2f4128a31c
Bump github/codeql-action from 4.35.4 to 4.35.5 ( #1624 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action )
from 4.35.4 to 4.35.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases ">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.35.5</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899 ">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158 ">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791 ">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892 ">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158 ">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880 ">#3880</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md ">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases ">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.36.0 - 22 May 2026</h2>
<ul>
<li><em>Breaking change</em>: Bump the minimum required CodeQL bundle
version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/3894 ">#3894</a></li>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893 ">#3893</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5 ">2.25.5</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3926 ">#3926</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899 ">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158 ">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791 ">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892 ">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158 ">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880 ">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4 ">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881 ">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837 ">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850 ">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853 ">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852 ">#3852</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3 ">2.25.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3865 ">#3865</a></li>
</ul>
<h2>4.35.2 - 15 Apr 2026</h2>
<ul>
<li>The undocumented TRAP cache cleanup feature that could be enabled
using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment
variable is deprecated and will be removed in May 2026. If you are
affected by this, we recommend disabling TRAP caching by passing the
<code>trap-caching: false</code> input to the <code>init</code> Action.
<a
href="https://redirect.github.com/github/codeql-action/pull/3795 ">#3795</a></li>
<li>The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules. <a
href="https://redirect.github.com/github/codeql-action/pull/3789 ">#3789</a></li>
<li>Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal. <a
href="https://redirect.github.com/github/codeql-action/pull/3794 ">#3794</a></li>
<li>Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3807 ">#3807</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2 ">2.25.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3823 ">#3823</a></li>
</ul>
<h2>4.35.1 - 27 Mar 2026</h2>
<ul>
<li>Fix incorrect minimum required Git version for <a
href="https://redirect.github.com/github/roadmap/issues/1158 ">improved
incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3781 ">#3781</a></li>
</ul>
<h2>4.35.0 - 27 Mar 2026</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158 ">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767 ">#3767</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1 ">2.25.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3773 ">#3773</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/9e0d7b8d25671d64c341c19c0152d693099fb5ba "><code>9e0d7b8</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3905 ">#3905</a>
from github/update-v4.35.5-d4b485515</li>
<li><a
href="https://github.com/github/codeql-action/commit/6d7d59927c0c7336c1d1247c7e159e79edbf7684 "><code>6d7d599</code></a>
Add changelog entry for <a
href="https://redirect.github.com/github/codeql-action/issues/3899 ">#3899</a></li>
<li><a
href="https://github.com/github/codeql-action/commit/51f7e38c69d3cd7966375fe0ffff19669f22bd14 "><code>51f7e38</code></a>
Update changelog for v4.35.5</li>
<li><a
href="https://github.com/github/codeql-action/commit/d4b485515e8531d7071a39d526213eb5b2e74a11 "><code>d4b4855</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3899 ">#3899</a>
from github/mbg/esbuild/split</li>
<li><a
href="https://github.com/github/codeql-action/commit/127de8117f134e8809c127d53e940b3ffc1db8e9 "><code>127de81</code></a>
Merge remote-tracking branch 'origin/main' into mbg/esbuild/split</li>
<li><a
href="https://github.com/github/codeql-action/commit/7fde13f26ad3f7008e8fe6755cb997b54f7a2f3b "><code>7fde13f</code></a>
Use src + basename in header to avoid issues on Windows</li>
<li><a
href="https://github.com/github/codeql-action/commit/dfa61e7305ed28b74dcc2c68bd665b36751ad933 "><code>dfa61e7</code></a>
Improve pattern matching and error handling</li>
<li><a
href="https://github.com/github/codeql-action/commit/52aafec07347933a26e670390c3f894c5c05e64a "><code>52aafec</code></a>
Import and call <code>runWrapper</code> normally in <code>analyze</code>
tests</li>
<li><a
href="https://github.com/github/codeql-action/commit/0d08c01f7874da2f932e4d4e4d42b1c43be88111 "><code>0d08c01</code></a>
Auto-generate shared bundle</li>
<li><a
href="https://github.com/github/codeql-action/commit/14085a675cb6d8cddc805b946cc1d51e3232a204 "><code>14085a6</code></a>
Auto-generate entry points</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/68bde559dea0fdcac2102bfdf6230c5f70eb485e...9e0d7b8d25671d64c341c19c0152d693099fb5ba ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-28 10:27:18 -07:00
7c927b0a43
Fix deploy build ( #1623 )
...
