Release: 1.0.6 (#112)

* chore: release `1.0.6`

- chore: version bump → `1.0.6`

Signed-off-by: Sam Gammon <[email protected]>

* build(deps): bump com.google.errorprone from `9d99ee7` to `23547ac`

Bumps [com.google.errorprone](https://github.com/google/error-prone) from `9d99ee7` to `23547ac`.
- [Release notes](https://github.com/google/error-prone/releases)
- [Commits](google/error-prone@9d99ee7...23547ac)

---
updated-dependencies:
- dependency-name: com.google.errorprone
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore: updates to `errorprone` and `protobuf`

Signed-off-by: Sam Gammon <[email protected]>

* fixup! rollback protobuf update

Signed-off-by: Sam Gammon <[email protected]>

* fixup! disable submodule updates from dependabot

Signed-off-by: Sam Gammon <[email protected]>

* build(deps): bump tests/integration/bazel from `7a08108` to `1115e52`

Bumps [tests/integration/bazel](https://github.com/bazelbuild/bazel) from `7a08108` to `1115e52`.
- [Release notes](https://github.com/bazelbuild/bazel/releases)
- [Commits](bazelbuild/bazel@7a08108...1115e52)

---
updated-dependencies:
- dependency-name: tests/integration/bazel
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Sam Gammon <[email protected]>

* chore: update `guava`

Signed-off-by: Sam Gammon <[email protected]>

* chore: guava version bump → `33.1.0-jre-jpms`

* chore: update `guava` to distinct embedded branch

Signed-off-by: Sam Gammon <[email protected]>

* fixup! stop publishing to sigstore on release

Signed-off-by: Sam Gammon <[email protected]>

* chore: restore scorecards workflow

Signed-off-by: Sam Gammon <[email protected]>

* chore: remove `errorprone` / `j2objc` from build (graduated)

Signed-off-by: Sam Gammon <[email protected]>

* fixup! guava sigstore

Signed-off-by: Sam Gammon <[email protected]>

* fix: disable remote exec

Signed-off-by: Sam Gammon <[email protected]>

* fixup! drop outdated cp commands from makefile

Signed-off-by: Sam Gammon <[email protected]>

* chore: sync at version `1.0.6`

Signed-off-by: Sam Gammon <[email protected]>

* fixup! don't build tools by default

Signed-off-by: Sam Gammon <[email protected]>

---------

Signed-off-by: Sam Gammon <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.gitattributes

@@ -2,6 +2,5 @@
 *.xml linguist-detectable linguist-language=XML
 *.module linguist-detectable linguist-language=JSON
 *.kts linguist-detectable linguist-language=Kotlin
-*.jar linguist-detectable linguist-language=Java
 *.yaml linguist-detectable linguist-language=YAML
 *.md linguist-detectable linguist-language=Markdown

.github/dependabot.yml

@@ -19,10 +19,10 @@ updates:
       interval: daily
 
   ## Git submodules for embedded libraries.
-  - package-ecosystem: gitsubmodule
-    directory: /
-    schedule:
-      interval: daily
+  #- package-ecosystem: gitsubmodule
+  #  directory: /
+  #  schedule:
+  #    interval: daily
 
   ## Jekyll dependencies.
   - package-ecosystem: bundler

.github/workflows/scorecards.yml

@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '35 8 * * 6'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif

.version

@@ -1 +1 @@
-1.0.5
+1.0.6

CONTRIBUTING.md

@@ -37,6 +37,7 @@ geantyref                      Build Geantyref reflection library.
 guava                          Build Guava and all requisite dependencies.
 help                           Show this help text ('make help').
 index                          Rebuild JSON indexes for the repository.
+indexer                        Run the indexer tool.
 j2objc                         Build the J2ObjC annotations.
 kotlinx-collections            Build KotlinX Immutable Collections.
 maven-resolver                 Build the Error Prone Compiler.

