Merge branch 'adoptium:master' into master

mahdipub · Mar 12, 2024 · 945a171 · 945a171
2 parents cd9e4c3 + 9cc52b8
commit 945a171
Show file tree

Hide file tree

Showing 40 changed files with 415 additions and 139 deletions.
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -9,20 +9,22 @@
 
 # label_name:
 #   - path/to/file_or_folder
+
 ghActions:
-    - .github/workflows/**/*
+- changed-files:
+  - any-glob-to-any-file: [.github/*]
 doc:
-    - docs/*
-    - '**/*.md'
+- changed-files:
+    - any-glob-to-any-file: [docs/*, '**/*.md']
 Vagrant:
-    - ansible/pbTestScripts/**/*
-    - ansible/vagrant/Vagrantfile*
+- changed-files:
+    - any-glob-to-any-file: [ansible/pbTestScripts/**/*, ansible/vagrant/Vagrantfile*]
 pbTests:
-    - ansible/pbTestScripts/**/*
+- changed-files:
+    - any-glob-to-any-file: [ansible/pbTestScripts/**/*]
 docker:
-    - ansible/docker/Dockerfile*
+- changed-files:
+    - any-glob-to-any-file: [ansible/docker/Dockerfile*]
 ansible:
-    - ansible/playbooks/**/*
-    - ansible/plugins/**/*
-    - ansible/inventory.yml
-    - ansible/ansible.cfg
+- changed-files:
+    - any-glob-to-any-file: [ansible/playbooks/**/*, ansible/plugins/**/*, ansible/inventory.yml, ansible/ansible.cfg]
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,10 +25,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Set up Docker Buildx to use cache feature
-      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
 
     - name: Login to Docker Hub
       uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
@@ -39,7 +39,7 @@ jobs:
 
 
     - name: Docker Build CentOS6 Image Test
-      uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0
+      uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
       with:
         file: ./ansible/docker/Dockerfile.CentOS6
         build-args: git_sha=${{ github.sha }}
@@ -50,7 +50,7 @@ jobs:
       if: github.ref != 'refs/heads/master'
 
     - name: Docker Build & Push Centos6 Image to Docker Hub On Merge
-      uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0
+      uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
       with:
         file: ./ansible/docker/Dockerfile.CentOS6
         build-args: git_sha=${{ github.sha }}
@@ -65,13 +65,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Set up Docker Buildx to use cache feature
-      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
 
     - name: Docker Build Alpine3 Image
-      uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0
+      uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
       with:
         file: ./ansible/docker/Dockerfile.Alpine3
         build-args: git_sha=${{ github.sha }}

diff --git a/.github/workflows/build_mac.yml b/.github/workflows/build_mac.yml
@@ -19,10 +19,10 @@ jobs:
       matrix:
         include:
           - os: [macos-11]
-          - os: [macos-13]
+          - os: [macos-14]
     steps:
 
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Install dependencies
       run: brew install ansible

diff --git a/.github/workflows/build_qemu.yml b/.github/workflows/build_qemu.yml
@@ -36,7 +36,7 @@ jobs:
           #   distro: jessie
 
     steps:
-      - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Run on architecture
         uses: uraimo/run-on-arch-action@517085f0367c8256bcfa753e3e13e1550af09954 # v2.7.1

diff --git a/.github/workflows/build_vagrant.yml b/.github/workflows/build_vagrant.yml
@@ -19,39 +19,53 @@ permissions:
 jobs:
   build-solaris:
     name: Solaris
-    runs-on: macos-12
+    runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-    - name: Install dependencies
-      run: |
-        brew install ansible
+    - name: Install Ansible
+      run: sudo apt-get install ansible
+
+    - name: Install VirtualBox
+      run: sudo apt-get install virtualbox
+
+    - name: Install Vagrant
+      run: sudo apt-get install vagrant
+
+    - name: Cache Solaris10.box
+      id: solaris-10-cache
+      uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
+      with:
+        path: Solaris10.box
+        key: sol10boxcache
 