Fixes the following error:
```
A problem was found with the configuration of task ':pkl-core:sourcesJar' (type 'Jar').
Deprecated Gradle features were used in this build, making it incompatible with Gradle 10.
- Gradle detected a problem with the following location: '/home/runner/work/pkl/pkl/pkl-core/build/generated/sources/baseModuleMembers'.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
Reason: Task ':pkl-core:sourcesJar' uses this output of task ':pkl-core:generateBaseModuleMembers' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed.
For more on this, please refer to https://docs.gradle.org/9.5.1/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
Possible solutions:
94 actionable tasks: 76 executed, 18 from cache
1. Declare task ':pkl-core:generateBaseModuleMembers' as an input of ':pkl-core:sourcesJar'.
2. Declare an explicit dependency on ':pkl-core:generateBaseModuleMembers' from ':pkl-core:sourcesJar' using Task#dependsOn.
3. Declare an explicit dependency on ':pkl-core:generateBaseModuleMembers' from ':pkl-core:sourcesJar' using Task#mustRunAfter.
```
2026-05-26 15:20:54 -07:00
dbf04f6598
Resolve variables at parse time ( #1429 )
...
This replaces `ResolveVariableNode` and `ResolveMethodNode` with their resolution.
When we build the truffle node tree, we determine whether names resolve to:
* lexical scope
* base module
* implicit this
Then, we use this information to directly construct the underlying nodes (`ReadPropertyNode`, `ReadLocalPropertyNode`, etc).
Additionally, `AstBuilder` determines whether the property access must be const or not.
This introduces a `BaseModuleMembers` registry, which gets generated as part of Java compilation.
2026-05-26 14:08:20 -07:00
b2f005d11d
Enable error-prone check for GuardedBy, fix errors ( #1621 )
2026-05-26 13:39:15 -07:00
72948e50fe
Fix calls to string case api ( #1620 )
...
* Enable IntelliJ inspection for calls to `String.toLowerCase()` and
`String.toUpperCase()`
* Enable error prone check
* Fix all issues
2026-05-26 11:20:02 -07:00
d6f35dd49e
Fix formatter bugs ( #1619 )
2026-05-26 19:38:35 +02:00
ff319faef3
Use Locale.ROOT when lowercasing rewrite URIs ( #1618 )
...
Use Locale.ROOT to apply the lowecase format. For URI scheme and host
locale-neutral casing is the semantically the correct choice. Added a
unit test that sets the default locale to tr-TR and that would fail
without the fix.
2026-05-26 09:37:42 -07:00
a1eea47b3f
Restore @ThreadSafe and @Immutable annotations ( #1613 )
2026-05-22 15:58:09 -07:00
648f9143bf
Bump io.leangen.geantyref:geantyref from 1.3.16 to 2.0.1 ( #1566 )
...
Bumps [io.leangen.geantyref:geantyref](https://github.com/leangen/geantyref ) from 1.3.16 to 2.0.1.
- [Release notes](https://github.com/leangen/geantyref/releases )
- [Commits](leangen/geantyref@geantyref-v1.3.16...geantyref-v2.0.1)
---
updated-dependencies:
- dependency-name: io.leangen.geantyref:geantyref
dependency-version: 2.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-05-22 15:54:27 -07:00
95bcd6a463
Remove jsr305; switch GuardedBy to com.google.errorprone ( #1611 )
...
- Remove single usage of @immutable without replacement
- Remove HttpClient's usages of @threadsafe without replacement
- Replace javax.annotation.concurrent.GuardedBy
with com.google.errorprone.annotations.concurrent.GuardedBy
Also:
- Remove redundant final modifiers from members of a final class
---------
Co-authored-by: odenix <self@odenix.org >
2026-05-22 14:15:18 -07:00
a800072441
Fix native build ( #1610 )
...
