Merge remote-tracking branch 'origin/update-from-template' into develop

Author: AB-xdev

.config/checkstyle/checkstyle.xml

@@ -79,6 +79,11 @@
 			<property name="format" value="^(?!(.*(Map|List|Set))$).+$"/>
 			<property name="tokens" value="PARAMETER_DEF, VARIABLE_DEF, PATTERN_VARIABLE_DEF, RECORD_COMPONENT_DEF, LAMBDA"/>
 		</module>
+		<!-- Name classes correctly and don't use generic name for everything -->
+		<module name="IllegalIdentifierName">
+			<property name="format" value="^(?!(.*(Helper|Util))$).+$"/>
+			<property name="tokens" value=" CLASS_DEF"/>
+		</module>
 		<module name="IllegalImport"/>
 		<module name="InterfaceIsType"/>
 		<module name="JavadocStyle">

.config/pmd/java/ruleset.xml

@@ -146,7 +146,6 @@
 	<rule ref="category/java/errorprone.xml/CollectionTypeMismatch"/>
 	<rule ref="category/java/errorprone.xml/ComparisonWithNaN"/>
 	<rule ref="category/java/errorprone.xml/DoNotCallGarbageCollectionExplicitly"/>
-	<rule ref="category/java/errorprone.xml/DontImportSun"/>
 	<rule ref="category/java/errorprone.xml/DontUseFloatTypeForLoopIndices"/>
 	<rule ref="category/java/errorprone.xml/EqualsNull"/>
 	<rule ref="category/java/errorprone.xml/IdempotentOperations"/>
@@ -164,6 +163,7 @@
 	<rule ref="category/java/errorprone.xml/SingletonClassReturningNewInstance"/>
 	<rule ref="category/java/errorprone.xml/UnconditionalIfStatement"/>
 	<rule ref="category/java/errorprone.xml/UnnecessaryCaseChange"/>
+	<rule ref="category/java/errorprone.xml/UnsupportedJdkApiUsage"/>
 	<rule ref="category/java/errorprone.xml/UselessPureMethodCall"/>
 
 
@@ -208,6 +208,36 @@
 	<rule ref="category/java/security.xml"/>
 
 
+	<rule name="AvoidOptionalGet"
+		language="java"
+		message="Avoid using Optional#get"
+		class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+		externalInfoUrl="https://stackoverflow.com/a/49159955">
+		<description>
+`Optional#get` can be interpreted as a getter by developers, however this is not the case as it throws an exception when empty.
+
+It should be replaced by
+* doing a mapping directly using `.map` or `.ifPresent`
+* using the preferred `.orElseThrow`, `.orElse` or `.or` methods
+
+Java Developer Brian Goetz also writes regarding this topic:
+
+> Java 8 was a huge improvement to the platform, but one of the few mistakes we made was the naming of `Optional.get()`, because the name just invites people to call it without calling `isPresent()`, undermining the whole point of using `Optional` in the first place.
+>
+> During the Java 9 time frame, we proposed to deprecate `Optional.get()`, but the public response to that was ... let's say cold. As a smaller step, we introduced `orElseThrow()` in 10 (see [JDK-8140281](https://bugs.openjdk.java.net/browse/JDK-8140281)) as a more transparently named synonym for the current pernicious behavior of `get()`. IDEs warn on unconditional use of `get()`, but not on `orElseThrow()`, which is a step forward in teaching people to code better. The question is, in a sense, a "glass half empty" view of the current situation; `get()` is still problematic.
+		</description>
+		<priority>3</priority>
+		<properties>
+			<property name="xpath">
+				<value>
+<![CDATA[
+//MethodCall[pmd-java:matchesSig('java.util.Optional#get()')]
+]]>
+				</value>
+			</property>
+		</properties>
+	</rule>
+
 	<rule name="AvoidStringBuilderOrBuffer"
 		language="java"
 		message="StringBuilder/StringBuffer should not be used"

.github/workflows/broken-links.yml

@@ -19,7 +19,7 @@ jobs:
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
         with:
           fail: false # Don't fail on broken links, create an issue instead
 

.github/workflows/check-build.yml

@@ -42,15 +42,15 @@ jobs:
         path: |
           ~/.gradle/caches
           ~/.gradle/wrapper
-        key: ${{ runner.os }}-gradle-build-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        key: ${{ runner.os }}-gradle-build-${{ hashFiles('**/*.gradle*', '**/gradle.properties', '**/gradle-wrapper.properties') }}
         restore-keys: |
           ${{ runner.os }}-gradle-build-
 
     - name: Build
       run: ./gradlew build buildPlugin --info --stacktrace
 
     - name: Try upload test reports when failure occurs
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       if: failure()
       with:
         name: test-reports-${{ matrix.java }}
@@ -75,7 +75,7 @@ jobs:
         fi
 
     - name: Upload plugin files
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: plugin-files-java-${{ matrix.java }}
         path: build/distributions/*.zip
@@ -104,7 +104,7 @@ jobs:
         path: |
           ~/.gradle/caches
           ~/.gradle/wrapper
-        key: ${{ runner.os }}-gradle-checkstyle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        key: ${{ runner.os }}-gradle-checkstyle-${{ hashFiles('**/*.gradle*', '**/gradle.properties', '**/gradle-wrapper.properties') }}
         restore-keys: |
           ${{ runner.os }}-gradle-checkstyle-
 
