diff --git a/.config/topo/upstream.yml b/.config/topo/upstream.yml
new file mode 100644
index 0000000..6e0fe07
--- /dev/null
+++ b/.config/topo/upstream.yml
@@ -0,0 +1,2 @@
+- url: https://github.com/xdev-software/openapi-client-maven-template.git
+ branch: master
diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml
index 2675c8b..5b50d06 100644
--- a/.github/workflows/broken-links.yml
+++ b/.github/workflows/broken-links.yml
@@ -19,7 +19,7 @@ jobs:
- name: Link Checker
id: lychee
- uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2
+ uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
with:
fail: false # Don't fail on broken links, create an issue instead
diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml
index b1a6d66..daae7b2 100644
--- a/.github/workflows/check-build.yml
+++ b/.github/workflows/check-build.yml
@@ -69,7 +69,7 @@ jobs:
fi
- name: Upload demo files
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: demo-files-java-${{ matrix.java }}
path: ${{ env.DEMO_MAVEN_MODULE }}/target/${{ env.DEMO_MAVEN_MODULE }}.jar
@@ -151,8 +151,8 @@ jobs:
run: ./mvnw -B pmd:aggregate-cpd pmd:cpd-check -P pmd -DskipTests -T2C
- name: Upload report
- if: always()
- uses: actions/upload-artifact@v6
+ if: ${{ !cancelled() }}
+ uses: actions/upload-artifact@v7
with:
name: pmd-report
if-no-files-found: ignore
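Review bot: `actions/upload-artifact@v7` here (and in the "Upload demo files" step of the previous hunk) is referenced by a mutable tag, while the third-party actions touched by this commit are pinned to a full commit SHA with a `# v2` / `# v1` comment. A tag can be moved to different code after review, so pinning these the same way keeps the workflow's supply chain consistent, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v7`. The same applies to `actions/checkout@v6` in the new report-gha-workflow-security-problems.yml. The job this step belongs to starts outside the hunk.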
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3f55399..2b7941b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -91,7 +91,7 @@ jobs:
- name: Create Release
id: create-release
- uses: shogo82148/actions-create-release@559c27ce7eb834825e2b55927c64f6d1bd1db716 # v1
+ uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1
with:
tag_name: v${{ steps.version.outputs.release }}
release_name: v${{ steps.version.outputs.release }}
diff --git a/.github/workflows/report-gha-workflow-security-problems.yml b/.github/workflows/report-gha-workflow-security-problems.yml
new file mode 100644
index 0000000..b17aa53
--- /dev/null
+++ b/.github/workflows/report-gha-workflow-security-problems.yml
@@ -0,0 +1,61 @@
+name: Report workflow security problems
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ develop ]
+ paths:
+ - '.github/workflows/**'
+
+permissions:
+ issues: write
+
+jobs:
+ prt:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ # Only run this in our repos (Prevent notification spam by forks)
+ if: ${{ github.repository_owner == 'xdev-software' }}
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Check
+ id: check
+ run: |
+ grep -l 'pull_request_target:' --exclude report-gha-workflow-security-problems.yml *.yml > reported.txt && exit 1 || exit 0
+ working-directory: .github/workflows
+
+ - name: Find already existing issue
+ id: find-issue
+ if: ${{ !cancelled() }}
+ run: |
+ echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Incorrectly configure GHA workflow (prt)"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Close issue if everything is fine
+ if: ${{ success() && steps.find-issue.outputs.number != '' }}
+ run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Create report
+ if: ${{ failure() && steps.check.conclusion == 'failure' }}
+ run: |
+ echo 'Detected usage of `pull_request_target`. This event is dangerous and MUST NOT BE USED AT ALL COST!' > reported.md
+ echo '' >> reported.md
+ echo '/cc @xdev-software/gha-workflow-security' >> reported.md
+ echo '' >> reported.md
+ echo '```' >> reported.md
+ cat .github/workflows/reported.txt >> reported.md
+ echo '```' >> reported.md
+ cat reported.md
+
+ - name: Create Issue From File
+ if: ${{ failure() && steps.check.conclusion == 'failure' }}
+ uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
+ with:
+ issue-number: ${{ steps.find-issue.outputs.number }}
+ title: 'Incorrectly configure GHA workflow (prt)'
+ content-filepath: ./reported.md
+ labels: bug, automated
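Review bot: The `Check` step's pattern `'pull_request_target:'` only matches the mapping form of the trigger, so a workflow declaring it as `on: pull_request_target` or `on: [push, pull_request_target]` would not be reported, and the `*.yml` glob skips workflow files saved as `.yaml`. Matching the bare event name over both extensions closes that gap, e.g. `grep -rlw 'pull_request_target' --include='*.yml' --include='*.yaml' --exclude report-gha-workflow-security-problems.yml . > reported.txt && exit 1 || exit 0`. Separately, `&& exit 1 || exit 0` turns a grep error (exit status 2) into a pass, so a scan that failed to run is indistinguishable from a clean one; handling status 2 explicitly would make the control fail closed. A short comment above the step stating that it fails on purpose when a match is found would also help, since the later steps depend on `steps.check.conclusion == 'failure'`.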
diff --git a/.github/workflows/update-from-template.yml b/.github/workflows/update-from-template.yml
deleted file mode 100644
index a2462d6..0000000
--- a/.github/workflows/update-from-template.yml
+++ /dev/null
@@ -1,320 +0,0 @@
-name: Update from Template
-
-# This workflow keeps the repo up to date with changes from the template repo (REMOTE_URL)
-# It duplicates the REMOTE_BRANCH (into UPDATE_BRANCH) and tries to merge it into
-# this repos default branch (which is checked out here)
-# Note that this requires a PAT (Personal Access Token) - at best from a servicing account
-# PAT permissions: read:discussion, read:org, repo, workflow
-# Also note that you should have at least once merged the template repo into the current repo manually
-# otherwise a "refusing to merge unrelated histories" error might occur.
-
-on:
- schedule:
- - cron: '55 2 * * 1'
- workflow_dispatch:
- inputs:
- no_automatic_merge:
- type: boolean
- description: 'No automatic merge'
- default: false
-
-env:
- UPDATE_BRANCH: update-from-template
- UPDATE_BRANCH_MERGED: update-from-template-merged
- REMOTE_URL: https://github.com/xdev-software/openapi-client-maven-template.git
- REMOTE_BRANCH: master
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- update:
- runs-on: ubuntu-latest
- timeout-minutes: 60
- outputs:
- update_branch_merged_commit: ${{ steps.manage-branches.outputs.update_branch_merged_commit }}
- create_update_branch_merged_pr: ${{ steps.manage-branches.outputs.create_update_branch_merged_pr }}
- steps:
- - uses: actions/checkout@v6
- with:
- # Required because otherwise there are always changes detected when executing diff/rev-list
- fetch-depth: 0
- # If no PAT is used the following error occurs on a push:
- # refusing to allow a GitHub App to create or update workflow `.github/workflows/xxx.yml` without `workflows` permission
- token: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
-
- - name: Init Git
- run: |
- git config --global user.email "111048771+xdev-gh-bot@users.noreply.github.com"
- git config --global user.name "XDEV Bot"
-
- - name: Manage branches
- id: manage-branches
- run: |
- echo "Adding remote template-repo"
- git remote add template ${{ env.REMOTE_URL }}
-
- echo "Fetching remote template repo"
- git fetch template
-
- echo "Deleting local branches that will contain the updates - if present"
- git branch -D ${{ env.UPDATE_BRANCH }} || true
- git branch -D ${{ env.UPDATE_BRANCH_MERGED }} || true
-
- echo "Checking if the remote template repo has new commits"
- git rev-list ..template/${{ env.REMOTE_BRANCH }}
-
- if [ $(git rev-list --count ..template/${{ env.REMOTE_BRANCH }}) -eq 0 ]; then
- echo "There are no commits new commits on the template repo"
-
- echo "Deleting origin branch(es) that contain the updates - if present"
- git push -f origin --delete ${{ env.UPDATE_BRANCH }} || true
- git push -f origin --delete ${{ env.UPDATE_BRANCH_MERGED }} || true
-
- echo "create_update_branch_pr=0" >> $GITHUB_OUTPUT
- echo "create_update_branch_merged_pr=0" >> $GITHUB_OUTPUT
- exit 0
- fi
-
- echo "Found new commits on the template repo"
-
- echo "Creating update branch"
- git branch ${{ env.UPDATE_BRANCH }} template/${{ env.REMOTE_BRANCH }}
- git branch --unset-upstream ${{ env.UPDATE_BRANCH }}
-
- echo "Pushing update branch"
- git push -f -u origin ${{ env.UPDATE_BRANCH }}
-
- echo "Getting base branch"
- base_branch=$(git branch --show-current)
- echo "Base branch is $base_branch"
- echo "base_branch=$base_branch" >> $GITHUB_OUTPUT
-
- echo "Trying to create auto-merged branch ${{ env.UPDATE_BRANCH_MERGED }}"
- git branch ${{ env.UPDATE_BRANCH_MERGED }} ${{ env.UPDATE_BRANCH }}
- git checkout ${{ env.UPDATE_BRANCH_MERGED }}
-
- echo "Merging branch $base_branch into ${{ env.UPDATE_BRANCH_MERGED }}"
- git merge $base_branch && merge_exit_code=$? || merge_exit_code=$?
- if [ $merge_exit_code -ne 0 ]; then
- echo "Auto merge failed! Manual merge required"
- echo "::notice ::Auto merge failed - Manual merge required"
-
- echo "Cleaning up failed merge"
- git merge --abort
- git checkout $base_branch
- git branch -D ${{ env.UPDATE_BRANCH_MERGED }} || true
-
- echo "Deleting auto-merge branch - if present"
- git push -f origin --delete ${{ env.UPDATE_BRANCH_MERGED }} || true
-
- echo "create_update_branch_pr=1" >> $GITHUB_OUTPUT
- echo "create_update_branch_merged_pr=0" >> $GITHUB_OUTPUT
- exit 0
- fi
-
- echo "Post processing: Trying to automatically fill in template variables"
- find . -type f \
- -not -path "./.git/**" \
- -not -path "./.github/workflows/update-from-template.yml" -print0 \
- | xargs -0 sed -i "s/template-placeholder/${GITHUB_REPOSITORY#*/}/g"
-
- git status
- git add --all
-
- if [[ "$(git status --porcelain)" != "" ]]; then
- echo "Filled in template; Committing"
-
- git commit -m "Fill in template"
- fi
-
- echo "Pushing auto-merged branch"
- git push -f -u origin ${{ env.UPDATE_BRANCH_MERGED }}
-
- echo "update_branch_merged_commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
-
- echo "Restoring base branch $base_branch"
- git checkout $base_branch
-
- echo "create_update_branch_pr=0" >> $GITHUB_OUTPUT
- echo "create_update_branch_merged_pr=1" >> $GITHUB_OUTPUT
- echo "try_close_update_branch_pr=1" >> $GITHUB_OUTPUT
-
- - name: Create/Update PR update_branch
- if: steps.manage-branches.outputs.create_update_branch_pr == 1
- env:
- GH_TOKEN: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
- run: |
- gh_pr_up() {
- gh pr create -H "${{ env.UPDATE_BRANCH }}" "$@" || (git checkout "${{ env.UPDATE_BRANCH }}" && gh pr edit "$@")
- }
- gh_pr_up -B "${{ steps.manage-branches.outputs.base_branch }}" \
- --title "Update from template" \
- --body "An automated PR to sync changes from the template into this repo"
-
- # Ensure that only a single PR is open (otherwise confusion and spam)
- - name: Close PR update_branch
- if: steps.manage-branches.outputs.try_close_update_branch_pr == 1
- env:
- GH_TOKEN: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
- run: |
- gh pr close "${{ env.UPDATE_BRANCH }}" || true
-
- - name: Create/Update PR update_branch_merged
- if: steps.manage-branches.outputs.create_update_branch_merged_pr == 1
- env:
- GH_TOKEN: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
- run: |
- gh_pr_up() {
- gh pr create -H "${{ env.UPDATE_BRANCH_MERGED }}" "$@" || (git checkout "${{ env.UPDATE_BRANCH_MERGED }}" && gh pr edit "$@")
- }
- gh_pr_up -B "${{ steps.manage-branches.outputs.base_branch }}" \
- --title "Update from template (auto-merged)" \
- --body "An automated PR to sync changes from the template into this repo"
-
- # Wait a moment so that checks of PR have higher prio than following job
- sleep 3
-
- # Split into two jobs to help with executor starvation
- auto-merge:
- needs: [update]
- if: needs.update.outputs.create_update_branch_merged_pr == 1
- runs-on: ubuntu-latest
- timeout-minutes: 60
- steps:
- - uses: actions/checkout@v6
- with:
- # Required because otherwise there are always changes detected when executing diff/rev-list
- fetch-depth: 0
- # If no PAT is used the following error occurs on a push:
- # refusing to allow a GitHub App to create or update workflow `.github/workflows/xxx.yml` without `workflows` permission
- token: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
-
- - name: Init Git
- run: |
- git config --global user.email "111048771+xdev-gh-bot@users.noreply.github.com"
- git config --global user.name "XDEV Bot"
-
- - name: Checking if auto-merge for PR update_branch_merged can be done
- id: auto-merge-check
- env:
- GH_TOKEN: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
- run: |
- not_failed_conclusion="skipped|neutral|success"
- not_relevant_app_slug="dependabot|github-pages|sonarqubecloud"
-
- echo "Waiting for checks to start..."
- sleep 40s
-
- for i in {1..20}; do
- echo "Checking if PR can be auto-merged. Try: $i"
-
- echo "Checking if update-branch-merged exists"
- git fetch
- if [[ $(git ls-remote --heads origin refs/heads/${{ env.UPDATE_BRANCH_MERGED }}) ]]; then
- echo "Branch still exists; Continuing..."
- else
- echo "Branch origin/${{ env.UPDATE_BRANCH_MERGED }} is missing"
- exit 0
- fi
-
- echo "Fetching checks"
- cs_response=$(curl -sL \
- --fail-with-body \
- --connect-timeout 60 \
- --max-time 120 \
- -H "Accept: application/vnd.github+json" \
- -H "Authorization: Bearer $GH_TOKEN" \
- -H "X-GitHub-Api-Version: 2022-11-28" \
- https://api.github.com/repos/${{ github.repository }}/commits/${{ needs.update.outputs.update_branch_merged_commit }}/check-suites)
-
- cs_data=$(echo $cs_response | jq '.check_suites[] | { conclusion: .conclusion, slug: .app.slug, check_runs_url: .check_runs_url }')
- echo $cs_data
-
- if [[ -z "$cs_data" ]]; then
- echo "No check suite data - Assuming that there are no checks to run"
-
- echo "perform=1" >> $GITHUB_OUTPUT
- exit 0
- fi
-
- cs_failed=$(echo $cs_data | jq --arg x "$not_failed_conclusion" 'select ((.conclusion == null or (.conclusion | test($x))) | not)')
- if [[ -z "$cs_failed" ]]; then
- echo "No check failed so far; Checking if relevant checks are still running"
-
- cs_relevant_still_running=$(echo $cs_data | jq --arg x "$not_relevant_app_slug" 'select (.conclusion == null and (.slug | test($x) | not))')
- if [[ -z $cs_relevant_still_running ]]; then
- echo "All relevant checks finished - PR can be merged"
-
- echo "perform=1" >> $GITHUB_OUTPUT
- exit 0
- else
- echo "Relevant checks are still running"
- echo $cs_relevant_still_running
- fi
- else
- echo "Detected failed check"
- echo $cs_failed
-
- echo "perform=0" >> $GITHUB_OUTPUT
- exit 0
- fi
-
- echo "Waiting before next run..."
- sleep 30s
- done
-
- echo "Timed out - Assuming executor starvation - Forcing merge"
- echo "perform=1" >> $GITHUB_OUTPUT
-
- - name: Auto-merge update_branch_merged
- if: steps.auto-merge-check.outputs.perform == 1
- run: |
- echo "Getting base branch"
- base_branch=$(git branch --show-current)
- echo "Base branch is $base_branch"
-
- echo "Fetching..."
- git fetch
- if [[ $(git rev-parse origin/${{ env.UPDATE_BRANCH_MERGED }}) ]]; then
- echo "Branch still exists; Continuing..."
- else
- echo "Branch origin/${{ env.UPDATE_BRANCH_MERGED }} is missing"
- exit 0
- fi
-
- expected_commit="${{ needs.update.outputs.update_branch_merged_commit }}"
- actual_commit=$(git rev-parse origin/${{ env.UPDATE_BRANCH_MERGED }})
- if [[ "$expected_commit" != "$actual_commit" ]]; then
- echo "Branch ${{ env.UPDATE_BRANCH_MERGED }} contains unexpected commit $actual_commit"
- echo "Expected: $expected_commit"
-
- exit 0
- fi
-
- echo "Ensuring that current branch $base_branch is up-to-date"
- git pull
-
- echo "Merging origin/${{ env.UPDATE_BRANCH_MERGED }} into $base_branch"
- git merge origin/${{ env.UPDATE_BRANCH_MERGED }} && merge_exit_code=$? || merge_exit_code=$?
- if [ $merge_exit_code -ne 0 ]; then
- echo "Unexpected merge failure $merge_exit_code - Requires manual resolution"
-
- exit 0
- fi
-
- if [[ "${{ inputs.no_automatic_merge }}" == "true" ]]; then
- echo "Exiting due no_automatic_merge"
-
- exit 0
- fi
-
- echo "Pushing"
- git push
-
- echo "Cleaning up"
- git branch -D ${{ env.UPDATE_BRANCH }} || true
- git branch -D ${{ env.UPDATE_BRANCH_MERGED }} || true
- git push -f origin --delete ${{ env.UPDATE_BRANCH }} || true
- git push -f origin --delete ${{ env.UPDATE_BRANCH_MERGED }} || true
diff --git a/.idea/externalDependencies.xml b/.idea/externalDependencies.xml
index 78be5b8..0b477b8 100644
--- a/.idea/externalDependencies.xml
+++ b/.idea/externalDependencies.xml
@@ -3,5 +3,6 @@
+
\ No newline at end of file
diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties
index 8dea6c2..c595b00 100644
--- a/.mvn/wrapper/maven-wrapper.properties
+++ b/.mvn/wrapper/maven-wrapper.properties
@@ -1,3 +1,3 @@
wrapperVersion=3.3.4
distributionType=only-script
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.12/apache-maven-3.9.12-bin.zip
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.14/apache-maven-3.9.14-bin.zip
diff --git a/pom.xml b/pom.xml
index a219280..4fc6633 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,7 +45,7 @@
com.puppycrawl.tools
checkstyle
- 13.2.0
+ 13.4.0
@@ -83,12 +83,12 @@
net.sourceforge.pmd
pmd-core
- 7.21.0
+ 7.23.0
net.sourceforge.pmd
pmd-java
- 7.21.0
+ 7.23.0
diff --git a/template-placeholder-demo/pom.xml b/template-placeholder-demo/pom.xml
index 718e93f..0cb8acf 100644
--- a/template-placeholder-demo/pom.xml
+++ b/template-placeholder-demo/pom.xml
@@ -28,7 +28,7 @@
software.xdev.Application
- 2.25.3
+ 2.25.4
diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml
index 1aa965a..10bf605 100644
--- a/template-placeholder/pom.xml
+++ b/template-placeholder/pom.xml
@@ -56,7 +56,7 @@
com.fasterxml.jackson
jackson-bom
- 2.21.0
+ 2.21.2
pom
import
@@ -91,7 +91,7 @@
org.openapitools
jackson-databind-nullable
- 0.2.8
+ 0.2.10
@@ -319,7 +319,7 @@
org.openapitools
openapi-generator-maven-plugin
- 7.18.0
+ 7.20.0
@@ -355,7 +355,7 @@
org.apache.maven.plugins
maven-resources-plugin
- 3.4.0
+ 3.5.0
copy-generated-resources
@@ -377,7 +377,7 @@
software.xdev
find-and-replace-maven-plugin
- 1.0.4
+ 1.0.5
@@ -444,7 +444,7 @@
com.puppycrawl.tools
checkstyle
- 13.2.0
+ 13.4.0
@@ -486,12 +486,12 @@
net.sourceforge.pmd
pmd-core
- 7.21.0
+ 7.23.0
net.sourceforge.pmd
pmd-java
- 7.21.0
+ 7.23.0