Merge remote-tracking branch 'upstream/master' into merge-upstream

# Conflicts:
#	src/main/java/spoon/reflect/factory/TypeFactory.java
#	src/main/java/spoon/support/compiler/jdt/ParentExiter.java

.github/workflows/jreleaser.yml

@@ -20,9 +20,14 @@ jobs:
     steps:
 # Setups the environment
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
         with:
           fetch-depth: 0
+          token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
+      - name: Set git user
+        run: |
+          git config --global user.name "GitHub Actions Bot"
+          git config --global user.email "<>"
       - name: Set up JDK 11
         uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
         with:
@@ -62,21 +67,25 @@ jobs:
       - name: set branchname to next version
         run: echo "BRANCH_NAME=release/$NEXT_VERSION" >> $GITHUB_ENV
       - name: Set release version
-        run: mvn --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_VERSION -DprocessAllModules
+        run: |
+            mvn -f spoon-pom --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_VERSION -DprocessAllModules
+            mvn --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_VERSION -DprocessAllModules
+            mvn -f spoon-javadoc --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_VERSION -DprocessAllModules
       - name: Commit & Push changes
-        uses: actions-js/push@master
-        with:
-          github_token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
-          message: "release: Releasing version ${{ env.NEXT_VERSION }}"
-          branch: ${{ env.BRANCH_NAME }}
+        run: |
+          git checkout -b ${{env.BRANCH_NAME}}
+          git commit -am "release: Releasing version ${{ env.NEXT_VERSION }}"
+          git push --set-upstream origin ${{ env.BRANCH_NAME }}
+
+
 
 # Now we can run the release
       - name: Stage release
-        run:  mvn --no-transfer-progress --batch-mode -Prelease clean deploy -DaltDeploymentRepository=local::default::file://`pwd`/target/staging-deploy
+        run:  mvn -f spoon-pom --no-transfer-progress --batch-mode -Pjreleaser clean deploy -DaltDeploymentRepository=local::default::file:./target/staging-deploy
       - name: Print next version
         run: mvn help:evaluate -Dexpression=project.version -q -DforceStdout | sed 's/-SNAPSHOT//'
       - name: Run JReleaser
-        uses: jreleaser/release-action@v2
+        uses: jreleaser/release-action@0b198089c53ad2aef0d2bff6b5e6061ead2bbb90 # v2
         with:
           setup-java: false
           version: 1.4.0
@@ -95,23 +104,20 @@ jobs:
          echo "NEXT_RELEASE_VERSION=$(semver next patch $NEXT_VERSION)-SNAPSHOT" >> $GITHUB_ENV
          echo "NEXT_RELEASE_VERSION_WITHOUT_SNAPSHOT=$(semver next patch $NEXT_VERSION)" >> $GITHUB_ENV
       - name: Set release version
-        run: mvn --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_RELEASE_VERSION -DprocessAllModules
+        run: |
+            mvn -f spoon-pom --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_RELEASE_VERSION -DprocessAllModules
+            mvn --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_RELEASE_VERSION -DprocessAllModules
+            mvn -f spoon-javadoc --no-transfer-progress --batch-mode versions:set -DnewVersion=$NEXT_RELEASE_VERSION -DprocessAllModules
 # Commit and push changes
       - name: Commit & Push changes
-        uses: actions-js/push@master
-        with:
-          github_token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
-          message: "release: Setting SNAPSHOT version ${{ env.NEXT_VERSION }}"
-          branch: ${{ env.BRANCH_NAME }}
+        run: |
+          git commit -am "release: Setting SNAPSHOT version $NEXT_RELEASE_VERSION"
+          git push --set-upstream origin ${{ env.BRANCH_NAME }}
       - name: Merge Fast Forward
-        uses: MaximeHeckel/github-action-merge-fast-forward@9710f422198dd92989b8c076096d03c3bd61e6f4 # v1.1.1
-        with:
-          # Branch to merge
-          branchtomerge: ${{ env.BRANCH_NAME }}
-          # Branch that will be updated
-          branch: master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git checkout master
+          git merge --ff-only ${{ env.BRANCH_NAME }}
+          git push origin master
 