Makefile

@@ -17,10 +17,10 @@ export SNAPSHOT ?= yes
 else
 export TESTS ?= yes
 export SIGNING ?= yes
-export SIGSTORE ?= yes
+export SIGSTORE ?= no
 export SLSA ?= yes
 export SBOM ?= yes
-export JAVADOC ?= yes
+export JAVADOC ?= no
 export SNAPSHOT ?= no
 endif
 
@@ -41,10 +41,10 @@ export KOTLINX_COLLECTIONS_POSTFIX ?= SNAPSHOT
 export MAVEN_RESOLVER_VERSION ?= 2.0.0-SNAPSHOT
 else
 export CHECKER_FRAMEWORK_VERSION ?= 3.43.0-SNAPSHOT
-export GUAVA_VERSION ?= 33.0.0-jre-jpms
+export GUAVA_VERSION ?= 33.1.0-jre-jpms
 export GUAVA_FAILUREACCESS_VERSION ?= 1.0.3-jpms
 export REACTIVE_STREAMS_VERSION ?= 1.0.5-jpms
-export PROTOBUF_VERSION ?= 4.26.0-jpms
+export PROTOBUF_VERSION ?= 4.26.1-jpms
 export GEANTYREF_VERSION ?= 1.3.15-jpms
 export KOTLINX_COLLECTIONS_VERSION ?= 0.4.1
 export KOTLINX_COLLECTIONS_POSTFIX ?= jpms
@@ -57,7 +57,7 @@ export DEV_BIN ?= $(DEV_ROOT)/bin
 export LIBS ?= $(PROJECT)/libs
 export PROJECT_PATH ?= $(DEV_BIN):$(shell echo $$PATH)
 
-DEPS ?= com.google.guava com.google.errorprone com.google.j2objc org.checkerframework org.reactivestreams com.google.protobuf io.leangen.geantyref kotlinx.collections.immutable
+DEPS ?= com.google.guava org.checkerframework org.reactivestreams com.google.protobuf io.leangen.geantyref kotlinx.collections.immutable
 POSIX_FLAGS ?=
 
 ifeq ($(VERBOSE),yes)
@@ -72,7 +72,7 @@ DEV_LOCAL = $(DEV_ROOT) $(DEV_BIN) $(DEV_BIN)/protoc
 BUILD_DEPS ?= $(DEV_LOCAL)
 
 
-all: setup $(BUILD_DEPS) packages repository samples test  ## Build all targets and setup the repository.
+all: setup $(BUILD_DEPS) packages repository samples test indexer  ## Build all targets and setup the repository.
 
 update-modules:  ## Update all sub-modules.
 	$(info Updating Attic submodules...)
@@ -354,7 +354,7 @@ org.checkerframework/checker-qual/build/libs:
 # Library: Guava ---------------------------------------------------------------------------
 
 guava: com.google.guava  ## Build Guava and all requisite dependencies.
-com.google.guava: org.checkerframework com.google.j2objc com.google.errorprone com.google.guava/guava/target
+com.google.guava: org.checkerframework com.google.guava/guava/target
 com.google.guava/guava/target: com.google.guava/guava/futures/failureaccess/target
 	$(info Building Guava...)
 	$(RULE)cd com.google.guava \
@@ -695,6 +695,10 @@ tools:  ## Build ancillary libraries.
 	$(info Building ancillary libraries...)
 	$(RULE)$(MAKE) -C tools PROJECT=$(PROJECT) RELEASE=$(RELEASE_VERSION) LIBS=$(LIBS) REPOSITORY=$(REPOSITORY)
 
+indexer:  ## Run the indexer tool.
+	$(info Rebuilding)
+	$(RULE)$(PNPM) run indexer
+
 help:  ## Show this help text ('make help').
 	$(info JPMS Attic:)
 	@grep -E '^[a-z1-9A-Z_-]+:.*?## .*$$' Makefile | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
@@ -725,8 +729,6 @@ $(LIBS):
 	@echo "Packaging libraries..."
 	$(RULE)$(MKDIR) $(LIBS)
 	$(RULE)$(CP) \
-		com.google.errorprone/annotations/target/*.jar \
-		com.google.j2objc/annotations/target/*.jar \
 		com.google.guava/guava/target/*.jar \
 		com.google.protobuf/bazel-bin/java/*/amended_*_mvn-project.jar \
 		io.leangen.geantyref/target/*.jar \
@@ -806,4 +808,4 @@ forceclean: reset  ## DANGEROUS: Wipe all untracked files and other changes; com
 	$(info Sanitizing codebase...)
 	$(RULE)$(GIT) clean -xdf
 
