sync develop with Main

.github/workflows/build-and-test-main.yml

@@ -6,7 +6,7 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 
-name: Java CI with Maven
+name: Build and Test JAR
 
 on:
   push:
@@ -15,16 +15,16 @@ on:
     branches: [ "main" ]
 
 jobs:
-  build:
+  build_and_test:
 
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
-    - name: Set up JDK 17
+    - name: Set up JDK 21
       uses: actions/setup-java@v4
       with:
-        java-version: '17'
+        java-version: '21'
         distribution: 'temurin'
         cache: maven
     - name: Set up Python 3.11

.github/workflows/create-tagged-release.yml

@@ -1,99 +1,56 @@
-name: Maven Package
+name: Build JAR on Tag
 
 on:
   push:
     tags:
-      - '**'
+      - '*'
 
 jobs:
   build:
     runs-on: ubuntu-latest
+
     permissions:
-      contents: write
+      contents: write  # Ensure write permission for contents
       packages: write
 
     steps:
-    - uses: actions/checkout@v4
-
-    - name: Set up JDK 17
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Set up JDK
       uses: actions/setup-java@v4
       with:
-        java-version: '17'
         distribution: 'temurin'
-        server-id: github
-        settings-path: ${{ github.workspace }}
-
-    - name: Build with Maven
-      run: mvn versions:set -DnewVersion=${{ github.ref_name }} -B -U -DskipTests clean package --file pom.xml
-
-    - name: Create GitHub Release
-      id: create_release
-      uses: actions/github-script@v6
-      with:
-        script: |
-          const tag = context.ref.replace('refs/tags/', '');
-          let release;
-          try {
-            release = await github.rest.repos.getReleaseByTag({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              tag
-            });
-            core.setOutput('release_id', release.data.id);
-          } catch (error) {
-            if (error.status === 404) {
-              const release = await github.rest.repos.createRelease({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                tag_name: context.ref.replace('refs/tags/', ''),
-                name: `Release ${context.ref.replace('refs/tags/', '')}`,
-                draft: false,
-                prerelease: false
-              });
-              core.setOutput('release_id', release.data.id);
-            } else {
-              throw error;
-            }
-          }
-          core.setOutput('upload_url', release.data.upload_url);
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        java-version: '21'  # Matches the enforced version in the POM
+        cache: maven
 
-    - name: Upload JAR to Release
-      uses: actions/upload-release-asset@v1
+    - name: Cache Maven dependencies
+      uses: actions/cache@v4
       with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }}
-        asset_path: target/python-generator-${{ github.ref_name }}.jar
-        asset_name: python-generator-${{ github.ref_name }}.jar
-        asset_content_type: application/java-archive
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
 
-    - name: Create Source Code Zip
-      run: git archive -o source-${{ github.ref_name }}.zip HEAD
+    - name: Build with Maven
+      run: |
+        TAG_NAME=${GITHUB_REF#refs/tags/}
+        echo "Updating POM version to $TAG_NAME"
+        mvn -B versions:set -DnewVersion=$TAG_NAME
+        mvn -B package --file pom.xml -DskipTests
 
-    - name: Upload Source Code Zip
-      uses: actions/upload-release-asset@v1
+    - name: Revert POM changes
+      run: git checkout -- pom.xml
+
+    - name: Upload JAR files
+      uses: actions/upload-artifact@v4
       with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }}
-        asset_path: source-${{ github.ref_name }}.zip
-        asset_name: source-${{ github.ref_name }}.zip
-        asset_content_type: application/zip
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Create Source Code Tar.gz
-      run: git archive -o source-${{ github.ref_name }}.tar.gz --format=tar.gz HEAD
+        name: jar-files
+        path: target/*.jar
 
-    - name: Upload Source Code Tar.gz
-      uses: actions/upload-release-asset@v1
+    - name: Create GitHub Release
+      uses: softprops/action-gh-release@v2
       with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }}
-        asset_path: source-${{ github.ref_name }}.tar.gz
-        asset_name: source-${{ github.ref_name }}.tar.gz
-        asset_content_type: application/gzip
+        files: target/*.jar
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Reset POM
-      run: git checkout -- pom.xml

