Merge branch 'bufbuild:main' into main

.github/dependabot.yml

@@ -4,24 +4,42 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    groups:
+      github-actions:
+        patterns: ["*"]
   - package-ecosystem: gomod
     directory: /
     schedule:
       interval: weekly
+    groups:
+      go:
+        patterns: ["*"]
   - package-ecosystem: gomod
     directory: /tests
     schedule:
       interval: weekly
+    groups:
+      go-tests:
+        patterns: ["*"]
   - package-ecosystem: maven
     directory: /java
     schedule:
       interval: weekly
     open-pull-requests-limit: 40
+    groups:
+      java:
+        patterns: ["*"]
   - package-ecosystem: pip
     directory: /
     schedule:
       interval: weekly
+    groups:
+      python-root:
+        patterns: ["*"]
   - package-ecosystem: pip
     directory: /python
     schedule:
       interval: weekly
+    groups:
+      python:
+        patterns: ["*"]

.github/workflows/add-to-project.yaml

@@ -0,0 +1,21 @@
+name: Add issues and PRs to project
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+  issue_comment:
+    types:
+      - created
+
+jobs:
+  call-workflow-add-to-project:
+    name: Call workflow to add issue to project
+    uses: bufbuild/base-workflows/.github/workflows/add-to-project.yaml@main
+    secrets: inherit

.github/workflows/ci.yaml

@@ -10,9 +10,9 @@ on:
 env:
   # Keep these versions in sync with the Dockerfile
   BDR_VER: '6.0.1'
-  GO_VER: '1.19.x'
-  PGG_VER: 'v1.30.0'
-  PROTOC_VER: '22.2'
+  GO_VER: '1.21.x'
+  PGG_VER: 'v1.31.0'
+  PROTOC_VER: '24.3'
   PYTHON_VER: '3.8'
   TEST_TAG: protoc-gen-validate:${{ github.sha }}
 
@@ -21,20 +21,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cache/bazelisk
             ~/.cache/bazel
             ~/.cache/protoc
           key: ${{ runner.os }}-build-cache
       - name: Checkout
-        uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VER }}
           cache: true
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VER }}
           cache: 'pip'

.github/workflows/goreleaser.yaml

@@ -13,24 +13,24 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - run: git fetch --force --tags
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.19.x
+          go-version: 1.21.x
           use-latest: true
           cache: true
-      - uses: goreleaser/goreleaser-action@v4
+      - uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload assets
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: protoc-gen-validate
           path: dist/*

.github/workflows/maven-deploy.yaml

@@ -12,16 +12,18 @@ jobs:
   build:
     runs-on: ubuntu-latest
     env:
-      SONATYPE_USER: ${{secrets.BUF_SONATYPE_USER}}
-      SONATYPE_PASSWORD: ${{secrets.BUF_SONATYPE_PASSWORD}}
+      SONATYPE_USER: ${{secrets.SONATYPE_USER}}
+      SONATYPE_PASSWORD: ${{secrets.SONATYPE_PASSWORD}}
       GPG_KEY_NAME: ${{secrets.GPG_KEY_NAME}}
       GPG_PASSPHRASE: ${{secrets.GPG_PASSPHRASE}}
       MAVEN_OPTS: "--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED"
       REF_NAME: ${{ github.ref_name }}
 
     steps:
-      - uses: actions/checkout@v3
-
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
       - name: Set VERSION variable from tag
         run: |
           VERSION=${{ env.REF_NAME }}
@@ -41,32 +43,32 @@ jobs:
           echo $GPG_KEY | base64 --decode > signing-key
           gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
           shred signing-key
-          
+
       - name: Configure GIT
         run: |
-          git config --global user.email "[email protected]" 
+          git config --global user.email "[email protected]"
           git config --global user.name "envoy-bot"
 
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: '17'
           cache: 'maven'
-          server-id: sonatype-nexus-snapshots
+          server-id: ossrh
           server-username: ${ env.SONATYPE_USER }
           server-password: ${ env.SONATYPE_PASSWORD }
           gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
           gpg-passphrase: ${ env.GPG_PASSPHRASE }
 
       - name: Update version in pom
         working-directory: ${{ github.workspace }}/java
-        run: mvn -B versions:set -DnewVersion=${{ env.VERSION }} -DgenerateBackupPoms=false
+        run: ./mvnw -B versions:set -DnewVersion=${{ env.VERSION }} -DgenerateBackupPoms=false
 