-.PHONY: all repository packages samples test tools $(DEPS) com.google.protobuf/bazel-bin/java/core/amended_core_mvn-project.jar
+.PHONY: all repository packages samples test tools indexer $(DEPS) com.google.protobuf/bazel-bin/java/core/amended_core_mvn-project.jar

README.md

@@ -22,7 +22,7 @@
 
 # JPMS Attic Repository
 
-> Latest Release: `1.0.5`
+> Latest Release: `1.0.6`
 
 - [GitHub Repo](https://github.com/javamodules/attic)
 - [Docs](https://javamodules.dev)
@@ -78,8 +78,8 @@ becomes obsolete.
 
 Add this domain as a repository within any JVM build tool: [Maven][7], [Gradle][8], [Bazel][9], [sbt][10]. For example:
 
-> [!NOTE] > **Filing issues:** Please file issues for this repo on
-> [`elide-dev/jpms`](https://github.com/elide-dev/jpms/issues).
+> [!NOTE]
+> **Filing issues:** Please file issues for this repo on [`elide-dev/jpms`](https://github.com/elide-dev/jpms/issues).
 
 #### Maven
 
@@ -232,7 +232,7 @@ dependencyResolutionManagement {
 
   versionCatalogs {
     create("attic") {
-      from("dev.javamodules:jpms-catalog:1.0.0")
+      from("dev.javamodules:jpms-catalog:1.0.6")
     }
   }
 }
@@ -252,7 +252,7 @@ To use the Gradle Platform to constrain your versions, map the repository as usu
 
 ```kotlin
 dependencies {
-  api(platform("dev.javamodules:jpms-platform:1.0.0"))
+  api(platform("dev.javamodules:jpms-platform:1.0.6"))
 }
 ```
 

repository/com/google/errorprone/error_prone_annotations/2.26.1/error_prone_annotations-2.26.1.jar.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEoWasYvbejGNzIndzHVkDr0WCvPQFAmYcsDgACgkQHVkDr0WC
+vPQHYw//dG0Zk/gwKENlIAP5xl+sgK+pc7C+QPBx3xai9bekp4gdzMs27GlAEEEB
+GQyM/d+jOpX9caAilQQIOkkBMWVXou9i+Qbdt3Rs+oOqp2XNERQENADCs9cMqoWB
+KBcKXw3BjDIDwosueC5KVD8AsW391YqXllm6+JvBzzgJXCgmpBGG9b0eNKQ9J75P
+fF5fTThAlipTeMg1iD5LJIK3lQw9FnDc08ey55k3+qdX+MWeozvTy3B0GjSJWROs
+SocWAV1k5laZ4QmOHskxyuhIcJgXKSvzo41YFN9+QSx8Nf7Gkia9Xhnfizo9QXEd
+8BWChg3G21ZiBWUE9MyjLmDSx8SFPotm65dho3C9Xg2eRGAUA8se1V9W/XI5Xz3o
+GzmWGWLRscTeUjQUFO+COMfnF8MuEZmWTmu745VbqQlk0hXrEYeUkmNBaNoTXXpf
+jya96CND1EumXtBxw5NGplk3Acb3NqMg8tpBjUkxGRr6JK11Ssiz0Ph1lWnx46CK
+QQEOo4SV3i95NaIo/swkkY31l4n33NHnSsEiQOjdRrcIbP+p388oIF6qYsu4cSeC
+MGtCySTMURMgeq40YM+Gitw0EjRw4etMSawSZrTAiNWFYm+VYCpjB0WJE6K3+giV
+N1izG+w0Fq57bK87W2Pb2JzKtopIV6dUwWC+2xpbrwzH7rkdvIE=
+=atL6
+-----END PGP SIGNATURE-----

repository/com/google/errorprone/error_prone_annotations/2.26.1/error_prone_annotations-2.26.1.jar.md5

