Merge branch 'jetty:jetty-10.0.x' into jetty-10.0.x

mwgmnn · Jan 13, 2025 · 3b53231 · 3b53231
2 parents f44f09b + 5028a23
commit 3b53231
Show file tree

Hide file tree

Showing 4,358 changed files with 56,007 additions and 52,005 deletions.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +1,5 @@
 blank_issues_enabled: true
 contact_links:
   - name: Jetty Security Reports
-    url: https://www.eclipse.org/jetty/security_reports.php
+    url: https://eclipse.dev/jetty/security_reports.php
     about: Please raise security issues here.
diff --git a/.github/ISSUE_TEMPLATE/enhancement-template.md b/.github/ISSUE_TEMPLATE/enhancement-template.md
@@ -7,7 +7,8 @@ labels: Enhancement
 
 ---
 
-**Target Jetty version(s)**
+**Jetty version(s)**
+_[Jetty 9.x is now at End of Community Support](https://github.com/jetty/jetty.project/issues/7958)_
 
 **Enhancement Description**
 
diff --git a/.github/ISSUE_TEMPLATE/issue-template.md b/.github/ISSUE_TEMPLATE/issue-template.md
@@ -8,13 +8,17 @@ labels: Bug
 ---
 
 **Jetty version(s)**
+<!--[Jetty 9.x is now at End of Community Support](https://github.com/jetty/jetty.project/issues/7958) -->
+
+**Jetty Environment**
+<!-- Applicable for jetty-12 only, choose: core, ee8, ee9, ee10 -->
 
 **Java version/vendor** `(use: java -version)`
 
 **OS type/version**
 
 **Description**
-_Do not report security issues here! See [Jetty Security Reports](https://www.eclipse.org/jetty/security_reports.php)._
+<!-- Do not report security issues here! See [Jetty Security Reports](https://eclipse.dev/jetty/security_reports.php) -->
 
 **How to reproduce?**
 

diff --git a/.github/ISSUE_TEMPLATE/question-template.md b/.github/ISSUE_TEMPLATE/question-template.md
@@ -7,9 +7,12 @@ assignees: ''
 
 ---
 
-**Jetty version**
+**Jetty Version**
 
-**Java version**
+**Jetty Environment**
+<!-- Applicable only for jetty-12, choose: core, ee8, ee9, ee10 -->
+
+**Java Version**
 
