IQSS · pdurbin · Mar 19, 2026 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
diff --git a/.github/workflows/check_property_files.yml b/.github/workflows/check_property_files.yml
@@ -9,7 +9,7 @@ jobs:
         name: Duplicate Keys
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@v6
             - name: Run duplicates detection script
               shell: bash
               run: tests/check_duplicate_properties.sh
@@ -18,7 +18,7 @@ jobs:
         name: Metadata Blocks Properties
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@v6
             - name: Setup GraalVM + Native Image
               uses: graalvm/setup-graalvm@v1
               with:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -61,7 +61,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`

@@ -20,29 +20,29 @@ jobs:
         if: ${{ github.repository_owner == 'IQSS' }}
         steps:
             # Checkout the pull request code as when merged
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@v6
               with:
                   ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
             - uses: actions/setup-java@v5
               with:
-                  java-version: "17"
+                  java-version: "21"
                   distribution: 'adopt'
-            - uses: actions/cache@v4
+            - uses: actions/cache@v5
               with:
                   path: ~/.m2
                   key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
                   restore-keys: ${{ runner.os }}-m2
 
             # Note: Accessing, pushing tags etc. to GHCR will only succeed in upstream because secrets.
             - name: Login to Github Container Registry
-              uses: docker/login-action@v3
+              uses: docker/login-action@v4
               with:
                   registry: ghcr.io
                   username: ${{ secrets.GHCR_USERNAME }}
                   password: ${{ secrets.GHCR_TOKEN }}
 
             - name: Set up QEMU for multi-arch builds
-              uses: docker/setup-qemu-action@v3
+              uses: docker/setup-qemu-action@v4
 
             # Get the image tag from either the command or default to branch name (Not used for now)
             #-   name: Get the target tag name
@@ -69,7 +69,7 @@ jobs:
                   -Dapp.image.tag=${{ env.IMAGE_TAG }}
                   -Ddocker.registry=ghcr.io -Ddocker.platforms=${{ env.PLATFORMS }}
 
-            - uses: marocchino/sticky-pull-request-comment@v2
+            - uses: marocchino/sticky-pull-request-comment@v3
               with:
                   header: registry-push
                   hide_and_recreate: true

@@ -101,20 +101,20 @@ jobs:
             # Depending on context, we push to different targets. Login accordingly.
             - if: github.event_name != 'pull_request'
               name: Log in to Docker Hub registry
-              uses: docker/login-action@v3
+              uses: docker/login-action@v4
               with:
                   username: ${{ secrets.DOCKERHUB_USERNAME }}
                   password: ${{ secrets.DOCKERHUB_TOKEN }}
             - if: ${{ github.event_name == 'pull_request' }}
               name: Login to Github Container Registry
-              uses: docker/login-action@v3
+              uses: docker/login-action@v4
               with:
                   registry: ghcr.io
                   username: ${{ secrets.GHCR_USERNAME }}
                   password: ${{ secrets.GHCR_TOKEN }}
 
             - name: Set up QEMU for multi-arch builds
-              uses: docker/setup-qemu-action@v3
+              uses: docker/setup-qemu-action@v4
 
             - name: Add rolling image tag when pushing to develop
               if: ${{ github.event_name == 'push' && github.ref_name == 'develop' }}
@@ -141,7 +141,7 @@ jobs:
                   ${{ env.REGISTRY }} -Ddocker.platforms=${{ env.PLATFORMS }}
                   -P ct deploy
 
-            - uses: marocchino/sticky-pull-request-comment@v2
+            - uses: marocchino/sticky-pull-request-comment@v3
               if: ${{ github.event_name == 'pull_request' }}
               with:
                   header: registry-push

@@ -42,15 +42,15 @@ jobs:
             # Note: Accessing, pushing tags etc. to DockerHub will only succeed in upstream and
             #       on events in context of upstream because secrets. PRs run in context of forks by default!
             - name: Log in to the Container registry
-              uses: docker/login-action@v3
+              uses: docker/login-action@v4
               with:
                   username: ${{ secrets.DOCKERHUB_USERNAME }}
                   password: ${{ secrets.DOCKERHUB_TOKEN }}
 
