[pull] master from GoogleContainerTools:master

.allstar/binary_artifacts.yaml

@@ -0,0 +1,4 @@
+# Ignore reason: jars are used for testing purposes only
+ignorePaths:
+  - jib-gradle-plugin/src/integration-test/resources/gradle/projects/default-target/libs/dependency-1.0.0.jar
+  - jib-gradle-plugin/src/integration-test/resources/gradle/projects/simple/libs/dependency-1.0.0.jar

.github/ISSUE_TEMPLATE/issue_report.md

@@ -8,7 +8,13 @@ assignees: ''
 ---
 
 <!--
-Before filing an issue, please reproduce with the latest version of Jib.
+Please follow the guidelines below before opening an issue:
+1. Ensure the issue was not already reported. 
+2. Open a new issue if you are unable to find an existing issue addressing your problem. Make sure to include a title and clear description, as much relevant information as possible, and a code sample or an executable test case demonstrating the expected behavior that is not occurring.
+3. Discuss the priority and potential solutions with the maintainers in the issue. The maintainers would review the issue and add a label "Accepting Contributions" once the issue is ready for accepting contributions. 
+4. Open a PR only if the issue is labeled with "Accepting Contributions", ensure the PR description clearly describes the problem and solution. Note that an open PR without an issues labeled with "Accepting Contributions" will not be accepted.
+
+Please reproduce with the latest version of Jib.
 
 If you are encountering errors pulling or pushing to remote registries,
 please check our Frequently Asked Questions before filing an issue:

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,8 +1,12 @@
-<!--
-Before filing a pull request, make sure:
+Thank you for your interest in contributing! For general guidelines, please refer to
+the [contributing guide](https://github.com/GoogleContainerTools/jib/blob/master/CONTRIBUTING.md).
 
-1. A corresponding issue exists or file an issue, and that
-2. Your implementation plan is approved by the community.
+Please follow the guidelines below before opening an issue or a PR:
+- [ ] Ensure the issue was not already reported. 
+- [ ] Create a new issue at https://github.com/GoogleContainerTools/jib/issues/new/choose if you are unable to find an existing issue addressing your problem. Make sure to include a title and clear description, as much relevant information as possible, and a code sample or an executable test case demonstrating the expected behavior that is not occurring.
+- [ ] Discuss the priority and potential solutions with the maintainers in the issue. The maintainers would review the issue and add a label "Accepting Contributions" once the issue is ready for accepting contributions.
+- [ ] Open a PR only if the issue is labeled with "Accepting Contributions", ensure the PR description clearly describes the problem and solution. Note that an open PR without an issues labeled with "Accepting Contributions" will not be accepted.
+- [ ] Verify that integration tests and unit tests are passing after the change.
+- [ ] Address all checkstyle issues. Refer to the [style guide](https://github.com/GoogleContainerTools/jib/blob/master/STYLE_GUIDE.md).
 
-This helps to reduce the chance of having a pull request rejected.
--->
+Fixes #<issue_number_goes_here> 🛠️

.github/RELEASE_TEMPLATES/cli_release_checklist.md

@@ -4,18 +4,12 @@ labels: release
 ---
 ## Requirements
 - [ ] ⚠️ Ensure the release process has succeeded before proceeding
+- [ ] ⚠️ Publish [Release]({{ env.RELEASE_DRAFT }}) after adding CHANGELOG entries ([example](https://github.com/GoogleContainerTools/jib/releases/tag/v0.8.0-cli))
 
 ## GCS
 - [ ] Run {{ env.GCS_UPDATE_SCRIPT }} script to update GCS with the latest version number
 
 ## Github
 - [ ] Update [CHANGELOG.md]({{ env.CHANGELOG_URL }})
 - [ ] Update [README.md]({{ env.README_URL }})
-- [ ] Publish [Release]({{ env.RELEASE_DRAFT }})
 - [ ] Merge PR ({{ env.RELEASE_PR }})
-- [ ] Update the current [milestone](https://github.com/GoogleContainerTools/jib/milestones), roll over any incomplete issues to next milestone.
-
-## Announce
-- [ ] Email jib users
-- [ ] Post to [gitter](https://gitter.im/google/jib)
-- [ ] Mention on all fixed issues that latest release has addressed the issue (usually any closed issues in a [milestone](https://github.com/GoogleContainerTools/jib/milestones))

