Merge branch 'main' into feature/code-coverage

Author: mkleene

.github/dco.yml

@@ -0,0 +1,2 @@
+require:
+  members: false

.github/workflows/checks.yaml

@@ -27,7 +27,7 @@ jobs:
       - name: Conventional Commits Check
         if: contains(fromJSON('["pull_request", "pull_request_target"]'), github.event_name)
         id: conventional-commits
-        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -58,12 +58,12 @@ jobs:
   mavenverify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-      - uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up JDK
-        uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: "11"
           distribution: "adopt"
@@ -79,26 +79,26 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check out repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3
+      - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up JDK
-        uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: "17"
           distribution: "temurin"
           server-id: github
       - name: Cache SonarCloud packages
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
       - name: Cache Maven packages
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -115,12 +115,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Java SDK
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-      - uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up JDK
-        uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: "11"
           distribution: "adopt"
@@ -152,21 +152,21 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --attr https://example.com/attr/attr1/value/value1 --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --attr https://example.com/attr/attr1/value/value1 --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt -f test.tdf > decrypted
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             metadata -f test.tdf > metadata
 
@@ -188,14 +188,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             encryptnano --kas-url=http://localhost:8080 --attr https://example.com/attr/attr1/value/value1 -f data -m 'here is some metadata' > nano.ntdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decryptnano -f nano.ntdf > decrypted
           
@@ -215,14 +215,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --with-assertions=$ASSERTIONS --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions=$ASSERTIONS --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt -f test.tdf > decrypted
           
@@ -246,14 +246,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --with-assertions="$SIGNED_ASSERTIONS_HS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions="$SIGNED_ASSERTIONS_HS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt --with-assertion-verification-keys="$SIGNED_ASSERTION_VERIFICATON_HS256" -f test.tdf > decrypted
           
@@ -267,14 +267,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --with-assertions "$SIGNED_ASSERTIONS_RS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions "$SIGNED_ASSERTIONS_RS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt --with-assertion-verification-keys "$SIGNED_ASSERTION_VERIFICATON_RS256" -f test.tdf > decrypted
           
@@ -300,23 +300,23 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080,localhost:8282 -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080,http://localhost:8282 -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            decrypt -f test.tdf > decrypted
+            decrypt -f test.tdf --kas-allowlist http://localhost:8080,http://localhost:8282  > decrypted
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            metadata -f test.tdf > metadata
+            metadata -f test.tdf --kas-allowlist http://localhost:8080,http://localhost:8282 > metadata
 
           if ! diff -q data decrypted; then
             printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
@@ -337,7 +337,8 @@ jobs:
     uses: opentdf/tests/.github/workflows/xtest.yml@main
     with:
       focus-sdk: java
-      java-ref: ${{ github.ref }}
+      java-ref: ${{ github.ref }} latest
+      platform-ref: main lts
 
   ci:
     needs:

.github/workflows/codeql.yaml

@@ -23,10 +23,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Buf setup
-      uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3
+      uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
 
     - name: Initialize the CodeQL tools for scanning
       uses: github/codeql-action/init@v3

.github/workflows/dependency-review.yaml

@@ -0,0 +1,92 @@
+# Config documentation: https://github.com/actions/dependency-review-action?tab=readme-ov-file#configuration
+name: 'Dependency Review'
+on:
+  pull_request: {}
+  merge_group:
+  workflow_call:
+    inputs:
+      fail-on-severity:
+        description: "Minimum severity to fail job."
+        default: "low"
+        required: false
+        type: string
+      base-ref:
+        description: "Base ref for building diff."
+        default: ""
+        required: false
+        type: string
+      head-ref:
+        description: "Head ref for building diff."
+        default: ""
+        required: false
+        type: string
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: "Skipping on merge queue event"
+        if: ${{ github.event_name == 'merge_group' }}
+        run: |
+          echo "Skipping on merge queue event"
+
+      - name: Checkout
+        if: ${{ github.event_name != 'merge_group' }}
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: 'Dependency Review'
+        if: ${{ github.event_name != 'merge_group' }}
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          fail-on-severity: ${{ inputs.fail-on-severity }}
+          deny-licenses: >
+            GPL-2.0,
+            AGPL-1.0,
+            AGPL-1.0-or-later,
+            AGPL-1.0-only,
+            AGPL-3.0,
+            AGPL-3.0-only,
+            AGPL-3.0-or-later,
+            GPL-1.0,
+            GPL-1.0+,
+            GPL-1.0-only,
+            GPL-1.0-or-later,
+            CNRI-Python-GPL-Compatible,
+            GPL-2.0+,
+            GPL-2.0-only,
+            GPL-2.0-or-later,
+            GPL-2.0-with-GCC-exception,
+            GPL-2.0-with-autoconf-exception,
+            GPL-2.0-with-bison-exception,
+            GPL-2.0-with-classpath-exception,
+            GPL-2.0-with-font-exception,
+            GPL-3.0,
+            GPL-3.0+,
+            GPL-3.0-only,
+            GPL-3.0-or-later,
+            GPL-3.0-with-GCC-exception,
+            GPL-3.0-with-autoconf-exception,
+            LGPL-2.0,
+            LGPL-2.0+,
+            LGPL-2.0-only,
+            LGPL-2.0-or-later,
+            LGPL-2.1,
+            LGPL-2.1+,
+            LGPL-2.1-only,
+            LGPL-2.1-or-later,
+            LGPL-3.0,
+            LGPL-3.0+,
+            LGPL-3.0-only,
+            LGPL-3.0-or-later,
+            LGPLLR,
+            NGPL
+          comment-summary-in-pr: on-failure
+          base-ref: ${{ inputs.base-ref || github.event.pull_request.base.sha || github.event.repository.default_branch }}
+          head-ref: ${{ inputs.head-ref || github.event.pull_request.head.sha || github.ref }}

.github/workflows/release.yaml

@@ -21,7 +21,7 @@ jobs:
         with:
           app-id: "${{ secrets.APP_ID }}"
           private-key: "${{ secrets.AUTOMATION_KEY }}"
-      - uses: google-github-actions/release-please-action@v4
+      - uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
         with:
           token: "${{ steps.generate_token.outputs.token }}"
           config-file: release-please.json
@@ -30,15 +30,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Buf
-        uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3
+        uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       # stage maven profile
       - name: Set up JDK to publish to GitHub Packages
         if: github.ref == 'refs/heads/main'
-        uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: "11"
           distribution: "adopt"
@@ -60,7 +60,7 @@ jobs:
       # release maven profile
       - name: Set up JDK to publish to Maven Central
         if: startsWith(github.ref, 'refs/tags/')
-        uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: "11"
           distribution: "adopt"