Merge remote-tracking branch 'origin/update-from-template' into develop

Author: AB-xdev

.config/checkstyle/checkstyle.xml

@@ -74,6 +74,16 @@
 			<!-- https://docs.pmd-code.org/pmd-doc-7.11.0/pmd_rules_java_errorprone.html#avoidcatchingthrowable -->
 			<property name="illegalClassNames" value="Error,Throwable,NullPointerException,java.lang.Error,java.lang.Throwable,java.lang.NullPointerException"/>
 		</module>
+		<!-- Do not allow params and vars to end with collection type names -->
+		<module name="IllegalIdentifierName">
+			<property name="format" value="^(?!(.*(Map|List|Set))$).+$"/>
+			<property name="tokens" value="PARAMETER_DEF, VARIABLE_DEF, PATTERN_VARIABLE_DEF, RECORD_COMPONENT_DEF, LAMBDA"/>
+		</module>
+		<!-- Name classes correctly and don't use generic name for everything -->
+		<module name="IllegalIdentifierName">
+			<property name="format" value="^(?!(.*(Helper|Util))$).+$"/>
+			<property name="tokens" value=" CLASS_DEF"/>
+		</module>
 		<module name="IllegalImport"/>
 		<module name="InterfaceIsType"/>
 		<module name="JavadocStyle">
@@ -91,7 +101,7 @@
 			<property name="ignoreFieldDeclaration" value="true"/>
 			<property name="ignoreHashCodeMethod" value="true"/>
 			<!-- Defaults + other common constant values (e.g. time) -->
-			<property name="ignoreNumbers" value="-1, 0, 1, 2, 3, 4, 5, 10, 12, 24, 31, 60, 100, 1000"/>
+			<property name="ignoreNumbers" value="-1, 0, 1, 2, 3, 4, 5, 8, 10, 12, 16, 24, 25, 31, 32, 50, 60, 64, 100, 128, 200, 256, 500, 512, 1000, 1024, 2000, 2048, 4000, 4096, 8000, 8192"/>
 		</module>
 		<module name="MemberName"/>
 		<module name="MethodLength"/>
@@ -123,7 +133,8 @@
 		<module name="StringLiteralEquality"/>
 		<module name="SuppressWarningsHolder"/>
 		<module name="TodoComment">
-			<property name="severity" value="info"/>
+			<!-- Default is "TODO:" -->
+			<property name="format" value="(?i)(TODO)"/>
 		</module>
 		<module name="TypecastParenPad"/>
 		<module name="TypeName"/>

.config/pmd/java/ruleset.xml

@@ -0,0 +1,2 @@
+- url: https://github.com/xdev-software/standard-maven-template.git
+  branch: master

.config/topo/upstream.yml

@@ -13,13 +13,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - run: mv .github/.lycheeignore .lycheeignore
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
         with:
           fail: false # Don't fail on broken links, create an issue instead
 

.github/workflows/broken-links.yml

@@ -28,7 +28,7 @@ jobs:
         java: [17, 21, 25]
         distribution: [temurin]
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -37,7 +37,7 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Cache Maven
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
@@ -71,10 +71,10 @@ jobs:
     timeout-minutes: 15
     strategy:
       matrix:
-        java: [17]
+        java: [21]
         distribution: [temurin]
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -83,15 +83,15 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Cache Maven
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-mvn-checkstyle-${{ hashFiles('**/pom.xml') }}
         restore-keys: |
           ${{ runner.os }}-mvn-checkstyle-
 
     - name: CheckStyle Cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: '**/target/checkstyle-cachefile'
         key: ${{ runner.os }}-checkstyle-${{ hashFiles('**/pom.xml') }}
@@ -110,7 +110,7 @@ jobs:
         java: [17]
         distribution: [temurin]
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -119,15 +119,15 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Cache Maven
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-mvn-pmd-${{ hashFiles('**/pom.xml') }}
         restore-keys: |
           ${{ runner.os }}-mvn-pmd-
 
     - name: PMD Cache
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: '**/target/pmd/pmd.cache'
         key: ${{ runner.os }}-pmd-${{ hashFiles('**/pom.xml') }}
@@ -141,8 +141,8 @@ jobs:
       run: ./mvnw -B pmd:aggregate-cpd pmd:cpd-check -P pmd -DskipTests -T2C
 
     - name: Upload report
-      if: always()
-      uses: actions/upload-artifact@v4
+      if: ${{ !cancelled() }}
+      uses: actions/upload-artifact@v7
       with:
         name: pmd-report
         if-no-files-found: ignore

.github/workflows/check-build.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5
@@ -28,7 +28,7 @@ jobs:
 
     # Try to reuse existing cache from check-build
     - name: Try restore Maven Cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@v5
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
     outputs:
       upload_url: ${{ steps.create-release.outputs.upload_url }}
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Configure Git
       run: |
@@ -91,7 +91,7 @@ jobs:
 
     - name: Create Release
       id: create-release
-      uses: shogo82148/actions-create-release@28d99e2a5b407558d17c15d0384fc0d7fb625b4c # v1
+      uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1
       with:
         tag_name: v${{ steps.version.outputs.release }}
         release_name: v${{ steps.version.outputs.release }}
@@ -113,7 +113,7 @@ jobs:
     needs: [prepare-release]
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Init Git and pull
       run: |
@@ -161,7 +161,7 @@ jobs:
     needs: [prepare-release]
     timeout-minutes: 15
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Init Git and pull
       run: |
@@ -177,7 +177,7 @@ jobs:
 
     # Try to reuse existing cache from check-build
     - name: Try restore Maven Cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@v5
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
@@ -200,7 +200,7 @@ jobs:
     needs: [publish-maven]
     timeout-minutes: 10
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Init Git and pull
       run: |

.github/workflows/release.yml

@@ -0,0 +1,61 @@
+name: Report workflow security problems
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ develop ]
+    paths:
+      - '.github/workflows/**'
+
+permissions:
+  issues: write
+
+jobs:
+  prt:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Only run this in our repos (Prevent notification spam by forks)
+    if: ${{ github.repository_owner == 'xdev-software' }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Check
+        id: check
+        run: |
+          grep -l 'pull_request_target:' --exclude report-gha-workflow-security-problems.yml *.yml > reported.txt && exit 1 || exit 0
+        working-directory: .github/workflows
+
+      - name: Find already existing issue
+        id: find-issue
+        if: ${{ !cancelled() }}
+        run: |
+          echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Incorrectly configure GHA workflow (prt)"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Close issue if everything is fine
+        if: ${{ success() && steps.find-issue.outputs.number != '' }}
+        run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Create report
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        run: |
+          echo 'Detected usage of `pull_request_target`. This event is dangerous and MUST NOT BE USED AT ALL COST!' > reported.md
+          echo '' >> reported.md
+          echo '/cc @xdev-software/gha-workflow-security' >> reported.md
+          echo '' >> reported.md
+          echo '```' >> reported.md
+          cat .github/workflows/reported.txt >> reported.md
+          echo '```' >> reported.md
+          cat reported.md
+
+      - name: Create Issue From File
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
+        with:
+          issue-number: ${{ steps.find-issue.outputs.number }}
+          title: 'Incorrectly configure GHA workflow (prt)'
+          content-filepath: ./reported.md
+          labels: bug, automated

.github/workflows/report-gha-workflow-security-problems.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           sparse-checkout: .github/labels.yml
 

.github/workflows/sync-labels.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up JDK
       uses: actions/setup-java@v5