.github/RELEASE_TEMPLATES/core_release_checklist.md

@@ -10,9 +10,3 @@ labels: release
 - [ ] Update [README.md]({{ env.README_URL }})
 - [ ] Publish [Release]({{ env.RELEASE_DRAFT }})
 - [ ] Merge PR ({{ env.RELEASE_PR }})
-- [ ] Update the current [milestone](https://github.com/GoogleContainerTools/jib/milestones), roll over any incomplete issues to next milestone.
-
-## Announce
-- [ ] Email jib users
-- [ ] Post to [gitter](https://gitter.im/google/jib)
-- [ ] Mention on all fixed issues that latest release has addressed the issue (usually any closed issues in a [milestone](https://github.com/GoogleContainerTools/jib/milestones))

.github/RELEASE_TEMPLATES/plugin_release_checklist.md

@@ -11,20 +11,10 @@ labels: release
 ## Github
 - [ ] Update [CHANGELOG.md]({{ env.CHANGELOG_URL }})
 - [ ] Update [README.md]({{ env.README_URL }})
-- [ ] Update [CONTRIBUTING.md](https://github.com/GoogleContainerTools/jib/blob/master/CONTRIBUTING.md)
-- [ ] Update [examples](https://github.com/GoogleContainerTools/jib/tree/master/examples)
+- [ ] Search/replace the old published version with the new published version in [examples](https://github.com/GoogleContainerTools/jib/tree/master/examples)
 - [ ] Publish [Release]({{ env.RELEASE_DRAFT }})
 - [ ] Merge PR ({{ env.RELEASE_PR }})
-- [ ] Update the current [milestone](https://github.com/GoogleContainerTools/jib/milestones), roll over any incomplete issues to next milestone.
-
-#### Skaffold
-- [ ] Update versions in Skaffold ([example PR](https://github.com/GoogleContainerTools/skaffold/pull/4639))
 
 #### Jib-Extensions
 - [ ] Update versions in [Jib Extensions](https://github.com/GoogleContainerTools/jib-extensions)
 - [ ] If there were Gradle API or Jib API changes, double-check compatibility and update Version Matrix on jib-extensions. It may require re-releasing first-party extensions. See [jib-extensions#45](https://github.com/GoogleContainerTools/jib-extensions/pull/45), [jib-extensions#44](https://github.com/GoogleContainerTools/jib-extensions/pull/44), and [jib-extensions#42](https://github.com/GoogleContainerTools/jib-extensions/pull/42)
-
-## Announce
-- [ ] Email jib users
-- [ ] Post to [gitter](https://gitter.im/google/jib)
-- [ ] Mention on all fixed issues that latest release has addressed the issue (usually any closed issues in a [milestone](https://github.com/GoogleContainerTools/jib/milestones))

.github/workflows/gradle-wrapper-validation.yml

@@ -6,5 +6,5 @@ jobs:
     name: "Gradle wrapper validation"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2.3.4
-      - uses: gradle/wrapper-validation-action@v1.0.4
+      - uses: actions/checkout@v4
+      - uses: gradle/wrapper-validation-action@v3.5.0

.github/workflows/jib-cli-release.yml

@@ -11,9 +11,12 @@ jobs:
   release:
     name: Release Jib CLI
     runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+      upload_url: ${{ steps.create-release.outputs.upload_url }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v4
 
       - name: Build project
         run: |
@@ -41,15 +44,19 @@ jobs:
           ./gradlew jib-cli:instDist --stacktrace
 
           cd jib-cli/build/distributions
-          sha256sum jib-${{ github.event.inputs.release_version }}.zip > zip.sha256
+          mv jib-${{ github.event.inputs.release_version }}.zip jib-jre-${{ github.event.inputs.release_version }}.zip
+          sha256sum jib-jre-${{ github.event.inputs.release_version }}.zip > zip.sha256
+
+      - name: Generate SLSA subject for Jib CLI release binaries
+        id: hash
+        working-directory: jib-cli/build/distributions
+        run: echo "hashes=$(cat zip.sha256 | base64 -w0)" >> $GITHUB_OUTPUT
 
       - name: Create pull request
-        uses: repo-sync/pull-request@v2.6
+        uses: repo-sync/pull-request@v2.12.1
         id: create-pr
         with:
-          # Use a personal token to file a PR as a non-bot author to trigger other workflows (e.g., unit tests):
-          # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token;
-          github_token: ${{ secrets.GA_RELEASE_PR_PERSONAL_TOKEN }}
+          github_token: ${{ secrets.CLOUD_JAVA_BOT_GITHUB_TOKEN }}
           source_branch: cli-release-v${{ github.event.inputs.release_version }}
           pr_title: "CLI release v${{ github.event.inputs.release_version }}"
           pr_body: "To be merged after the release is complete."
@@ -75,7 +82,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create-release.outputs.upload_url }}
-          asset_path: ./jib-cli/build/distributions/jib-${{ github.event.inputs.release_version }}.zip
+          asset_path: ./jib-cli/build/distributions/jib-jre-${{ github.event.inputs.release_version }}.zip
           asset_name: jib-jre-${{ github.event.inputs.release_version }}.zip
           asset_content_type: application/zip
 