             # In case this is a push to develop, we care about buildtime.
             # Configure a remote ARM64 build host in addition to the local AMD64 in two steps.
             - name: Setup SSH agent
-              uses: webfactory/ssh-agent@v0.9.1
+              uses: webfactory/ssh-agent@v0.10.0
               with:
                   ssh-private-key: ${{ secrets.BUILDER_ARM64_SSH_PRIVATE_KEY }}
             - name: Provide the known hosts key and the builder config

@@ -79,12 +79,12 @@ jobs:
       # Note: Accessing, pushing tags etc. to DockerHub will only succeed in upstream and
       #       on events in context of upstream because secrets. PRs run in context of forks by default!
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Set up QEMU for multi-arch builds
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
         with:
           platforms: ${{ env.PLATFORMS }}
 
@@ -122,12 +122,12 @@ jobs:
       # Note: Accessing, pushing tags etc. to DockerHub will only succeed in upstream and
       #       on events in context of upstream because secrets. PRs run in context of forks by default!
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Set up QEMU for multi-arch builds
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
         with:
           platforms: ${{ env.PLATFORMS }}
 
@@ -164,16 +164,16 @@ jobs:
       # Note: Accessing, pushing tags etc. to DockerHub will only succeed in upstream and
       #       on events in context of upstream because secrets. PRs run in context of forks by default!
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Set up QEMU for multi-arch builds
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
         with:
           platforms: ${{ env.PLATFORMS }}
       - name: Setup Trivy binary for vulnerability scanning
-        uses: aquasecurity/setup-trivy@v0.2.4
+        uses: aquasecurity/setup-trivy@v0.2.5
         with:
           version: v0.63.0
 
@@ -199,7 +199,7 @@ jobs:
       - configbaker-image
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       ### BASE IMAGE
       - name: Render README for base image

diff --git a/.github/workflows/deploy_beta_testing.yml b/.github/workflows/deploy_beta_testing.yml
@@ -14,12 +14,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
-          java-version: '17'
+          java-version: '21'
 
       - name: Enable API Session Auth feature flag
         working-directory: src/main/resources/META-INF
@@ -36,7 +36,7 @@ jobs:
         run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV
 
       - name: Upload war artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: built-app
           path: ./target/${{ env.war_file }}
@@ -47,10 +47,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Download war artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: built-app
           path: ./
@@ -69,7 +69,7 @@ jobs:
           overwrite: true
 
       - name: Execute payara war deployment remotely
-        uses: appleboy/ssh-action@v1.2.3
+        uses: appleboy/ssh-action@v1.2.5
         env:
           INPUT_WAR_FILE: ${{ env.war_file }}
         with:
@@ -79,11 +79,11 @@ jobs:
           envs: INPUT_WAR_FILE
           script: |
             APPLICATION_NAME=dataverse-backend
-            ASADMIN='/usr/local/payara6/bin/asadmin --user admin'
+            ASADMIN='/usr/local/payara7/bin/asadmin --user admin'
             $ASADMIN undeploy $APPLICATION_NAME
             #$ASADMIN stop-domain
-            #rm -rf /usr/local/payara6/glassfish/domains/domain1/generated
-            #rm -rf /usr/local/payara6/glassfish/domains/domain1/osgi-cache
+            #rm -rf /usr/local/payara7/glassfish/domains/domain1/generated
+            #rm -rf /usr/local/payara7/glassfish/domains/domain1/osgi-cache
             #$ASADMIN start-domain
             $ASADMIN deploy --name $APPLICATION_NAME $INPUT_WAR_FILE
             #$ASADMIN stop-domain