 **Question**
 

diff --git a/.github/ISSUE_TEMPLATE/release-template.md b/.github/ISSUE_TEMPLATE/release-template.md
@@ -16,26 +16,33 @@ This release process will produce releases:
 - [x] Create the release(s) issue.
 - [ ] Update the target Jetty version(s) in the issue.  
 - [ ] Update the target release date in the issue.
-- [ ] Link this issue to the target [GitHub Project(s)](https://github.com/eclipse/jetty.project/projects).
+- [ ] Link this issue to the target [GitHub Project(s)](https://github.com/jetty/jetty.project/projects).
 - [ ] Assign this issue to a "release manager".
-- [ ] Review [draft security advisories](https://github.com/eclipse/jetty.project/security/advisories). Ensure that issues are created and assigned to GitHub Projects to capture any advisories that will be announced.
-- [ ] Create the [GitHub Project(s)](https://github.com/eclipse/jetty.project/projects) for the next releases.
-- [ ] Review the issues/PRs assigned to the target [GitHub Project(s)](https://github.com/eclipse/jetty.project/projects).  Any PRs that are moved to next releases should be commented on so their authors are informed.
-- [ ] Freeze the target [GitHub Project(s)](https://github.com/eclipse/jetty.project/projects) by editing their names to "Jetty X.Y.Z FROZEN"
+- [ ] Review [draft security advisories](https://github.com/jetty/jetty.project/security/advisories). Ensure that issues are created and assigned to GitHub Projects to capture any advisories that will be announced.
+- [ ] Update [GitHub Project(s)](https://github.com/jetty/jetty.project/projects)
+  + [ ] Create new project for the next releases (not this release).
+  + [ ] Ensure new project is public (not private)
+  + [ ] Freeze the target [GitHub Project(s)](https://github.com/jetty/jetty.project/projects) by editing their names to "Jetty X.Y.Z FROZEN"
+  + [ ] Review the issues/PRs assigned to the target [GitHub Project(s)](https://github.com/jetty/jetty.project/projects).  Any tasks that are not-yet-started are moved to next releases.
+- [ ] Review dependabot status. [Manually](https://github.com/jetty/jetty.project/network/updates) run dependabot if needed and review resulting PRs for inclusion.
+      Such updates should only be included in the week before a release if there is a compelling security or stability reason to do so.
 - [ ] Wait 24 hours from last change to the issues/PRs included in FROZEN GitHub Project(s).
-- [ ] Verify target [project(s)](https://github.com/eclipse/jetty.project/projects) are complete.
+- [ ] Verify target [project(s)](https://github.com/jetty/jetty.project/projects) are complete.
 - [ ] Verify that branch `jetty-10.0.x` is merged to branch `jetty-11.0.x`.
 - [ ] Assign issue to "build manager", who will stage the releases.
+  + [ ] Create and use branches `release/<ver>` to perform version specific release work from.
   + [ ] Ensure `VERSION.txt` additions for each release will be meaningful, descriptive, correct text.
   + [ ] Stage 9.4 release with Java 11.
-  + [ ] Stage 10 release with Java 17.
-  + [ ] Stage 11 release with Java 17.
-  + [ ] Edit a draft release (for each Jetty release) in GitHub (https://github.com/eclipse/jetty.project/releases). Content is generated with the "changelog tool".
+  + [ ] Stage 10 release with Java 21.
+  + [ ] Stage 11 release with Java 21.
+  + [ ] Push release branches `release/<ver>` to to https://github.com/jetty/jetty.project
+  + [ ] Push release tags `jetty-<ver>` to https://github.com/jetty/jetty.project
+  + [ ] Edit a draft release (for each Jetty release) in GitHub (https://github.com/jetty/jetty.project/releases). Content is generated with the "changelog tool".
 - [ ] Assign issue to "test manager", who will oversee the testing of the staged releases.
   + [ ] Test [CometD](https://github.com/cometd/cometd).
   + [ ] Test [Reactive HttpClient](https://github.com/jetty-project/jetty-reactive-httpclient).
   + [ ] Test [Load Generator](https://github.com/jetty-project/jetty-load-generator).
-  + [ ] Test [Jetty Docker images](https://github.com/eclipse/jetty.docker).
+  + [ ] Test [Jetty Docker images](https://github.com/jetty/jetty.docker).
   + [ ] Test other [Jetty OSS integrations](https://jenkins.webtide.net/job/external_oss).
   + [ ] Check [TCK CI](https://jenkins.webtide.net/job/tck).
   + [ ] Test sponsored integrations.
@@ -46,12 +53,12 @@ This release process will produce releases:
 - [ ] Promote staged releases.
 - [ ] Merge release branches back to main branches and delete release branches.
 - [ ] Verify release existence in Maven Central by triggering the Jenkins builds of CometD.
-- [ ] Update Jetty versions on the web sites.
-  + [ ] Update (or check) [Download](https://www.eclipse.org/jetty/download.php) page is updated.
+- [ ] Update Jetty versions on the website (follow instructions in [jetty.website](https://github.com/jetty/jetty.website/blob/master/README.md) ).
+  + [ ] Update (or check) [Download](https://jetty.org/download.html) page is updated.
   + [ ] Update (or check) documentation page(s) are updated.
 - [ ] Publish GitHub Releases.
 - [ ] Prepare release announcement for mailing lists.
-- [ ] Publish any [security advisories](https://github.com/eclipse/jetty.project/security/advisories).
+- [ ] Publish any [security advisories](https://github.com/jetty/jetty.project/security/advisories).
   + [ ] Edit `VERSION.txt` to include any actual CVE number next to correspondent issue.
   + [ ] Edit any issues for CVEs in github with their CVE number
 - [ ] Notify downstream maintainers.

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -2,40 +2,19 @@ version: 2
 updates:
   - package-ecosystem: "maven"
     directory: "/"
-    open-pull-requests-limit: 20
-    target-branch: "jetty-9.4.x"
-    schedule:
-      interval: "daily"
-    # Associate with milestone 9.4.x
-    milestone: 3
-    ignore:
-      # Restrict updates in this branch to jetty in the 9.4.x space
-      - dependency-name: "javax.servlet:*"
-        versions: [ ">=4.0.0" ]
-      - dependency-name: "javax.activation:*"
-        versions: [ ">=1.3.0" ]
-      - dependency-name: "javax.annotation:*"
-        versions: [ ">=2.0.0" ]
-      - dependency-name: "javax.el:*"
-        versions: [ ">=4.0.0" ]
-      - dependency-name: "javax.inject:*"
-        versions: [ ">=2.0.0" ]
-      - dependency-name: "javax.websocket:*"
-        versions: [ ">=1.1.0" ]
-      - dependency-name: "org.infinispan:*"
-        versions: [ ">=12" ]
-      - dependency-name: "org.jboss.weld.servlet:*"
-        versions: [ ">=4.0.0" ]
-
-  - package-ecosystem: "maven"
-    directory: "/"
-    open-pull-requests-limit: 20
+    open-pull-requests-limit: 50
     target-branch: "jetty-10.0.x"
     schedule:
-      interval: "daily"
+      interval: "monthly"
+      day: "saturday"
+      time: "10:00"
+      timezone: "Australia/Brisbane"
     # Associate with milestone 10.0.x
     milestone: 6
     ignore:
+      # Do not upgrade major versions of dependencies
+      - dependency-name: "*"
+        update-types: [ "version-update:semver-major" ]
       # Restrict updates in this branch to jetty in the 10.x.x space
       - dependency-name: "jakarta.servlet:*"
         versions: [ ">=5.0.0" ]
@@ -51,6 +30,8 @@ updates:
         versions: [ ">=2.0.0" ]
       - dependency-name: "jakarta.websocket:*"
         versions: [ ">=2.0.0" ]
+      - dependency-name: "jakarta.servlet.jsp:*"
+        versions: [ ">=2.4.0" ]
       - dependency-name: "jakarta.servlet.jsp.jstl:*"
         versions: [ ">=2.0.0" ]
       - dependency-name: "org.jboss.weld.servlet:*"
@@ -65,16 +46,28 @@ updates:
         versions: [ ">=12" ]
       - dependency-name: "jakarta.xml.bind:*"
         versions: [ ">=3.0.0" ]
+      - dependency-name: "org.glassfish.jaxb:*"
+        versions: [ ">=3.0.0"]
+      - dependency-name: "ch.qos.logback:*"
+        versions: [ ">=1.4.0"]
+      - dependency-name: "com.hazelcast:*"
+        versions: [ ">=5.4.0"]
 