       - name: Publish to Maven Packages Apache Maven
         working-directory: ${{ github.workspace }}/java
         run: |
-          mvn -B -s settings.xml clean deploy \
+          ./mvnw -B -s settings.xml clean deploy \
           -Darguments="-s settings.xml" \
           -DreleaseVersion=${{ env.VERSION }} \
           -DdevelopmentVersion=${{ env.VERSION }}-SNAPSHOT \

.github/workflows/maven-release.yaml

@@ -0,0 +1,88 @@
+# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
+## For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path
+
+name: Maven Manual Deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Git ref to release"
+        required: true
+      version:
+        description: "Maven version to release (without 'v' prefix)"
+        required: true
+      deployArgs:
+        description: "Additional Maven deploy arguments (e.g. '--debug -DautoReleaseAfterClose=false')"
+        required: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      SONATYPE_USER: ${{secrets.SONATYPE_USER}}
+      SONATYPE_PASSWORD: ${{secrets.SONATYPE_PASSWORD}}
+      GPG_KEY_NAME: ${{secrets.GPG_KEY_NAME}}
+      GPG_PASSPHRASE: ${{secrets.GPG_PASSPHRASE}}
+      MAVEN_OPTS: "--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED"
+      REF_NAME: ${{ inputs.ref }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
+      - name: Set VERSION variable from tag
+        run: |
+          echo "VERSION=${{ inputs.VERSION }}" >> $GITHUB_ENV
+
+      - name: 'Configure GPG signing'
+        env:
+          GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          # https://github.com/keybase/keybase-issues/issues/2798
+          export GPG_TTY=$(tty)
+          # Import gpg keys and warm the passphrase to avoid the gpg
+          # passphrase prompt when initating a deploy
+          # `--pinentry-mode=loopback` could be needed to ensure we
+          # suppress the gpg prompt
+          echo $GPG_KEY | base64 --decode > signing-key
+          gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
+          shred signing-key
+
+      - name: Configure GIT
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "envoy-bot"
+
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'maven'
+          server-id: ossrh
+          server-username: ${ env.SONATYPE_USER }
+          server-password: ${ env.SONATYPE_PASSWORD }
+          gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
+          gpg-passphrase: ${ env.GPG_PASSPHRASE }
+
+      - name: Update version in pom
+        working-directory: ${{ github.workspace }}/java
+        run: ./mvnw -B versions:set -DnewVersion=${{ env.VERSION }} -DgenerateBackupPoms=false
+
+      - name: Publish to Maven Packages Apache Maven
+        working-directory: ${{ github.workspace }}/java
+        run: |
+          ./mvnw -B -s settings.xml ${{ inputs.deployArgs }} clean deploy \
+          -Darguments="-s settings.xml" \
+          -DreleaseVersion=${{ env.VERSION }} \
+          -DdevelopmentVersion=${{ env.VERSION }}-SNAPSHOT \
+          -DscmCommentPrefix="java release: "
+        env:
+          MAVEN_USERNAME: ${{ env.SONATYPE_USER }}
+          MAVEN_CENTRAL_TOKEN: ${{ env.SONATYPE_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

.github/workflows/maven-build.yaml → .github/workflows/maven-verify.yaml

@@ -1,6 +1,3 @@
-# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
-## For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path
-
 name: Maven Verify
 
 on:
@@ -13,13 +10,16 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           java-version: "17"
           distribution: "temurin"
           cache: "maven"
       - name: Verify with Maven
         working-directory: ${{ github.workspace }}/java
-        run: mvn -B verify
+        run: ./mvnw -B verify

.github/workflows/python-package.yaml

@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build and export to Docker
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: .
           load: true

.github/workflows/version-bump.yaml

@@ -28,17 +28,16 @@ jobs:
     steps:
       - name: Generate token
         id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
         with:
           app_id: ${{ env.APP_ID }}
           private_key: ${{ secrets.TOKEN_EXCHANGE_GH_APP_PRIVATE_KEY }}
-          repository: ${{ github.repository }}
           permissions: >-
             {"contents": "write"}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: "0"
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 16
       - run: npm install -g semver

.golangci.yml

@@ -0,0 +1,27 @@
+linters:
+  enable:
+    - gci
+    - gocritic
+    - gofumpt
+    - govet
+    - misspell
+    - unused
+
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/envoyproxy)
+  govet:
+    check-shadowing: true
+    # Settings per analyzer.
+    settings:
+      shadow:
+        # Whether to be strict about shadowing; can be noisy.
+        strict: true
+    enable:
+      - shadow
+
+run:
+  timeout: 5m