Update from template (auto-merged)

.github/workflows/broken-links.yml

@@ -19,7 +19,7 @@ jobs:
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
         with:
           fail: false # Don't fail on broken links, create an issue instead
 

.github/workflows/check-build.yml

@@ -69,7 +69,7 @@ jobs:
         fi
 
     - name: Upload demo files
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: demo-files-java-${{ matrix.java }}
         path: ${{ env.DEMO_MAVEN_MODULE }}/target/${{ env.DEMO_MAVEN_MODULE }}.jar
@@ -151,8 +151,8 @@ jobs:
       run: ./mvnw -B pmd:aggregate-cpd pmd:cpd-check -P pmd -DskipTests -T2C
 
     - name: Upload report
-      if: always()
-      uses: actions/upload-artifact@v6
+      if: ${{ !cancelled() }}
+      uses: actions/upload-artifact@v7
       with:
         name: pmd-report
         if-no-files-found: ignore

.github/workflows/report-gha-workflow-security-problems.yml

@@ -0,0 +1,61 @@
+name: Report workflow security problems
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ develop ]
+    paths:
+      - '.github/workflows/**'
+
+permissions:
+  issues: write
+
+jobs:
+  prt:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Only run this in our repos (Prevent notification spam by forks)
+    if: ${{ github.repository_owner == 'xdev-software' }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Check
+        id: check
+        run: |
+          grep -l 'pull_request_target:' --exclude report-gha-workflow-security-problems.yml *.yml > reported.txt && exit 1 || exit 0
+        working-directory: .github/workflows
+
+      - name: Find already existing issue
+        id: find-issue
+        if: ${{ !cancelled() }}
+        run: |
+          echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Incorrectly configure GHA workflow (prt)"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Close issue if everything is fine
+        if: ${{ success() && steps.find-issue.outputs.number != '' }}
+        run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Create report
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        run: |
+          echo 'Detected usage of `pull_request_target`. This event is dangerous and MUST NOT BE USED AT ALL COST!' > reported.md
+          echo '' >> reported.md
+          echo '/cc @xdev-software/gha-workflow-security' >> reported.md
+          echo '' >> reported.md
+          echo '```' >> reported.md
+          cat .github/workflows/reported.txt >> reported.md
+          echo '```' >> reported.md
+          cat reported.md
+
+      - name: Create Issue From File
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
+        with:
+          issue-number: ${{ steps.find-issue.outputs.number }}
+          title: 'Incorrectly configure GHA workflow (prt)'
+          content-filepath: ./reported.md
+          labels: bug, automated

pom.xml

@@ -45,7 +45,7 @@
 							<dependency>
 								<groupId>com.puppycrawl.tools</groupId>
 								<artifactId>checkstyle</artifactId>
-								<version>13.2.0</version>
+								<version>13.3.0</version>
 							</dependency>
 						</dependencies>
 						<configuration>
@@ -83,12 +83,12 @@
 							<dependency>
 								<groupId>net.sourceforge.pmd</groupId>
 								<artifactId>pmd-core</artifactId>
-								<version>7.21.0</version>
+								<version>7.22.0</version>
 							</dependency>
 							<dependency>
 								<groupId>net.sourceforge.pmd</groupId>
 								<artifactId>pmd-java</artifactId>
-								<version>7.21.0</version>
+								<version>7.22.0</version>
 							</dependency>
 						</dependencies>
 					</plugin>

sessionize-java-client/pom.xml

@@ -56,7 +56,7 @@
 			<dependency>
 				<groupId>com.fasterxml.jackson</groupId>
 				<artifactId>jackson-bom</artifactId>
-				<version>2.21.0</version>
+				<version>2.21.1</version>
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
@@ -91,7 +91,7 @@
 		<dependency>
 			<groupId>org.openapitools</groupId>
 			<artifactId>jackson-databind-nullable</artifactId>
-			<version>0.2.8</version>
+			<version>0.2.9</version>
 		</dependency>
 
 		<dependency>
@@ -319,7 +319,7 @@
 					<plugin>
 						<groupId>org.openapitools</groupId>
 						<artifactId>openapi-generator-maven-plugin</artifactId>
-						<version>7.18.0</version>
+						<version>7.20.0</version>
 						<executions>
 							<execution>
 								<goals>
@@ -377,7 +377,7 @@
 					<plugin>
 						<groupId>software.xdev</groupId>
 						<artifactId>find-and-replace-maven-plugin</artifactId>
-						<version>1.0.4</version>
+						<version>1.0.5</version>
 						<executions>
 							<execution>
 								<!-- Remove so that we don't need additional dependency -->
@@ -444,7 +444,7 @@
 							<dependency>
 								<groupId>com.puppycrawl.tools</groupId>
 								<artifactId>checkstyle</artifactId>
-								<version>13.2.0</version>
+								<version>13.3.0</version>
 							</dependency>
 						</dependencies>
 						<configuration>
@@ -486,12 +486,12 @@
 							<dependency>
 								<groupId>net.sourceforge.pmd</groupId>
 								<artifactId>pmd-core</artifactId>
-								<version>7.21.0</version>
+								<version>7.22.0</version>
 							</dependency>
 							<dependency>
 								<groupId>net.sourceforge.pmd</groupId>
 								<artifactId>pmd-java</artifactId>
-								<version>7.21.0</version>
+								<version>7.22.0</version>
 							</dependency>
 						</dependencies>
 					</plugin>