Merge branch 'master' into stable-7.5 * master: Update Maven plugins Update org.eclipse.jdt:ecj to 3.43.0 Update plexus-compiler to 2.16.0 Update org.tukaani:xz to 1.11 chore: Add sbom generation and upload workflow Change-Id: I5fdc41bf6404c2672eb179b2ecff5d878a6c52e3
diff --git a/.github/workflows/generate-maven-sbom.yaml b/.github/workflows/generate-maven-sbom.yaml
new file mode 100644
index 0000000..f717d67
--- /dev/null
+++ b/.github/workflows/generate-maven-sbom.yaml
@@ -0,0 +1,72 @@
+name: Generate Maven SBOM
+
+on:
+ push:
+ tags:
+ - "v**" # Triggers when someone pushes a tag that starts with 'v'
+
+ workflow_dispatch:
+ # The custom 'Version' input field allows running the workflow for older git
+ # refs, where this workflow file did not exist yet. This would not be
+ # possible with the builtin "Use workflow from" input field.
+ inputs:
+ version:
+ description: "Version"
+ default: "master"
+ required: true
+
+env:
+ JAVA_VERSION: '17'
+ JAVA_DISTRO: 'temurin'
+ PLUGIN_VERSION: '2.9.1'
+ SBOM_TYPE: 'makeAggregateBom'
+ PROJECT_VERSION: "${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.version }}"
+
+permissions:
+ contents: read
+
+jobs:
+ generate-sbom:
+ runs-on: ubuntu-latest
+ outputs:
+ # Make env var available in re-usuable workflow (see actions/runner#2372)
+ project-version: ${{ env.PROJECT_VERSION }}
+ steps:
+ - name: Checkout repository at '${{ env.PROJECT_VERSION }}'
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+ ref: ${{ env.PROJECT_VERSION }}
+ persist-credentials: false
+
+ - name: Setup Java SDK
+ uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+ with:
+ java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.JAVA_DISTRO }}
+
+ - name: Generate
+ run: |
+ mvn org.cyclonedx:cyclonedx-maven-plugin:${PLUGIN_VERSION}:${SBOM_TYPE} \
+ -DoutputFormat=json \
+ -DoutputDirectory=target \
+ -DoutputName=cyclonedx
+
+
+ - name: Upload
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: sbom
+ path: target/cyclonedx.json
+
+ # Store SBOM and metadata in a predefined format for otterdog to pick up
+ store-sbom-data:
+ needs: ['generate-sbom']
+ uses: eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@main
+ with:
+ projectName: 'JGit'
+ projectVersion: ${{ needs.generate-sbom.outputs.project-version }}
+ bomArtifact: 'sbom'
+ bomFilename: 'cyclonedx.json'
+ parentProject: '6638fa7e-8518-4528-9419-e24f629b7e9f'
+
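Review bot: `PROJECT_VERSION` tests `github.event_name == 'release'`, but the `on:` block declares only `push` (tags) and `workflow_dispatch`, so on a tag push the expression falls through to `github.event.inputs.version`, which is empty for that event. Checkout should then fall back to the triggering ref, but the `project-version` output handed to `store-sbom-data` would be blank, so the SBOM is presumably stored without a version; `PROJECT_VERSION: "${{ github.event_name == 'push' && github.ref_name || github.event.inputs.version }}"` would cover both declared triggers. Separately, the reusable workflow is referenced as `store-sbom-data.yml@main` while every other `uses:` in this file is pinned to a commit SHA. Pinning it the same way, `uses: eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@<full-commit-sha> # main`, keeps a later change on that branch from silently altering what processes this job's artifact.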
diff --git a/WORKSPACE b/WORKSPACE
index 6a36598..a4fcf1d 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -182,8 +182,8 @@ maven_jar( name = "tukaani-xz", - artifact = "org.tukaani:xz:1.10", - sha1 = "1be8166f89e035a56c6bfc67dbc423996fe577e2", + artifact = "org.tukaani:xz:1.11", + sha1 = "bdfd1774efb216f506f4f3c5b08c205b308c50aa", ) maven_jar(
diff --git a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.34.target b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.34.target
index a66c416..b75d6f7 100644
--- a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.34.target
+++ b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.34.target
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <?pde?> <!-- generated with https://github.com/eclipse-cbi/targetplatform-dsl --> -<target name="jgit-4.34" sequenceNumber="1763480041"> +<target name="jgit-4.34" sequenceNumber="1763654302"> <locations> <location includeMode="slicer" includeAllPlatforms="false" includeSource="true" includeConfigurePhase="true" type="InstallableUnit"> <unit id="com.jcraft.jsch" version="0.1.55.v20230916-1400"/> @@ -39,7 +39,7 @@ <dependency> <groupId>org.tukaani</groupId> <artifactId>xz</artifactId> - <version>1.10</version> + <version>1.11</version> <type>jar</type> </dependency> </dependencies>
diff --git a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.35.target b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.35.target
index 4a95a31..0a7d6e2 100644
--- a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.35.target
+++ b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.35.target
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <?pde?> <!-- generated with https://github.com/eclipse-cbi/targetplatform-dsl --> -<target name="jgit-4.35" sequenceNumber="1763480041"> +<target name="jgit-4.35" sequenceNumber="1763654302"> <locations> <location includeMode="slicer" includeAllPlatforms="false" includeSource="true" includeConfigurePhase="true" type="InstallableUnit"> <unit id="com.jcraft.jsch" version="0.1.55.v20230916-1400"/> @@ -39,7 +39,7 @@ <dependency> <groupId>org.tukaani</groupId> <artifactId>xz</artifactId> - <version>1.10</version> + <version>1.11</version> <type>jar</type> </dependency> </dependencies>
diff --git a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.36.target b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.36.target
index 26c08eb..5500a78 100644
--- a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.36.target
+++ b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.36.target
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <?pde?> <!-- generated with https://github.com/eclipse-cbi/targetplatform-dsl --> -<target name="jgit-4.36" sequenceNumber="1763480041"> +<target name="jgit-4.36" sequenceNumber="1763654302"> <locations> <location includeMode="slicer" includeAllPlatforms="false" includeSource="true" includeConfigurePhase="true" type="InstallableUnit"> <unit id="com.jcraft.jsch" version="0.1.55.v20230916-1400"/> @@ -39,7 +39,7 @@ <dependency> <groupId>org.tukaani</groupId> <artifactId>xz</artifactId> - <version>1.10</version> + <version>1.11</version> <type>jar</type> </dependency> </dependencies>
diff --git a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.37.target b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.37.target
index 26b591b..1900eda 100644
--- a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.37.target
+++ b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.37.target
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <?pde?> <!-- generated with https://github.com/eclipse-cbi/targetplatform-dsl --> -<target name="jgit-4.37" sequenceNumber="1763480041"> +<target name="jgit-4.37" sequenceNumber="1763654303"> <locations> <location includeMode="slicer" includeAllPlatforms="false" includeSource="true" includeConfigurePhase="true" type="InstallableUnit"> <unit id="com.jcraft.jsch" version="0.1.55.v20230916-1400"/> @@ -39,7 +39,7 @@ <dependency> <groupId>org.tukaani</groupId> <artifactId>xz</artifactId> - <version>1.10</version> + <version>1.11</version> <type>jar</type> </dependency> </dependencies>
diff --git a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.38.target b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.38.target
index 3d52110..2571b91 100644
--- a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.38.target
+++ b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.38.target
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <?pde?> <!-- generated with https://github.com/eclipse-cbi/targetplatform-dsl --> -<target name="jgit-4.38" sequenceNumber="1763480041"> +<target name="jgit-4.38" sequenceNumber="1763654304"> <locations> <location includeMode="slicer" includeAllPlatforms="false" includeSource="true" includeConfigurePhase="true" type="InstallableUnit"> <unit id="com.jcraft.jsch" version="0.1.55.v20230916-1400"/> @@ -39,7 +39,7 @@ <dependency> <groupId>org.tukaani</groupId> <artifactId>xz</artifactId> - <version>1.10</version> + <version>1.11</version> <type>jar</type> </dependency> </dependencies>
diff --git a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/maven/dependencies.tpd b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/maven/dependencies.tpd
index 085e902..bd29539 100644
--- a/org.eclipse.jgit.packaging/org.eclipse.jgit.target/maven/dependencies.tpd
+++ b/org.eclipse.jgit.packaging/org.eclipse.jgit.target/maven/dependencies.tpd
@@ -274,6 +274,6 @@ dependency { groupId = "org.tukaani" artifactId = "xz" - version = "1.10" + version = "1.11" } } \ No newline at end of file
diff --git a/pom.xml b/pom.xml
index b96ad8a..91bdd88 100644
--- a/pom.xml
+++ b/pom.xml
@@ -131,20 +131,20 @@ <osgi-core-version>6.0.0</osgi-core-version> <servlet-api-version>6.1.0</servlet-api-version> <jetty-version>12.1.4</jetty-version> - <japicmp-version>0.24.1</japicmp-version> + <japicmp-version>0.24.2</japicmp-version> <httpclient-version>4.5.14</httpclient-version> <httpcore-version>4.4.16</httpcore-version> <slf4j-version>2.0.17</slf4j-version> <maven-javadoc-plugin-version>3.12.0</maven-javadoc-plugin-version> <gson-version>2.13.2</gson-version> <bouncycastle-version>1.82</bouncycastle-version> - <spotbugs-maven-plugin-version>4.9.6.0</spotbugs-maven-plugin-version> + <spotbugs-maven-plugin-version>4.9.8.1</spotbugs-maven-plugin-version> <maven-project-info-reports-plugin-version>3.9.0</maven-project-info-reports-plugin-version> <maven-jxr-plugin-version>3.6.0</maven-jxr-plugin-version> <maven-surefire-plugin-version>3.5.4</maven-surefire-plugin-version> <maven-surefire-report-plugin-version>${maven-surefire-plugin-version}</maven-surefire-report-plugin-version> <maven-compiler-plugin-version>3.14.1</maven-compiler-plugin-version> - <plexus-compiler-version>2.13.0</plexus-compiler-version> + <plexus-compiler-version>2.16.0</plexus-compiler-version> <hamcrest-version>3.0</hamcrest-version> <assertj-version>3.27.6</assertj-version> <jna-version>5.18.1</jna-version> @@ -300,12 +300,12 @@ <plugin> <groupId>org.eclipse.cbi.maven.plugins</groupId> <artifactId>eclipse-jarsigner-plugin</artifactId> - <version>1.5.2</version> + <version>1.5.3</version> </plugin> <plugin> <groupId>org.jacoco</groupId> <artifactId>jacoco-maven-plugin</artifactId> - <version>0.8.13</version> + <version>0.8.14</version> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> 
@@ -609,7 +609,7 @@ <artifactId>cyclonedx-maven-plugin</artifactId> <configuration> <projectType>library</projectType> - <schemaVersion>1.4</schemaVersion> + <schemaVersion>1.6</schemaVersion> <includeBomSerialNumber>true</includeBomSerialNumber> <includeCompileScope>true</includeCompileScope> <includeProvidedScope>true</includeProvidedScope> @@ -923,7 +923,7 @@ <dependency> <groupId>org.tukaani</groupId> <artifactId>xz</artifactId> - <version>1.10</version> + <version>1.11</version> <optional>true</optional> </dependency> @@ -1129,7 +1129,7 @@ <dependency> <groupId>org.eclipse.jdt</groupId> <artifactId>ecj</artifactId> - <version>3.40.0</version> + <version>3.43.0</version> </dependency> </dependencies> </plugin>