From ddd12106c6e5f4a780655d6433058d5dee4f00c9 Mon Sep 17 00:00:00 2001
From: Ben Manes
Date: Mon, 23 Dec 2024 15:12:38 -0800
Subject: [PATCH] sign maven artifacts with sigstore
---
 .github/workflows/build.yml | 3 +++
 .github/workflows/release.yml | 2 ++
 .github/workflows/trivy.yml | 1 +
 gradle/libs.versions.toml | 2 ++
 gradle/plugins/build.gradle.kts | 1 +
 .../main/kotlin/lifecycle/publish.caffeine.gradle.kts | 1 +
 .../cache/simulator/policy/adaptive/CartPolicy.java | 11 ++++++-----
 .../simulator/policy/two_queue/TwoQueuePolicy.java | 3 ++-
 8 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b2e7325574..3214b425df 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -335,6 +335,8 @@ jobs:
 github.event_name == 'push' &&
 github.event.repository.fork == false &&
 endsWith(github.ref, github.event.repository.default_branch)
+ permissions:
+ id-token: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
@@ -348,6 +350,7 @@ jobs:
 guava.dev:443
 jspecify.dev:443
 lightbend.github.io:443
+ oauth2.sigstore.dev:443
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Publish Snapshot
 uses: ./.github/actions/run-gradle
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9b2fa44d7d..3b21a201c1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,8 @@ jobs:
 release:
 runs-on: ubuntu-latest
 if: github.event.repository.fork == false
+ permissions:
+ id-token: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 07e446400a..86ef5303de 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
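Review bot: The `permissions:` block added to the snapshot-publish job in build.yml (hunk at -335) grants `id-token: write` to the whole job, so every step, including the Gradle build and whatever plugins it loads, can request an OIDC token for this workflow identity, which is the identity a Sigstore keyless signature attests to. A job-level block also sets every scope it does not list to `none`, so adding `contents: read` beside it would state explicitly what the later `actions/checkout` step relies on. A comment such as `# id-token: write is needed for Sigstore keyless signing (OIDC)` would record why the grant exists. The identical block added to the `release` job in release.yml raises the same two points. The job's step list continues outside the hunk.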
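Review bot: Only `oauth2.sigstore.dev:443` is added to the Harden Runner allowlist in build.yml (hunk at -348), and it is the last entry before the checkout step, whereas keyless signing against the public Sigstore instance normally also reaches the certificate authority, the transparency log and the TUF root (`fulcio.sigstore.dev`, `rekor.sigstore.dev`, `tuf-repo-cdn.sigstore.dev`). The start of the list and the `egress-policy` setting are outside the hunk, so some of these may already be allowed, but under `egress-policy: block` a missing host would make the publish step fail at signing time. The release.yml change in this patch adds the OIDC permission without touching that job's allowlist, so the same check is worth making there.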
@@ -20,6 +20,7 @@ jobs:
 api.github.com:443
 ghcr.io:443
 github.com:443
+ mirror.gcr.io:443
 objects.githubusercontent.com:443
 pkg-containers.githubusercontent.com:443
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 788db96365..02137f4e9c 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -84,6 +84,7 @@ protobuf = "4.29.2"
 slf4j = "2.0.16"
 slf4j-test = "3.0.1"
 snakeyaml = "2.3"
+sigstore = "1.2.0"
 sonarqube = "6.0.1.5171"
 spotbugs = "4.8.6"
 spotbugs-contrib = "7.6.9"
@@ -237,6 +238,7 @@ jmh-report = { id = "io.morethan.jmhreport", version.ref = "jmh-report" }
 jvm-dependency-conflict-resolution = { id = "org.gradlex.jvm-dependency-conflict-resolution", version.ref = "jvm-dependency-conflict-resolution" }
 nexus-publish = { id = "io.github.gradle-nexus.publish-plugin", version.ref = "nexus-publish" }
 nullaway = { id = "net.ltgt.nullaway", version.ref = "nullaway-plugin" }
+sigstore = { id = "dev.sigstore.sign", version.ref = "sigstore" }
 sonarqube = { id = "org.sonarqube", version.ref = "sonarqube" }
 spotbugs = { id = "com.github.spotbugs", version.ref = "spotbugs-plugin" }
 versions = { id = "com.github.ben-manes.versions", version.ref = "versions" }
diff --git a/gradle/plugins/build.gradle.kts b/gradle/plugins/build.gradle.kts
index 83ef0690e1..a9a4a4096d 100644
--- a/gradle/plugins/build.gradle.kts
+++ b/gradle/plugins/build.gradle.kts
@@ -26,6 +26,7 @@ dependencies {
 implementation(plugin(libs.plugins.bnd))
 implementation(plugin(libs.plugins.idea))
 implementation(plugin(libs.plugins.nullaway))
+ implementation(plugin(libs.plugins.sigstore))
 implementation(plugin(libs.plugins.spotbugs))
 implementation(plugin(libs.plugins.versions))
 implementation(plugin(libs.plugins.sonarqube))
diff --git a/gradle/plugins/src/main/kotlin/lifecycle/publish.caffeine.gradle.kts b/gradle/plugins/src/main/kotlin/lifecycle/publish.caffeine.gradle.kts
index 37e2c9ceac..437960f4b5 100644
--- a/gradle/plugins/src/main/kotlin/lifecycle/publish.caffeine.gradle.kts
+++ b/gradle/plugins/src/main/kotlin/lifecycle/publish.caffeine.gradle.kts
@@ -1,4 +1,5 @@
 plugins {
+ id("dev.sigstore.sign")
 `maven-publish`
 `java-library`
 signing
diff --git a/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/adaptive/CartPolicy.java b/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/adaptive/CartPolicy.java
index 537adc1c82..312d154872 100644
--- a/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/adaptive/CartPolicy.java
+++ b/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/adaptive/CartPolicy.java
@@ -241,10 +241,11 @@ private void demote() {
 // nL = nL − 1
 policyStats.recordEviction();
+ requireNonNull(headT2.next);
- while (requireNonNull(headT2.next).marked) {
+ while (headT2.next.marked) {
 policyStats.recordOperation();
- Node demoted = headT2.next;
+ Node demoted = requireNonNull(headT2.next);
 demoted.marked = false;
 demoted.remove();
 sizeT2--;
@@ -257,10 +258,10 @@ private void demote() {
 }
 }
- while ((requireNonNull(headT1.next).filter == FilterType.LONG_TERM)
- || requireNonNull(headT1.next).marked) {
+ requireNonNull(headT1.next);
+ while ((headT1.next.filter == FilterType.LONG_TERM) || headT1.next.marked) {
 policyStats.recordOperation();
- Node node = headT1.next;
+ Node node = requireNonNull(headT1.next);
 if (node.marked) {
 node.moveToTail(headT1);
 node.marked = false;
diff --git a/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/two_queue/TwoQueuePolicy.java b/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/two_queue/TwoQueuePolicy.java
index 2d71d514b9..d5876355f7 100644
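Review bot: `id("dev.sigstore.sign")` is applied in publish.caffeine.gradle.kts with no visible gating, so publish tasks run outside the two CI jobs that received `id-token: write` (a developer machine, a fork) would presumably also attempt keyless signing without an ambient OIDC token. How the existing `signing` plugin is conditioned is outside the hunk; if it is limited to release builds, the Sigstore signing should follow the same condition. A comment would also help readers see that the Sigstore signatures are published in addition to the PGP ones, not instead of them, e.g. `// Sigstore keyless signatures complement the PGP signatures produced by 'signing'`. The `plugins` block continues outside the hunk.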
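Review bot: In CartPolicy (the hunk header places this in `demote()`) the standalone `requireNonNull(headT2.next);` guards only the first evaluation of the loop condition; after `demoted.remove()` the condition `headT2.next.marked` dereferences the field again without the check the old code made on every pass. A null link ends in a NullPointerException either way, so this looks like a change made for a static nullness checker, not a behaviour change, and a one-line comment saying so (`// non-null by the sentinel invariant; asserted for the nullness checker`, if that is the reason) would stop the bare call from being read as dead code. The same pattern is repeated for `headT1.next` in the second CartPolicy hunk and for `node.type` in TwoQueuePolicy.record, where assigning `requireNonNull(node.type)` to a local and switching on that local would check and read the field once. The enclosing methods start and end outside the hunks.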
--- a/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/two_queue/TwoQueuePolicy.java
+++ b/simulator/src/main/java/com/github/benmanes/caffeine/cache/simulator/policy/two_queue/TwoQueuePolicy.java
@@ -94,7 +94,8 @@ public void record(long key) {
 policyStats.recordOperation();
 @Var Node node = data.get(key);
 if (node != null) {
- switch (requireNonNull(node.type)) {
+ requireNonNull(node.type);
+ switch (node.type) {
 case MAIN:
 node.moveToTail(headMain);
 policyStats.recordHit();