Merge remote-tracking branch 'origin/update-from-template' into develop

AB-xdev · AB-xdev · commit fa2a85e3e55e · 2025-09-02T09:02:52.000+02:00
diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml
@@ -196,9 +196,9 @@
 	<rule ref="category/java/security.xml"/>
 
 	<rule name="AvoidSystemSetterCall"
-		  language="java"
-		  message="Setters of java.lang.System should not be called unless really needed"
-		  class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		language="java"
+		message="Setters of java.lang.System should not be called unless really needed"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
 		<description>
 			Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior.
 			For example, it may break when multiple Threads are setting the value.
@@ -219,9 +219,9 @@
 	</rule>
 
 	<rule name="JavaObjectSerializationIsUnsafe"
-		  language="java"
-		  message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities"
-		  class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+		language="java"
+		message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
 		<description>
 			Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en).
 			Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial).
diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml
@@ -19,7 +19,7 @@ jobs:
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@5c4ee84814c983aa7164eaee476f014e53ff3963 # v2
+        uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2
         with:
           fail: false # Don't fail on broken links, create an issue instead
 
@@ -29,7 +29,7 @@ jobs:
           echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title \"Link Checker Report\"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
         env:
           GH_TOKEN: ${{ github.token }}
-          
+
       - name: Close issue if everything is fine
         if: steps.lychee.outputs.exit_code == 0 && steps.find-issue.outputs.number != ''
         run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml
@@ -25,27 +25,32 @@ env:
 jobs:
   build:
     timeout-minutes: 30
-
     strategy:
       matrix:
         java: [17, 21]
         distribution: [temurin]
         os: [ubuntu-latest, windows-latest] # Windows is needed for recursive NTFS junctions
-    
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v5
-      
+
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         distribution: ${{ matrix.distribution }}
         java-version: ${{ matrix.java }}
-        cache: 'maven'
-      
+
+    - name: Cache Maven
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-build-
+
     - name: Build with Maven
       run: ./mvnw -B clean package -P run-integration-tests -T2C
-      
+
     - name: Check for uncommited changes
       shell: bash
       run: |
@@ -69,21 +74,34 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name != 'pull_request' || !startsWith(github.head_ref, 'renovate/') }}
     timeout-minutes: 15
-
     strategy:
       matrix:
         java: [17]
         distribution: [temurin]
-
     steps:
     - uses: actions/checkout@v5
-      
+
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         distribution: ${{ matrix.distribution }}
         java-version: ${{ matrix.java }}
-        cache: 'maven'
+
+    - name: Cache Maven
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-checkstyle-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-checkstyle-
+
+    - name: CheckStyle Cache
+      uses: actions/cache@v4
+      with:
+        path: '**/target/checkstyle-cachefile'
+        key: ${{ runner.os }}-checkstyle-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-checkstyle-
 
     - name: Run Checkstyle
       run: ./mvnw -B checkstyle:check -P checkstyle -T2C
@@ -92,21 +110,34 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name != 'pull_request' || !startsWith(github.head_ref, 'renovate/') }}
     timeout-minutes: 15
-
     strategy:
       matrix:
         java: [17]
         distribution: [temurin]
-
     steps:
     - uses: actions/checkout@v5
 
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         distribution: ${{ matrix.distribution }}
         java-version: ${{ matrix.java }}
-        cache: 'maven'
+
+    - name: Cache Maven
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-pmd-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-pmd-
+
+    - name: PMD Cache
+      uses: actions/cache@v4
+      with:
+        path: '**/target/pmd/pmd.cache'
+        key: ${{ runner.os }}-pmd-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-pmd-
 
     - name: Run PMD
       run: ./mvnw -B test pmd:aggregate-pmd-no-fork pmd:check -P pmd -DskipTests -T2C
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,20 +11,30 @@ permissions:
   contents: write
   pull-requests: write
 
+# DO NOT RESTORE CACHE for critical release steps to prevent a (extremely unlikely) scenario 
+# where a supply chain attack could be achieved due to poisoned cache
 jobs:
   check-code:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
     - uses: actions/checkout@v5
-      
+
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: '17'
         distribution: 'temurin'
-        cache: 'maven'
-      
+
+    # Try to reuse existing cache from check-build
+    - name: Try restore Maven Cache
+      uses: actions/cache/restore@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-build-
+
     - name: Build with Maven
       run: ./mvnw -B clean package -T2C
       
