elide-dev · sgammon · Jan 22, 2025 · Jan 24, 2025 · Jan 24, 2025 · Jan 23, 2025
diff --git a/.circleci/config.pkl b/.circleci/config.pkl
@@ -105,18 +105,13 @@ local buildNativeJobs: Mapping<String, BuildNativeJob> = new {
 }
 
 local gradleCheckJobs: Mapping<String, GradleCheckJob> = new {
-  ["gradle-check-jdk17"] {
-    javaVersion = "17.0"
-    isRelease = false
-    os = "linux"
-  }
-  ["gradle-check-jdk21"] {
+  ["gradle-check"] {
     javaVersion = "21.0"
     isRelease = false
     os = "linux"
   }
-  ["gradle-check-jdk17-windows"] {
-    javaVersion = "17.0"
+  ["gradle-check-windows"] {
+    javaVersion = "21.0"
     isRelease = false
     os = "windows"
   }

diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -581,19 +581,7 @@ jobs:
     resource_class: windows.large
     machine:
       image: windows-server-2022-gui:current
-  gradle-check-jdk17:
-    steps:
-    - checkout
-    - run:
-        command: ./gradlew --info --stacktrace -DtestReportsDir=${HOME}/test-results check
-        name: gradle check
-    - store_test_results:
-        path: ~/test-results
-    environment:
-      LANG: en_US.UTF-8
-    docker:
-    - image: cimg/openjdk:17.0
-  gradle-check-jdk21:
+  gradle-check:
     steps:
     - checkout
     - run:
@@ -605,14 +593,14 @@ jobs:
       LANG: en_US.UTF-8
     docker:
     - image: cimg/openjdk:21.0
-  gradle-check-jdk17-windows:
+  gradle-check-windows:
     steps:
     - checkout
     - run:
         command: |-
           # install jdk
           curl -Lf \
-          https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.9%2B9.1/OpenJDK17U-jdk_x64_windows_hotspot_17.0.9_9.zip -o /tmp/jdk.zip
+          https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.5%2B11/OpenJDK21U-jdk_x64_windows_hotspot_21.0.5_11.zip -o /tmp/jdk.zip
 
           unzip /tmp/jdk.zip -d /tmp/jdk \
             && cd /tmp/jdk/jdk-* \
@@ -742,13 +730,10 @@ workflows:
         type: approval
     - pr-approval/authenticate:
         context: pkl-pr-approval
-    - gradle-check-jdk17:
+    - gradle-check:
         requires:
         - hold
-    - gradle-check-jdk21:
-        requires:
-        - hold
-    - gradle-check-jdk17-windows:
+    - gradle-check-windows:
         requires:
         - hold
     when:
@@ -757,9 +742,8 @@ workflows:
         pattern: ^pull/\d+(/head)?$
   main:
     jobs:
-    - gradle-check-jdk17
-    - gradle-check-jdk21
-    - gradle-check-jdk17-windows
+    - gradle-check
+    - gradle-check-windows
     - bench
     - gradle-compatibility
     - pkl-cli-macOS-amd64-snapshot
@@ -770,9 +754,8 @@ workflows:
     - pkl-cli-windows-amd64-snapshot
     - deploy-snapshot:
         requires:
-        - gradle-check-jdk17
-        - gradle-check-jdk21
-        - gradle-check-jdk17-windows
+        - gradle-check
+        - gradle-check-windows
         - bench
         - gradle-compatibility
         - pkl-cli-macOS-amd64-snapshot
@@ -793,19 +776,13 @@ workflows:
       - << pipeline.git.branch >>
   release:
     jobs:
-    - gradle-check-jdk17:
-        filters:
-          branches:
-            ignore: /.*/
-          tags:
-            only: /^v?\d+\.\d+\.\d+$/
-    - gradle-check-jdk21:
+    - gradle-check:
         filters:
           branches:
             ignore: /.*/
           tags:
             only: /^v?\d+\.\d+\.\d+$/
-    - gradle-check-jdk17-windows:
+    - gradle-check-windows:
         filters:
           branches:
             ignore: /.*/
@@ -861,9 +838,8 @@ workflows:
             only: /^v?\d+\.\d+\.\d+$/
     - github-release:
         requires:
-        - gradle-check-jdk17
-        - gradle-check-jdk21
-        - gradle-check-jdk17-windows
+        - gradle-check
+        - gradle-check-windows
         - bench
         - gradle-compatibility
         - pkl-cli-macOS-amd64-release
@@ -899,9 +875,8 @@ workflows:
             only: /^v?\d+\.\d+\.\d+$/
   release-branch:
     jobs:
-    - gradle-check-jdk17
-    - gradle-check-jdk21
-    - gradle-check-jdk17-windows
+    - gradle-check
+    - gradle-check-windows
     - bench
     - gradle-compatibility
     - pkl-cli-macOS-amd64-release

