chore(deps): upgrade dependencies and move gpg signing to release profile #5
Merged
…file
- Bump xmlsec 4.0.1 -> 4.0.4
- Bump commons-codec 1.16.0 -> 1.22.0
- Bump azure-security-keyvault-keys 4.7.3 -> 4.10.6
- Bump corelib 0.5.5 -> 0.7.1
- Bump commons-text 1.11.0 -> 1.15.0
- Bump mockito-core 5.6.0 -> 5.23.0
- Bump maven-compiler-plugin 3.11.0 -> 3.15.0
- Bump maven-javadoc-plugin 3.6.0 -> 3.12.0
- Bump maven-jar-plugin 3.3.0 -> 3.5.0
- Bump maven-surefire-plugin 2.22.2 -> 3.5.5
- Bump jacoco-maven-plugin 0.8.10 -> 0.8.14
- Bump central-publishing-maven-plugin 0.7.0 -> 0.10.0
- Move maven-gpg-plugin into a 'release' profile and enable bestPractices
corelib 0.7.0+ is compiled for Java 21 (class file 65), which breaks the Java 17 build (expects 61). 0.6.0 is the latest release still targeting Java 17. Also limit the workflow to pull_request and workflow_dispatch so CI no longer runs twice on push + PR for the same commit.
Summary
Refresh build dependencies and Maven plugins to current versions, and move the GPG signing plugin into a dedicated release profile so non-release builds no longer require a signing key.

Changes Made
core/pom.xml:
- org.apache.santuario:xmlsec 4.0.1 → 4.0.4
- commons-codec:commons-codec 1.16.0 → 1.22.0
- com.azure:azure-security-keyvault-keys 4.7.3 → 4.10.6
pom.xml:
- corelib 0.5.5 → 0.7.1
- commons-text 1.11.0 → 1.15.0
- mockito-core 5.6.0 → 5.23.0
pom.xml:
- maven-compiler-plugin 3.11.0 → 3.15.0
- maven-javadoc-plugin 3.6.0 → 3.12.0
- maven-jar-plugin 3.3.0 → 3.5.0
- maven-surefire-plugin 2.22.2 → 3.5.5
- jacoco-maven-plugin 0.8.10 → 0.8.14
- central-publishing-maven-plugin 0.7.0 → 0.10.0
- maven-gpg-plugin execution
- release profile (activated via -Prelease) that runs maven-gpg-plugin 3.2.8 with <bestPractices>true</bestPractices>

Testing
- mvn -B package on Java 17 / Ubuntu and should validate the upgraded dependencies and plugins.
- mvn clean package for non-release builds and mvn -Prelease clean verify (with a configured GPG key) for the release path.

Breaking Changes
- release profile (-Prelease) for artifacts to be GPG-signed. Standard development builds no longer require a GPG key.

Additional Notes
- maven-surefire-plugin jumps from 2.x to 3.x; please double-check the test run output in CI for any behavioral differences.
- commons-codec (1.16 → 1.22) and corelib (0.5.5 → 0.7.1) — please skim release notes if anything looks unexpected.
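
The corelib commit note above comes down to class-file major versions: a Java 17 build accepts up to 61, and corelib 0.7.0+ ships 65. As an added example (not part of this pull request or the project's code), this Python script reads the version from each class in a dependency jar and lists the ones newer than the build target; the function names and the sample jar are constructed for illustration.

```python
from __future__ import annotations

import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE  # first four bytes of every Java class file


def class_major(data: bytes) -> int | None:
    """Return the class-file major version, or None if data is not a class file."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == CLASS_MAGIC else None


def java_release(major: int) -> int:
    """Class-file major 61 is Java 17 and 65 is Java 21 (major - 44)."""
    return major - 44


def too_new_classes(jar_bytes: bytes, target_release: int) -> dict[str, int]:
    """Map each class compiled for a release above target_release to that release."""
    limit = target_release + 44
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            # Multi-release jars keep newer variants under META-INF/versions/N/;
            # an older JVM ignores them, so they do not break the build.
            if not name.endswith(".class") or name.startswith("META-INF/versions/"):
                continue
            with jar.open(name) as entry:
                major = class_major(entry.read(8))
            if major is not None and major > limit:
                found[name] = java_release(major)
    return found


def build_sample_jar(entries: dict[str, int]) -> bytes:
    """Constructed sample: a jar whose entries hold only the 8-byte class header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, major in entries.items():
            jar.writestr(name, struct.pack(">IHH", CLASS_MAGIC, 0, major))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar({"a/Old.class": 61, "a/New.class": 65})
    print(too_new_classes(sample, target_release=17))
```

Running a check like this over resolved dependency jars before merging a version bump surfaces a target mismatch without waiting for the compiler to fail.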