jakarta EE 9
       - dependency-name: "org.springframework.cloud:*"
-        update-types: [ "version-update:semver-major" ]
+        versions: [ "[2021,)" ]
       # Tomcat Juli 10.1.x requires Java 11
       - dependency-name: "org.apache.tomcat:*"
-        update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+        versions: [ "[10.1,)" ]
       # Keep Logback version 1.2.x
       - dependency-name: "ch.qos.logback:*"
-        update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+        versions: [ "[1.3,)" ]
       # Mockito 5.x requires Java 11
       - dependency-name: "org.mockito:*"
-        update-types: [ "version-update:semver-major" ]
+        versions: [ "[5,)" ]
       # JUnit Pioneer 2.x requires Java 11
       - dependency-name: "org.junit-pioneer:*"
-        update-types: [ "version-update:semver-major" ]
+        versions: [ "[2,)" ]
       # Apache Cassandra: keep version 3.x
       - dependency-name: "org.apache.cassandra:*"
         versions: [ "[4,)" ]
@@ -121,11 +159,13 @@ updates:
       # SLF4J should not perform major version upgrades
       - dependency-name: "org.slf4j:slf4j-api"
         update-types: [ "version-update:semver-major" ]
+      # Kafka 4.x is not compatible with our appender
+      - dependency-name: "org.apache.kafka:*"
+        versions: [ "[4,)" ]
 
   - package-ecosystem: maven
     directories:
       - "/log4j-mongodb4"
-      - "/log4j-slf4j-impl"
     open-pull-requests-limit: 10
     schedule:
       interval: "daily"
@@ -136,9 +176,6 @@ updates:
       # MongoDB 4.x should only upgrade to 4.x
       - dependency-name: "org.mongodb:*"
         versions: [ "[5,)" ]
-      # SLF4J 1.7.x should only upgrade to 1.7.x and
-      - dependency-name: "org.slf4j:slf4j-api"
-        versions: [ "[1,)" ]
 
   - package-ecosystem: github-actions
     directory: "/"

.github/generate-email.sh

@@ -28,12 +28,12 @@ stderr() {
 
 fail_for_invalid_args() {
     stderr "Invalid arguments!"
-    stderr "Expected arguments: <vote|announce> <version> <commitId>"
+    stderr "Expected arguments: <vote|announce> <version> <commitId> <nexusUrl>"
     exit 1
 }
 
 # Check arguments
-[ $# -ne 3 ] && fail_for_invalid_args
+[ $# -ne 4 ] && fail_for_invalid_args
 
 # Constants
 PROJECT_NAME="Apache Log4j"
@@ -43,6 +43,7 @@ PROJECT_SITE="https://logging.apache.org/$PROJECT_ID"
 PROJECT_STAGING_SITE="${PROJECT_SITE/apache.org/staged.apache.org}"
 PROJECT_REPO="https://github.com/apache/logging-log4j2"
 COMMIT_ID="$3"
+NEXUS_URL="$4"
 PROJECT_DIST_URL="https://dist.apache.org/repos/dist/dev/logging/$PROJECT_ID/$PROJECT_VERSION"
 
 # Check release notes file
@@ -71,7 +72,7 @@ Website: $PROJECT_STAGING_SITE/$PROJECT_VERSION/index.html
 GitHub: $PROJECT_REPO
 Commit: $COMMIT_ID
 Distribution: $PROJECT_DIST_URL
-Nexus: https://repository.apache.org/content/repositories/orgapachelogging-<FIXME>
+Nexus: $NEXUS_URL
 Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
 Review kit: https://logging.apache.org/logging-parent/release-review-instructions.html
 

.github/pull_request_template.md

@@ -1,9 +1,40 @@
-[A clear and concise description of what the pull request is for along with a reference to the associated issue IDs, if they exist.]
+**INSERT HERE** a clear and concise description of what the pull request is for along with a reference to the associated issue IDs, if they exist.
+
+> [!IMPORTANT]  
+> Base your changes on `2.x` branch if you are targeting Log4j 2; use `main` otherwise.
 
 ## Checklist
 
-* Base your changes on `2.x` branch if you are targeting Log4j 2; use `main` otherwise
-* `./mvnw verify` succeeds (if it fails due to code formatting issues reported by Spotless, simply run `./mvnw spotless:apply` and retry)
-* Non-trivial changes contain an entry file in the `src/changelog/.2.x.x` directory
-* Tests for the changes are provided
-* [Commits are signed](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) (optional, but highly recommended)
+Before we can review and merge your changes, please go through the checklist below. If you're still working on some items, feel free to submit your pull request as a draft—our CI will help guide you through the remaining steps.
+
+### ✅ Required checks
+
+- [ ] **License**: I confirm that my changes are submitted under the [Apache License, Version 2.0](https://apache.org/licenses/LICENSE-2.0).
+- [ ] **Commit signatures**: All commits are signed and verifiable. (See [GitHub Docs on Commit Signature Verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)).
+- [ ] **Code formatting**: The code is formatted according to the project’s style guide.
+  <details>
+    <summary>How to check and fix formatting</summary>
+
+    - To **check** formatting: `./mvnw spotless:check`
+    - To **fix** formatting: `./mvnw spotless:apply`
+
+    See [the build instructions](https://logging.apache.org/log4j/2.x/development.html#building) for details.
+  </details>
+- [ ] **Build & Test**: I verified that the project builds and all unit tests pass.
+  <details>
+    <summary>How to build the project</summary>
+
+    Run: `./mvnw verify`
+
+    See [the build instructions](https://logging.apache.org/log4j/2.x/development.html#building) for details.
+  </details>
+
+### 🧪 Tests (select one)
+
+- [ ] I have added or updated tests to cover my changes.
+- [ ] No additional tests are needed for this change.
+
+### 📝 Changelog (select one)
+
+- [ ] I added a changelog entry in `src/changelog/.2.x.x`. (See [Changelog Entry File Guide](https://logging.apache.org/log4j/tools/log4j-changelog.html#changelog-entry-file)).
+- [ ] This is a trivial change and does not require a changelog entry.