 # Log failure:
       - name: JReleaser release output

.github/workflows/qodana.yml

@@ -14,13 +14,29 @@ jobs:
       runs-on: ubuntu-latest
       name: code-quality qodana
       steps:
-        - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
           with:
             fetch-depth: 0
         - name: 'Qodana Scan'
-          uses: JetBrains/qodana-action@61b94e7e3a716dcb9e2030cfd79cd46149d56c26 # v2023.1.0
+          uses: JetBrains/qodana-action@54d3fc653c515607d6b1599201a383e9e07649b1 # v2023.1.5
           with:
             args: --source-directory,./src/main/java , --fail-threshold, 0
-        - uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2
+            post-pr-comment: "false"
+        - uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2
+          with:
+            sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
+    code-quality-spoon-javadoc:
+      runs-on: ubuntu-latest
+      name: code-quality spoon-javadoc qodana
+      steps:
+        - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+          with:
+            fetch-depth: 0
+        - name: 'Qodana Scan (spoon-javadoc)'
+          uses: JetBrains/qodana-action@54d3fc653c515607d6b1599201a383e9e07649b1 # v2023.1.5
+          with:
+            args: --source-directory,./spoon-javadoc/src/main/java , --fail-threshold, 0
+            post-pr-comment: "false"
+        - uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2
           with:
             sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json

.github/workflows/sbom.yml

@@ -22,7 +22,7 @@ jobs:
       SSH_AUTH_SOCK: /tmp/ssh_agent.sock
     name: Generate and store SBOM
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
       - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0

.github/workflows/scorecards.yml

@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["master"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3
+        with:
+          sarif_file: results.sarif

