Merge branch 'master' into podman

.azure-devops/build/steps/windows/before.yml

@@ -46,9 +46,17 @@ steps:
   # install cygwin and build dependencies
   - powershell: |
       $ProgressPreference = 'SilentlyContinue';
-      Invoke-WebRequest -UseBasicParsing 'https://cygwin.com/setup-x86_64.exe' -OutFile '${{ parameters.dependenciesDir }}\cygwin.exe';
-      Start-Process -Wait -FilePath '${{ parameters.dependenciesDir }}\cygwin.exe' -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin/ --local-package-dir $(Agent.BuildDirectory)\cygwin_packages --root $(Agent.BuildDirectory)\cygwin64';
-    displayName: "[Windows Before] download and install Cygwin"
+      $DownloadedFile = "${{ parameters.dependenciesDir }}\cygwin.exe";
+      $DownloadUrl = 'https://cygwin.com/setup-x86_64.exe';
+      $ExpectedChecksum = 'e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8';
+      Invoke-WebRequest -UseBasicParsing -Uri $DownloadUrl -OutFile $DownloadedFile;
+
+      # Calculate SHA256 checksum of the downloaded file
+      $DownloadedChecksum = (Get-FileHash -Path $DownloadedFile -Algorithm SHA256).Hash;
+
+      # Compare calculated checksum with the expected checksum
+      if ($DownloadedChecksum -eq $ExpectedChecksum) {
+        Start-Process -Wait -FilePath $DownloadedFile -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site
 
   # add cygwin bin to PATH
   - script: |

.github/workflows/build-autotriage.yml

@@ -22,6 +22,9 @@ on:
 env:
   TRIAGE_SCRIPT: "tooling/build_autotriage/build_autotriage.sh"
 
+permissions:
+  contents: read
+
 jobs:
   autotriage:
     permissions:

.github/workflows/build.yml

@@ -134,7 +134,7 @@ jobs:
         os: [macOS]
         version: [
           { name: jdk8u, distro: macos-11 },
-          { name: jdk11u, distro: macos-13 },
+          { name: jdk11u, distro: macos-14 },
           { name: jdk17u, distro: macos-14 }
         ]
         variant: [temurin]
@@ -162,7 +162,7 @@ jobs:
           rm /usr/local/bin/python3-config || true
           rm /usr/local/bin/python3.11-config || true
           rm /usr/local/bin/python3.12-config || true
-            
+
     - name: Install Dependencies
       run: |
         brew install automake bash binutils freetype gnu-sed nasm
@@ -173,7 +173,7 @@ jobs:
         java-version: 7
         distribution: 'zulu'
       if: matrix.version.name == 'jdk8u'
-      
+
     - name: Select correct Xcode (JDK8)
       if: matrix.version.name == 'jdk8u'
       run: |
@@ -184,7 +184,7 @@ jobs:
       if: matrix.version.name != 'jdk8u'
       run: |
         rm -rf /Applications/Xcode.app
-        ln -s /Applications/Xcode_15.0.1.app /Applications/Xcode.app
+        ln -s /Applications/Xcode_15.2.app /Applications/Xcode.app
 
     - name: Build macOS
       run: |
@@ -206,7 +206,7 @@ jobs:
         TARGET_OS: mac
         FILENAME: OpenJDK.tar.gz
         JDK7_BOOT_DIR: ${{ steps.setup-java.outputs.path }}
-      
+
     - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
       name: Collect and Archive Artifacts
       with:
@@ -328,6 +328,19 @@ jobs:
          curl -L "$env:VS2017_URL" -o "$HOME/vs2017.exe"
        if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u'
 
+     - name: Verify Download Of Visual Studio 2017
+       shell: powershell
+       run: |
+         $expected_checksum="7ED8FA27575648163E07548FF5667B55B95663A2323E2B2A5F87B16284E481E6"
+         $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2017.exe | Select-Object -ExpandProperty Hash)
+         echo "Expect : $expected_checksum"
+         echo "Actual : $actual_checksum"
+         if ($expected_checksum -ne $actual_checksum) {
+           Write-Output "Error - Checksum Verification Failed - Exiting"
+           exit 1
+         }
+       if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u'
+
      - name: Install Visual Studio 2017
        if: matrix.version == 'jdk8u'
        run: >
@@ -343,6 +356,19 @@ jobs:
          curl -L "$env:VS2019_URL" -o "$HOME/vs2019.exe"
        if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u')
 
+     - name: Verify Download Of Visual Studio 2019
+       shell: powershell
+       run: |
+         $expected_checksum="F29399A618BD3A8D1DCC96D349453F686B6176590D904308402A6402543E310B"
+         $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2019.exe | Select-Object -ExpandProperty Hash)
+         echo "Expect : $expected_checksum"
+         echo "Actual : $actual_checksum"
+         if ($expected_checksum -ne $actual_checksum) {
+           Write-Output "Error - Checksum Verification Failed - Exiting"
+           exit 1
+         }
+       if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u')
+
      - name: Install Visual Studio 2019
        if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u'
        run: >
@@ -409,7 +435,7 @@ jobs:
          path: workspace/target/*
 
      - name: Restore build artifacts
-       uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+       uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: ${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
          path: ~/${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}

