Fix GitHub workflow to release to Maven Central

Configure dependabot for Gradle
Update codeql-analysis.yml for Gradle
Create codeql-analysis.init.gradle

Author: purejava

.github/dependabot.yml

@@ -1,28 +1,12 @@
 version: 2
 updates:
-  - package-ecosystem: "maven"
+  - package-ecosystem: "gradle"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "saturday"
       time: "06:00"
       timezone: "Etc/UTC"
-    groups:
-      java-test-dependencies:
-        patterns:
-          - "org.junit.jupiter:*"
-      maven-build-plugins:
-        patterns:
-          - "org.apache.maven.plugins:*"
-          - "org.sonatype.plugins:*"
-      java-production-dependencies:
-        patterns:
-          - "*"
-        exclude-patterns:
-          - "org.openjfx:*"
-          - "org.apache.maven.plugins:*"
-          - "org.junit.jupiter:*"
-          - "org.sonatype.plugins:*"
 
   - package-ecosystem: "github-actions"
     directory: "/" # even for `.github/workflows`

.github/workflows/codeql-analysis.init.gradle

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+allprojects {
+    tasks.withType(JavaCompile).configureEach {
+        outputs.doNotCacheIf("CodeQL scanning", { true })
+    }
+}

.github/workflows/codeql-analysis.yml

@@ -8,30 +8,105 @@ on:
   schedule:
     - cron: '34 10 * * 4'
 
+permissions: {}
+
 jobs:
-  analyse:
-    name: Analyse
+  CodeQL-Build:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
-    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['java', 'javascript']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-      - uses: actions/cache@v4
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: java
-      - name: Build
-        run: mvn -B compile
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      # Checkout must run before the caching key is computed using the `hashFiles` method
+
+    - name: Cache Gradle Modules
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches/modules-2/
+          ~/.gradle/caches/build-cache-1/
+          ~/.gradle/caches/signatures/
+          ~/.gradle/caches/keyrings/
+        key: ${{ runner.os }}-gradle-cache-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
+        if: ${{ matrix.language == 'java' }}
+
+    - name: Disable checksum offloading
+      # See: https://github.com/actions/virtual-environments/issues/1187#issuecomment-686735760
+      run: sudo ethtool -K eth0 tx off rx off
+
+    # Install and setup JDK 17
+    - name: Setup JDK 17
+      uses: actions/setup-java@v4
+      with:
+        distribution: temurin
+        java-version: 17
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        tools: latest
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    - name: Compile with Gradle with Build Scan
+      if: ${{ matrix.language == 'java' && github.repository_owner == 'gradle' }}
+      run: ./gradlew --init-script .github/workflows/codeql-analysis.init.gradle -DcacheNode=us -S testClasses -Dhttp.keepAlive=false
+      env:
+        # Set the DEVELOCITY_ACCESS_KEY so that Gradle Build Scans are generated
+        DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+        # Potential stop-gap solution for ReadTimeout issues with the Gradle Build Cache
+        # https://gradle.slack.com/archives/CHDLT99C6/p1636477584059200
+        GRADLE_OPTS: -Dhttp.keepAlive=false
+        ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_PRIVATE_KEY }}
+        ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.GPG_PRIVATE_KEY_ID }}
+        ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_PASSPHRASE }}
+        ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.NEXUS_USERNAME }}
+        ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.NEXUS_PASSWORD }}
+
+    - name: Compile with Gradle without Build Scan
+      if: ${{ matrix.language == 'java' && github.repository_owner != 'gradle' }}
+      run: ./gradlew --init-script .github/workflows/codeql-analysis.init.gradle -S testClasses
+
+    - name: Cleanup Gradle Daemons
+      run: ./gradlew --stop
+      if: ${{ matrix.language == 'java' }}
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        config-file: ./.github/codeql/codeql-config.yml
+
+    - name: Cleanup Gradle Cache
+      # Cleans up the Gradle caches before being cached
+      run: |
+        rm -f ~/.gradle/caches/modules-2/modules-2.lock
+        rm -f ~/.gradle/caches/modules-2/gc.properties
+      if: ${{ matrix.language == 'java' }}

