From b2cfe2f7b8466cf3a0494a562d05e12bf1096f32 Mon Sep 17 00:00:00 2001
From: Tobias Gesellchen
Date: Sun, 27 Aug 2023 19:13:27 +0200
Subject: [PATCH 1/4] Publish test results using EnricoMi/publish-unit-test-result-action
---
.github/workflows/cd.yml | 40 +++++++++++----
.github/workflows/ci.yml | 29 ++++++++---
.github/workflows/publish-test-results.yml | 57 +++++++++++-----------
.github/workflows/release.yml | 40 +++++++++++----
4 files changed, 114 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 04a8c924..975a16ee 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -5,29 +5,51 @@ on: branches: - main jobs: - publish: + event-file: + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + name: "Event File" runs-on: ubuntu-latest + steps: + - name: Upload + uses: actions/upload-artifact@v3 + with: + name: event-file + path: ${{ github.event_path }} + publish: + strategy: + matrix: + os: + - ubuntu-latest + # - windows-latest + # - macos-latest + java: + - 8 + # - 17 + runs-on: ${{ matrix.os }} timeout-minutes: 20 steps: - uses: actions/checkout@v3 with: fetch-depth: 1 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v3.12.0 with: distribution: 'zulu' - java-version: 8 - cache: 'gradle' + java-version: ${{ matrix.java }} + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 - name: build publish run: ./gradlew clean build publish --no-daemon --info --stacktrace env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }} ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_SIGNING_PASSWORD }} - - name: Publish Test Report - if: ${{ always() }} - uses: scacap/action-surefire-report@v1 + - name: Upload Test Results + # see publish-test-results.yml for workflow that publishes test results without security issues for forks + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + if: always() + uses: actions/upload-artifact@v3 with: - github_token: ${{ secrets.GITHUB_TOKEN }} - report_paths: '**/build/test-results/test/TEST-*.xml' + name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }}) + path: '**/build/test-results/test/TEST-*.xml' ... diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 70521d27..192dbcfc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
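Review bot: Every action in the `publish` job is referenced by tag rather than by commit SHA (`actions/checkout@v3`, `actions/setup-java@v3.12.0`, `gradle/gradle-build-action@v2`, `actions/upload-artifact@v3`), and this is the job whose Gradle step receives `GPG_SIGNING_KEY` and `GPG_SIGNING_PASSWORD`. A tag can be moved upstream, and the Gradle action prepares the environment that the secret-holding step then runs in, so a moved tag would put unreviewed code next to the signing material. This patch already pins `dawidd6/action-download-artifact` to a full SHA in publish-test-results.yml; the same form fits here, e.g. `uses: gradle/gradle-build-action@<full-commit-sha> # v2`, with the SHA taken from the action's release page. The same applies to the `ci-build` job in ci.yml, the `release` job in release.yml, and `EnricoMi/publish-unit-test-result-action@v2`, which runs with the write-scoped token in publish-test-results.yml.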
@@ -6,11 +6,26 @@ on: branches-ignore: - main jobs: + event-file: + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + name: "Event File" + runs-on: ubuntu-latest + steps: + - name: Upload + uses: actions/upload-artifact@v3 + with: + name: event-file + path: ${{ github.event_path }} ci-build: strategy: matrix: - os: [ ubuntu-latest, windows-latest, macos-latest ] - java: [ 8, 17 ] + os: + - ubuntu-latest + - windows-latest + - macos-latest + java: + - 8 + - 17 runs-on: ${{ matrix.os }} timeout-minutes: 20 steps: @@ -18,18 +33,20 @@ jobs: with: fetch-depth: 1 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v3.12.0 with: distribution: 'zulu' java-version: ${{ matrix.java }} - cache: 'gradle' + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 - name: clean build run: ./gradlew clean build --no-daemon --info --stacktrace - name: Upload Test Results # see publish-test-results.yml for workflow that publishes test results without security issues for forks + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + if: always() uses: actions/upload-artifact@v3 - if: ${{ always() }} with: - name: test-results + name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }}) path: '**/build/test-results/test/TEST-*.xml' ... diff --git a/.github/workflows/publish-test-results.yml b/.github/workflows/publish-test-results.yml index 0a4cc3fb..bbb0ba2c 100644 --- a/.github/workflows/publish-test-results.yml +++ b/.github/workflows/publish-test-results.yml 
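Review bot: Neither the new `event-file` job nor `ci-build` declares `permissions:`, so both run with the repository's default `GITHUB_TOKEN` scope unless a workflow-level block exists above this hunk, which is not visible here. publish-test-results.yml in this same patch sets `permissions: {}` at the top and grants scopes per job; ci.yml builds whatever branch triggered it and deserves the same treatment. A workflow-level `permissions:` with `contents: read` is enough for the checkout in `ci-build`, and `event-file` can take `permissions: {}` because it only uploads an artifact.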
@@ -10,41 +10,42 @@ on: workflow_run: workflows: - CI + - Publish + - Release types: - completed +permissions: {} jobs: - # Job based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + # Job based on + # - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + # - https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches publish-test-results: runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} + if: github.event.workflow_run.conclusion != 'skipped' + + permissions: + checks: write + # needed unless run with comment_mode: off + pull-requests: write + # only needed for private repository + #contents: read + # only needed for private repository + #issues: read + # required by download step to access artifacts API + actions: read + steps: - # Unfortunately, the official actions/download-artifact action is very limited in scope. - # Can't use it yet in this context, https://github.com/actions/download-artifact/issues/60 - - name: Download artifact - uses: actions/github-script@v6 + - name: Download and Extract Artifacts + uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 with: - script: | - var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: ${{ github.event.workflow_run.id }}, - }); - var matchArtifact = artifacts.data.artifacts.filter((artifact) => { - return artifact.name == "test-results" - })[0]; - var download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - var fs = require('fs'); - fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data)); - - run: unzip test-results.zip + run_id: ${{ github.event.workflow_run.id }} + path: artifacts - name: Publish Test 
Results - uses: scacap/action-surefire-report@v1 + uses: EnricoMi/publish-unit-test-result-action@v2 with: - commit: ${{ github.event.workflow_run.head_commit.id }} - github_token: ${{ secrets.GITHUB_TOKEN }} - report_paths: '**/build/test-results/test/TEST-*.xml' + commit: ${{ github.event.workflow_run.head_sha }} + event_file: artifacts/event-file/event.json + event_name: ${{ github.event.workflow_run.event }} + files: "artifacts/**/build/test-results/test/TEST-*.xml" +... diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4574d978..e0c49692 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,19 +7,39 @@ on: # - published jobs: - release: + event-file: + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + name: "Event File" runs-on: ubuntu-latest + steps: + - name: Upload + uses: actions/upload-artifact@v3 + with: + name: event-file + path: ${{ github.event_path }} + release: + strategy: + matrix: + os: + - ubuntu-latest + # - windows-latest + # - macos-latest + java: + - 8 + # - 17 + runs-on: ${{ matrix.os }} timeout-minutes: 20 steps: - uses: actions/checkout@v3 with: fetch-depth: 1 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v3.12.0 with: distribution: 'zulu' - java-version: 8 - cache: 'gradle' + java-version: ${{ matrix.java }} + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 - name: Set artifact version run: | echo "RELEASE_VERSION=$(echo '${{ github.event.release.tag_name }}' | sed -e s/^v//)" >> $GITHUB_ENV 
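Review bot: The download step does not record that everything under `artifacts/` is untrusted input: it is produced by the triggering run, which per the linked marketplace section may be a fork or Dependabot branch, while this job holds `checks: write` and `pull-requests: write`. As far as the hunk shows, the job only parses those files and never checks out or executes anything, and that is the property to keep. I would state it above the step with `# artifacts come from the triggering run and may be attacker-controlled: parse only, never execute them or check out code next to them`. Separately, the new `Publish` and `Release` entries must equal the `name:` of cd.yml and release.yml exactly, which this patch does not show; a mismatch fails silently because the workflow never triggers.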
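Review bot: The unchanged `Set artifact version` step at the end of this release.yml hunk expands `${{ github.event.release.tag_name }}` directly into the shell script, so a tag name containing a single quote or a line break alters the command or appends extra variables to `$GITHUB_ENV`. That happens in the workflow that handles the Sonatype credentials shown in the next hunk. Pass the value through the environment instead: give the step an `env:` entry `TAG_NAME: ${{ github.event.release.tag_name }}` and write `echo "RELEASE_VERSION=${TAG_NAME#v}" >> "$GITHUB_ENV"`. Creating a release already requires write access, so this is hardening rather than an open hole, but it is cheap to do while the workflow is being reworked. The step's remaining lines lie outside the hunk.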
@@ -32,10 +52,12 @@ jobs: SONATYPE_STAGING_PROFILE_ID: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }} SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} - - name: Publish Test Report - if: ${{ always() }} - uses: scacap/action-surefire-report@v1 + - name: Upload Test Results + # see publish-test-results.yml for workflow that publishes test results without security issues for forks + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + if: always() + uses: actions/upload-artifact@v3 with: - github_token: ${{ secrets.GITHUB_TOKEN }} - report_paths: '**/build/test-results/test/TEST-*.xml' + name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }}) + path: '**/build/test-results/test/TEST-*.xml' ... From 6ff90d3c726b4b7205eda45d8204924ef5c22fe6 Mon Sep 17 00:00:00 2001 From: Tobias Gesellchen Date: Sun, 27 Aug 2023 19:13:42 +0200 Subject: [PATCH 2/4] Configure grouped dependency updates --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6337115b..8f29cf04 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,15 @@ updates: schedule: interval: "daily" open-pull-requests-limit: 20 + groups: + # https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/ + # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups + kotlin: + patterns: + - "org.jetbrains.kotlin:*" + moshi: + patterns: + - "com.squareup.moshi:*" + okio: + patterns: + - "com.squareup.okio:*" From 8e410460fcb6ca4e6957a01cab0705ed42e6cb67 Mon Sep 17 00:00:00 2001 
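Review bot: In .github/dependabot.yml the new `groups` cover only Gradle coordinates, and the hunk does not show whether the file also has a `package-ecosystem: "github-actions"` entry. Patch 1/4 of this series pins `dawidd6/action-download-artifact` to a commit SHA and `actions/setup-java` to `v3.12.0`; without that ecosystem entry those pins never receive update pull requests and can silently miss upstream security fixes. If the entry is missing, add one with its own `schedule` next to the existing update block; the `updates:` list starts above this hunk.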
From: Tobias Gesellchen Date: Sun, 27 Aug 2023 19:14:08 +0200 Subject: [PATCH 3/4] Prefer Kotlin 1.9.10 --- engine/build.gradle.kts | 2 +- integrationtest/build.gradle.kts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/engine/build.gradle.kts b/engine/build.gradle.kts index bddbca79..841e5d38 100644 --- a/engine/build.gradle.kts +++ b/engine/build.gradle.kts @@ -61,7 +61,7 @@ dependencies { implementation(it) { version { strictly("[1.6,1.10)") - prefer("1.9.0") + prefer("1.9.10") } } } diff --git a/integrationtest/build.gradle.kts b/integrationtest/build.gradle.kts index ba9051c6..14ecc9e1 100644 --- a/integrationtest/build.gradle.kts +++ b/integrationtest/build.gradle.kts @@ -50,7 +50,7 @@ dependencies { implementation(it) { version { strictly("[1.6,1.10)") - prefer("1.9.0") + prefer("1.9.10") } } } From 1003ee09d0da1e9cfe4805c0164e3593193cfa36 Mon Sep 17 00:00:00 2001 From: Tobias Gesellchen Date: Sun, 27 Aug 2023 19:17:39 +0200 Subject: [PATCH 4/4] Bump TestConstants --- .../groovy/de/gesellix/docker/engine/TestConstants.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integrationtest/src/test/groovy/de/gesellix/docker/engine/TestConstants.groovy b/integrationtest/src/test/groovy/de/gesellix/docker/engine/TestConstants.groovy index 9ee3e30c..86ddb701 100644 --- a/integrationtest/src/test/groovy/de/gesellix/docker/engine/TestConstants.groovy +++ b/integrationtest/src/test/groovy/de/gesellix/docker/engine/TestConstants.groovy @@ -31,11 +31,11 @@ class TestConstants { } else { versionDetails = [ - ApiVersion : { it == "1.42" }, + ApiVersion : { it == "1.43" }, Arch : { it in ["amd64", "arm64"] }, BuildTime : { it =~ "2023-\\d{2}-\\d{2}T\\w+" }, GitCommit : { it =~ "\\w{6,}" }, - GoVersion : { it == "go1.19.10" }, + GoVersion : { it == "go1.20.6" }, KernelVersion: { it =~ "\\d.\\d{1,2}.\\d{1,2}\\w*" }, MinAPIVersion: { it == "1.12" }, Os : { it == "linux" },