Fix native executable build; there was a missing truffle boundary
2026-05-22 11:50:40 -07:00
b070d56741
Remove public modifier on LazyHttpClient and RequestRewritingClient ( #1609 )
...
This introduces a test helper to expose configured HTTP settings, and
makes the underlying classes package-private again.
2026-05-22 10:17:26 -07:00
da4dd4c4f8
Make codegen default to jspecify NonNull annotations ( #1607 )
...
With JSpecify now a dependency of pkl-config-java, this moves the
non-null annotation to jspecify's.
This makes it simpler for users to do nullness checks, as tooling
already understands JSpecify nullness annotations.
2026-05-21 21:12:15 -07:00
8e2e5e4ba8
Improve HTTP headers logic ( #1584 )
...
* Relax forbidden headers constraints
- remove restriction on browser-related headers
- allow any glob pattern (no need to end with `/` or `*`, because glob
patterns already require users to explicitly declare prefix matches if
that's the intention)
* Replace `List<Pair<, ...>>`; use `Map<String, ...>` instead
* Use glob pattern strings as an API throughout, instead of `Pattern`
(e.g. in `HttpClientBuilder`)
* Add HTTP headers to message passing API
* Add HTTP headers to executor API (introduces `ExecutorSpiOptions4`)
* Add tests for Gradle, CLI, and pkl-executor invocations
* Improve documentation
* Add `isGlobPattern` API to class `String` for in-language validation
of http headers
* Behavior change: make sure explicitly configured `User-Agent` in
`HttpClientBuilder` can be shadowed by headers (allows users to set
`--http-header "**=User-Agent: My User Agent"` and for this to be the
only user agent).
CC @kyokuping
2026-05-21 20:07:06 -07:00
87ea28260b
Configure IntelliJ to respect @LateInit annotations ( #1606 )
...
IntelliJ can understand that some annotations on fields mean that they
are implicitly initialized, which means we don't get the "field XXX is
not initialized" warning for `@LateInit` fields.
This setting, unfortunately, is recorded into `.idea/misc.xml`, which
contains a bunch of arbitrary stuff that we don't want to check into
source control
This adds some logic to touch up that file to mark `@LateInit` as
implicitly initialized fields, so we don't get any editor warnings.
Also, suppress some warnings.
2026-05-21 14:34:11 -07:00
3dc93cbd4a
pkl-core: Migrate nullness to JSpecify ( #1601 )
...
Replace pkl-core's local nullness annotations with JSpecify annotations.
Enable NullAway checking for pkl-core packages except org.pkl.core.ast
and org.pkl.core.stdlib.
Notable code changes:
- Add a dedicated late-init constructor to VmTyped
- Move VmExceptionBuilder's fallback message derivation from withCause()
to build()
- Split VmException rendering between builder-provided messages and
string-backed messages
- Initialize MessageTransport handlers with default throwing handlers
- Update JSON helper collection types to allow nullable values JSON
arrays and objects can contain JSON null,
so the Java Map/List element types need to model nullable elements
explicitly
- Make public command transform APIs accept nullable transformed values
Command transforms can produce null for optional/default handling,
so the BiFunction and options-map element types now model that
explicitly
- Make ExecutorSpiException accept nullable message and cause
Existing call sites can pass nullable causes from Throwable.getCause()
- Remove JSR-305 semantics from `@LateInit`
JSpecify does not support the same type-qualifier-nickname pattern,
so `@LateInit` is now documentation plus a NullAway
constructor-initialization exemption
Out of scope:
- NullAway checking of org.pkl.core.ast and org.pkl.core.stdlib
- IntelliJ warnings related to `@LateInit` fields
- Removing the JSR-305 dependency, since concurrency annotations are
still in use
2026-05-21 13:57:20 -07:00
63ef60f3c4
Bump slf4j from 2.0.17 to 2.0.18 ( #1605 )
...
Bumps `slf4j` from 2.0.17 to 2.0.18.
Updates `org.slf4j:slf4j-api` from 2.0.17 to 2.0.18
Updates `org.slf4j:slf4j-simple` from 2.0.17 to 2.0.18
---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-api
dependency-version: 2.0.18
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.slf4j:slf4j-simple
dependency-version: 2.0.18
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-05-21 09:56:49 -07:00
f10b235002
Bump gradle-wrapper from 9.5.0 to 9.5.1 ( #1604 )
2026-05-21 09:46:41 -07:00
1e33179ecc
Update codestyles ( #1602 )
...
