Merge pull request #644 from spotbugs/spotbugs

Merge 'spotbugs' back to 'master'

.gitattributes

@@ -10,13 +10,13 @@
 *.dbproj merge=union
 
 # Standard to msysgit
-*.doc	 diff=astextplain
-*.DOC	 diff=astextplain
-*.docx diff=astextplain
-*.DOCX diff=astextplain
-*.dot  diff=astextplain
-*.DOT  diff=astextplain
-*.pdf  diff=astextplain
-*.PDF	 diff=astextplain
-*.rtf	 diff=astextplain
-*.RTF	 diff=astextplain
+*.doc    diff=astextplain
+*.DOC    diff=astextplain
+*.docx   diff=astextplain
+*.DOCX   diff=astextplain
+*.dot    diff=astextplain
+*.DOT    diff=astextplain
+*.pdf    diff=astextplain
+*.PDF    diff=astextplain
+*.rtf    diff=astextplain
+*.RTF    diff=astextplain

.github/workflows/ci.yaml

@@ -0,0 +1,24 @@
+name: Java CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macOS-latest, windows-latest]
+        java: [11, 17, 21]
+      fail-fast: false
+      max-parallel: 4
+    name: Test JDK ${{ matrix.java }}, ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: 'zulu'
+      - name: Test with Maven
+        run: ./mvnw test -B -V --no-transfer-progress -D"license.skip=true"

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ spotbugs ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ spotbugs ]
+  schedule:
+    - cron: '27 0 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.github/workflows/coveralls.yaml

@@ -0,0 +1,26 @@
+name: Coveralls
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    if: github.repository_owner == 'spotbugs-OFF'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: zulu
+      - name: Report Coverage to Coveralls for Pull Requests
+        if: github.event_name == 'pull_request'
+        run: ./mvnw -B -V test jacoco:report coveralls:report -q -Dlicense.skip=true -DrepoToken=$GITHUB_TOKEN -DserviceName=github -DpullRequest=$PR_NUMBER --no-transfer-progress
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.number }}
+      - name: Report Coverage to Coveralls for General Push
+        if: github.event_name == 'push'
+        run: ./mvnw -B -V test jacoco:report coveralls:report -q -Dlicense.skip=true -DrepoToken=$GITHUB_TOKEN -DserviceName=github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/coverity.yaml

@@ -0,0 +1,33 @@
+name: Coverity
+
+on:
+  push:
+    branches:
+      - coverity_scan
+
+jobs:
+  build:
+    if: github.repository_owner == 'spotbugs'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 21
+          distribution: 'zulu'
+      - name: Analyze with Coverity
+        run: |
+          wget -q https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_TOKEN&project=spotbugs%2Fspotbugs-maven-plugin" -O coverity_tool.tgz
+          tar -xf coverity_tool.tgz
+          ./cov-analysis-linux64-*/bin/cov-build --dir cov-int ./mvnw -B -V -DskipTests=true -Dlicense.skip=true verify --no-transfer-progress
+          tar czvf spotbugs-maven-plugin.tgz cov-int
+          curl --form token=$COVERITY_TOKEN \
+            --form email=$EMAIL \
+            --form [email protected] \
+            --form version="spotbugs-maven-plugin/coverity_scan" \
+            --form description="Spotbugs Maven Plugin Coverity Scan" \
+            https://scan.coverity.com/builds?project=spotbugs%2Fspotbugs-maven-plugin
+        env:
+          COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}
+          EMAIL: ${{ secrets.EMAIL }}

.github/workflows/it-maven-3.3.9.yaml

@@ -0,0 +1,22 @@
+name: Java Integration Tests Maven 3.3.9
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Integration Tests Maven 3.3.9
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 21
+          distribution: zulu
+      - name: Load Maven 3.3.9
+        run: ./mvnw -B -V org.apache.maven.plugins:maven-wrapper-plugin:3.2.0:wrapper -Dmaven=3.3.9 --no-transfer-progress
+      - name: Build Setup
+        run: ./mvnw -B -V clean install -Dlicense.skip=true -Dmaven.min-version=3.3.9
+      - name: Integration Test with Maven
+        run: ./mvnw -B -V -DtestSrc=remote -Prun-its clean install -Dinvoker.parallelThreads=4 -Dlicense.skip=true -Dmaven.min-version=3.3.9