diff --git a/.github/workflows/checks.apicheck.yml b/.github/workflows/checks.apicheck.yml
@@ -0,0 +1,78 @@
+name: "API Check"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call:
+    inputs:
+      ignore_failures:
+        description: "Ignore failures"
+        required: false
+        type: boolean
+        default: false
+
+    secrets:
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+      BUILDLESS_APIKEY:
+        description: "Buildless key"
+        required: false
+
+permissions:
+  contents: "read"
+
+jobs:
+  api-check:
+    name: "API Check"
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+          restore-keys: |
+            pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+            pkl-v1-build-
+            pkl-v1-
+            pkl-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
+      - name: "Setup: GraalVM (Java 21)"
+        uses: graalvm/setup-graalvm@4a200f28cd70d1940b5e33bd00830b7dc71a7e2b # v1.2.6
+        with:
+          distribution: "graalvm"
+          java-version: '21'
+          check-for-updates: false
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Analysis: API Check"
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+        continue-on-error: ${{ inputs.ignore_failures }}
+        env:
+          CI: true
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: |
+            apiCheck
+            -x test
+            -PenableAnalysis=true
diff --git a/.github/workflows/checks.codeql.yml b/.github/workflows/checks.codeql.yml
@@ -0,0 +1,97 @@
+name: "CodeQL"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call:
+    inputs: {}
+    secrets:
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+      BUILDLESS_APIKEY:
+        description: "Buildless key"
+        required: false
+
+  schedule:
+    - cron: "0 0-23/2 * * *"
+
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java-kotlin"]
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+          restore-keys: |
+            pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+            pkl-v1-build-
+            pkl-v1-
+            pkl-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
+      - name: "Setup: GraalVM (Java 21)"
+        uses: graalvm/setup-graalvm@4a200f28cd70d1940b5e33bd00830b7dc71a7e2b # v1.2.6
+        with:
+          distribution: "graalvm"
+          java-version: '21'
+          check-for-updates: false
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Setup: Initialize CodeQL"
+        uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        with:
+          config-file: ./.github/codeql/codeql-config.yml
+          languages: ${{ matrix.language }}
+      - name: "Analysis: Build"
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+        continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          arguments: |
+            compileKotlin
+            compileJava
+            assemble
+            -x test
+            -x check
+      - name: "Analysis: CodeQL"
+        uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        continue-on-error: true
diff --git a/.github/workflows/checks.dependency-review.yml b/.github/workflows/checks.dependency-review.yml
@@ -0,0 +1,33 @@
+name: "Dependencies"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call: {}
+
+permissions:
+  contents: read
+
+jobs:
+  dep-review:
+    name: "Dependency Review"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: "Check: Dependency Review"
+        uses: actions/dependency-review-action@80f10bf419f34980065523f5efca7ebed17576aa # v4.1.0
+        continue-on-error: true
+        if: github.event_name == 'pull_request'
+        with:
+          config-file: "./.github/dependency-review-config.yml"
+          license-check: true
+          vulnerability-check: true
+          fail-on-severity: "low"
+          base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || 'main' }}