Merge branch 'main' into renovate/xtext.version

Author: dschwartznyc

.github/workflows/build-and-test.yml

@@ -17,12 +17,12 @@ on:
 
 
 jobs:
-  build-and-test:
+  build-and-testExpected:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/release.yml

@@ -1,24 +1,40 @@
+# .github/workflows/release.yml
+
 name: Release
 
 on:
   workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "DRY RUN: Do not push/tag or create a GitHub Release"
+        type: boolean
+        default: false
+      base_ref:
+        description: "Branch to release from (for testing)"
+        type: string
+        default: "main"
+
+permissions:
+  contents: write
 
 concurrency:
-  group: release-${{ github.ref }}
+  group: release-${{ github.event.inputs.base_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  tag:
+  prepare-release:
     runs-on: ubuntu-latest
     outputs:
       tag_name: ${{ steps.set_tag.outputs.tag_name }}
       dsl_version: ${{ steps.get_dsl_version.outputs.dsl_version }}
       artifact_id: ${{ steps.get_artifact_id.outputs.artifact_id }}
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
+      - name: Checkout base branch
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          ref: ${{ github.event.inputs.base_ref || 'main' }}
+          persist-credentials: true
 
       - name: Set up Java
         uses: actions/setup-java@v5
@@ -29,96 +45,170 @@ jobs:
 
       - name: Get DSL version from pom.xml
         id: get_dsl_version
+        shell: bash
         run: |
-          DSL_VERSION=$(mvn help:evaluate -Dexpression=rosetta.dsl.version -q -DforceStdout)
-          echo "dsl_version=$DSL_VERSION" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          DSL_VERSION=$(mvn -q help:evaluate -Dexpression=rosetta.dsl.version -DforceStdout)
+          if [ -z "${DSL_VERSION:-}" ]; then
+            echo "Failed to resolve rosetta.dsl.version from pom.xml"
+            exit 1
+          fi
+          echo "dsl_version=$DSL_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Get artifactId from pom.xml
         id: get_artifact_id
+        shell: bash
         run: |
-          ARTIFACT_ID=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)
-          echo "artifact_id=$ARTIFACT_ID" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          ARTIFACT_ID=$(mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout)
+          if [ -z "${ARTIFACT_ID:-}" ]; then
+            echo "Failed to resolve project.artifactId from pom.xml"
+            exit 1
+          fi
+          echo "artifact_id=$ARTIFACT_ID" >> "$GITHUB_OUTPUT"
 
-      - name: Fetch all tags
-        run: git fetch --tags
+      - name: Ensure up-to-date and fetch tags
+        shell: bash
+        run: |
+          set -euo pipefail
+          git config --global pull.ff only
+          git fetch --prune --tags origin
+          git pull --ff-only origin "${{ github.event.inputs.base_ref || 'main' }}"
 
       - name: Determine next tag
         id: set_tag
+        shell: bash
         run: |
+          set -euo pipefail
           DSL_VERSION="${{ steps.get_dsl_version.outputs.dsl_version }}"
-          TAGS=$(git tag --list "${DSL_VERSION}.*" | sort -V)
-          if [ -z "$TAGS" ]; then
+          DSL_ESCAPED=$(printf '%s\n' "$DSL_VERSION" | sed -e 's/[]\/$*.^|[]/\\&/g')
+
+          EXISTING=$(git tag -l "${DSL_VERSION}.*" | grep -E "^${DSL_ESCAPED}\.[0-9]+$" || true)
+          if [ -z "$EXISTING" ]; then
             NEXT_TAG="${DSL_VERSION}.0"
           else
-            MAX_N=$(echo "$TAGS" | sed "s/^${DSL_VERSION}\.//" | sort -n | tail -1)
-            NEXT_N=$((MAX_N + 1))
-            NEXT_TAG="${DSL_VERSION}.${NEXT_N}"
+            MAX_N=$(echo "$EXISTING" | sed -E "s/^${DSL_ESCAPED}\.//" | sort -n | tail -1)
+            NEXT_TAG="${DSL_VERSION}.$((MAX_N + 1))"
           fi
-          echo "tag_name=$NEXT_TAG" >> $GITHUB_OUTPUT
+          echo "Next tag computed: $NEXT_TAG"
+          echo "tag_name=$NEXT_TAG" >> "$GITHUB_OUTPUT"
 