.github/workflows/tests.yml

@@ -44,8 +44,8 @@ jobs:
     steps:
       - name: Disable Git's autocrlf
         run: git config --global core.autocrlf false
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - uses: oracle-actions/setup-java@v1
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: oracle-actions/setup-java@2c4df2930e35870536667f383d87f1246fbe613f # v1
         with:
           website: jdk.java.net
           java-version: ${{ matrix.java }}
@@ -65,21 +65,21 @@ jobs:
         run: mv chore/logback.xml src/test/resources/
       - name: Build
         run: |
-          mvn -B test-compile
+          mvn -f spoon-pom -B test-compile
       - name: Fetch final dependencies
         # this is a hack to download the final test dependencies required to actually run the tests
-        run: timeout 20 mvn -B test || echo "Done fetching dependencies"
+        run: timeout 20 mvn -f spoon-pom -B test || echo "Done fetching dependencies"
         shell: bash
       - name: Test
-        run: 
-          mvn test
+        run:
+          mvn -f spoon-pom test
       - name: print run tests
         run: cat testResults.spoon
   coverage:
     runs-on: ubuntu-latest
     name: Test with coverage
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
           java-version: 17
@@ -100,9 +100,9 @@ jobs:
         run: mv chore/logback.xml src/test/resources/
       - name: Build
         run: |
-          mvn -B test-compile
+          mvn -f spoon-pom -B test-compile
       - name: Test with coverage
-        run: mvn -Pcoveralls test jacoco:report coveralls:report -DrepoToken=$GITHUB_TOKEN -DserviceName=github -DpullRequest=$PR_NUMBER --fail-never
+        run: mvn -f spoon-pom -Pcoveralls test jacoco:report coveralls:report -DrepoToken=$GITHUB_TOKEN -DserviceName=github -DpullRequest=$PR_NUMBER --fail-never
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.number }}
@@ -111,17 +111,16 @@ jobs:
     runs-on: ubuntu-latest
     name: Extra checks
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
       - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
           java-version: 11
           distribution: ${{ env.JAVA_DISTRIBUTION }}
-      - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
+      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: 3.11
-
       - name: Get date for cache # see https://github.com/actions/cache README
         id: get-date
         run: echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
@@ -132,18 +131,94 @@ jobs:
           path: ~/.m2/repository
           key: ${{ runner.os }}-${{ steps.get-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-maven-
-
       - name: Use silent log config
         run: mv chore/logback.xml src/test/resources/
-      - name: Run extra checks
-        run: ./chore/ci-extra.sh
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          fetch-depth: 0
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3-pip
+          pip3 install --user CommonMark==0.9.1 requests pygithub
+
+      - name: Verify and Site Maven goals
+        run: mvn verify license:check site -DskipTests -DadditionalJOption=-Xdoclint:syntax,-missing -Dscan
+      - name: Install spoon-pom
+        working-directory: spoon-pom
+        run: mvn install -DskipTests
+
+      - name: Checkstyle in src/tests
+        run: mvn -q checkstyle:checkstyle -Pcheckstyle-test
+
+      - name: Check documentation links
+        run: python3 ./chore/check-links-in-doc.py
+
+      - name: Analyze dependencies through DepClean in spoon-core
+        run: mvn -q depclean:depclean
+
+      - name: Spoon-decompiler
+        working-directory: spoon-decompiler
+        run: |
+          mvn -q versions:use-latest-versions -DallowSnapshots=true -Dincludes=fr.inria.gforge.spoon
+          mvn -q versions:update-parent -DallowSnapshots=true
+          git diff
+          mvn -q test
+          mvn -q checkstyle:checkstyle license:check
+          mvn -q depclean:depclean
+
+      - name: Spoon-control-flow
+        working-directory: spoon-control-flow
+        run: |
+          mvn -q versions:use-latest-versions -DallowSnapshots=true -Dincludes=fr.inria.gforge.spoon
+          mvn -q versions:update-parent -DallowSnapshots=true
+          git diff
+          mvn -q test
+          mvn -q checkstyle:checkstyle license:check
+      # spoon dataflow
+      - name: Cache downloaded file
+        uses: actions/cache@v2
+        with:
+          path: spoon-dataflow/z3-4.8.4.d6df51951f4c-x64-ubuntu-14.04.zip
+          key: ${{ runner.os }}-z3-4.8.4.d6df51951f4c-x64-ubuntu-14.04.zip
+          restore-keys: |
+            ${{ runner.os }}-z3-4.8.4.d6df51951f4c-x64-ubuntu-14.04.zip
+      - name: Spoon-dataflow
+        working-directory: spoon-dataflow
+        run: |
+          wget https://projects.ow2.org/download/spoon/WebHome/z3-4.8.4.d6df51951f4c-x64-ubuntu-14.04.zip
+          unzip z3-4.8.4.d6df51951f4c-x64-ubuntu-14.04.zip
+          export LD_LIBRARY_PATH=./z3-4.8.4.d6df51951f4c-x64-ubuntu-14.04/bin
+          ./gradlew build
+      - name: Spoon-visualisation
+        working-directory: spoon-visualisation
+        run: |
+          mvn -q versions:use-latest-versions -DallowSnapshots=true -Dincludes=fr.inria.gforge.spoon
+          mvn -q versions:update-parent -DallowSnapshots=true
+          git diff
+          mvn -q test
+          mvn -q depclean:depclean
+
+      - name: Spoon-smpl
+        working-directory: spoon-smpl
+        run: |
+          mvn -q versions:use-latest-versions -DallowSnapshots=true -Dincludes=fr.inria.gforge.spoon
+          mvn -q versions:update-parent -DallowSnapshots=true
+          git diff
+          mvn -q -Djava.src.version=11 test
+          mvn -q checkstyle:checkstyle license:check
+          mvn -q depclean:depclean
+      - name: Trigger extra tasks
+        if: github.repository == 'INRIA/spoon' && github.event_name == 'pull_request'
+        run: |
+          curl https://raw.githubusercontent.com/SpoonLabs/spoon-ci-external/master/spoon-pull-request.sh | bash
       - name: Run Javadoc quality check
         run: ./chore/check-javadoc-regressions.py COMPARE_WITH_MASTER
   reproducible-builds:
     runs-on: ubuntu-latest
     name: reproducible-builds
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
       - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
@@ -155,7 +230,7 @@ jobs:
   maven-central-requirements:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
       - name: Set up JDK 11
         uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3
         with:
@@ -168,4 +243,4 @@ jobs:
           maven-version: 3.9.0
       # we dont enforce that the version must be non snapshot as this is not possible for SNAPSHOT versions in our workflow.
       - name: Check maven pom quality
-        run: mvn org.kordamp.maven:pomchecker-maven-plugin:1.9.0:check-maven-central -D"checker.release=false"
+        run: mvn -f spoon-pom org.kordamp.maven:pomchecker-maven-plugin:1.9.0:check-maven-central -D"checker.release=false"

.gitignore

@@ -59,3 +59,5 @@ gradle-app.setting
 .mvn/.gradle-enterprise/gradle-enterprise-workspace-id
 # Jreleaser files
 out/
+# Mvn release plugin creates this during version update
+pom.xml.versionsBackup