diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9aca467a3b..e5bd38a414 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,7 +2,7 @@ name: Build and verify
on:
pull_request:
push:
- branches: [ master ]
+ branches:
permissions:
contents: read
jobs:
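Review bot: The new `branches:` key under `push:` has no value, so YAML parses it as null rather than as an empty or all-matching list, and how the workflow loader treats a null filter cannot be seen from this diff. If the intent is to build on pushes to every branch, drop the key so that `push:` stands alone, or state it explicitly with `branches: [ '**' ]`. This matters more than usual here because a later hunk in this file passes `GITHUB_TOKEN` to the build step, so the set of refs that trigger the job should be readable at a glance.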
@@ -33,7 +33,9 @@ jobs:
allowed-endpoints: >
api.adoptium.net:443
github.com:443
+ github-registry-files.githubusercontent.com:443
jitpack.io:443
+ maven.pkg.github.com:443
objects.githubusercontent.com:443
repo.maven.apache.org:443
# We run the build twice for each supported JDK: once against the
@@ -50,9 +52,9 @@ jobs:
- name: Display build environment details
run: mvn --version
- name: Build project against vanilla Error Prone, compile Javadoc
- run: mvn -T1C install javadoc:jar
- - name: Build project with self-check against Error Prone fork
- run: mvn -T1C clean verify -Perror-prone-fork -Pnon-maven-central -Pself-check -s settings.xml
+ run: mvn -T1C install javadoc:jar -P non-maven-central -s settings.xml
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Remove installed project artifacts
run: mvn dependency:purge-local-repository -DmanualInclude='${project.groupId}' -DresolutionFuzziness=groupId
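Review bot: The `GITHUB_TOKEN` added under `env:` on the "Build project against vanilla Error Prone" step is visible to the whole Maven process, so every plugin and test executed by `install` can read it, including code from a pull request. The workflow-level `permissions:` block shown in the first hunk grants only `contents: read`; downloading from maven.pkg.github.com presumably also needs `packages: read`, and adding exactly that scope keeps the token least-privileged. The step name still says "vanilla Error Prone" although the command now activates `-P non-maven-central`, and the self-check step against the fork is removed without a replacement, so a short comment explaining both would help. The job definition starts outside this hunk.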
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index aff9cd0bb8..0000000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-# Analyzes the code using GitHub's default CodeQL query database.
-# Identified issues are registered with GitHub's code scanning dashboard. When
-# a pull request is analyzed, any offending lines are annotated. See
-# https://codeql.github.com for details.
-name: CodeQL analysis
-on:
- pull_request:
- push:
- branches: [ master ]
- schedule:
- - cron: '0 4 * * 1'
-permissions:
- contents: read
-jobs:
- analyze:
- strategy:
- matrix:
- language: [ java, ruby ]
- permissions:
- contents: read
- security-events: write
- runs-on: ubuntu-24.04
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.adoptium.net:443
- api.github.com:443
- github.com:443
- objects.githubusercontent.com:443
- repo.maven.apache.org:443
- uploads.github.com:443
- - name: Check out code and set up JDK and Maven
- uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0
- with:
- java-version: 17.0.13
- java-distribution: temurin
- maven-version: 3.9.9
- - name: Initialize CodeQL
- uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
- with:
- languages: ${{ matrix.language }}
- - name: Perform minimal build
- if: matrix.language == 'java'
- run: mvn -T1C clean package -DskipTests -Dverification.skip
- - name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
- with:
- category: /language:${{ matrix.language }}
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
deleted file mode 100644
index 42bdfc2942..0000000000
--- a/.github/workflows/deploy-website.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-name: Update `error-prone.picnic.tech` website content
-on:
- pull_request:
- push:
- branches: [ master, website ]
-permissions:
- contents: read
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
- build:
- runs-on: ubuntu-24.04
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.adoptium.net:443
- api.github.com:443
- bestpractices.coreinfrastructure.org:443
- blog.picnic.nl:443
- errorprone.info:443
- github.com:443
- img.shields.io:443
- index.rubygems.org:443
- jitpack.io:443
- maven.apache.org:443
- objects.githubusercontent.com:443
- pitest.org:443
- repo.maven.apache.org:443
- rubygems.org:443
- search.maven.org:443
- securityscorecards.dev:443
- sonarcloud.io:443
- www.baeldung.com:443
- www.bestpractices.dev:443
- www.youtube.com:443
- youtrack.jetbrains.com:443
- - name: Check out code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- persist-credentials: false
- - uses: ruby/setup-ruby@bfefad842bb982ff05b233bcbc1571d97a87e69f # v1.206.0
- with:
- working-directory: ./website
- bundler-cache: true
- - name: Configure Github Pages
- uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
- - name: Generate documentation
- run: ./generate-docs.sh
- - name: Build website with Jekyll
- working-directory: ./website
- run: bundle exec jekyll build
- - name: Validate HTML output
- working-directory: ./website
- # XXX: Drop `--disable_external true` once we fully adopted the
- # "Refaster rules" terminology on our website and in the code.
- run: bundle exec htmlproofer --disable_external true --check-external-hash false ./_site
- - name: Upload website as artifact
- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
- with:
- path: ./website/_site
- deploy:
- if: github.ref == 'refs/heads/website'
- needs: build
- permissions:
- id-token: write
- pages: write
- runs-on: ubuntu-24.04
- environment:
- name: github-pages
- url: ${{ steps.deployment.outputs.page_url }}
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.github.com:443
- - name: Deploy to GitHub Pages
- id: deployment
- uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
deleted file mode 100644
index 0dea645746..0000000000
--- a/.github/workflows/openssf-scorecard.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-# Analyzes the code base and GitHub project configuration for adherence to
-# security best practices for open source software. Identified issues are
-# registered with GitHub's code scanning dashboard. When a pull request is
-# analyzed, any offending lines are annotated. See
-# https://securityscorecards.dev for details.
-name: OpenSSF Scorecard update
-on:
- pull_request:
- push:
- branches: [ master ]
- schedule:
- - cron: '0 4 * * 1'
-permissions:
- contents: read
-jobs:
- analyze:
- permissions:
- contents: read
- security-events: write
- id-token: write
- runs-on: ubuntu-24.04
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.deps.dev:443
- api.github.com:443
- api.osv.dev:443
- api.scorecard.dev:443
- api.securityscorecards.dev:443
- github.com:443
- index.docker.io:443
- oss-fuzz-build-logs.storage.googleapis.com:443
- repo.maven.apache.org:443
- *.sigstore.dev:443
- www.bestpractices.dev:443
- - name: Check out code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- persist-credentials: false
- - name: Run OpenSSF Scorecard analysis
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
- with:
- results_file: results.sarif
- results_format: sarif
- publish_results: ${{ github.ref == 'refs/heads/master' }}
- - name: Update GitHub's code scanning dashboard
- uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
- with:
- sarif_file: results.sarif
diff --git a/.github/workflows/pitest-analyze-pr.yml b/.github/workflows/pitest-analyze-pr.yml
deleted file mode 100644
index ded194c679..0000000000
--- a/.github/workflows/pitest-analyze-pr.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# Performs mutation testing analysis on the files changed by a pull request and
-# uploads the results. The associated PR is subsequently updated by the
-# `pitest-update-pr.yml` workflow. See https://blog.pitest.org/oss-pitest-pr/
-# for details.
-name: "Mutation testing"
-on:
- pull_request:
-permissions:
- contents: read
-jobs:
- analyze-pr:
- runs-on: ubuntu-24.04
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.adoptium.net:443
- github.com:443
- objects.githubusercontent.com:443
- repo.maven.apache.org:443
- - name: Check out code and set up JDK and Maven
- uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0
- with:
- checkout-fetch-depth: 2
- java-version: 17.0.13
- java-distribution: temurin
- maven-version: 3.9.9
- - name: Run Pitest
- # By running with features `+GIT(from[HEAD~1]), +gitci`, Pitest only
- # analyzes lines changed in the associated pull request, as GitHub
- # exposes the changes unique to the PR as a single commit on top of the
- # target branch. See https://blog.pitest.org/pitest-pr-setup for
- # details.
- run: mvn test pitest:mutationCoverage -DargLine.xmx=2048m -Dverification.skip -Dfeatures="+GIT(from[HEAD~1]), +gitci"
- - name: Aggregate Pitest reports
- run: mvn pitest-git:aggregate -DkilledEmoji=":tada:" -DmutantEmoji=":zombie:" -DtrailingText="Mutation testing report by [Pitest](https://pitest.org/). Review any surviving mutants by inspecting the line comments under [_Files changed_](${{ github.event.number }}/files)."
- - name: Upload Pitest reports as artifact
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
- with:
- name: pitest-reports
- path: ./target/pit-reports-ci
diff --git a/.github/workflows/pitest-update-pr.yml b/.github/workflows/pitest-update-pr.yml
deleted file mode 100644
index f47369a901..0000000000
--- a/.github/workflows/pitest-update-pr.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# Updates a pull request based on the corresponding mutation testing analysis
-# performed by the `pitest-analyze-pr.yml` workflow. See
-# https://blog.pitest.org/oss-pitest-pr/ for details.
-name: "Mutation testing: post results"
-on:
- workflow_run:
- workflows: ["Mutation testing"]
- types:
- - completed
-permissions:
- actions: read
-jobs:
- update-pr:
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- permissions:
- actions: read
- checks: write
- contents: read
- pull-requests: write
- runs-on: ubuntu-24.04
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.adoptium.net:443
- api.github.com:443
- github.com:443
- objects.githubusercontent.com:443
- repo.maven.apache.org:443
- - name: Check out code and set up JDK and Maven
- uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0
- with:
- java-version: 17.0.13
- java-distribution: temurin
- maven-version: 3.9.9
- - name: Download Pitest analysis artifact
- uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
- with:
- workflow: ${{ github.event.workflow_run.workflow_id }}
- name: pitest-reports
- path: ./target/pit-reports-ci
- - name: Update PR
- run: mvn -DrepoToken="${{ secrets.GITHUB_TOKEN }}" pitest-github:updatePR
diff --git a/.github/workflows/run-integration-tests.yml b/.github/workflows/run-integration-tests.yml
deleted file mode 100644
index d82fa7fe9e..0000000000
--- a/.github/workflows/run-integration-tests.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-# If requested by means of a pull request comment, runs integration tests
-# against the project, using the code found on the pull request branch.
-# XXX: Review whether then build matrix should also vary JDK or OS versions.
-# XXX: Support `/integration-test [name...]` comment syntax to specify the
-# subset of integration tests to run.
-# See this example of a dynamic build matrix:
-# https://docs.github.com/en/actions/learn-github-actions/expressions#example-returning-a-json-object
-name: "Integration tests"
-on:
- issue_comment:
- types: [ created ]
-permissions:
- contents: read
-jobs:
- run-integration-tests:
- name: On-demand integration test
- if: |
- github.event.issue.pull_request && contains(github.event.comment.body, '/integration-test')
- runs-on: ubuntu-24.04
- strategy:
- matrix:
- integration-test: [ "checkstyle", "metrics", "prometheus-java-client" ]
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- # XXX: After updating the validation build flags in
- # `integration-tests/prometheus-java-client.sh`, review whether the
- # Docker domains specified here can be dropped.
- api.adoptium.net:443
- auth.docker.io:443
- checkstyle.org:443
- example.com:80
- github.com:443
- objects.githubusercontent.com:443
- oss.sonatype.org:443
- production.cloudflare.docker.com:443
- raw.githubusercontent.com:443
- registry-1.docker.io:443
- repo.maven.apache.org:443
- repository.sonatype.org:443
- - name: Check out code and set up JDK and Maven
- uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0
- with:
- checkout-ref: "refs/pull/${{ github.event.issue.number }}/head"
- java-version: 17.0.13
- java-distribution: temurin
- maven-version: 3.9.9
- - name: Install project to local Maven repository
- run: mvn -T1C install -DskipTests -Dverification.skip
- - name: Run integration test
- run: xvfb-run "./integration-tests/${{ matrix.integration-test }}.sh" "${{ runner.temp }}/artifacts"
- - name: Upload artifacts on failure
- if: ${{ failure() }}
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
- with:
- name: "integration-test-${{ matrix.integration-test }}"
- path: "${{ runner.temp }}/artifacts"
- - name: Remove installed project artifacts
- run: mvn dependency:purge-local-repository -DmanualInclude='${project.groupId}' -DresolutionFuzziness=groupId
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
deleted file mode 100644
index 90df58dfb9..0000000000
--- a/.github/workflows/sonarcloud.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-# Analyzes the code base using SonarCloud. See
-# https://sonarcloud.io/project/overview?id=PicnicSupermarket_error-prone-support.
-name: SonarCloud analysis
-on:
- pull_request:
- push:
- branches: [ master ]
- schedule:
- - cron: '0 4 * * 1'
-permissions:
- contents: read
-jobs:
- analyze:
- # Analysis of code in forked repositories is skipped, as such workflow runs
- # do not have access to the requisite secrets.
- if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
- permissions:
- contents: read
- runs-on: ubuntu-24.04
- steps:
- - name: Install Harden-Runner
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
- api.adoptium.net:443
- api.nuget.org:443
- ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
- github.com:443
- objects.githubusercontent.com:443
- repo.maven.apache.org:443
- sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
- *.sonarcloud.io:443
- sonarcloud.io:443
- - name: Check out code and set up JDK and Maven
- uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0
- with:
- checkout-fetch-depth: 0
- java-version: 17.0.13
- java-distribution: temurin
- maven-version: 3.9.9
- - name: Create missing `test` directory
- # XXX: Drop this step in favour of actually having a test.
- run: mkdir refaster-compiler/src/test
- - name: Perform SonarCloud analysis
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- run: mvn -T1C jacoco:prepare-agent verify jacoco:report sonar:sonar -Dverification.skip -Dsonar.projectKey=PicnicSupermarket_error-prone-support
diff --git a/pom.xml b/pom.xml
index 756e30ea0b..945967a137 100644
--- a/pom.xml
+++ b/pom.xml
@@ -211,7 +211,7 @@
1.11.0
${version.error-prone-orig}
v${version.error-prone-orig}-picnic-1
- 2.36.0
+ 2.36.0-test-1
0.1.28
1.0
17
diff --git a/settings.xml b/settings.xml
index dc0a082218..d16186719f 100644
--- a/settings.xml
+++ b/settings.xml
@@ -5,13 +5,13 @@
+ Prone. This fork is hosted using GitHub Packages. See
+ https://github.com/PicnicSupermarket/error-prone/packages/. -->
error-prone-fork
- jitpack.io
- https://jitpack.io
+ error-prone-fork
+ https://maven.pkg.github.com/PicnicSupermarket/error-prone
@@ -19,8 +19,13 @@
+
non-maven-central
+
+ error-prone-fork
+ https://maven.pkg.github.com/PicnicSupermarket/error-prone
+
jitpack.io
https://jitpack.io
@@ -29,4 +34,12 @@
+
+
+ error-prone-fork
+ ${env.GITHUB_ACTOR}
+ ${env.GITHUB_TOKEN}
+
+
+
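Review bot: The `error-prone-fork` server entry reads its credentials from `${env.GITHUB_ACTOR}` and `${env.GITHUB_TOKEN}`, but nothing in the file tells someone running `mvn -s settings.xml` locally that these must be set. As far as I know Maven leaves an unresolved `${env.…}` expression as literal text, so the request would be sent with a bogus password and fail with an authentication error that does not name the cause. I would extend the comment added in the first hunk with a line such as `Requires GITHUB_ACTOR and GITHUB_TOKEN (a token limited to read:packages) in the environment.` Referencing the environment rather than embedding a literal credential is the right choice and should stay. The XML markup is not visible on this page, so the element names are inferred from the values.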