@@ -90,7 +97,7 @@ jobs:
           asset_content_type: text/plain
 
       - name: Create Jib CLI release checklist issue
-        uses: JasonEtco/create-an-issue@v2.6
+        uses: JasonEtco/create-an-issue@v2.9.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_NAME: v${{ github.event.inputs.release_version }}-cli
@@ -102,3 +109,32 @@ jobs:
         with:
           filename: .github/RELEASE_TEMPLATES/cli_release_checklist.md
 
+  provenance:
+    needs: [release]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+
+  upload:
+    needs: [release, provenance]
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download attestation
+        uses: actions/download-artifact@v3
+        with:
+          name: "${{ needs.provenance.outputs.attestation-name }}"
+
+      - uses: actions/upload-release-asset@v1.0.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.release.outputs.upload_url }}
+          asset_path: "${{ needs.provenance.outputs.attestation-name }}"
+          asset_name: "${{ needs.provenance.outputs.attestation-name }}"
+          asset_content_type: application/json

.github/workflows/prepare-release.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v4
 
       - name: Check input
         run: |
@@ -59,14 +59,10 @@ jobs:
             -Prelease.releaseVersion=${{ github.event.inputs.release_version }}
 
       - name: Create pull request
-        uses: repo-sync/pull-request@v2.6
+        uses: repo-sync/pull-request@v2.12.1
         id: create-pr
         with:
-          # Use a personal token to file a PR to trigger other workflows (e.g., unit tests).
-          # Save your access token as GA_RELEASE_PR_PERSONAL_TOKEN.             
-          # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
-          # https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
-          github_token: ${{ secrets.GA_RELEASE_PR_PERSONAL_TOKEN }}
+          github_token: ${{ secrets.CLOUD_JAVA_BOT_GITHUB_TOKEN }}
           source_branch: ${{ github.event.inputs.project }}-release-v${{ github.event.inputs.release_version }}
           pr_title: "${{ github.event.inputs.project }} release v${{ github.event.inputs.release_version }}"
           pr_body: "To be merged after the release is complete."
@@ -92,7 +88,7 @@ jobs:
             See [CHANGELOG.md](https://github.com/GoogleContainerTools/jib/blob/master/jib-${{ github.event.inputs.project }}-plugin/CHANGELOG.md) for more details.
 
       - name: Create Maven/Gradle release checklist issue
-        uses: JasonEtco/create-an-issue@v2.6
+        uses: JasonEtco/create-an-issue@v2.9.2
         if: ${{ github.event.inputs.project == 'maven' || github.event.inputs.project == 'gradle' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -121,7 +117,7 @@ jobs:
             See [CHANGELOG.md](https://github.com/GoogleContainerTools/jib/blob/master/jib-core/CHANGELOG.md) for more details.
 
       - name: Create Core release checklist issue
-        uses: JasonEtco/create-an-issue@v2.6
+        uses: JasonEtco/create-an-issue@v2.9.2
         if: ${{ github.event.inputs.project == 'core' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/sonar.yml

@@ -17,21 +17,21 @@ jobs:
     steps:
       - name: Get current date
         id: date
-        run: echo "::set-output name=date::$(date +'%Y-%m-%d' --utc)"
-      - uses: actions/checkout@v2
+        run: echo "date=$(date +'%Y-%m-%d' --utc)" >> $GITHUB_OUTPUT
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
       - name: Set up JDK 11
-        uses: actions/setup-java@v2.3.1
+        uses: actions/setup-java@v3
         with:
           distribution: 'adopt'
           java-version: 11
       - name: Cache SonarCloud packages
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar-${{ steps.date.outputs.date }}
-      - uses: actions/cache@v2
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.m2/repository

.github/workflows/unit-tests.yml

@@ -17,14 +17,14 @@ jobs:
       # for gradle
       TERM: dumb
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
-      - uses: actions/setup-java@v2.3.1
+      - uses: actions/setup-java@v3
         with:
           distribution: 'adopt'
           java-version: ${{ matrix.java }}
-      - uses: actions/cache@v2.1.6
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.m2/repository

CONTRIBUTING.md

@@ -1,7 +1,13 @@
+
+This project is currently stable, and we are primarily focused on critical bug fixes and platform evolution to ensure it continues to work for its supported use cases.
+
 # Contributing to Jib
 
