diff --git a/.github/workflows/ci.build.yml b/.github/workflows/ci.build.yml
new file mode 100644
index 000000000000..86c378599e2e
--- /dev/null
+++ b/.github/workflows/ci.build.yml
@@ -0,0 +1,214 @@
+# Guava GitHub CI
+# ---------------------------------------------------------------------------------------------------------------------
+# This is the main CI build on GitHub for the Google Guava project. This workflow is not invoked directly; instead, the
+# `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a
+# Reusable Workflow.
+#
+# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a
+# button within the UI of the GitHub repository. You can trigger the workflow from here:
+#
+# https://github.com/google/guava/actions/workflows/ci.build.yml
+#
+# ## Inputs
+#
+# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow
+# can be controlled when called.
+#
+# ## SLSA Provenance
+#
+# After building Guava in both JRE and Android variants, this workflow will (if enabled) generate provenance material
+# and upload it to an associated release. Learn more about SLSA here: https://slsa.dev.
+
+name: Build
+
+on:
+ workflow_call:
+ inputs:
+ provenance:
+ type: boolean
+ description: "Provenance"
+ default: false
+ provenance_publish:
+ type: boolean
+ description: "Publish: Provenance"
+ default: true
+ snapshot:
+ type: boolean
+ description: "Publish: Snapshot"
+ default: false
+ repository:
+ type: string
+ description: "Publish Repository"
+ default: "sonatype-nexus-snapshots"
+
+ workflow_dispatch:
+ inputs:
+ provenance:
+ type: boolean
+ description: "Provenance"
+ default: false
+ provenance_publish:
+ type: boolean
+ description: "Publish: Provenance"
+ default: false
+ snapshot:
+ type: boolean
+ description: "Publish: Snapshot"
+ default: true
+ repository:
+ type: string
+ description: "Publish Repository"
+ default: "sonatype-nexus-snapshots"
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ strategy:
+ fail-fast: false
+ matrix:
+ mode: ["JRE", "Android"]
+ name: "Build Guava (${{ matrix.mode }})"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+ env:
+ ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.azul.com:443
+ api.github.com:443
+ cdn.azul.com:443
+ dl.google.com:443
+ docs.oracle.com:443
+ errorprone.info:443
+ github.com:443
+ objects.githubusercontent.com:443
+ oss.sonatype.org:443
+ repo.maven.apache.org:443
+ services.gradle.org:443
+ - name: 'Check out repository'
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+ - name: 'Set up JDK 21'
+ uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+ with:
+ java-version: 21
+ distribution: 'zulu'
+ cache: 'maven'
+ - name: 'Install'
+ shell: bash
+ run: |
+ ./mvnw \
+ --strict-checksums \
+ -B \
+ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+ install \
+ -U \
+ -DskipTests=true \
+ -Dmaven.javadoc.skip=false \
+ -Dgpg.skip \
+ -f $ROOT_POM
+ - name: Generate hashes
+ shell: bash
+ id: hash
+ if: matrix.mode == 'JRE'
+ run: |
+ echo "Building SLSA provenance material..."
+ ls guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar
+ echo "hashes=$(sha256sum guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar | base64 -w0)" >> ./provenance-hashes.txt
+ cat ./provenance-hashes.txt >> "$GITHUB_OUTPUT"
+ echo "Gathered provenance hashes:"
+ cat ./provenance-hashes.txt
+ - name: 'Upload artifacts'
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ if: matrix.mode == 'JRE'
+ with:
+ name: guava-artifacts-${{ matrix.mode == 'Android' && 'android' || 'jre' }}-${{ github.sha }}
+ path: |
+ guava/target/*.jar
+ guava-gwt/target/*.jar
+ guava-testlib/target/*.jar
+ ./provenance-hashes.txt
+ if-no-files-found: warn
+ retention-days: 7
+
+ # Generate SLSA provenance
+ provenance:
+ needs: [build]
+ if: inputs.provenance
+ name: "SLSA Provenance"
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ with:
+ base64-subjects: "${{ needs.build.outputs.hashes }}"
+ upload-assets: ${{ inputs.provenance_publish }}
+
+ # Publish snapshot JAR
+ publish_snapshot:
+ name: 'Publish Snapshot'
+ needs: [build, provenance]
+ if: inputs.snapshot
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+ - name: 'Check out repository'
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: 'Set up JDK 21'
+ uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+ with:
+ java-version: 21
+ distribution: 'zulu'
+ server-id: ${{ inputs.repository }}
+ server-username: CI_DEPLOY_USERNAME
+ server-password: CI_DEPLOY_PASSWORD
+ cache: 'maven'
+ - name: "Download artifacts"
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+ with:
+ name: guava-artifacts-jre-${{ github.sha }}
+ - name: 'Publish'
+ env:
+ CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }}
+ CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }}
+ run: ./util/deploy_snapshot.sh
+
+ generate_docs:
+ permissions:
+ contents: write
+ name: 'Generate Docs'
+ needs: build
+ if: github.event_name == 'push' && github.repository == 'google/guava'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+ - name: 'Check out repository'
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: 'Set up JDK 21'
+ uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+ with:
+ java-version: 21
+ distribution: 'zulu'
+ cache: 'maven'
+ - name: 'Generate latest docs'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: ./util/update_snapshot_docs.sh
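Review bot: The `publish_snapshot` job is the only one in this file that receives `CI_DEPLOY_USERNAME`/`CI_DEPLOY_PASSWORD`, yet its Harden Runner step uses `egress-policy: audit` and its checkout omits `persist-credentials: false`, so the job holding the deploy secrets has the weakest containment. I would switch it to `egress-policy: block` with an allow-list like the one on the `build` job and add `persist-credentials: false` to its checkout. `generate_docs` and the Harden Runner step added in scorecard.yml also run in audit mode and deserve a comment saying why. Separately, `needs: [build, provenance]` with `if: inputs.snapshot` means publishing is skipped whenever `provenance` is skipped, which is the `workflow_dispatch` default (`provenance: false`, `snapshot: true`); `if: ${{ !cancelled() && inputs.snapshot && needs.build.result == 'success' && needs.provenance.result != 'failure' }}` would express the intent. Whether the published snapshot is the same artifact the provenance hashes cover depends on `util/deploy_snapshot.sh`, which is not visible here.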
diff --git a/.github/workflows/ci.test.yml b/.github/workflows/ci.test.yml
new file mode 100644
index 000000000000..b642288a455c
--- /dev/null
+++ b/.github/workflows/ci.test.yml
@@ -0,0 +1,114 @@
+# Guava GitHub CI
+# ---------------------------------------------------------------------------------------------------------------------
+# This is the main CI testsuite on GitHub for the Google Guava project. This workflow is not invoked directly; instead,
+# the `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a
+# Reusable Workflow.
+#
+# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a
+# button within the UI of the GitHub repository. You can trigger the workflow from here:
+#
+# https://github.com/google/guava/actions/workflows/ci.test.yml
+#
+# ## Inputs
+#
+# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow
+# can be controlled when called.
+#
+# ## Multi-OS and Multi-JVM Testing
+#
+# Guava is tested against each LTS release at JDK 8 through JDK 21, on Linux and on Windows (starting at JDK 17), and
+# in Android and JRE flavors.
+
+name: Tests
+
+on:
+ workflow_call: {}
+ workflow_dispatch: {}
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ name: "JDK ${{ matrix.java }} ${{ matrix.mode }} (${{ matrix.os }})"
+ strategy:
+ matrix:
+ os: [ ubuntu-latest ]
+ java: [ 8, 11, 17, 21 ]
+ mode: [ 'JRE', 'Android' ]
+ include:
+ - os: windows-latest
+ java: 21
+ mode: JRE
+ - os: windows-latest
+ java: 21
+ mode: Android
+ runs-on: ${{ matrix.os }}
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+ env:
+ ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.azul.com:443
+ api.github.com:443
+ cdn.azul.com:443
+ dl.google.com:443
+ docs.oracle.com:443
+ errorprone.info:443
+ github.com:443
+ objects.githubusercontent.com:443
+ oss.sonatype.org:443
+ repo.maven.apache.org:443
+ services.gradle.org:443
+ - name: 'Check out repository'
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ persist-credentials: false
+ - name: 'Set up JDK ${{ matrix.java }}'
+ uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+ with:
+ java-version: ${{ matrix.java }}
+ distribution: 'zulu'
+ cache: 'maven'
+ - name: 'Install'
+ shell: bash
+ run: |
+ ./mvnw \
+ --strict-checksums \
+ -B \
+ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+ install \
+ -U \
+ -DskipTests=true \
+ -Dgpg.skip \
+ -Dmaven.javadoc.skip=true \
+ -f $ROOT_POM
+ - name: 'Test'
+ shell: bash
+ run: |
+ ./mvnw \
+ --strict-checksums \
+ -B \
+ -P!standard-with-extra-repos \
+ verify \
+ -U \
+ -Dmaven.javadoc.skip=true \
+ -f $ROOT_POM
+ - name: 'Print Surefire reports'
+ # Note: Normally a step won't run if the job has failed, but this causes it to
+ if: ${{ failure() }}
+ shell: bash
+ run: ./util/print_surefire_reports.sh
+ - name: 'Integration Test'
+ if: matrix.java == 11
+ shell: bash
+ run: util/gradle_integration_tests.sh
+
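Review bot: The job-level `outputs: hashes: ${{ steps.hash.outputs.hashes }}` refers to a step id `hash` that does not exist in this workflow (it looks carried over from ci.build.yml), so the output is always empty and both lines can be dropped. The header comment says Windows is tested "starting at JDK 17", but the `include` entries add `windows-latest` only at `java: 21`. A comment next to the Harden Runner step would also help: to my knowledge this action version enforces `egress-policy: block` on Linux runners only, so the `windows-latest` legs probably run without the egress allow-list; confirm against the action's documentation.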
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 0fc561fbcd75..000000000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,105 +0,0 @@
-name: CI
-
-on:
- push:
- branches:
- - master
- pull_request:
- branches:
- - master
-
-permissions:
- contents: read
-
-jobs:
- test:
- permissions:
- actions: write # for styfle/cancel-workflow-action to cancel/stop running workflows
- contents: read # for actions/checkout to fetch code
- name: "${{ matrix.root-pom }} on JDK ${{ matrix.java }} on ${{ matrix.os }}"
- strategy:
- matrix:
- os: [ ubuntu-latest ]
- java: [ 8, 11, 17, 21 ]
- root-pom: [ 'pom.xml', 'android/pom.xml' ]
- include:
- - os: windows-latest
- java: 21
- root-pom: pom.xml
- runs-on: ${{ matrix.os }}
- env:
- ROOT_POM: ${{ matrix.root-pom }}
- steps:
- # Cancel any previous runs for the same branch that are still running.
- - name: 'Cancel previous runs'
- uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
- with:
- access_token: ${{ github.token }}
- - name: 'Check out repository'
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- - name: 'Set up JDK ${{ matrix.java }}'
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
-
- with:
- java-version: ${{ matrix.java }}
- distribution: 'zulu'
- cache: 'maven'
- - name: 'Install'
- shell: bash
- run: ./mvnw -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM
- - name: 'Test'
- shell: bash
- run: ./mvnw -B -P!standard-with-extra-repos verify -U -Dmaven.javadoc.skip=true -f $ROOT_POM
- - name: 'Print Surefire reports'
- # Note: Normally a step won't run if the job has failed, but this causes it to
- if: ${{ failure() }}
- shell: bash
- run: ./util/print_surefire_reports.sh
- - name: 'Integration Test'
- if: matrix.java == 11
- shell: bash
- run: util/gradle_integration_tests.sh
-
- publish_snapshot:
- name: 'Publish snapshot'
- needs: test
- if: github.event_name == 'push' && github.repository == 'google/guava'
- runs-on: ubuntu-latest
- steps:
- - name: 'Check out repository'
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- - name: 'Set up JDK 21'
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
- with:
- java-version: 21
- distribution: 'zulu'
- server-id: sonatype-nexus-snapshots
- server-username: CI_DEPLOY_USERNAME
- server-password: CI_DEPLOY_PASSWORD
- cache: 'maven'
- - name: 'Publish'
- env:
- CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }}
- CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }}
- run: ./util/deploy_snapshot.sh
-
- generate_docs:
- permissions:
- contents: write
- name: 'Generate latest docs'
- needs: test
- if: github.event_name == 'push' && github.repository == 'google/guava'
- runs-on: ubuntu-latest
- steps:
- - name: 'Check out repository'
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- - name: 'Set up JDK 21'
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
- with:
- java-version: 21
- distribution: 'zulu'
- cache: 'maven'
- - name: 'Generate latest docs'
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: ./util/update_snapshot_docs.sh
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000000..bdc2e9cd1d09
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,85 @@
+name: "CodeQL"
+
+on:
+ workflow_call:
+ inputs:
+ publish:
+ type: boolean
+ description: "Publish SARIF"
+ default: true
+
+ workflow_dispatch: {}
+ push:
+ branches: ["master"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: CodeQL Analysis
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["java"]
+ # CodeQL supports [ $supported-codeql-languages ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.azul.com:443
+ api.github.com:443
+ cdn.azul.com:443
+ dl.google.com:443
+ docs.oracle.com:443
+ errorprone.info:443
+ github.com:443
+ objects.githubusercontent.com:443
+ oss.sonatype.org:443
+ repo.maven.apache.org:443
+ services.gradle.org:443
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+ - name: 'Set up JDK 21'
+ uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+ with:
+ java-version: 21
+ distribution: 'zulu'
+ cache: 'maven'
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+ continue-on-error: true
+ with:
+ languages: ${{ matrix.language }}
+ - name: Build Package
+ run: |
+ ./mvnw \
+ --strict-checksums \
+ -B \
+ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+ install \
+ -U \
+ -DskipTests=true \
+ -Dmaven.javadoc.skip=true \
+ -Dgpg.skip \
+ -f pom.xml
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+ continue-on-error: true
+ with:
+ category: "/language:${{matrix.language}}"
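Review bot: Both CodeQL steps (`init` and `analyze`) carry `continue-on-error: true`, so a scan that fails to start or upload leaves the job green and nobody learns that analysis has stopped running. I would drop the flag from `init` at least, or add a final step that fails the job when either step's `outcome` is `failure`. The `publish` input declared under `workflow_call` is never read in this file, so the fork check that on.pr.yml passes in has no effect. Either remove the input or use it to gate the SARIF upload, keeping in mind that it is unset for the `push` and `schedule` triggers.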
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000000..abc802dae2ac
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,59 @@
+# Guava GitHub CI
+# ---------------------------------------------------------------------------------------------------------------------
+# This workflow is called from `on.push.yml` and `on.pr.yml` to operate on Guava's dependency graph:
+#
+# - The dependency graph is calculated from pom.xml files
+# - The graph is then published to GitHub, and associated with the Guava repository
+# - When operating on a PR, Dependency Review can be invoked to check dependency changes
+#
+# ## Inputs
+#
+# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow
+# can be controlled when called.
+
+name: 'Dependency Graph'
+on:
+ workflow_call:
+ inputs:
+ review:
+ type: boolean
+ description: "Dependency Review"
+ default: false
+ workflow_dispatch:
+ inputs:
+ review:
+ type: boolean
+ description: "Dependency Review"
+ default: false
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ name: 'Dependency Graph'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed to post a dependency graph
+ id-token: write # needed to exchange the graph publish token for an access token
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ oss.sonatype.org:443
+ repo.maven.apache.org:443
+ - name: 'Checkout Repository'
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Maven Dependency Tree Dependency Submission
+ continue-on-error: true
+ uses: advanced-security/maven-dependency-submission-action@bfd2106013da0957cdede0b6c39fb5ca25ae375e # v4.0.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
+ continue-on-error: true
+ with:
+ retry-on-snapshot-warnings: true
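Review bot: The `review` input is declared but the `Dependency Review` step runs unconditionally, so on push events (on.push.yml calls this workflow without `review`) the action runs outside a pull request and its failure is hidden by `continue-on-error: true`; add `if: inputs.review` to that step. With `continue-on-error: true` a flagged dependency change also cannot fail a PR, which makes the check advisory only; say so in a comment or remove the flag. The checkout in this job lacks `persist-credentials: false` although the job token has `contents: write` and `id-token: write`. The other new checkouts in this commit set it, so add it here unless a later step needs the git credentials.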
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index d08048c14e64..e9d096538eac 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -1,13 +1,24 @@
name: "Validate Gradle Wrapper"
-on: [push, pull_request]
+on:
+ workflow_call: {}
+ workflow_dispatch: {}
permissions:
contents: read
jobs:
validation:
- name: "Validation"
+ name: "Gradle Wrapper Validate"
runs-on: ubuntu-latest
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ persist-credentials: false
- uses: gradle/wrapper-validation-action@699bb18358f12c5b78b37bb0111d3a0e2276e0e2 # v2.1.1
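Review bot: The allow-list under `egress-policy: block` contains only `github.com:443`, while the wrapper validation action may need `services.gradle.org:443` to fetch reference checksums for wrapper versions it does not already know; the other workflows in this commit allow that host. A blocked lookup would most likely fail the validation, not bypass it, but that should be confirmed on a run and the host added if needed. Note also that the trigger moves from every push and pull request to `workflow_call`, so validation now runs only where on.pr.yml and on.push.yml call it (the `master` branch).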
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
new file mode 100644
index 000000000000..df88ff841bd9
--- /dev/null
+++ b/.github/workflows/on.pr.yml
@@ -0,0 +1,70 @@
+# Guava GitHub CI
+# ---------------------------------------------------------------------------------------------------------------------
+# This is an entrypoint workflow which operates on pull requests; this workflow doesn't do much on its own. Its job is
+# to dispatch `on.build.yml` and check workflows, which can be found in this same directory.
+#
+# PR workflows are slightly different from push workflows (for example, they do not publish snapshots). See the
+# `on.push.yml` workflow. PR and push flows are designed to be invoked separately.
+
+name: PR
+
+on:
+ pull_request:
+ branches:
+ - master
+
+concurrency:
+ group: guava-pr-${{ github.event.number }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ ## Build the library and provenance material, but don't publish
+ build:
+ name: "Build"
+ uses: ./.github/workflows/ci.build.yml
+ permissions:
+ actions: write
+ contents: write
+ id-token: write
+ with:
+ provenance: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}
+ provenance_publish: false
+ snapshot: false
+
+ ## Run main CI build and tests.
+ test:
+ name: "Tests"
+ uses: ./.github/workflows/ci.test.yml
+ permissions:
+ actions: write
+ contents: write
+ id-token: write
+
+ ## Validate the Gradle Wrapper binary
+ checks-gradle-wrapper:
+ name: "Checks"
+ uses: ./.github/workflows/gradle-wrapper-validation.yml
+
+ ## Publish and check the dependency graph.
+ checks-dependency-graph:
+ name: "Checks"
+ uses: ./.github/workflows/dependency-review.yml
+ permissions:
+ contents: write
+ id-token: write
+ with:
+ review: true
+
+ ## Run CodeQL checks
+ checks-codeql:
+ name: "Checks"
+ uses: ./.github/workflows/codeql.yml
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ with:
+ publish: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}
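Review bot: The `test` job grants `actions: write`, `contents: write` and `id-token: write` to ci.test.yml, which runs Maven against pull-request code and itself asks only for `contents: read`. The caller should pass the same ceiling, `permissions:` with `contents: read`, so a later edit to the called workflow cannot pick up write scopes. On the `build` job the grant is needed only by the provenance generator, which requests `actions: read`, so `actions: write` looks unnecessary and a comment naming the consumer of `contents: write`/`id-token: write` would help. The header comment names `on.build.yml`, but the file called below is `ci.build.yml`.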
diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml
new file mode 100644
index 000000000000..91e567b6d569
--- /dev/null
+++ b/.github/workflows/on.push.yml
@@ -0,0 +1,47 @@
+# Guava GitHub CI
+# ---------------------------------------------------------------------------------------------------------------------
+# This is an entrypoint workflow which operates on pushed revisions to Guava; this workflow doesn't do much on its own.
+# Its job is to dispatch `on.build.yml` and check workflows, which can be found in this same directory.
+#
+# PR workflows are slightly different from push workflows (for example, the push workflow publishes snapshots). See the
+# `on.pr.yml` workflow. PR and push flows are designed to be invoked separately.
+
+name: Push
+
+on:
+ push:
+ branches:
+ - master
+
+concurrency:
+ group: guava-push-${{ github.sha }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ ## Run main CI build and tests.
+ run-ci:
+ name: "Build"
+ uses: ./.github/workflows/ci.build.yml
+ permissions:
+ actions: write
+ contents: write
+ id-token: write
+ with:
+ snapshot: github.repository == 'google/guava'
+ provenance: true
+
+ ## Publish and check the dependency graph.
+ checks-dependency-graph:
+ name: "Checks"
+ uses: ./.github/workflows/dependency-review.yml
+ permissions:
+ contents: write
+ id-token: write
+
+ ## Validate the Gradle Wrapper binary
+ checks-gradle-wrapper:
+ name: "Checks"
+ uses: ./.github/workflows/gradle-wrapper-validation.yml
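Review bot: `snapshot: github.repository == 'google/guava'` is missing the `${{ }}` wrapper, so the boolean input receives a literal string instead of the comparison result; write `snapshot: ${{ github.repository == 'google/guava' }}`. This workflow also never calls ci.test.yml, whereas the removed ci.yml made `publish_snapshot` and `generate_docs` wait on `needs: test`, so snapshots and docs would now be published from `master` without the test suite gating them. Add a `test` job here and make the build depend on it, or state that the change is intended. `concurrency.group` is keyed on `github.sha`, so `cancel-in-progress` will rarely match an earlier run, and the header comment names `on.build.yml` instead of `ci.build.yml`.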
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 034a76f0ae08..993b06893eae 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -31,6 +31,10 @@ jobs:
# actions: read
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
- name: "Checkout code"
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
diff --git a/guava/pom.xml b/guava/pom.xml
index be0bab174e16..f0e50c58bb00 100644
--- a/guava/pom.xml
+++ b/guava/pom.xml
@@ -9,7 +9,7 @@
HEAD-jre-SNAPSHOT
guava
- bundle
+ jar
Guava: Google Core Libraries for Java
https://github.com/google/guava
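Review bot: The change from `bundle` to `jar` (presumably the `<packaging>` value; the XML markup is not visible in this rendering) alters how the main artifact is built, which is unrelated to the CI restructuring in the rest of the commit. If the POM relies on the bundle plugin's lifecycle binding, `jar` packaging no longer runs that goal automatically, so OSGi manifest headers would be lost unless the plugin is bound explicitly elsewhere. I would split this into its own commit with a comparison of the resulting `MANIFEST.MF`, or add a comment explaining why the SPDX and signing setup needs `jar`.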
@@ -222,4 +222,86 @@
+
+
+ spdx
+
+ [11,
+
+
+
+
+
+ org.spdx
+ spdx-maven-plugin
+
+
+ build-spdx
+ install
+
+ createSPDX
+
+
+
+
+ true
+ true
+ Organization: Google, LLC
+ Copyright (c) 2012-2024, The Guava Authors
+ Copyright (c) 2012-2024, The Guava Authors
+ Apache-2.0
+ Organization: Google, LLC
+
+ SHA256
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-antrun-plugin
+
+
+ repack-spdx
+ install
+
+ run
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ maven-gpg-plugin
+
+
+ default-gpg
+ install
+
+ sign
+
+
+
+
+
+
+
+
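Review bot: The new `spdx` profile appears to be activated by JDK range (`[11,`) and binds the `sign` goal of `maven-gpg-plugin` (execution `default-gpg`) to the `install` phase, so any `install` on JDK 11+ would attempt GPG signing unless `-Dgpg.skip` is passed, which is what the workflows in this commit do. That leaves CI-built jars unsigned while an ordinary local `mvn install` requires a GPG key. Activating the profile by an explicit property, or keeping signing in the release profile, would avoid both. The element markup of this hunk is not visible here, so the activation rule and the `repack-spdx` antrun step should be checked against the real file.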
diff --git a/pom.xml b/pom.xml
index f92855fb4ef8..e22e87011064 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,6 +32,8 @@
HEAD-android-SNAPSHOT
android
android
+ https://oss.sonatype.org/content/repositories/snapshots/
+ https://oss.sonatype.org/service/local/staging/deploy/maven2/
GitHub Issues
@@ -272,6 +274,20 @@
build-helper-maven-plugin
3.4.0
+
+ maven-gpg-plugin
+ 3.0.1
+
+
+ dev.sigstore
+ sigstore-maven-plugin
+ 0.4.0
+
+
+ org.spdx
+ spdx-maven-plugin
+ 0.7.3
+
@@ -279,12 +295,12 @@
sonatype-nexus-snapshots
Sonatype Nexus Snapshots
- https://oss.sonatype.org/content/repositories/snapshots/
+ ${publishing.repository.snapshots}
sonatype-nexus-staging
Nexus Release Repository
- https://oss.sonatype.org/service/local/staging/deploy/maven2/
+ ${publishing.repository.releases}
guava-site
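Review bot: Replacing the literal deploy URLs with `${publishing.repository.snapshots}` and `${publishing.repository.releases}` makes the upload target overridable by a `-D` user property, while Maven selects credentials by server id (`sonatype-nexus-snapshots`), not by host. A comment on the two properties should say they may only be overridden with trusted values, because an override sends the credentials configured for that id to whatever URL is supplied. The surrounding markup is not visible in this rendering, so the property names are inferred from the values added in the first hunk of this file.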
@@ -326,9 +342,20 @@
sonatype-oss-release
+
+ dev.sigstore
+ sigstore-maven-plugin
+
+
+ sign
+
+ sign
+
+
+
+
maven-gpg-plugin
- 3.0.1
sign-artifacts