From 7adb8c27dbb0946fd1e044f58216174de69d60cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoann=20Rodi=C3=A8re?= Date: Wed, 26 Mar 2025 08:57:14 +0100 Subject: [PATCH 1/5] Secure Develocity publishing --- Jenkinsfile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index 60ac7e6..e48a244 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,3 +1,5 @@ +@Library('hibernate-jenkins-pipeline-helpers') _ + def withMavenWorkspace(Closure body) { withMaven(jdk: 'OpenJDK 17 Latest', maven: 'Apache Maven 3.9', mavenLocalRepo: env.WORKSPACE_TMP + '/.m2repository', @@ -21,6 +23,11 @@ pipeline { disableConcurrentBuilds(abortPrevious: true) } stages { + stage('Checks') { + steps { + requireApprovalForPullRequest 'hibernate' + } + } stage('Default build') { agent { label 'Worker&&Containers' From 1e03409562f10e8e16c576709076565678778bc4 Mon Sep 17 00:00:00 2001 From: Tyler Bertrand Date: Mon, 24 Mar 2025 11:08:47 -0500 Subject: [PATCH 2/5] Migrate from Gradle Enterprise extension to the latest Develocity extension Update Common Custom User Data Maven extension to latest version Enable Build Scan publishing only if authenticated Update Jenkins jobs to use DEVELOCITY_ACCESS_KEY env var Update GitHub Actions workflows to use DEVELOCITY_ACCESS_KEY env var --- .github/workflows/build.yml | 4 ++-- .gitignore | 4 ++-- .../{gradle-enterprise.xml => develocity.xml} | 19 ++++++++++++------- .mvn/extensions.xml | 6 +++--- Jenkinsfile | 2 +- 5 files changed, 20 insertions(+), 15 deletions(-) rename .mvn/{gradle-enterprise.xml => develocity.xml} (73%) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f53e7ba..51eafae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
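Review bot: The new `Checks` stage has no comment saying what `requireApprovalForPullRequest 'hibernate'` protects, and because the step comes from the shared library its behaviour cannot be read from this file. Going by the commit subject, it presumably keeps unapproved pull requests away from the stages that run with the Develocity access key. A comment such as `// Gate: unapproved PRs must not reach stages that bind the Develocity access key.` would record that, with the wording checked against the library. Two things are worth confirming: that the job does not take the Jenkinsfile from an untrusted PR head, since the gate is only as strong as the file it lives in, and whether `@Library('hibernate-jenkins-pipeline-helpers')` should name a version instead of relying on the default configured in Jenkins. The `pipeline` block starts and ends outside the hunk.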
@@ -62,11 +62,11 @@ jobs: ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \ -Pjqassistant -Pdist -Pci-build -DskipITs env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} - name: Running integration tests in the default environment run: | ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \ -Pskip-checks \ ${{ github.event.pull_request.base.ref && format('-Dincremental -Dgib.referenceBranch=refs/remotes/origin/{0}', github.event.pull_request.base.ref) || '' }} env: - GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} diff --git a/.gitignore b/.gitignore index 5cbbb71..b500a07 100644 --- a/.gitignore +++ b/.gitignore @@ -38,5 +38,5 @@ nb-configuration.xml # Local environment .env -# Gradle Enterprise/Develocity -/.mvn/.gradle-enterprise +# Develocity +/.mvn/.develocity diff --git a/.mvn/gradle-enterprise.xml b/.mvn/develocity.xml similarity index 73% rename from .mvn/gradle-enterprise.xml rename to .mvn/develocity.xml index a2b86dc..e5e79f8 100644 --- a/.mvn/gradle-enterprise.xml +++ b/.mvn/develocity.xml @@ -1,6 +1,6 @@ - + https://ge.hibernate.org false @@ -16,12 +16,17 @@ + + + + + - - #{{'0.0.0.0'}} + + #{{'0.0.0.0'}} - true + true #{env['CI'] == null} @@ -38,4 +43,4 @@ - + \ No newline at end of file diff --git a/.mvn/extensions.xml b/.mvn/extensions.xml index 39d812b..95a3fd0 100644 --- a/.mvn/extensions.xml +++ b/.mvn/extensions.xml @@ -1,12 +1,12 @@ com.gradle - gradle-enterprise-maven-extension - 1.20.1 + develocity-maven-extension + 1.23.2 com.gradle common-custom-user-data-maven-extension - 1.13 + 2.0.1 diff --git a/Jenkinsfile b/Jenkinsfile index e48a244..c3af51c 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -8,7 +8,7 @@ def withMavenWorkspace(Closure body) { junitPublisher(disabled: true) ]) { withCredentials([string(credentialsId: 'ge.hibernate.org-access-key', - variable: 'GRADLE_ENTERPRISE_ACCESS_KEY')]) { + variable: 'DEVELOCITY_ACCESS_KEY')]) { withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline body() } From b9a618f5642952d7c7b5f563358fad49ffd08014 Mon Sep 17 00:00:00 2001 From: Tyler Bertrand Date: Mon, 24 Mar 2025 11:16:04 -0500 Subject: [PATCH 3/5] Switch to the Commonhaus Develocity instance --- .github/workflows/build.yml | 2 ++ .mvn/develocity.xml | 5 +---- Jenkinsfile | 16 ++++++++++------ 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 51eafae..8b55da2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -63,6 +63,7 @@ jobs: -Pjqassistant -Pdist -Pci-build -DskipITs env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} + DEVELOCITY_BASE_URL: "${{ env.DEVELOCITY_BASE_URL || 'https://develocity.commonhaus.dev' }}" - name: Running integration tests in the default environment run: | ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \ @@ -70,3 +71,4 @@ jobs: ${{ github.event.pull_request.base.ref && format('-Dincremental -Dgib.referenceBranch=refs/remotes/origin/{0}', github.event.pull_request.base.ref) || '' }} env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} + DEVELOCITY_BASE_URL: "${{ env.DEVELOCITY_BASE_URL || 'https://develocity.commonhaus.dev' }}" diff --git a/.mvn/develocity.xml b/.mvn/develocity.xml index e5e79f8..28a6a00 100644 --- a/.mvn/develocity.xml +++ b/.mvn/develocity.xml 
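Review bot: Both build.yml steps now repeat `DEVELOCITY_BASE_URL: "${{ env.DEVELOCITY_BASE_URL || 'https://develocity.commonhaus.dev' }}"`, yet nothing in the visible hunks sets `env.DEVELOCITY_BASE_URL` at workflow or job level, so the literal default is presumably what always applies. If an override is intended, a comment should say where it comes from, because this value decides which server the build publishes to and authenticates against with `DEVELOCITY_ACCESS_KEY`. Otherwise a single job-level `env:` entry holding the URL would remove the duplication and keep that host in one place. The job's remaining steps are outside these hunks.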
@@ -2,7 +2,7 @@ xmlns="https://www.gradle.com/develocity-maven" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://www.gradle.com/develocity-maven https://www.gradle.com/schema/develocity-maven.xsd"> - https://ge.hibernate.org + #{env['DEVELOCITY_BASE_URL']?:'https://develocity.commonhaus.dev'} false @@ -38,9 +38,6 @@ #{properties['no-build-cache'] == null} #{env['CI'] != null and (env['CHANGE_ID']?:'').isBlank() and (env['GITHUB_BASE_REF']?:'').isBlank() and !(env['GRADLE_ENTERPRISE_ACCESS_KEY']?:'').isBlank()} - - https://ge.hibernate.org/cache/hsearchtest01/ - \ No newline at end of file diff --git a/Jenkinsfile b/Jenkinsfile index c3af51c..7a14c05 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -7,12 +7,16 @@ def withMavenWorkspace(Closure body) { artifactsPublisher(disabled: true), junitPublisher(disabled: true) ]) { - withCredentials([string(credentialsId: 'ge.hibernate.org-access-key', - variable: 'DEVELOCITY_ACCESS_KEY')]) { - withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline - body() - } - } + def develocityMainCredentialsId = helper.configuration.file?.develocity?.credentials?.main + def develocityBaseUrl = helper.configuration.file?.develocity?.url + withEnv(["DEVELOCITY_BASE_URL=${develocityBaseUrl}"]) { + withCredentials([string(credentialsId: develocityMainCredentialsId, + variable: 'DEVELOCITY_ACCESS_KEY')]) { + withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline + body() + } + } + } } } From bc48011eed6c2a9b829ca846563126975e8598bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoann=20Rodi=C3=A8re?= Date: Wed, 26 Mar 2025 08:51:49 +0100 Subject: [PATCH 4/5] Restore .mvn/.gradle-enterprise in .gitignore --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index b500a07..884b22d 100644 --- a/.gitignore +++ b/.gitignore 
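Review bot: The condition kept as context in the second develocity.xml hunk still tests `env['GRADLE_ENTERPRISE_ACCESS_KEY']`, while the workflow and Jenkinsfile in this series now export the key as `DEVELOCITY_ACCESS_KEY`. With the old name never set, that clause is always false, so whatever the expression gates (the element tags are not visible here; presumably remote build-cache writes) stays off on every CI build. It fails closed, but silently. The last clause should read `!(env['DEVELOCITY_ACCESS_KEY']?:'').isBlank()`, and a short XML comment next to it stating that writes are limited to authenticated non-PR CI builds would make the intent reviewable.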
@@ -38,5 +38,8 @@ nb-configuration.xml # Local environment .env +# Gradle Enterprise (obsolete) +/.mvn/.gradle-enterprise + # Develocity /.mvn/.develocity From 5e62e23a7da81344f9188f6b7f920f7ed3bf5b31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoann=20Rodi=C3=A8re?= Date: Wed, 26 Mar 2025 08:54:30 +0100 Subject: [PATCH 5/5] Fix use of Develocity credentials --- Jenkinsfile | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 7a14c05..6f10108 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -7,16 +7,12 @@ def withMavenWorkspace(Closure body) { artifactsPublisher(disabled: true), junitPublisher(disabled: true) ]) { - def develocityMainCredentialsId = helper.configuration.file?.develocity?.credentials?.main - def develocityBaseUrl = helper.configuration.file?.develocity?.url - withEnv(["DEVELOCITY_BASE_URL=${develocityBaseUrl}"]) { - withCredentials([string(credentialsId: develocityMainCredentialsId, - variable: 'DEVELOCITY_ACCESS_KEY')]) { - withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline - body() - } - } - } + // These credentials can only push reports. + withCredentials([string(credentialsId: 'ge.hibernate.org-access-key-pr')]) { + withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline + body() + } + } } }
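Review bot: The new `withCredentials` binding in the Jenkinsfile hunk has no `variable:` argument, so the secret is no longer exported as `DEVELOCITY_ACCESS_KEY`, the name the rest of the series uses. As far as I know the `string` binding needs a variable name, so this either fails when the step runs or leaves the Maven extension unauthenticated. It should be restored as `withCredentials([string(credentialsId: 'ge.hibernate.org-access-key-pr', variable: 'DEVELOCITY_ACCESS_KEY')]) {`. The patch also stops setting `DEVELOCITY_BASE_URL`, so Jenkins builds fall back to the `https://develocity.commonhaus.dev` default in develocity.xml while the credential id is still named after ge.hibernate.org; confirm the stored key belongs to that server and really is publish-only, as the new comment states. `withMavenWorkspace` starts above the hunk.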