diff --git a/.github/workflows/deploy_to_internal.yml b/.github/workflows/deploy_to_internal.yml
@@ -0,0 +1,90 @@
+name: 'Deploy to dataverse-internal.iq.harvard.edu'
+
+on:
+  workflow_dispatch:
+    inputs:
+      buildlabel:
+        description: 'Custom label that will appear after the version number (the equivalent of the old "build number" entry). Leaving it empty will default to the legacy behavior, i.e. " build <branch>-<checksum>".'
+        type: string
+        required: false
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-to-internal
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'zulu'
+          java-version: '21'
+
+      - name: Set build number
+        run: scripts/installer/custom-build-number "${{ github.event.inputs.buildlabel }}"
+
+      - name: Build application war
+        run: mvn package
+
+      - name: Get war file name
+        working-directory: target
+        run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV
+
+      - name: Upload war artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: built-app
+          path: ./target/${{ env.war_file }}
+
+  deploy-to-payara:
+    needs: build
+    if: ${{ github.repository_owner == 'IQSS' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Download war artifact
+        uses: actions/download-artifact@v8
+        with:
+          name: built-app
+          path: ./
+
+      - name: Get war file name
+        run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV
+
+      - name: Copy war file to remote instance
+        uses: appleboy/scp-action@master
+        with:
+          host: ${{ secrets.INTERNAL_PAYARA_INSTANCE_HOST }}
+          username: ${{ secrets.INTERNAL_PAYARA_INSTANCE_USERNAME }}
+          key: ${{ secrets.INTERNAL_PAYARA_INSTANCE_SSH_PRIVATE_KEY }}
+          source: './${{ env.war_file }}'
+          target: '/home/${{ secrets.INTERNAL_PAYARA_INSTANCE_USERNAME }}'
+          overwrite: true
+
+      - name: Execute payara war deployment remotely
+        uses: appleboy/ssh-action@v1.2.5
+        env:
+          INPUT_WAR_FILE: ${{ env.war_file }}
+        with:
+          host: ${{ secrets.INTERNAL_PAYARA_INSTANCE_HOST }}
+          username: ${{ secrets.INTERNAL_PAYARA_INSTANCE_USERNAME }}
+          key: ${{ secrets.INTERNAL_PAYARA_INSTANCE_SSH_PRIVATE_KEY }}
+          envs: INPUT_WAR_FILE
+          script: |
+            APPLICATION_NAME=dataverse-backend
+            ASADMIN='/usr/local/payara7/bin/asadmin --user admin'
+            $ASADMIN undeploy $APPLICATION_NAME
+            #$ASADMIN stop-domain
+            #$ASADMIN start-domain
+            $ASADMIN deploy --name $APPLICATION_NAME $INPUT_WAR_FILE
+            #$ASADMIN stop-domain
+            #$ASADMIN start-domain
diff --git a/.github/workflows/generate_war_file.yml b/.github/workflows/generate_war_file.yml
@@ -0,0 +1,37 @@
+name: 'Generate dataverse war file'
+
+on:
+  workflow_dispatch:
+    inputs:
+      buildlabel:
+        description: 'Custom label that will appear after the version number (the equivalent of the old "build number" entry).  Leaving it empty will default to the legacy behavior, i.e. " build <branch>-<checksum>".'
+        type: string
+        required: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'zulu'
+          java-version: '21'
+
+      - name: Set build number
+        run: scripts/installer/custom-build-number "${{ github.event.inputs.buildlabel }}"
+
+      - name: Build application war
+        run: mvn package
+
+      - name: Get war file name
+        working-directory: target
+        run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV
+
+      - name: Upload war artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: built-app
+          path: ./target/${{ env.war_file }}
@@ -1,5 +1,8 @@
 name: 'Generate dataverse war file'
+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
    inputs:
@@ -1,5 +1,8 @@
 name: 'Generate dataverse war file'

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
    inputs:
diff --git a/.github/workflows/guides_build_sphinx.yml b/.github/workflows/guides_build_sphinx.yml
@@ -10,7 +10,7 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - id: lookup
       run: |
         echo "sphinx_version=$(grep Sphinx== ./doc/sphinx-guides/requirements.txt | tr -s "=" | cut -f 2 -d=)" | tee -a "${GITHUB_OUTPUT}"