-      - name: Create and push tag
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Guard only allow real release from main
+        if: ${{ github.event.inputs.dry_run != 'true' }}
+        shell: bash
         run: |
-          TAG_NAME="${{ steps.set_tag.outputs.tag_name }}"
-          if git rev-parse "$TAG_NAME" >/dev/null 2>&1; then
-            echo "Tag $TAG_NAME already exists. Exiting."
+          set -euo pipefail
+          if [ "${{ github.event.inputs.base_ref || 'main' }}" != "main" ]; then
+            echo "Unable to perform a release from '${{ github.event.inputs.base_ref }}'. Use main or set dry_run=true."
             exit 1
           fi
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git tag "$TAG_NAME"
-          git push origin "$TAG_NAME"
 
-  build-and-release:
-    needs: tag
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Set up Java
-        uses: actions/setup-java@v5
-        with:
-          distribution: temurin
-          java-version: 21
-          cache: maven
+      - name: Bump version, tag, and push (skipped in dry run)
+        env:
+          TAG_NAME: ${{ steps.set_tag.outputs.tag_name }}
+          DRY_RUN: ${{ github.event.inputs.dry_run }}
+          BASE_REF: ${{ github.event.inputs.base_ref || 'main' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [ "${DRY_RUN}" = "true" ]; then
+            echo "[DRY RUN] Would set project version to ${TAG_NAME}, commit, tag, and push atomically to ${BASE_REF}."
+            exit 0
+          fi
 
-      - name: Save original pom.xml
-        run: cp pom.xml pom.xml.bak
+          mvn -q -B versions:set -DnewVersion="${TAG_NAME}" -DgenerateBackupPoms=false
+          if ! git diff --quiet; then
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git add -A
+            git commit -m "Release ${TAG_NAME}: set project version to ${TAG_NAME}"
+          else
+            echo "No changes to commit (version already ${TAG_NAME})."
+          fi
 
-      - name: Update pom.xml version to match tag
-        run: |
-          mvn -B versions:set -DnewVersion=${{ needs.tag.outputs.tag_name }}
-          mvn -B versions:commit
+          git fetch --prune --tags origin
+          if git rev-parse "${TAG_NAME}" >/dev/null 2>&1; then
+            echo "Tag ${TAG_NAME} already exists. Exiting."
+            exit 1
+          fi
 
-      - name: Build JARs
-        run: mvn -B clean package
+          git tag -a "${TAG_NAME}" -m "Release ${TAG_NAME}"
+          git push --atomic origin HEAD:"${BASE_REF}" "${TAG_NAME}"
 