.github/workflows/it-maven-4.0.0.yaml

@@ -0,0 +1,22 @@
+name: Java Integration Tests Maven 4.0.0-alpha-4
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Integration Tests Maven 4.0.0-alpha-4
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 21
+          distribution: zulu
+      - name: Load Maven 4.0.0-alpha-4
+        run: ./mvnw -B -V org.apache.maven.plugins:maven-wrapper-plugin:3.2.0:wrapper -Dmaven=4.0.0-alpha-4 --no-transfer-progress
+      - name: Build Setup
+        run: ./mvnw -B -V clean install -Dlicense.skip=true -Dmaven.min-version=4.0.0-alpha-4 --no-transfer-progress
+      - name: Integration Test with Maven
+        run: ./mvnw -B -V -DtestSrc=remote -Prun-its clean install -Dinvoker.parallelThreads=4 -Dlicense.skip=true -Dmaven.min-version=4.0.0-alpha-4 --no-transfer-progress

.github/workflows/it.yaml

@@ -0,0 +1,20 @@
+name: Java Integration Tests
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Integration Tests
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 21
+          distribution: zulu
+      - name: Build Setup
+        run: ./mvnw -B -V clean install -Dlicense.skip=true --no-transfer-progress
+      - name: Integration Test with Maven
+        run: ./mvnw -B -V -DtestSrc=remote -Prun-its clean install -Dinvoker.parallelThreads=4 -Dlicense.skip=true --no-transfer-progress

.github/workflows/site.yaml

@@ -0,0 +1,34 @@
+name: Site
+
+on:
+  push:
+    branches:
+      - site
+
+jobs:
+  build:
+    if: github.repository_owner == 'spotbugs' && ! contains(toJSON(github.event.head_commit.message), '[maven-release-plugin]')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 21
+          distribution: 'zulu'
+      - uses: webfactory/ssh-agent@master
+        with:
+          ssh-private-key: ${{ secrets.DEPLOY_KEY }}
+      - name: Build site
+        run: ./mvnw site site:stage -DskipTests -Dlicense.skip=true -B -V --no-transfer-progress
+        env:
+          CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Deploy Site to gh-pages
+        uses: JamesIves/[email protected]
+        with:
+          SSH: true
+          BRANCH: gh-pages
+          FOLDER: spotbugs/spotbugs-maven-plugin.git
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/sonar.yaml

@@ -0,0 +1,26 @@
+name: SonarCloud
+
+on:
+  push:
+    branches:
+      - spotbugs
+
+jobs:
+  build:
+    if: github.repository_owner == 'spotbugs'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting
+          fetch-depth: 0
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 21
+          distribution: zulu
+      - name: Analyze with SonarCloud
+        run: ./mvnw verify sonar:sonar -B -V -Dsonar.projectKey=spotbugs_spotbugs-maven-plugin -Dsonar.organization=spotbugs -Dsonar.host.url=https://sonarcloud.io -Dsonar.login=$SONAR_TOKEN -Dlicense.skip=true --no-transfer-progress
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/sonatype.yaml

@@ -0,0 +1,23 @@
+name: Sonatype
+
+on:
+  push:
+    branches:
+      - spotbugs
+
+jobs:
+  build:
+    if: github.repository_owner == 'spotbugs' && ! contains(toJSON(github.event.head_commit.message), '[maven-release-plugin]')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: 21
+          distribution: 'zulu'
+      - name: Deploy to Sonatype
+        run: ./mvnw deploy -DskipTests -B -V --no-transfer-progress --settings ./.mvn/settings.xml -Dlicense.skip=true
+        env:
+          CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }}
+          CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }}

.gitignore

@@ -1,8 +1,14 @@
 .classpath
+.github/keys
 .project
 .settings
 target/
+.idea/
 *.ipr
 *.iws
 *.iml
 *.asc
+*.releaseBackup
+release.properties
+.mvn/wrapper/maven-wrapper.jar
+.factorypath

.mvn/extensions.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright 2005-2023 the original author or authors.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        https://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<extensions>
+    <extension>
+      <groupId>fr.jcgay.maven</groupId>
+      <artifactId>maven-profiler</artifactId>
+      <version>3.2</version>
+    </extension>
+</extensions>

.mvn/jvm.config

@@ -0,0 +1 @@
+-XX:+TieredCompilation -XX:TieredStopAtLevel=1 --add-opens=java.base/java.io=ALL-UNNAMED

.mvn/maven.config

@@ -0,0 +1,2 @@
+-Daether.checksums.algorithms=SHA-512,SHA-256,SHA-1,MD5
+-Daether.connector.smartChecksums=false