.github/workflows/ca-cert-updater.yml

@@ -35,7 +35,7 @@ jobs:
         working-directory: ./security
         run: "./mk-ca-bundle.pl"
 
-      - uses: gr2m/create-or-update-pull-request-action@dc1726cbf4dd3ce766af4ec29cfb660e0125e8ee # v1
+      - uses: gr2m/create-or-update-pull-request-action@86ec1766034c8173518f61d2075cc2a173fb8c97 # v1.9.4
         env:
           GITHUB_TOKEN: ${{ secrets.ADOPTIUM_TEMURIN_BOT_TOKEN }}
         with:

.github/workflows/code-freeze.yml

@@ -1,5 +1,5 @@
 # ********************************************************************************
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) with this work for additional
 # information regarding copyright ownership.
@@ -16,7 +16,8 @@ name: Code Freeze Bot
 # Controls when the workflow will run
 on:
   pull_request_target:
-    branches: [ "v[0-9]+.[0-9]+.[0-9]+" ]
+    branches:
+      - '*'
   issue_comment:
     types: [created]
 
@@ -25,6 +26,15 @@ permissions:
   pull-requests: write
 
 jobs:
-  codefreeze:
+  # Check if the pull request target branch matches the required branch-regex?
+  codefreeze_branch_check:
+    uses: adoptium/.github/.github/workflows/code-freeze-regex-branch.yml@main
+    with:
+      branch-regex: "^v[0-9]+.[0-9]+.[0-9]+$"
+
+  # Code freeze if branch-regex matches
+  codefreeze_if_branch_match:
+    needs: codefreeze_branch_check
     uses: adoptium/.github/.github/workflows/code-freeze.yml@main
+    if: (github.event_name == 'pull_request_target' || (github.event_name == 'issue_comment' && github.event.issue.pull_request)) && needs.codefreeze_branch_check.outputs.regex-matches == 'true'
     secrets: inherit

.github/workflows/codeql.yml

@@ -0,0 +1,86 @@
+# ********************************************************************************
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made
+# available under the terms of the Apache Software License 2.0
+# which is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************
+
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java"]
+        # CodeQL supports [ $supported-codeql-languages ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/comment-bot.yml

@@ -17,6 +17,9 @@ on:
   pull_request_target:
     types: [ opened ]
 
+permissions:
+  contents: read
+
 jobs:
   comment:
     permissions:

.github/workflows/labeler.yml

@@ -19,6 +19,9 @@ on:
   issues:
   issue_comment:
 
+permissions:
+  contents: read
+
 jobs:
   label:
     permissions:

.github/workflows/ossf-scorecard.yml

@@ -46,6 +46,6 @@ jobs:
         name: SARIF file
         path: results.sarif
         retention-days: 5
-    - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+    - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v2.13.4
       with:
         sarif_file: results.sarif

.github/workflows/semgrep_diff.yml

@@ -0,0 +1,21 @@
+# ********************************************************************************
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made
+# available under the terms of the Apache Software License 2.0
+# which is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************
+
+---
+name: Semgrep Differential Scan
+on:
+  pull_request:
+
+jobs:
+  semgrep-diff:
+    uses: adoptium/.github/.github/workflows/semgrep_diff.yml@main

.github/workflows/signsbom.yml

@@ -26,6 +26,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 jobs:
   test_sbom_sign:
     name: sign_sbom

.github/workflows/testsbom.yml

@@ -26,6 +26,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 jobs:
   test_sbom_gen:
     name: gen_sbom

.licenserc.yaml

@@ -28,7 +28,7 @@ header:
       
       SPDX-License-Identifier: Apache-2.0
       ********************************************************************************
-    pattern: Copyright (c) \d{4} Contributors to the Eclipse Foundation
+    pattern: Copyright (c) ((\d{4})(, \d{4})*) Contributors to the Eclipse Foundation
 
   comment: on-failure
 
@@ -39,11 +39,14 @@ header:
     - '**/*.asc'
     - '.gitignore'
     - '.dockerignore'
+    - '.semgrepignore'
     - 'docker/.gitignore'
     - 'security/.gitignore'
     - 'security/mk-ca-bundle.pl'
     - 'security/certdata.txt'
     - 'sbin/*.template'
     - '.github/linters/*'
     - 'cyclonedx-lib/getDependencies'
+    - 'cyclonedx-lib/dependency_data/**'
     - 'makejdk-any-platform.1'
+    - 'serverTimestamp.properties'

.semgrepignore

@@ -0,0 +1 @@
+

RELEASING.md

@@ -54,7 +54,7 @@ Create release branch in the format `vYYYY.MM.NN` on each of the following repos
 - ci-jenkins-pipelines <https://github.com/adoptium/ci-jenkins-pipelines>
 - jenkins-helper <https://github.com/adoptium/jenkins-helper>
 
-These branches should be named according to the following format (vYYYY.MM+NN) ,e.g v2023.03+01 , whereby the final element is an incremental counter appended to the year and month of the release.
+These branches should be named according to the following format (vYYYY.MM.NN) ,e.g v2023.03.01 , whereby the final element is an incremental counter appended to the year and month of the release.
 
 If anything needs to be merged into the new branch, it should typically be merged into master, then a `git cherry-pick` operation should be done to create a new PR against the release branch. This can typically be merged without further approval.