@@ -1 +1 @@
-ac8a8cbd39ef2783306c26f6124ce680
+514367465f1e0100d414e285d1156b6f

repository/com/google/errorprone/error_prone_annotations/2.26.1/error_prone_annotations-2.26.1.jar.sha1

@@ -1 +1 @@
-4abf288756bc6f7c01b5d53dc860be0761323453
+f5b47b9e3ef7212bd87b617130b2a5608c6a9977

repository/com/google/errorprone/error_prone_annotations/2.26.1/error_prone_annotations-2.26.1.pom.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEoWasYvbejGNzIndzHVkDr0WCvPQFAmYcsDgACgkQHVkDr0WC
+vPT5OQ/+KcNHrd3yNONO3IzdQ1wDYsZAwe/59F4BNvijbAh9mkhWtf7YQJNk9lkF
+DNNu7MaWY10ldnaF/V3D3oCRIuBkReiWerk418qAsh9dEskID+npFfjXJkeuJVGd
+ldsMW38Ps46WQmSpek+6kfVm2KlS/dRJGDzSegEA9ZCg1WZB5sHOuR6GA+jIEGNL
+1jOoDowU/WERAskJAuPn7xKh7h5b1udW/37T2OeF0snBrj35mumOMQNrgvqjaSJy
+Hdv71uMsPE2AVjqHMcIsLjypHxWIVC7LmTu0veodRPf+uN5yH05sxZ4KPcQTlzzB
+rfF61JzYXUTW9ygpMRYyKq6ZBUDBdusmyxctU+25SkNWXdu3imNHgH0pAzD4Oi7F
+rbNF7k3xR12U7Y722GEXQ1S9G3mAnf55g/8S5cIBjQJ4C1pFxM1D+lNxXF088c43
+QbquKo679r1RBKRIEKC7Cq3b+mgVNcFp+s/Uk67oYexAkoBPx4OpvMJeQAOjRJ1m
+nl4hBf62M1wdmh3MPvHGd2XG1eN09AcdNGgt8+bx8NksNyKy0U5WTIj9k1Zocqsr
+mPHIM6uOqchbHARBjh4bvybo+DCc2BBfTxp93BH4kVQg8Gq3AdJ3JwEhpsaaGpU2
+1MXc1jWFGo9hCU+go/97tZp0qFjcSry4f5+g2/W3yGug8XdZtlc=
+=mw1z
+-----END PGP SIGNATURE-----

repository/com/google/errorprone/error_prone_annotations/maven-metadata.xml

@@ -9,6 +9,6 @@
       <version>2.25.0-jpms</version>
       <version>2.26.1</version>
     </versions>
-    <lastUpdated>20240313005716</lastUpdated>
+    <lastUpdated>20240415044232</lastUpdated>
   </versioning>
 </metadata>

repository/com/google/errorprone/error_prone_annotations/maven-metadata.xml.md5

@@ -1 +1 @@
-b88a22a3c82531b1e5ca661d21f055cf
+0c22ba218f63ee0b4a13eed257e19f2c

repository/com/google/errorprone/error_prone_annotations/maven-metadata.xml.sha1

@@ -1 +1 @@
-cc84c7915c87956eef14ac038f0840c80a58ebcd
+3390b9b98a88340fe682bb6e970406f18680b7e3