-We'd love to accept your patches and contributions to this project. There are
-just a few small guidelines you need to follow.
+Please follow the guidelines below before opening an issue or a PR:
+1. Ensure the issue was not already reported. 
+2. Open a new issue if you are unable to find an existing issue addressing your problem. Make sure to include a title and clear description, as much relevant information as possible, and a code sample or an executable test case demonstrating the expected behavior that is not occurring.
+3. Discuss the priority and potential solutions with the maintainers in the issue. The maintainers would review the issue and add a label "Accepting Contributions" once the issue is ready for accepting contributions. 
+4. Open a PR only if the issue is labeled with "Accepting Contributions", ensure the PR description clearly describes the problem and solution. Note that an open PR without an issues labeled with "Accepting Contributions" will not be accepted.
 
 ## Contributor License Agreement
 
@@ -15,25 +21,20 @@ You generally only need to submit a CLA once, so if you've already submitted one
 (even if it was for a different project), you probably don't need to do it
 again.
 
-## Building Jib
+## Code Reviews
 
-Jib comes as 3 public components:
+All submissions, including submissions by project members, require review. We
+use Github pull requests for this purpose.
 
-  - `jib-core`: a library for building containers
-  - `jib-maven-plugin`: a Maven plugin that uses `jib-core` and `jib-plugins-common`
-  - `jib-gradle-plugin`: a Gradle plugin that uses `jib-core` and `jib-plugins-common`
+Before submitting a pull request, please make sure to:
 
-And 1 internal component:
+- Identify an existing [issue](https://github.com/GoogleContainerTools/jib/issues) to associate
+  with your proposed change, or [file a new issue](https://github.com/GoogleContainerTools/jib/issues/new).
+- Describe any implementation plans in the issue and wait for a review from the repository maintainers.
 
-  - `jib-plugins-common`: a library with helpers for maven/gradle plugins
+### Typical Contribution Cycle
 
-The project is configured as a single gradle build. Run `./gradlew build` to build the
-whole project. Run `./gradlew install` to install all public components into the
-local maven repository.
-
-## Code Reviews
-
-1. Set your git user.email property to the address used for step 1. E.g.
+1. Set your git user.email property to the address used for signing the CLA. E.g.
    ```
    git config --global user.email "janedoe@google.com"
    ```
@@ -47,6 +48,22 @@ local maven repository.
 5. Associate the change with an existing issue or file a [new issue](../../issues).
 6. Create a pull request!
 
+## Building Jib
+
+Jib comes as 3 public components:
+
+- `jib-core`: a library for building containers
+- `jib-maven-plugin`: a Maven plugin that uses `jib-core` and `jib-plugins-common`
+- `jib-gradle-plugin`: a Gradle plugin that uses `jib-core` and `jib-plugins-common`
+
+And 1 internal component:
+
+- `jib-plugins-common`: a library with helpers for maven/gradle plugins
+
+The project is configured as a single gradle build. Run `./gradlew build` to build the
+whole project. Run `./gradlew install` to install all public components into the
+local maven repository.
+
 ### Integration Tests
 **Note** that in order to run integration tests, you will need to set one of the
 following environment variables:
@@ -64,10 +81,14 @@ To run select integration tests, use `--tests=<testPattern>`, see [gradle docs](
 
 # Development Tips
 
+## Java version
+
+Use Java 8 or 11 for development. https://sdkman.io/ is a helpful tool to switch between Java versions.
+
 ## Configuring Eclipse
 
 Although jib is a mix of Gradle and Maven projects, we build everything using one
-unifed gradle build. There is special code to include some projects directly as
+unified gradle build. There is special code to include some projects directly as
 source, but importing your project should be pretty straight forward.
 
   1. Ensure you have installed the Gradle tooling for Eclipse, called
@@ -122,11 +143,11 @@ To use a local build of the `jib-gradle-plugin`:
           }
         }
         ```
-  1. Modify your test project's `build.gradle` to use the snapshot version
+  1. Modify your test project's `build.gradle` to use the [latest snapshot version](jib-gradle-plugin/gradle.properties)
         ```groovy
         plugins {
-          // id 'com.google.cloud.tools.jib' version '3.1.4'
-          id 'com.google.cloud.tools.jib' version '3.1.5-SNAPSHOT'
+          // id 'com.google.cloud.tools.jib' version 'major.minor.patch'
+          id 'com.google.cloud.tools.jib' version 'major.minor.patch-SNAPSHOT'
         }
 
         ```