.github/workflows/cve-scanning.yml

@@ -0,0 +1,43 @@
+name: CVE Scanning for Maven
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+ depchecktest:
+    runs-on: ubuntu-latest
+    name: depecheck_test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+      - name: Build with Maven
+        run: mvn install -DskipTests
+        working-directory: .
+      - name: Depcheck
+        uses: dependency-check/Dependency-Check_Action@1b5d19fd4a32ff0ff982e8c9d8e27dbf7ac8a46c
+        id: Depcheck
+        env:
+          JAVA_HOME: /opt/jdk
+        with:
+          project: ${{github.repository}}
+          path: '.'
+          format: 'HTML'
+          out: 'reports' # this is the default, no need to specify unless you wish to override it
+          args: >
+            --suppression ./allow-list.xml
+            --failOnCVSS 7
+            --enableRetired
+
+      - name: Upload Test results
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: Depcheck report
+          path:  ${{github.workspace}}/reports

.github/workflows/license-scanning-maven.yml

@@ -0,0 +1,80 @@
+name: License Scanning for Maven
+
+on:
+  schedule:
+    - cron: '0 8,18 * * 1-5'
+  push:
+    paths:
+      - './pom.xml'
+      - '.github/workflows/license-scanning-maven.yml'
+
+env:
+  ALLOW_LICENSES: "
+    licenses/license/name!='Apache License, Version 2.0' and
+    not(contains(licenses/license/url, '://www.apache.org/licenses/LICENSE-2.0.txt')) and
+    not(contains(licenses/license/url, '://opensource.org/licenses/Apache-2.0')) and
+
+    licenses/license/name!='BSD License' and
+    not(contains(licenses/license/url, 'antlr.org/license.html')) and
+
+    licenses/license/name!='New BSD License' and
+    not(contains(licenses/license/url, '://www.opensource.org/licenses/bsd-license.php')) and
+
+    licenses/license/name!='BSD-3-Clause' and
+    not(contains(licenses/license/url, '://asm.ow2.io/license.html')) and
+
+    licenses/license/name!='Eclipse Public License - v 1.0' and
+    not(contains(licenses/license/url, '://www.eclipse.org/legal/epl-v10.html')) and
+
+    licenses/license/name!='Eclipse Public License - v 2.0' and
+    not(contains(licenses/license/url, '://www.eclipse.org/legal/epl-v20.html')) and
+    not(contains(licenses/license/url, '://www.eclipse.org/legal/epl-2.0')) and
+
+    licenses/license/name!='GNU Lesser General Public License' and
+    not(contains(licenses/license/url, '://www.gnu.org/licenses/old-licenses/lgpl-2.1.html')) and
+
+    licenses/license/name!='GNU General Public License (GPL), version 2, with the Classpath exception' and
+    not(contains(licenses/license/url, '://openjdk.java.net/legal/gplv2+ce.html')) and
+
+    licenses/license/name!='The MIT License' and
+    not(contains(licenses/license/url, '://opensource.org/licenses/MIT')) and
+    not(contains(licenses/license/url, '://www.opensource.org/licenses/mit-license.php')) and
+
+    licenses/license/name!='CDDL + GPLv2 with classpath exception' and
+    not(contains(licenses/license/url, '://github.com/javaee/javax.annotation/blob/master/LICENSE')) and
+
+    licenses/license/name!='Public Domain'
+    "
+  REPORT_PATH: "target/generated-resources/licenses.xml"
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: 17
+        cache: maven
+        distribution: 'adopt'
+    - name: Install XQ
+      run: pip install xq
+    - name: Build with Maven
+      run: mvn clean install -Dmaven.test.skip=true
+      working-directory: .
+    - name: License XML report
+      run: mvn org.codehaus.mojo:license-maven-plugin:2.0.0:download-licenses
+      working-directory: .
+    - name: Validate XML report
+      run: |
+        LICENSE_REPORT=`xq "//dependency[licenses/license/name!=${{ env.ALLOW_LICENSES }}]" ./${{ env.REPORT_PATH }}`
+        LINES_FOUND=`echo $LICENSE_REPORT | wc -l`
+        echo "License issues found ..."
+        if [ $LINES_FOUND -gt 1 ]; then echo $LICENSE_REPORT ; exit -1; fi
+      working-directory: .
+    - name: Upload license XML reports
+      uses: actions/upload-artifact@v4
+      with:
+        name: license-xml-report
+        path: './**/${{ env.REPORT_PATH }}'

RELEASE.md

@@ -2,7 +2,7 @@
 
 _What is being released?_
 
-This release adds support for meta data and for serialization / deserialization consistient with the [serialization specifications in CDM issue #3236](https://github.com/finos/common-domain-model/issues/3236)
+This release adds support for meta data and for serialization / deserialization consistent with the [serialization specifications in CDM issue #3236](https://github.com/finos/common-domain-model/issues/3236)
 
 Also included is support for circular dependencies and increased testing of operators.