From 11b37d1b906c50bf62fc209afb44bc48e7068f7f Mon Sep 17 00:00:00 2001 From: Carmine DiMascio Date: Sun, 1 Sep 2024 00:43:42 -0400 Subject: [PATCH 1/6] Delete .github/workflows/codeql.yml
---
.github/workflows/codeql.yml | 78 ------------------------------------ 1 file changed, 78 deletions(-) delete mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index d16c4d4..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: ["master"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["master"] - schedule: - - cron: "0 0 * * 1" - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["java"] - # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - egress-policy: audit - - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # # If this step fails, then you should remove it and run the build manually (see below) - # - name: Autobuild - # uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - - run: | - echo "Run, Build Application using script" - mvn clean test jacoco:report package - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - with: - category: "/language:${{matrix.language}}" From d71f7d42961e1a0afed614d178ff87de7b8fff5d Mon Sep 17 00:00:00 2001 From: carmine Date: Sun, 1 Sep 2024 08:21:30 -0400 Subject: [PATCH 2/6] remove codeql workflow - its configured through settings --- .github/workflows/codeql.yml | 78 ------------------------------------ 1 file changed, 78 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 976ea2d..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: ["master"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["master"] - schedule: - - cron: "0 0 * * 1" - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["java"] - # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - egress-policy: audit - - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # # If this step fails, then you should remove it and run the build manually (see below) - # - name: Autobuild - # uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - - run: | - echo "Run, Build Application using script" - mvn clean test jacoco:report package - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - with: - category: "/language:${{matrix.language}}" From e83255d787fe964a2d64bb7d495c553dd43ffd0d Mon Sep 17 00:00:00 2001 From: carmine Date: Sun, 1 Sep 2024 09:04:00 -0400 Subject: [PATCH 3/6] fix javadoc --- pom.xml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3a08f1a..ae21e3f 100644 --- a/pom.xml +++ b/pom.xml @@ -219,7 +219,7 @@ maven-javadoc-plugin ${maven.javadoc.plugin} - ${compile.javadoc.source} + @@ -237,6 +237,11 @@ org.jacoco jacoco-maven-plugin ${maven.jacoco.plugin} + + + sun/util/resources/cldr/provider/CLDRLocaleDataMetaInfo + + prepare-agent From 5a12f46bd1756e3c92015d5e975c189f587babde Mon Sep 17 00:00:00 2001 From: carmine Date: Sun, 1 Sep 2024 08:21:30 -0400 Subject: [PATCH 4/6] remove codeql workflow - its configured through settings --- .github/workflows/codeql.yml | 78 ------------------------------------ 1 file changed, 78 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 976ea2d..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
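Review bot: The JaCoCo exclude added in the second pom.xml hunk, `sun/util/resources/cldr/provider/CLDRLocaleDataMetaInfo`, carries no explanation and the commit message ("fix javadoc") does not cover it, so add an XML comment above it recording why that JDK-internal class must be kept out of instrumentation, e.g. `<!-- JDK-internal CLDR provider; excluded from JaCoCo instrumentation because … -->`, filling in the failure that was observed. The element names around these lines are stripped in this rendering, so what replaces `${compile.javadoc.source}` in the first hunk cannot be checked here; confirm the javadoc plugin still receives an explicit source/release level rather than inheriting the toolchain default. This hunk is repeated verbatim as PATCH 5/6 with the identical `index 3a08f1a..ae21e3f` line, presumably a rebase artifact; applying the series in order will fail on the duplicate, so one copy should be dropped. Both plugin definitions begin and end outside the hunks.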
@@ -1,78 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: ["master"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["master"] - schedule: - - cron: "0 0 * * 1" - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["java"] - # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - egress-policy: audit - - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # # If this step fails, then you should remove it and run the build manually (see below) - # - name: Autobuild - # uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - - run: | - echo "Run, Build Application using script" - mvn clean test jacoco:report package - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - with: - category: "/language:${{matrix.language}}" From a4da71c8aed8b3c9d832c40d86b5407ffa62e896 Mon Sep 17 00:00:00 2001 From: carmine Date: Sun, 1 Sep 2024 09:04:00 -0400 Subject: [PATCH 5/6] fix javadoc --- pom.xml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3a08f1a..ae21e3f 100644 --- a/pom.xml +++ b/pom.xml @@ -219,7 +219,7 @@ maven-javadoc-plugin ${maven.javadoc.plugin} - ${compile.javadoc.source} + @@ -237,6 +237,11 @@ org.jacoco jacoco-maven-plugin ${maven.jacoco.plugin} + + + sun/util/resources/cldr/provider/CLDRLocaleDataMetaInfo + + prepare-agent From 6871219abe8b2c812651c74e2c046800ebbb7e58 Mon Sep 17 00:00:00 2001 From: carmine Date: Sun, 1 Sep 2024 09:07:52 -0400 Subject: [PATCH 6/6] update CONTRIBUTING.md --- CONTRIBUTING.md | 80 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 63 insertions(+), 17 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 653d3b4..8144235 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -41,32 +41,42 @@ Run the following to ensure the package step succeeds. mvn clean test jacoco:report package ``` -### Publish to MavenCentral - -Contributors are not responsible for deploying to mavencentral. +## Release Process -**Maven Central** - -- Publish with Maven - https://central.sonatype.org/publish/publish-maven/ -- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/ -- https://oss.sonatype.org/#profile;User%20Token - - get oss.sonatype token - -To publish a gpg key: +### Build +Build sources and javadoc ```shell -gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1 -```` +mvn clean test jacoco:report package +``` -where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key +Generate signed artifacts locally +```shell +mvn verify -P release-sign-artifacts -DperformRelease=true +``` +### Publish to Maven Central +Deploy ```shell mvn clean test jacoco:report package deploy -DperformRelease=true ``` +When first publishing to staging repos, you most close and release from OSS Sonatype. To do this +- navigate to https://oss.sonatype.org/#stagingRepositories +- select repository +- press the `close` button +- press the `release` button + +#### Artifacts upload +- Upload change log + ```shell + gh release create v3.0.1 -F CHANGELOG.md + ``` -Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release` - +- Attach 'signed' artifacts (needed for OpenSSF Security Score) + ```shell + gh release upload target/*.jar.asc --clobber + ``` ### Publish to Github Packages _Note: This step can only be run by maintainers._ 
@@ -88,13 +98,49 @@ Add `distributionManagement` to `pom.xml` mvn deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX # or mvn clean test jacoco:report package deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX +``` + +## Notes + + +### Publish to MavenCentral +Contributors are not responsible for deploying to mavencentral. + +**Maven Central** + +- Publish with Maven - https://central.sonatype.org/publish/publish-maven/ +- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/ +- https://oss.sonatype.org/#profile;User%20Token + - get oss.sonatype token + +To publish a gpg key: + +```shell +gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1 +```` + +where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key + + +```shell +mvn clean test jacoco:report package deploy -DperformRelease=true +``` + +Generate signed artifacts locally without deploying + +```shell +mvn verify -P release-sign-artifacts -DperformRelease=true ``` +Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then `release` + + https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-apache-maven-for-use-with-github-packages -OpenSSF Security Scorecard +### OpenSSF Security Scorecard - Get Analysis Result: https://api.securityscorecards.dev/#/results/getResult - Step Security - Secure Your Repo Analysis + auto PR - https://app.stepsecurity.io/securerepo - Step Security - For Repo - https://app.stepsecurity.io/github/cdimascio/actions/dashboard +