Bump org.apache.groovy:groovy-all from 4.0.21 to 4.0.22 (#73)

Bumps [org.apache.groovy:groovy-all](https://github.com/apache/groovy) from 4.0.21 to 4.0.22. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/apache/groovy/commits">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.groovy:groovy-all&package-manager=gradle&previous-version=4.0.21&new-version=4.0.22)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fabasoad <[email protected]>
fabasoad · Jul 2, 2024 · 31f3bee · 31f3bee
1 parent 2a3785c
commit 31f3bee
Show file tree

Hide file tree

Showing 10 changed files with 56 additions and 236 deletions.
diff --git a/.github/labels.yml b/.github/labels.yml
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -12,4 +12,4 @@ jobs:
     name: Pre-commit
     uses: fabasoad/reusable-workflows/.github/workflows/wf-pre-commit.yml@main
     with:
-      skip-hooks: "build, snyk-test, test"
+      skip-hooks: "build, test"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,32 +1,14 @@
 ---
 name: Release
 
-on:
+on: # yamllint disable-line rule:truthy
   push:
     tags:
-      - 'v*.*.*'
+      - "v*.*.*"
 
 jobs:
-  create-release:
-    name: Create release
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Get changelog
-        id: changelog
-        uses: simbo/changes-since-last-release-action@v1
-      - name: Create release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ github.ref }}
-          name: ${{ github.ref_name }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-          body: |
-            # Changelog
-
-            ${{ steps.changelog.outputs.log }}
-          draft: false
-          prerelease: false
+  github:
+    name: GitHub
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-github-release.yml@main
+    with:
+      bump-tags: false
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -2,68 +2,19 @@
 name: Security
 
 on: # yamllint disable-line rule:truthy
+  pull_request: {}
   push:
     branches:
-      - 'main'
-  pull_request:
-
-defaults:
-  run:
-    shell: sh
+      - main
 
 jobs:
-  code-scanning:
-    name: Code scanning
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Get versions
-        id: versions
-        run: |
-          java_version=$(grep -Eo 'java [a-z0-9.-]+' .tool-versions | cut -d'-' -f2)
-          echo "java=${java_version}" >> $GITHUB_OUTPUT
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ steps.versions.outputs.java }}
-          distribution: temurin
-      - name: Setup gradle
-        uses: gradle/actions/setup-gradle@v3
-        with:
-          gradle-version: "8.8"
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: "java"
-      - name: Build
-        env:
-          SKIP_FINALIZE: true
-        run: ./gradlew build
-      - name: Perform CodeQL Analysis
-        id: codeql-analysis
-        uses: github/codeql-action/analyze@v3
-      - name: Upload to GHAS
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          category: "code-scanning"
-          sarif_file: "${{ steps.codeql-analysis.outputs.sarif-output }}"
-  directory-scanning:
-    name: Directory scanning
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Scan current project
-        id: scan-directory
-        uses: anchore/scan-action@v3
-        with:
-          by-cve: "true"
-          path: "."
-      - name: Upload to GHAS
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          category: "directory-scanning"
-          sarif_file: "${{ steps.scan-directory.outputs.sarif }}"
+  sast:
+    name: SAST
+    permissions:
+      contents: read
+      security-events: write
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-security-sast.yml@feat/java-ut
+    with:
+      code-scanning-languages: "java"
+      code-scanning-build-mode: "manual"
+      code-scanning-build-command: "./gradlew build"
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -1,22 +1,13 @@
 ---
-name: Sync labels
+name: Labels
 
 on: # yamllint disable-line rule:truthy
   push:
     branches:
       - main
-    paths:
-      - .github/labels.yml
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 jobs:
-  sync-labels:
-    name: Sync labels
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Run Label Syncer
-        uses: micnncim/action-label-syncer@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  maintenance:
+    name: Maintenance
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-sync-labels.yml@main
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -1,37 +1,21 @@
 ---
 name: Unit Tests
 
-on:
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    paths:
+      - gradle/**
+      - tasks/Makefile.java.mk
+      - Makefile
+      - src/**
+      - build.gradle
+      - ./gradlew
+      - ./gradlew.bat
   push:
     branches:
-      - 'main'
-  pull_request:
+      - main
 
 jobs:
-  unit-tests:
-    name: Test
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-      - name: Get versions
-        id: versions
-        run: |
-          java_version=$(grep -Eo 'java [a-z0-9.-]+' .tool-versions | cut -d'-' -f2)
-          echo "java=$java_version" >> $GITHUB_OUTPUT
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ steps.versions.outputs.java }}
-          distribution: temurin
-      - name: Setup gradle
-        uses: gradle/actions/setup-gradle@v3
-        with:
-          gradle-version: "8.8"
-      - name: Build
-        env:
-          SKIP_FINALIZE: true
-        run: ./gradlew build
-      - name: Unit tests
-        run: ./gradlew test
+  gradle:
+    name: Gradle
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-java-unit-tests.yml@feat/java-ut
diff --git a/.github/workflows/update-license.yml b/.github/workflows/update-license.yml
@@ -1,30 +1,11 @@
 ---
-name: Update license
+name: License
 
-on:
+on: # yamllint disable-line rule:truthy
   schedule:
-    - cron: '0 5 1 1 *'
+    - cron: "0 5 1 1 *"
 
 jobs:
-  run:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout ${{ github.repository }}
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Update LICENSE file
-        uses: FantasticFiasco/action-update-license-year@v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          assignees: ${{ github.repository_owner }}
-          labels: enhancement
-          prTitle: Update license copyright year to {{currentYear}}
-          prBody: |
-            ## Changelog
-
-            - Update license copyright year to {{currentYear}}
-
-            ---
-
-            Powered by [FantasticFiasco/action-update-license-year](https://github.com/FantasticFiasco/action-update-license-year)
+  maintenance:
+    name: Maintenance
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-update-license.yml@main
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
       - id: detect-secrets
         stages: ["commit", "push"]
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.3
+    rev: v8.18.4
     hooks:
       - id: gitleaks
         stages: ["commit", "push"]
@@ -35,6 +35,14 @@ repos:
     hooks:
       - id: snyk-test
         stages: ["push"]
+  - repo: https://github.com/fabasoad/pre-commit-grype
+    rev: v0.3.1
+    hooks:
+      - id: grype-dir
+        args:
+          - --grype-args=--by-cve --fail-on=low
+          - --hook-args=--log-level debug
+        stages: ["push"]
   # Java
   - repo: https://github.com/dustinsand/pre-commit-jvm
     rev: v0.11.0

diff --git a/.tool-versions b/.tool-versions
@@ -1,2 +1,3 @@
+gradle 8.8
 java openjdk-22
 coursier 2.1.9
diff --git a/build.gradle b/build.gradle
@@ -14,7 +14,7 @@ repositories {
 
 dependencies {
     implementation 'com.google.guava:guava:33.2.1-jre'
-    implementation 'org.apache.groovy:groovy-all:4.0.21'
+    implementation 'org.apache.groovy:groovy-all:4.0.22'
     testImplementation 'org.spockframework:spock-core:2.4-M4-groovy-4.0'
 }