-      - name: Revert pom.xml to original
-        run: mv pom.xml.bak pom.xml
+  build-and-verify-release:
+    needs: prepare-release
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout the tag (real release)
+      if: ${{ github.event.inputs.dry_run != 'true' }}
+      uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+        ref: ${{ needs.prepare-release.outputs.tag_name }}
+
+    - name: Checkout the base branch (dry run)
+      if: ${{ github.event.inputs.dry_run == 'true' }}
+      uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+        ref: ${{ github.event.inputs.base_ref || 'main' }}
+
+    - name: Set up Java
+      uses: actions/setup-java@v5
+      with:
+        distribution: temurin
+        java-version: 21
+        cache: maven
+
+    - name: In dry run - set project version to computed tag (no commit)
+      if: ${{ github.event.inputs.dry_run == 'true' }}
+      env:
+        TAG_NAME: ${{ needs.prepare-release.outputs.tag_name }}
+      shell: bash
+      run: |
+        set -euo pipefail
+        mvn -q -B versions:set -DnewVersion="${TAG_NAME}" -DgenerateBackupPoms=false
+        # No commit; only adjust the working tree so the built artifact names match
+
+    - name: Build JARs
+      shell: bash
+      run: mvn -B clean package
+
+    - name: Collect artifact paths
+      id: archive
+      shell: bash
+      run: |
+        set -euo pipefail
+        ARTIFACT_ID="${{ needs.prepare-release.outputs.artifact_id }}"
+        TAG_NAME="${{ needs.prepare-release.outputs.tag_name }}"
+        JAR="target/${ARTIFACT_ID}-${TAG_NAME}.jar"
+        JDOC="target/${ARTIFACT_ID}-${TAG_NAME}-javadoc.jar"
+        if [ ! -f "$JAR" ]; then echo "Missing $JAR"; ls -l target || true; exit 1; fi
+        if [ ! -f "$JDOC" ]; then echo "Missing $JDOC"; ls -l target || true; exit 1; fi
+        echo "jar_path=$JAR" >> "$GITHUB_OUTPUT"
+        echo "javadoc_jar_path=$JDOC" >> "$GITHUB_OUTPUT"
+
+    - name: In dry run - upload build outputs as workflow artifacts
+      if: ${{ github.event.inputs.dry_run == 'true' }}
+      uses: actions/upload-artifact@v6
+      with:
+        name: dry-run-${{ needs.prepare-release.outputs.tag_name }}
+        path: |
+          ${{ steps.archive.outputs.jar_path }}
+          ${{ steps.archive.outputs.javadoc_jar_path }}
+        retention-days: 3
+
+    - name: Create GitHub Release (real release)
+      if: ${{ github.event.inputs.dry_run != 'true' }}
+      uses: softprops/action-gh-release@v2
+      with:
+        tag_name: ${{ needs.prepare-release.outputs.tag_name }}
+        name: ${{ needs.prepare-release.outputs.tag_name }}
+        body: |
+          Automated release for DSL version ${{ needs.prepare-release.outputs.dsl_version }}
+        files: |
+          ${{ steps.archive.outputs.jar_path }}
+          ${{ steps.archive.outputs.javadoc_jar_path }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Archive JARs
-        id: archive
-        run: |
-          ARTIFACT_ID="${{ needs.tag.outputs.artifact_id }}"
-          TAG_NAME="${{ needs.tag.outputs.tag_name }}"
-          JAR="target/${ARTIFACT_ID}-${TAG_NAME}.jar"
-          JAVADOC_JAR="target/${ARTIFACT_ID}-${TAG_NAME}-javadoc.jar"
-          echo "jar_path=$JAR" >> $GITHUB_OUTPUT
-          echo "javadoc_jar_path=$JAVADOC_JAR" >> $GITHUB_OUTPUT
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ needs.tag.outputs.tag_name }}
-          name: ${{ needs.tag.outputs.tag_name }}
-          body: |
-            Automated release for DSL version ${{ needs.tag.outputs.dsl_version }}
-          files: |
-            ${{ steps.archive.outputs.jar_path }}
-            ${{ steps.archive.outputs.javadoc_jar_path }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/renovate.yml

@@ -4,12 +4,16 @@
 
 name: Renovate
 
-on:
+on: 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
   # Runs the workflow on a schedule (e.g., every day at 2 AM)
   schedule:
     - cron: '0 2 * * *'
+  push:
+    paths:
+      - .github/renovate.json
+      - .github/workflows/renovate.yml
 
 jobs:
   renovate:
@@ -22,18 +26,13 @@ jobs:
       security-events: read    # read Dependabot vulnerability alerts
     steps:
       # Checks out the repository under $GITHUB_WORKSPACE
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       # Runs the Renovate GitHub Action
       - name: Renovate
-        uses: renovatebot/github-action@v43.0.18
+        uses: renovatebot/github-action@v44.1.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }} # required to create PRs/issues
           configurationFile: .github/renovate.json
         env:
-          RENOVATE_REPOSITORIES: ${{ github.repository }} # scan current repo
-
-  # Optional: run your build/test workflow after Renovate finishes
-  build_and_test:
-    needs: renovate
-    uses: ./.github/workflows/build-and-test.yml
+          RENOVATE_REPOSITORIES: ${{ github.repository }} # scan current repo

.github/workflows/scan-cve.yml

@@ -6,19 +6,26 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
+
 
 # Cancel previous jobs
 concurrency:
   group: cve-scan-${{ github.ref }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
 
 jobs:
   depchecktest:
     runs-on: ubuntu-latest
     name: depecheck_test
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup JDK 21
         uses: actions/setup-java@v5
         with:
@@ -28,10 +35,11 @@ jobs:
         run: mvn -B clean package -DskipTests
         working-directory: .
       - name: Depcheck
-        uses: dependency-check/Dependency-Check_Action@main
+        uses: dependency-check/Dependency-Check_Action@1.1.0
         id: Depcheck
         env:
           JAVA_HOME: /opt/jdk
+
         with:
           project: ${{github.repository}}
           path: '.'
@@ -45,7 +53,7 @@ jobs:
             --out ./reports
       - name: Upload Test results
         if: ${{ always() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: Depcheck report
           path:  ${{github.workspace}}/reports