.github/workflows/build.yaml

@@ -30,21 +30,21 @@ jobs:
 
   build:
     if: github.actor != 'dependabot[bot]'
-    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/12.0.0
+    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/12.1.1
     secrets:
-      DV_ACCESS_TOKEN: ${{ startsWith(github.ref_name, 'release/') && '' || secrets.GE_ACCESS_TOKEN }}
+      DV_ACCESS_TOKEN: ${{ startsWith(github.ref_name, 'release/') && '' || secrets.DEVELOCITY_ACCESS_KEY }}
     with:
       java-version: |
         8
         17
       site-enabled: true
-      reproducibility-check-enabled: ${{ startsWith(github.ref_name, 'release/') }}
+      reproducibility-check-enabled: false
       develocity-enabled: ${{ ! startsWith(github.ref_name, 'release/') }}
 
   deploy-snapshot:
     needs: build
     if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x'
-    uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@rel/12.0.0
+    uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@rel/12.1.1
     # Secrets for deployments
     secrets:
       NEXUS_USERNAME: ${{ secrets.NEXUS_USER }}
@@ -57,7 +57,7 @@ jobs:
   deploy-release:
     needs: build
     if: github.repository == 'apache/logging-log4j2' && startsWith(github.ref_name, 'release/')
-    uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@rel/12.0.0
+    uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@rel/12.1.1
     # Secrets for deployments
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -73,3 +73,25 @@ jobs:
         8
         17
       project-id: log4j
+
+  verify-reproducibility:
+    needs: [ deploy-snapshot, deploy-release ]
+    if: ${{ always() && (needs.deploy-snapshot.result == 'success' || needs.deploy-release.result == 'success') }}
+    name: "verify-reproducibility (${{ needs.deploy-release.result == 'success' && needs.deploy-release.outputs.project-version || needs.deploy-snapshot.outputs.project-version }})"
+    uses: apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@rel/12.1.1
+    with:
+      nexus-url: ${{ needs.deploy-release.result == 'success' && needs.deploy-release.outputs.nexus-url || 'https://repository.apache.org/content/groups/snapshots' }}
+      # Encode the `runs-on` input as JSON array
+      runs-on: '["ubuntu-latest", "macos-latest"]'
+
+  # Run integration-tests automatically after a snapshot or RC is published
+  integration-test:
+    needs: [ deploy-snapshot, deploy-release ]
+    if: ${{ always() && (needs.deploy-snapshot.result == 'success' || needs.deploy-release.result == 'success') }}
+    name: "integration-test (${{ needs.deploy-release.result == 'success' && needs.deploy-release.outputs.project-version || needs.deploy-snapshot.outputs.project-version }})"
+    uses: apache/logging-log4j-samples/.github/workflows/integration-test.yaml@main
+    with:
+      log4j-version: ${{ needs.deploy-release.result == 'success' && needs.deploy-release.outputs.project-version || needs.deploy-snapshot.outputs.project-version }}
+      log4j-repository-url: ${{ needs.deploy-release.result == 'success' && needs.deploy-release.outputs.nexus-url || needs.deploy-snapshot.outputs.nexus-url }}
+      # Use the `main` branch of `logging-log4j-samples`
+      samples-ref: 'refs/heads/main'

.github/workflows/close-stale.yaml

@@ -28,7 +28,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e    # v9.0.0
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639    # v9.1.0
         with:
           # Labels need to match with the ones in `labeler.yaml`!
           only-labels: waiting-for-user

.github/workflows/codeql-analysis.yaml

@@ -30,7 +30,7 @@ permissions: read-all
 jobs:
 
   analyze:
-    uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@rel/12.0.0
+    uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@rel/12.1.1
     with:
       java-version: |
         8

.github/workflows/deploy-site.yaml

@@ -33,7 +33,7 @@ jobs:
 
   deploy-site-stg:
     if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x'
-    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.0.0
+    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.1.1
     # Secrets for committing the generated site
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -51,7 +51,7 @@ jobs:
 
   deploy-site-pro:
     if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x-site-pro'
-    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.0.0
+    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.1.1
     # Secrets for committing the generated site
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -81,7 +81,7 @@ jobs:
 
   deploy-site-rel:
     needs: export-version
-    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.0.0
+    uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.1.1
     # Secrets for committing the generated site
     secrets:
       GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}

.github/workflows/develocity-publish-build-scans.yaml

@@ -31,10 +31,12 @@ jobs:
     steps:
 
       - name: Setup Build Scan link capture
-        uses: gradle/develocity-actions/maven-setup@9f1bf05334de7eb619731d5466c35a153742311d   # 1.2
+        uses: gradle/develocity-actions/setup-maven@4a2aed82eea165ba2d5c494fc2a8730d7fdff229   # 1.4
+        with:
+          capture-build-scan-links: true
 
       - name: Publish Build Scans
-        uses: gradle/develocity-actions/maven-publish-build-scan@9f1bf05334de7eb619731d5466c35a153742311d   # 1.2
+        uses: gradle/develocity-actions/maven-publish-build-scan@4a2aed82eea165ba2d5c494fc2a8730d7fdff229   # 1.4
         with:
-          develocity-url: 'https://ge.apache.org'
-          develocity-access-key: ${{ secrets.GE_ACCESS_TOKEN }}
+          develocity-url: 'https://develocity.apache.org'
+          develocity-access-key: ${{ secrets.DEVELOCITY_ACCESS_KEY }}