-    - name: Install Solaris 10 Box If Not Already Present
+    - name: Download Solaris 10 Box If Cache Misses
+      if: steps.solaris-10-cache.outputs.cache-hit != 'true'
+      run: wget https://ci.adoptium.net/userContent/vagrant/Solaris10.box.gz
+
+    - name: Verify Checksum If Cache Misses
+      if: steps.solaris-10-cache.outputs.cache-hit != 'true'
       run: |
-        if [ `vagrant box list|grep ^solaris10|wc -l` -gt 0 ]
+        CKSUM=`shasum -a 256 ./Solaris10.box.gz|cut -d" " -f1`
+        if [ "$CKSUM" = "0879215f4bf03f5e125addb139d0b5a49a4f8a258297b765cf1f22a8a7ee3309" ]
         then
-          echo "Box Exists - Do Nothing"
+          echo "Checksum OK"
         else
-          echo "No Box - Download From Jenkins And Import"
-          wget https://ci.adoptium.net/userContent/vagrant/Solaris10.box.gz
-          CKSUM=`shasum -a 256 ./Solaris10.box.gz|cut -d" " -f1`
-          if [ "$CKSUM" = "0879215f4bf03f5e125addb139d0b5a49a4f8a258297b765cf1f22a8a7ee3309" ]
-          then
-            echo "Checksum OK"
-            gunzip Solaris10.box.gz
-            vagrant box add --name="solaris10" ./Solaris10.box
-            rm Solaris10.box
-          else
-            echo "Sum Bad"
-            exit 99;
-          fi
+          echo "Sum Bad"
+          exit 99;
         fi
 
+    - name: Extract Solaris10.box.gz If Cache Misses
+      if: steps.solaris-10-cache.outputs.cache-hit != 'true'
+      run: gunzip Solaris10.box.gz
+
+    - name: Add Solaris 10 Box To Vagrant
+      run: vagrant box add --name="solaris10" ./Solaris10.box
+
     - name: Setup Vagrant VM
+      working-directory: ansible
       run: |
-        cd ansible
         ln -sf vagrant/Vagrantfile.Solaris10 Vagrantfile
         rm -f id_rsa.pub id_rsa
         # Copy the machine's ssh key for the VMs to use, after removing prior files
@@ -61,12 +75,13 @@ jobs:
         vagrantPORT=$(vagrant port | grep host | awk '{ print $4 }')
         rm -f playbooks/AdoptOpenJDK_Unix_Playbook/hosts.unx
         echo "[127.0.0.1]:${vagrantPORT}" >> playbooks/AdoptOpenJDK_Unix_Playbook/hosts.unx
+        [ ! -d $HOME/.ssh ] && mkdir $HOME/.ssh && chmod 700 $HOME/.ssh
         [ ! -r $HOME/.ssh/known_hosts ] && touch $HOME/.ssh/known_hosts && chmod 644 $HOME/.ssh/known_hosts
+        [ ! -d $HOME/.ansible ] && mkdir $HOME/.ansible
         ssh-keygen -R $(cat playbooks/AdoptOpenJDK_Unix_Playbook/hosts.unx)
         sed -i -e "s/.*hosts:.*/  hosts: all/g" playbooks/AdoptOpenJDK_Unix_Playbook/main.yml
         awk '{print}/^\[defaults\]$/{print "private_key_file = id_rsa"; print "timeout = 60"; print "remote_tmp = $HOME/.ansible/tmp"}' < ansible.cfg > ansible.cfg.tmp && mv ansible.cfg.tmp ansible.cfg
 
     - name: Run Ansible Playbook
-      run: |
-        cd ansible
-        ansible-playbook -i playbooks/AdoptOpenJDK_Unix_Playbook/hosts.unx --ssh-common-args='-o StrictHostKeyChecking=no -o HostKeyAlgorithms=ssh-rsa' -u vagrant -b --skip-tags adoptopenjdk,cups playbooks/AdoptOpenJDK_Unix_Playbook/main.yml
+      working-directory: ansible
+      run: ansible-playbook -i playbooks/AdoptOpenJDK_Unix_Playbook/hosts.unx --ssh-common-args='-o HostKeyAlgorithms=ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 -o PubKeyAcceptedKeyTypes=ssh-rsa' -u vagrant -b --skip-tags adoptopenjdk,cups playbooks/AdoptOpenJDK_Unix_Playbook/main.yml
diff --git a/.github/workflows/build_wsl.yml b/.github/workflows/build_wsl.yml
@@ -41,9 +41,9 @@ jobs:
         .\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert
         .\ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck
 
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-    - uses: Vampire/setup-wsl@c5a800f46e4525a2e9f0b4d2be3262c85dea9f57 # v2.0.2
+    - uses: Vampire/setup-wsl@d4e837996638afd047e7b468de70e28fe76cf75a # v3.0.0
 
