diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml
index 5f5884b0..02a037fb 100644
--- a/.config/pmd/java/ruleset.xml
+++ b/.config/pmd/java/ruleset.xml
@@ -196,9 +196,9 @@
+ language="java"
+ message="Setters of java.lang.System should not be called unless really needed"
+ class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior.
For example, it may break when multiple Threads are setting the value.
@@ -219,9 +219,9 @@
+ language="java"
+ message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities"
+ class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en).
Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial).
diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml
index a37abe70..5921f76c 100644
--- a/.github/workflows/broken-links.yml
+++ b/.github/workflows/broken-links.yml
@@ -19,7 +19,7 @@ jobs:
- name: Link Checker
id: lychee
- uses: lycheeverse/lychee-action@5c4ee84814c983aa7164eaee476f014e53ff3963 # v2
+ uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2
with:
fail: false # Don't fail on broken links, create an issue instead
@@ -29,7 +29,7 @@ jobs:
echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title \"Link Checker Report\"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ github.token }}
-
+
- name: Close issue if everything is fine
if: steps.lychee.outputs.exit_code == 0 && steps.find-issue.outputs.number != ''
run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml
index fdeead25..01f08402 100644
--- a/.github/workflows/check-build.yml
+++ b/.github/workflows/check-build.yml
@@ -26,25 +26,30 @@ jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 30
-
strategy:
matrix:
java: [17, 21]
distribution: [temurin]
-
steps:
- uses: actions/checkout@v5
-
+
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with:
distribution: ${{ matrix.distribution }}
java-version: ${{ matrix.java }}
- cache: 'maven'
-
+
+ - name: Cache Maven
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-mvn-build-
+
- name: Build with Maven
run: ./mvnw -B clean package
-
+
- name: Check for uncommited changes
run: |
if [[ "$(git status --porcelain)" != "" ]]; then
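Review bot: The new `Cache Maven` step references `actions/cache@v4` by a movable tag, and the bumped `actions/setup-java@v5` does the same, while other workflows in this commit pin actions to a full commit SHA with the version as a trailing comment (`lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2`). A tag can be repointed after review, so the code that populates `~/.m2/repository` is not fixed by this commit. Consider the same form here, `uses: actions/cache@<full-commit-sha> # v4`, and likewise for `setup-java`. The same tag references recur in the later hunks of this file and in `release.yml` and `test-deploy.yml`, where the jobs also receive `secrets.MAVEN_GPG_PRIVATE_KEY`. The `build` job body continues outside this hunk.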
@@ -74,21 +79,34 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || !startsWith(github.head_ref, 'renovate/') }}
timeout-minutes: 15
-
strategy:
matrix:
java: [17]
distribution: [temurin]
-
steps:
- uses: actions/checkout@v5
-
+
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with:
distribution: ${{ matrix.distribution }}
java-version: ${{ matrix.java }}
- cache: 'maven'
+
+ - name: Cache Maven
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-mvn-checkstyle-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-mvn-checkstyle-
+
+ - name: CheckStyle Cache
+ uses: actions/cache@v4
+ with:
+ path: '**/target/checkstyle-cachefile'
+ key: ${{ runner.os }}-checkstyle-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-checkstyle-
- name: Run Checkstyle
run: ./mvnw -B checkstyle:check -P checkstyle -T2C
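Review bot: The `CheckStyle Cache` key depends only on `hashFiles('**/pom.xml')`, so once an entry exists for that key every later run gets an exact hit and `actions/cache` does not save the file again. The Checkstyle gate then keeps reading the same restored `checkstyle-cachefile` however much the sources or rules have changed since. A per-run suffix lets the `restore-keys` prefix do the restoring and allows a fresh save each run, e.g. `key: ${{ runner.os }}-checkstyle-${{ hashFiles('**/pom.xml') }}-${{ github.run_id }}`. The `PMD Cache` step in the hunk at `@@ -97,21 +115,34` uses the same key shape. A blank line before `- name: Run Checkstyle` would also match the spacing of the other steps.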
@@ -97,21 +115,34 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'pull_request' || !startsWith(github.head_ref, 'renovate/') }}
timeout-minutes: 15
-
strategy:
matrix:
java: [17]
distribution: [temurin]
-
steps:
- uses: actions/checkout@v5
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with:
distribution: ${{ matrix.distribution }}
java-version: ${{ matrix.java }}
- cache: 'maven'
+
+ - name: Cache Maven
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-mvn-pmd-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-mvn-pmd-
+
+ - name: PMD Cache
+ uses: actions/cache@v4
+ with:
+ path: '**/target/pmd/pmd.cache'
+ key: ${{ runner.os }}-pmd-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-pmd-
- name: Run PMD
run: ./mvnw -B test pmd:aggregate-pmd-no-fork pmd:check -P pmd -DskipTests -T2C
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e415f670..0639fc65 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,20 +11,30 @@ permissions:
contents: write
pull-requests: write
+# DO NOT RESTORE CACHE for critical release steps to prevent a (extremely unlikely) scenario
+# where a supply chain attack could be achieved due to poisoned cache
jobs:
check-code:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v5
-
+
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with:
java-version: '17'
distribution: 'temurin'
- cache: 'maven'
-
+
+ # Try to reuse existing cache from check-build
+ - name: Try restore Maven Cache
+ uses: actions/cache/restore@v4
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-mvn-build-
+
- name: Build with Maven
run: ./mvnw -B clean package -T2C
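Review bot: The `check-code` job now restores `~/.m2/repository` from a cache written by `check-build`, yet it runs under the workflow-level `contents: write` / `pull-requests: write` token shown at the top of this hunk, so the warning comment added above `jobs:` is not enforced for it. Plugin JARs from a restored cache execute during `./mvnw -B clean package -T2C`, and `actions/checkout` keeps the token in the local git config by default. Unless a job-level override exists outside this hunk, add `permissions:` with `contents: read` to this job and `persist-credentials: false` to its checkout step. The same restore step is added in the hunk at `@@ -162,11 +172,19`, where the output of `mvnw -B compile site` appears to be published. The `restore-keys` prefix in both accepts any `mvn-build` cache rather than only one matching the current `pom.xml` hash, so the comment should name which jobs may restore a cache and which must not.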
@@ -54,15 +64,15 @@ jobs:
upload_url: ${{ steps.create-release.outputs.upload_url }}
steps:
- uses: actions/checkout@v5
-
+
- name: Configure Git
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
-
+
- name: Un-SNAP
run: ./mvnw -B versions:set -DremoveSnapshot -DprocessAllModules -DgenerateBackupPoms=false
-
+
- name: Get version
id: version
run: |
@@ -70,7 +80,7 @@ jobs:
echo "release=$version" >> $GITHUB_OUTPUT
echo "releasenumber=${version//[!0-9]/}" >> $GITHUB_OUTPUT
working-directory: ${{ env.PRIMARY_MAVEN_MODULE }}
-
+
- name: Commit and Push
run: |
git add -A
@@ -78,7 +88,7 @@ jobs:
git push origin
git tag v${{ steps.version.outputs.release }}
git push origin --tags
-
+
- name: Create Release
id: create-release
uses: shogo82148/actions-create-release@4661dc54f7b4b564074e9fbf73884d960de569a3 # v1
@@ -106,7 +116,7 @@ jobs:
timeout-minutes: 60
steps:
- uses: actions/checkout@v5
-
+
- name: Init Git and pull
run: |
git config --global user.email "actions@github.com"
@@ -114,7 +124,7 @@ jobs:
git pull
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with: # running setup-java overwrites the settings.xml
distribution: 'temurin'
java-version: '17'
@@ -122,7 +132,7 @@ jobs:
server-password: PACKAGES_CENTRAL_TOKEN
gpg-passphrase: MAVEN_GPG_PASSPHRASE
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Only import once
-
+
- name: Publish to GitHub Packages Central
run: ../mvnw -B deploy -P publish -DskipTests -DaltDeploymentRepository=github-central::https://maven.pkg.github.com/xdev-software/central
working-directory: ${{ env.PRIMARY_MAVEN_MODULE }}
@@ -131,7 +141,7 @@ jobs:
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with: # running setup-java again overwrites the settings.xml
distribution: 'temurin'
java-version: '17'
@@ -154,7 +164,7 @@ jobs:
timeout-minutes: 15
steps:
- uses: actions/checkout@v5
-
+
- name: Init Git and pull
run: |
git config --global user.email "actions@github.com"
@@ -162,11 +172,19 @@ jobs:
git pull
- name: Setup - Java
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with:
java-version: '17'
distribution: 'temurin'
- cache: 'maven'
+
+ # Try to reuse existing cache from check-build
+ - name: Try restore Maven Cache
+ uses: actions/cache/restore@v4
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-mvn-build-
- name: Build site
run: ../mvnw -B compile site -DskipTests -T2C
@@ -185,7 +203,7 @@ jobs:
timeout-minutes: 10
steps:
- uses: actions/checkout@v5
-
+
- name: Init Git and pull
run: |
git config --global user.email "actions@github.com"
@@ -200,7 +218,7 @@ jobs:
git add -A
git commit -m "Preparing for next development iteration"
git push origin
-
+
- name: pull-request
env:
GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index 795bd6e8..b75a246e 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -14,7 +14,7 @@ jobs:
- uses: actions/checkout@v5
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with: # running setup-java overwrites the settings.xml
distribution: 'temurin'
java-version: '17'
@@ -22,16 +22,16 @@ jobs:
server-password: PACKAGES_CENTRAL_TOKEN
gpg-passphrase: MAVEN_GPG_PASSPHRASE
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Only import once
-
+
- name: Publish to GitHub Packages Central
run: ../mvnw -B deploy -P publish -DskipTests -DaltDeploymentRepository=github-central::https://maven.pkg.github.com/xdev-software/central
working-directory: ${{ env.PRIMARY_MAVEN_MODULE }}
env:
PACKAGES_CENTRAL_TOKEN: ${{ secrets.PACKAGES_CENTRAL_TOKEN }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
-
+
- name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
with: # running setup-java again overwrites the settings.xml
distribution: 'temurin'
java-version: '17'
diff --git a/.github/workflows/update-from-template.yml b/.github/workflows/update-from-template.yml
index 5b55f2bd..47466f01 100644
--- a/.github/workflows/update-from-template.yml
+++ b/.github/workflows/update-from-template.yml
@@ -43,7 +43,7 @@ jobs:
# If no PAT is used the following error occurs on a push:
# refusing to allow a GitHub App to create or update workflow `.github/workflows/xxx.yml` without `workflows` permission
token: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
-
+
- name: Init Git
run: |
git config --global user.email "111048771+xdev-gh-bot@users.noreply.github.com"
@@ -190,7 +190,7 @@ jobs:
# If no PAT is used the following error occurs on a push:
# refusing to allow a GitHub App to create or update workflow `.github/workflows/xxx.yml` without `workflows` permission
token: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
-
+
- name: Init Git
run: |
git config --global user.email "111048771+xdev-gh-bot@users.noreply.github.com"
diff --git a/.idea/checkstyle-idea.xml b/.idea/checkstyle-idea.xml
index d43641c1..ec555b58 100644
--- a/.idea/checkstyle-idea.xml
+++ b/.idea/checkstyle-idea.xml
@@ -1,7 +1,7 @@
- 10.26.1
+ 11.0.0
JavaOnlyWithTests
true
true
diff --git a/bzst-dip-java-client/pom.xml b/bzst-dip-java-client/pom.xml
index 9da96f00..ce7d6a2d 100644
--- a/bzst-dip-java-client/pom.xml
+++ b/bzst-dip-java-client/pom.xml
@@ -229,7 +229,7 @@
org.apache.maven.plugins
maven-javadoc-plugin
- 3.11.2
+ 3.11.3
attach-javadocs
@@ -542,6 +542,7 @@
maven-pmd-plugin
3.27.0
+ true
true
true
diff --git a/pom.xml b/pom.xml
index bd507a0d..b5743fac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -72,6 +72,7 @@
maven-pmd-plugin
3.27.0
+ true
true
true