.github/workflows/release_to_maven.yml

@@ -1,31 +1,51 @@
 name: Publish to Maven Central
+
 on:
   workflow_dispatch:
     inputs:
       tag:
         description: 'Tag'
         required: true
         default: '0.0.0'
+      sonatypeUsername:
+        description: 'Sonatype username'
+        type: string
+        required: true
+      sonatypePassword:
+        description: 'Sonatype password'
+        type: string
+        required: true
+
 jobs:
   publish:
     runs-on: ubuntu-latest
+
     steps:
       - uses: actions/checkout@v4
-      - name: Import GPG key
+
+      - name: Setup GPG key information
         run: |
-          echo "$GPG_SIGNING_KEY_PW" | gpg --batch --import --yes --passphrase-fd 0 <(echo -n "$GPG_SIGNING_KEY" | base64 --decode)
           mkdir -p ~/.gradle
-          echo -n "signing.gnupg.passphrase=${GPG_SIGNING_KEY_PW}" >> ~/.gradle/gradle.properties
+          echo "signing.gnupg.homeDir=/home/runner/.gnupg" >> ~/.gradle/gradle.properties
+          echo "signing.gnupg.executable=gpg" >> ~/.gradle/gradle.properties
+          echo "signing.gnupg.keyName=ABC48776" >> ~/.gradle/gradle.properties
+          echo "signing.gnupg.passphrase=${GPG_SIGNING_KEY_PW}" >> ~/.gradle/gradle.properties
         env:
-          GPG_SIGNING_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
           GPG_SIGNING_KEY_PW: ${{ secrets.GPG_PASSPHRASE }}
+
       - name: Set up Java
         uses: actions/setup-java@v4
         with:
           java-version: '17'
           distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
       - name: Publish package
-        run: gradle publishToSonatype closeSonatypeStagingRepository
+        run: ./gradlew publishToSonatype closeSonatypeStagingRepository -PsonatypeUsername=2tezCY9e -PsonatypePassword=RE4rqMPUlTCY2ZWXE1PA1jzCBh9HBdVYoGPUlDos2DNh
         env:
-          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.NEXUS_USERNAME }}
-          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.NEXUS_PASSWORD }}
+          SONATYPE_USERNAME: ${{ inputs.sonatypeUsername }}
+          SONATYPE_PASSWORD: ${{ inputs.sonatypePassword }}
+          GPG_SIGNING_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_SIGNING_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

build.gradle

@@ -64,6 +64,10 @@ publishing {
                     developerConnection = 'scm:git:ssh://github.com/purejava/keepassxc-proxy-access.git'
                     url = 'https://github.com/purejava/keepassxc-proxy-access/tree/main'
                 }
+                issueManagement {
+                    system = 'GitHub Issues'
+                    url = 'https://github.com/purejava/keepassxc-proxy-access/issues'
+                }
             }
         }
     }
@@ -82,6 +86,8 @@ nexusPublishing {
 
 if (!version.toString().endsWith("-SNAPSHOT")) {
     signing {
+        useGpgCmd()
+        sign configurations.runtimeElements
         sign publishing.publications.mavenJava
     }
 }

gradle.properties

@@ -5,6 +5,10 @@ org.gradle.configuration-cache=false
 org.gradle.parallel=true
 org.gradle.caching=true
 
-signing.keyId=ABC48776
-signing.secretKeyRingFile=/Users/ralph/.gnupg/secring.gpg
+signing.gnupg.executable=/usr/local/bin/gpg
+signing.gnupg.homeDir=/Users/ralph/.gnupg
+signing.gnupg.keyName=ABC48776
+signing.gnupg.passphrase=
 
+sonatypeUsername=
+sonatypePassword=