repository/com/google/guava/failureaccess/1.0.3-jpms/failureaccess-1.0.3-jpms.jar.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEoWasYvbejGNzIndzHVkDr0WCvPQFAmYcuecACgkQHVkDr0WC
+vPSjww/+MoFBODOHU3yabmabhnx636T2QpEUJEzrfx6kP4Y/sxTAo4UJ7f9SYZfd
+lWx72n204x839Tx2HjU7D8vT/qu+e4Awi8BEGZpLOX+/krXxAd1qudiAypbr5fuL
+gNr+vMEeZmenAjGGbKc0wtK4Cz0Hh+5OU9n1omCYQonP9GtXV9EFydgORU+CPtSS
+pNX+mdYcqLhXhPXSFPgYkwrTpZjL+x0mP9rVeh/35OB9fgT/tZpyC93HvCHEf+30
+6jCaI9c3FEfeqA3CZdJQv3v1FU48LGqV0IUe/aITIQODcLTmJjw+AfxQ7ExFSyzu
+XpeuN44aZ3jPkU1os0RK8//Klo60vWu1dU7g+W+9kKt91Yt/hEoyuUIQtW4Mn1li
+alzBr1QDiLYttclOdGlzqWe8oO/sxycqS+c3TC2XWTo+YUpALQGJ6eezcZgzVlP9
+1Yldwk1ONZCq85Tqr/B+wErzjuE7n43C0nK448OabqowbDx3WKbnEeiEdLXQx4Xe
+4unIHHv1pBX6VyNiQo5aKAQy2iMtruqSo+/xj2rIN2csYn22oVlKNHdaM0NhudGE
+8KuaDS2z7FSAR5s8YiHk36UFzoxtHkn97QYc7Z8DeLkhQX7ZsVV7XwYjafMmg7wt
+U00ceOpM0PvbKqac4InvlUWciXqUutQ1b8DQ83PhF8TPRM6CV1E=
+=i/WE
+-----END PGP SIGNATURE-----

repository/com/google/guava/failureaccess/1.0.3-jpms/failureaccess-1.0.3-jpms.pom.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEoWasYvbejGNzIndzHVkDr0WCvPQFAmYcuecACgkQHVkDr0WC
+vPSZkg//eKbpAbsGFz+yAc9/aJZD47zOjQS3cIfOXNA5or9PDNw877pNJX/m7CPw
+wTSDkD1U2Kh102F4xR+hK6s5/vUsYSR4W5j8xDjqsXOAqPaQMILCHBCXJ0SBWdyH
+e5/naSCdPV1awF29B86qKT2P5mqfSmXUnPtnahZpkoZSAlFnDqDFp35pETqvAUg4
+8XbSvGHr9hpx87RJvgTgKx0TOE0s7PNRD8qx3+DcLdG9lZP4HK9g4X23wF3tIAhZ
+0zfMgOkP4/CCocDwjw/qwWmRLuNVOpaL6KcyvZXvz5EKUjnGIJAuYNn5z1m18+ag
+ym3bz94YuQD58OVlamwPyqhF3ke6QAt8vQIwiP0pLuASvbKccTOKS7KCIqLcts9q
+eQK/s8RvMC5IV+AatbCza0SwCDJBCMDKwRSMirGI0U63XUMVB1Dk2/rxGzfVUc4E
+zMMd82m0t3rtvWXeOXCdD8Ls2lwRU0ADEZCa2OmBXbP6APvkbSCqT7sS0Ml0vgvT
+S3ID+lktTgInO3UwjD1Rgu5wZm7hGZiV9aNswPdXfyPitGAzpfH59iOCNem8RLpn
+QRuKDbWhdbiChdt+YZAMqPwi4+kFY7D4i6ZXsWcRm6zaPSdLGAeudCwZy8FFIw40
+AM0av1eTpdYrTE/dM46gcfhWL9JnhadYhl6nVI9nW/UC+KK/7g4=
+=GY5w
+-----END PGP SIGNATURE-----

repository/com/google/guava/failureaccess/maven-metadata.xml

@@ -7,6 +7,6 @@
     <versions>
       <version>1.0.3-jpms</version>
     </versions>
-    <lastUpdated>20240315181359</lastUpdated>
+    <lastUpdated>20240415052351</lastUpdated>
   </versioning>
 </metadata>

repository/com/google/guava/failureaccess/maven-metadata.xml.md5

@@ -1 +1 @@
-9d1c193968ee17cc9ab6c38ba781c55b
+553d2633c43f43eb427ee4125d6a0e5e

repository/com/google/guava/failureaccess/maven-metadata.xml.sha1

@@ -1 +1 @@
-7cfa8ba366593beeee0f246af251e6ea714f64b8
+4e5af99fff66e96a82190c45a280dd95e827c872