Merge branch 'main' into issues/3485-console-launcher-select-multiple-values

# Conflicts:
#	junit-platform-console/src/main/java/org/junit/platform/console/options/TestDiscoveryOptionsMixin.java
#	platform-tests/src/test/java/org/junit/platform/console/options/CommandLineOptionsParsingTests.java

Author: juliette-derancourt

.github/actions/run-gradle/action.yml

@@ -21,7 +21,8 @@ runs:
       run: |
         ./gradlew \
         -Porg.gradle.java.installations.auto-download=false \
-        -Pjunit.develocity.predictiveTestSelection.enabled=${{ github.event_name == 'pull_request' }} \
+        -Pjunit.develocity.predictiveTestSelection.enabled=true \
+        -Pjunit.develocity.predictiveTestSelection.selectRemainingTests=${{ github.event_name != 'pull_request' }} \
         "-Dscan.value.GitHub job=${{ github.job }}" \
         javaToolchains \
         ${{ inputs.arguments }}

.github/workflows/close-inactive-issues.yml

@@ -3,6 +3,7 @@ on:
   schedule:
     - cron: "30 1 * * *"
   workflow_dispatch:
+permissions: read-all
 jobs:
   close-issues:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -13,6 +13,8 @@ on:
   schedule:
     - cron: '0 19 * * 3'
 
+permissions: read-all
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
@@ -32,7 +34,7 @@ jobs:
     - name: Check out repository
       uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3
+      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3
       with:
         languages: ${{ matrix.language }}
         tools: linked
@@ -44,4 +46,4 @@ jobs:
           -Dscan.tag.CodeQL \
           allMainClasses
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3
+      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3

.github/workflows/cross-version.yml

@@ -11,6 +11,8 @@ on:
     branches:
       - '*'
 
+permissions: read-all
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 

.github/workflows/gradle-dependency-submission.yml

@@ -5,13 +5,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+permissions: read-all
 
 jobs:
   dependency-submission:
     if: github.repository == 'junit-team/junit5'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - name: Check out repository
       uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

.github/workflows/label-opened-issues.yml

@@ -3,6 +3,7 @@ on:
   issues:
     types:
       - opened
+permissions: read-all
 jobs:
   label_issues:
     runs-on: ubuntu-latest

.github/workflows/main.yml

@@ -9,6 +9,8 @@ on:
     branches:
       - '*'
 
+permissions: read-all
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 

.github/workflows/ossf-scorecard.yml

@@ -0,0 +1,62 @@
+name: OpenSSF Scorecard supply-chain security analysis
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '31 20 * * 6'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        with:
+          sarif_file: results.sarif

.github/workflows/reproducible-build.yml

@@ -9,6 +9,8 @@ on:
     branches:
       - '*'
 
+permissions: read-all
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 

.github/workflows/unlabel-closed-issues.yml

@@ -3,6 +3,7 @@ on:
   issues:
     types:
       - closed
+permissions: read-all
 jobs:
   label_issues:
     runs-on: ubuntu-latest