     - name: Install dependencies
       run: |

diff --git a/.github/workflows/check_dockerstatic.yml b/.github/workflows/check_dockerstatic.yml
@@ -28,7 +28,7 @@ jobs:
          - os: alpine3.19
            dockerfile: "Dockerfile.alp319"
     steps:
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Test Dockerfile on ${{ matrix.os }}
       env:
         DOCKERFILE: ${{ matrix.dockerfile }}
@@ -45,7 +45,7 @@ jobs:
          - os: centos8
            dockerfile: "Dockerfile.cent8"
     steps:
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Test Dockerfile on ${{ matrix.os }}
       env:
         DOCKERFILE: ${{ matrix.dockerfile }}
@@ -62,7 +62,7 @@ jobs:
          - os: fedora39
            dockerfile: "Dockerfile.f39"
     steps:
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Test Dockerfile on ${{ matrix.os }}
       env:
         DOCKERFILE: ${{ matrix.dockerfile }}
@@ -83,7 +83,7 @@ jobs:
          - os: ubuntu22.04
            dockerfile: "Dockerfile.u2204"
     steps:
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Test Dockerfile on ${{ matrix.os }}
       env:
         DOCKERFILE: ${{ matrix.dockerfile }}

diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml
@@ -7,6 +7,10 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   codefreeze:
     uses: adoptium/.github/.github/workflows/code-freeze.yml@main

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -5,17 +5,22 @@ on:
   pull_request_target:
   issues:
   issue_comment:
-
+  
 jobs:
   triage:
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     runs-on: ubuntu-latest
+    name: Assign Labels
     steps:
-    - uses: actions/labeler@5c7539237e04b714afd8ad9b4aed733815b9fab4 # v4.0.2
+    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
       if: ${{ github.event.pull_request }}
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
 
-    - uses: fuxingloh/multi-labeler@fb9bc28b2d65e406ffd208384c5095793c3fd59a # v1.8.0
+    - uses: fuxingloh/multi-labeler@b15a54460c38f54043fa75f7b08a0e2aa5b94b5b # v4.0.0
       with:
         github-token: "${{secrets.GITHUB_TOKEN}}"
         config-path: .github/regex_labeler.yml
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: 'Yamllint'
       uses: karancode/yamllint-github-action@fdef6bc189425ecc84cc4543b2674566c0827053 # v2.1.1
@@ -39,10 +39,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Set up Python 3.x
-      uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # v2.3.3
+      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: '3.x'
 

diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml
@@ -0,0 +1,23 @@
+---
+name: Semgrep Differential Scan
+on:
+  pull_request:
+
+jobs:
+  semgrep-diff:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      # Step 1: Clone application source code
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      # Step 2: Differential scan
+      - name: Differential scan
+        run: |
+          semgrep ci \
+            --config="p/trailofbits"
diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1,2 @@
+# Ignore The Nagios Configuration J2 templates, as they are only examples.
+./ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2
diff --git a/FAQ.md b/FAQ.md
@@ -208,8 +208,10 @@ is more information on running tests yourself in the
 
 A few examples that test specific pieces of infra-related functionality so useful to be aware of.
 These are the parameters to pass into a Grinder job in jenkins. If using
-these from the command line as per the example above, the `TARGET` name
-should have an underscore `_` prepended to it.
+these from the command line instead of a Grinder job there are a couple of
+things regarding the information in this table:
+- The `TARGET` name should have an underscore `_` prepended to it (like the shell snippet above)
+- For custom targets, specify it as a JDK_CUSTOM_TARGET variable to make e.g. `make _jdk_custom JDK_CUSTOM_TARGET=java/lang/invoke/lambda/LambdaFileEncodingSerialization.java`
 
 | `BUILD_LIST` | `TARGET` | `CUSTOM_TARGET` | What does it test? |
 | --- | --- | --- | --- |

diff --git a/README.md b/README.md
@@ -118,11 +118,11 @@ to do an out-of-bound patch if a sufficientl sever issue is identified.
    to identify any potential problems. Allow jenkins to upgrade itself
 5. Redo step 1/2 so that any plugins that were unable to be updated due to
    the older jenkins level can update themselves.
-6. If necessary, and the remediation cannot be performed within the window,
-   identify potentially risky plugins that were held back and create an issue
-   to deal with them in the next cycle.
-
-(TODO: Publish and link to video of an upgrade session)
+6. If necessary, and the remediation cannot be performed within the
+   maintenance window, identify potentially risky plugins that were held
+   back and create an issue to deal with them in the next cycle.
+7. Backup the main war in /usr/share/jenkins to a name with a version suffix
+   in case of corruption to the main jar.
 
 ### Backups
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Ignore The Nagios Configuration J2 templates, as they are only examples.
		./ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2