[WIP] feat: managed jvm21 toolchain

.github/workflows/checks.apicheck.yml

@@ -0,0 +1,76 @@
+name: "API Check"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call:
+    inputs:
+      ignore_failures:
+        description: "Ignore failures"
+        required: false
+        type: boolean
+        default: false
+
+    secrets:
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+      BUILDLESS_APIKEY:
+        description: "Buildless key"
+        required: false
+
+permissions:
+  contents: "read"
+
+jobs:
+  api-check:
+    name: "API Check"
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+          restore-keys: |
+            pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+            pkl-v1-build-
+            pkl-v1-
+            pkl-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
+      - name: "Setup: Java 21"
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          distribution: 'adopt'
+          java-version: '21'
+      - name: "Analysis: API Check"
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+        continue-on-error: ${{ inputs.ignore_failures }}
+        env:
+          CI: true
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: |
+            apiCheck
+            -x test
+            -PenableAnalysis=true

.github/workflows/checks.codeql.yml

@@ -0,0 +1,95 @@
+name: "CodeQL"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call:
+    inputs: {}
+    secrets:
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+      BUILDLESS_APIKEY:
+        description: "Buildless key"
+        required: false
+
+  schedule:
+    - cron: "0 0-23/2 * * *"
+
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java-kotlin"]
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+          restore-keys: |
+            pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+            pkl-v1-build-
+            pkl-v1-
+            pkl-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
+      - name: "Setup: Java 21"
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          distribution: 'adopt'
+          java-version: '21'
+      - name: "Setup: Initialize CodeQL"
+        uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        with:
+          config-file: ./.github/codeql/codeql-config.yml
+          languages: ${{ matrix.language }}
+      - name: "Analysis: Build"
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+        continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: |
+            compileKotlin
+            compileJava
+            assemble
+            -x test
+            -x check
+      - name: "Analysis: CodeQL"
+        uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        continue-on-error: true

.github/workflows/checks.dependency-review.yml

@@ -0,0 +1,33 @@
+name: "Dependencies"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call: {}
+
+permissions:
+  contents: read
+
+jobs:
+  dep-review:
+    name: "Dependency Review"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Check: Dependency Review"
+        uses: actions/dependency-review-action@80f10bf419f34980065523f5efca7ebed17576aa # v4.1.0
+        continue-on-error: true
+        if: github.event_name == 'pull_request'
+        with:
+          config-file: "./.github/dependency-review-config.yml"
+          license-check: true
+          vulnerability-check: true
+          fail-on-severity: "low"
+          base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || 'main' }}

.github/workflows/checks.detekt.yml

@@ -0,0 +1,73 @@
+name: "Detekt"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call:
+    inputs: {}
+    secrets:
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+      BUILDLESS_APIKEY:
+        description: "Buildless key"
+        required: false
+
+permissions:
+  contents: "read"
+
+jobs:
+  sonar:
+    name: "Detekt"
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+          restore-keys: |
+            pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+            pkl-v1-build-
+            pkl-v1-
+            pkl-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
+      - name: "Setup: Java 21"
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          distribution: 'adopt'
+          java-version: '21'
+      - name: "Setup: Git History"
+        run: git fetch --unshallow || exit 0
+      - name: "Analysis: Detekt"
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+        continue-on-error: true
+        env:
+          CI: true
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: detekt detektMergeSarif detektMergeXml -PenableAnalysis=true -PsarifReporting=true
+      - name: "Report: SARIF Upload"
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        with:
+          sarif_file: build/reports/detekt/detekt.sarif

.github/workflows/checks.formatting.yml

@@ -0,0 +1,84 @@
+name: "Formatting"
+
+"on":
+  workflow_dispatch:
+    inputs:
+      ## Input: Ignore Failures
+      ignore_failures:
+        description: "Ignore failures"
+        required: false
+        type: boolean
+        default: false
+
+  workflow_call:
+    inputs:
+      ignore_failures:
+        description: "Ignore failures"
+        required: false
+        type: boolean
+        default: false
+
+    secrets:
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+      BUILDLESS_APIKEY:
+        description: "Buildless key"
+        required: false
+
+permissions:
+  contents: "read"
+
+jobs:
+  fmt-check:
+    name: "Formatting"
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+          restore-keys: |
+            pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+            pkl-v1-build-
+            pkl-v1-
+            pkl-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
+      - name: "Setup: Java 21"
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          distribution: 'adopt'
+          java-version: '21'
+      - name: "Analysis: Formatting (Spotless)"
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+        continue-on-error: ${{ inputs.ignore_failures }}
+        env:
+          CI: true
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: |
+            spotlessCheck
+            -PenableAnalysis=true
+            -x spotlessKotlinGradleCheck

.github/workflows/checks.gradle-wrapper.yml

@@ -0,0 +1,25 @@
+name: "Gradle Wrapper"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call: {}
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    name: "Gradle Wrapper"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Check: Gradle Wrapper"
+        uses: gradle/wrapper-validation-action@699bb18358f12c5b78b37bb0111d3a0e2276e0e2 # v2.1.1