@@ -137,13 +137,13 @@ jobs:
         path: |
           ~/.gradle/caches
           ~/.gradle/wrapper
-        key: ${{ runner.os }}-gradle-pmd-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        key: ${{ runner.os }}-gradle-pmd-${{ hashFiles('**/*.gradle*', '**/gradle.properties', '**/gradle-wrapper.properties') }}
         restore-keys: |
           ${{ runner.os }}-gradle-pmd-
 
     - name: Upload report
       if: always()
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: pmd-report
         if-no-files-found: ignore

.github/workflows/check-ide-compatibility.yml

@@ -55,7 +55,7 @@ jobs:
         path: |
           ~/.gradle/caches
           ~/.gradle/wrapper
-        key: ${{ runner.os }}-gradle-ide-compatibility-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        key: ${{ runner.os }}-gradle-ide-compatibility-${{ hashFiles('**/*.gradle*', '**/gradle.properties', '**/gradle-wrapper.properties') }}
         restore-keys: |
           ${{ runner.os }}-gradle-ide-compatibility-
 
@@ -64,7 +64,7 @@ jobs:
       run: ./gradlew verifyPlugin --info --stacktrace
 
     - name: Upload report
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       if: ${{ always() }}
       with:
         name: plugin-verifier-reports

.github/workflows/release.yml

@@ -27,7 +27,7 @@ jobs:
         path: |
           ~/.gradle/caches
           ~/.gradle/wrapper
-        key: ${{ runner.os }}-gradle-build-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        key: ${{ runner.os }}-gradle-build-${{ hashFiles('**/*.gradle*', '**/gradle.properties', '**/gradle-wrapper.properties') }}
         restore-keys: |
           ${{ runner.os }}-gradle-build-
       
@@ -91,7 +91,7 @@ jobs:
 
     - name: Create Release
       id: create_release
-      uses: shogo82148/actions-create-release@559c27ce7eb834825e2b55927c64f6d1bd1db716 # v1
+      uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1
       with:
         tag_name: v${{ steps.version.outputs.release }}
         release_name: v${{ steps.version.outputs.release }}
@@ -135,7 +135,7 @@ jobs:
       run: ./gradlew publishPlugin --info --stacktrace
 
     - name: Upload plugin files
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: plugin-files
         path: build/distributions/*

.github/workflows/report-gha-workflow-security-problems.yml

@@ -0,0 +1,61 @@
+name: Report workflow security problems
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ develop ]
+    paths:
+      - '.github/workflows/**'
+
+permissions:
+  issues: write
+
+jobs:
+  prt:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Only run this in our repos (Prevent notification spam by forks)
+    if: ${{ github.repository_owner == 'xdev-software' }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Check
+        id: check
+        run: |
+          grep -l 'pull_request_target:' --exclude report-gha-workflow-security-problems.yml *.yml > reported.txt && exit 1 || exit 0
+        working-directory: .github/workflows
+
+      - name: Find already existing issue
+        id: find-issue
+        if: ${{ !cancelled() }}
+        run: |
+          echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Incorrectly configure GHA workflow (prt)"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Close issue if everything is fine
+        if: ${{ success() && steps.find-issue.outputs.number != '' }}
+        run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Create report
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        run: |
+          echo 'Detected usage of `pull_request_target`. This event is dangerous and MUST NOT BE USED AT ALL COST!' > reported.md
+          echo '' >> reported.md
+          echo '/cc @xdev-software/gha-workflow-security' >> reported.md
+          echo '' >> reported.md
+          echo '```' >> reported.md
+          cat .github/workflows/reported.txt >> reported.md
+          echo '```' >> reported.md
+          cat reported.md
+
+      - name: Create Issue From File
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
+        with:
+          issue-number: ${{ steps.find-issue.outputs.number }}
+          title: 'Incorrectly configure GHA workflow (prt)'
+          content-filepath: ./reported.md
+          labels: bug, automated

.github/workflows/test-deploy.yml

@@ -35,7 +35,7 @@ jobs:
         run: ./gradlew publishPlugin --info --stacktrace
 
       - name: Upload plugin files
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: plugin-files-java-${{ matrix.java }}
           path: build/distributions/*

.idea/externalDependencies.xml

@@ -3,13 +3,13 @@ plugins {
     id 'idea'
     id 'checkstyle'
     id 'pmd'
-    id 'org.jetbrains.intellij.platform' version '2.11.0'
+    id 'org.jetbrains.intellij.platform' version '2.13.1'
 }
 
 ext {
-    checkstyleVersion = '13.0.0'
+    checkstyleVersion = '13.3.0'
 
-    pmdVersion = '7.20.0'
+    pmdVersion = '7.22.0'
 }
 
 def properties(String key) {
@@ -55,13 +55,12 @@ dependencies {
         plugins(properties("platformPlugins").map { it.split(",").collect { it.trim() }.findAll { !it.empty } })
         pluginVerifier()
         zipSigner()
-        instrumentationTools()
         testFramework TestFrameworkType.Platform.INSTANCE
     }
     checkstyle "com.puppycrawl.tools:checkstyle:${checkstyleVersion}"
     pmd "net.sourceforge.pmd:pmd-ant:${pmdVersion}",
             "net.sourceforge.pmd:pmd-java:${pmdVersion}"
-    testImplementation platform('org.junit:junit-bom:6.0.2'),
+    testImplementation platform('org.junit:junit-bom:6.0.3'),
             'org.junit.jupiter:junit-jupiter',
             'org.junit.jupiter:junit-jupiter-engine',
             'org.assertj:assertj-core:3.27.7'