@@ -54,31 +64,31 @@ jobs:
       upload_url: ${{ steps.create-release.outputs.upload_url }}
     steps:
     - uses: actions/checkout@v5
-      
+
     - name: Configure Git
       run: |
         git config --global user.email "actions@github.com"
         git config --global user.name "GitHub Actions"
-  
+
     - name: Un-SNAP 
       run: ./mvnw -B versions:set -DremoveSnapshot -DprocessAllModules -DgenerateBackupPoms=false
-  
+
     - name: Get version
       id: version
       run: |
         version=$(../mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
         echo "release=$version" >> $GITHUB_OUTPUT
         echo "releasenumber=${version//[!0-9]/}" >> $GITHUB_OUTPUT
       working-directory: ${{ env.PRIMARY_MAVEN_MODULE }}
-  
+
     - name: Commit and Push
       run: |
         git add -A
         git commit -m "Release ${{ steps.version.outputs.release }}"
         git push origin
         git tag v${{ steps.version.outputs.release }}
         git push origin --tags
-    
+
     - name: Create Release
       id: create-release
       uses: shogo82148/actions-create-release@4661dc54f7b4b564074e9fbf73884d960de569a3 # v1
@@ -106,23 +116,23 @@ jobs:
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v5
-    
+
     - name: Init Git and pull
       run: |
         git config --global user.email "actions@github.com"
         git config --global user.name "GitHub Actions"
         git pull
 
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with: # running setup-java overwrites the settings.xml
         distribution: 'temurin'
         java-version: '17'
         server-id: github-central
         server-password: PACKAGES_CENTRAL_TOKEN
         gpg-passphrase: MAVEN_GPG_PASSPHRASE
         gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Only import once
-    
+
     - name: Publish to GitHub Packages Central
       run: ../mvnw -B deploy -P publish -DskipTests -DaltDeploymentRepository=github-central::https://maven.pkg.github.com/xdev-software/central
       working-directory: ${{ env.PRIMARY_MAVEN_MODULE }}
@@ -131,7 +141,7 @@ jobs:
         MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
 
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with: # running setup-java again overwrites the settings.xml
         distribution: 'temurin'
         java-version: '17'
@@ -154,19 +164,27 @@ jobs:
     timeout-minutes: 15
     steps:
     - uses: actions/checkout@v5
-      
+
     - name: Init Git and pull
       run: |
         git config --global user.email "actions@github.com"
         git config --global user.name "GitHub Actions"
         git pull
 
     - name: Setup - Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: '17'
         distribution: 'temurin'
-        cache: 'maven'
+
+    # Try to reuse existing cache from check-build
+    - name: Try restore Maven Cache
+      uses: actions/cache/restore@v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-mvn-build-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-mvn-build-
 
     - name: Build site
       run: ../mvnw -B compile site -DskipTests -T2C
@@ -185,7 +203,7 @@ jobs:
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v5
-      
+
     - name: Init Git and pull
       run: |
         git config --global user.email "actions@github.com"
@@ -200,7 +218,7 @@ jobs:
         git add -A
         git commit -m "Preparing for next development iteration"
         git push origin
-    
+
     - name: pull-request
       env:
         GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
@@ -14,24 +14,24 @@ jobs:
     - uses: actions/checkout@v5
 
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with: # running setup-java overwrites the settings.xml
         distribution: 'temurin'
         java-version: '17'
         server-id: github-central
         server-password: PACKAGES_CENTRAL_TOKEN
         gpg-passphrase: MAVEN_GPG_PASSPHRASE
         gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Only import once
-    
+
     - name: Publish to GitHub Packages Central
       run: ../mvnw -B deploy -P publish -DskipTests -DaltDeploymentRepository=github-central::https://maven.pkg.github.com/xdev-software/central
       working-directory: ${{ env.PRIMARY_MAVEN_MODULE }}
       env:
         PACKAGES_CENTRAL_TOKEN: ${{ secrets.PACKAGES_CENTRAL_TOKEN }}
         MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
-    
+
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with: # running setup-java again overwrites the settings.xml
         distribution: 'temurin'
         java-version: '17'
diff --git a/.github/workflows/update-from-template.yml b/.github/workflows/update-from-template.yml
@@ -43,7 +43,7 @@ jobs:
           # If no PAT is used the following error occurs on a push:
           # refusing to allow a GitHub App to create or update workflow `.github/workflows/xxx.yml` without `workflows` permission
           token: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
-      
+
       - name: Init Git
         run: |
           git config --global user.email "111048771+xdev-gh-bot@users.noreply.github.com"
@@ -190,7 +190,7 @@ jobs:
           # If no PAT is used the following error occurs on a push:
           # refusing to allow a GitHub App to create or update workflow `.github/workflows/xxx.yml` without `workflows` permission
           token: ${{ secrets.UPDATE_FROM_TEMPLATE_PAT }}
-      
+
       - name: Init Git
         run: |
           git config --global user.email "111048771+xdev-gh-bot@users.noreply.github.com"
diff --git a/.idea/checkstyle-idea.xml b/.idea/checkstyle-idea.xml
diff --git a/pom.xml b/pom.xml
@@ -73,6 +73,7 @@
 						<artifactId>maven-pmd-plugin</artifactId>
 						<version>3.27.0</version>
 						<configuration>
+							<analysisCache>true</analysisCache>
 							<includeTests>true</includeTests>
 							<printFailingErrors>true</printFailingErrors>
 							<rulesets>
diff --git a/testcontainers-advanced-imagebuilder/pom.xml b/testcontainers-advanced-imagebuilder/pom.xml