   - package-ecosystem: "maven"
     directory: "/"
-    open-pull-requests-limit: 20
+    open-pull-requests-limit: 30
     target-branch: "jetty-11.0.x"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+      day: "saturday"
+      time: "10:00"
+      timezone: "Australia/Brisbane"
     # Associate with milestone 11.0.x
     milestone: 7
     ignore:
+      # Do not upgrade major versions of dependencies
+      - dependency-name: "*"
+        update-types: [ "version-update:semver-major" ]
       # Restrict updates in this branch to jetty in the 11.x.x space
       - dependency-name: "jakarta.activation:*"
         versions: [ ">=2.1.0" ]
@@ -106,6 +99,8 @@ updates:
         versions: [ ">=4.0.0" ]
       - dependency-name: "jakarta.xml.bind:*"
         versions: [ ">=4.0.0" ]
+      - dependency-name: "org.glassfish.jaxb:*"
+        versions: [ ">=4.0.0"]
       - dependency-name: "jakarta.xml.ws:*"
         versions: [ ">=4.0.0" ]
       - dependency-name: "com.sun.xml.ws:jaxws*"
@@ -114,3 +109,22 @@ updates:
         versions: [ ">=5.0.0" ]
       - dependency-name: "org.infinispan:*"
         versions: [ ">=12" ]
+      - dependency-name: "com.hazelcast:*"
+        versions: [ ">=5.4.0"]
+      - dependency-name: "org.jboss.threads:jboss-threads"
+        versions: [ ">=3.7.0"]
+
+
+  - package-ecosystem: "maven"
+    directory: "/"
+    open-pull-requests-limit: 30
+    target-branch: "jetty-9.4.x"
+    schedule:
+      interval: "monthly"
+      day: "saturday"
+      time: "10:00"
+      timezone: "Australia/Brisbane"
+    ignore:
+      # Restrict updates in this branch to jetty in the 9.4.x space
+      - dependency-name: "org.infinispan:*"
+        versions: [ ">=12" ]
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,91 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ 'jetty-10.[1-9]?[0-9].x', 'jetty-11.[1-9]?[0-9].x', 'jetty-12.[1-9]?[0-9].x' ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ 'jetty-10.[1-9]?[0-9].x', 'jetty-11.[1-9]?[0-9].x', 'jetty-12.[1-9]?[0-9].x' ]
+  schedule:
+    - cron: '22 1 * * 2'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        languages:
+          - java
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Install and setup JDK 11
+      - name: Setup JDK 11
+        uses: actions/setup-java@v3
+        if: ${{
+          startsWith(github.ref, 'refs/heads/jetty-10.') ||
+          startsWith(github.ref, 'refs/heads/jetty-11.') ||
+          startsWith(github.base_ref, 'jetty-10.') ||
+          startsWith(github.base_ref, 'jetty-11.')
+          }}
+        with:
+          distribution: temurin
+          java-version: 11
+          cache: maven
+
+      # Install and setup JDK 17
+      - name: Setup JDK 17
+        uses: actions/setup-java@v3
+        if: ${{
+          startsWith(github.ref, 'refs/heads/jetty-12.') ||
+          startsWith(github.base_ref, 'jetty-12.')
+          }}
+        with:
+          distribution: temurin
+          java-version: 17
+          cache: maven
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.languages }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      - name: Set up Maven
+        run: mvn --errors --batch-mode --show-version wrapper:wrapper "-Dmaven=3.9.6"
+
+      - name: Clean install dependencies and build
+        run: ./mvnw clean install -DskipTests -B
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/stale-action.yml b/.github/workflows/stale-action.yml
@@ -3,8 +3,14 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v4