IntelliJ keeps touching this file; these settings must be obsolete.
2026-05-21 08:18:29 -07:00
1733a4c6e7
Fix: docsite-info is an optional input ( #1598 )
2026-05-19 15:20:02 -07:00
dc9003d0f1
pkl-config-java: Refine nullness handling in Config and JavaType ( #1544 )
...
Motivation:
Config.as() causes nullness warnings when its result is intentionally assigned
to a non-null variable
Changes:
* Introduce Config.asNullable(Class<T>), asNullable(JavaType<T>), and
asNullable(Type) to explicitly opt into nullable values
* Keep the signatures of Config.as(Class<T>) and Config.as(JavaType<T>)
unchanged from 0.31 by adding @NullUnmarked
* This gives users time to migrate from as() to asNullable() where appropriate
* Avoids introducing new spurious warnings
* Change `<T> T Config.as(Type)` to `<T extends @nullable Object> T Config.as(Type)`
* This overload is typically used by reflective code such as
pkl-config-kotlin's Config.to() rather than directly by user code
* Clarify that JavaType<T> represents a non-null top-level type whose type arguments may be nullable
* Restricting <T> to non-null keeps method signatures understandable for humans and tools
* Enables full symmetry between Class<T> and JavaType<T> overloads in Config and JavaType
* Enables future non-null runtime checks in both Config.as() overloads
* Simplify construction of `JavaType`s with nullable type arguments
* Add ofNullable() variants for most factory methods, e.g., JavaType.listOfNullable()
* Overhaul Javadoc of Config and JavaType
Result:
* Clear separation between accessing nullable and non-null values
* Config.as() is used for the common non-null case
* Config.as() can perform non-null runtime checks in a future release (breaking change)
* More ergonomic construction of types with nullable type arguments
* More detailed and consistent documentation
2026-05-19 12:27:59 -07:00
e34c3e8c4f
Test reporter fixes ( #1597 )
...
* Fix error message when an invalid test reporter is supplied in Gradle
* Fix Gradle property name in docs
* Fix Gradle property name in tasks
* Introduce `TestReporter.default`, and use it in places where default
is applied
* Remove calls to `convention()`; this is not required because the input
is optional anyways.
2026-05-19 11:32:51 -07:00
3fbcd463e0
Introduce "minimal" test reporter ( #1563 )
2026-05-19 17:20:26 +02:00
566c42f44d
pkl-doc: Support single-package docsite mode ( #1592 )
...
When a docsite has only one package name and no DocsiteInfo.overview,
treat it like Javadoc's single-module output: redirect the top-level
index to the package page and omit the site-title breadcrumb segment
from generated pages.
Add src/test/files/SinglePackageTest fixtures to cover multiple package
versions, redirect behavior, breadcrumb behavior, and unchanged site
structure.
Also:
- Shut down Executor used in test.
- Declare expected output fixtures of DocGenerator as test inputs, not
outputs.
- Fix IntelliJ warning by using a Set for the right-hand side of
collection subtraction.
2026-05-15 18:38:24 -07:00
a7a64acbac
Improve handling of evaling dependency notation URIs ( #1595 )
2026-05-15 15:51:09 -07:00
3ad1cb3645
Ensure local dependency matches PklProject.dep.json version ( #1594 )
...
The version of local project dependencies should _always_ exactly match
up with what's declared in a PklProject.deps.json; any package in the
transitive dependency tree should always be delcaring the same import
too.
Closes #1591
2026-05-15 11:48:57 -07:00
2fe565a0f2
Added support for external readers in Gradle plugins ( #1578 )
...
Adds support for configuring external module and resource readers in the Gradle plugin
2026-05-14 11:18:22 -07:00
1b6e89c971
pkl-doc: Fix/improve Executor handling in DocGenerator ( #1590 )
...
run() now creates and closes a default Executor per call. This is fine
because there is no good reason to call this method multiple times.
run(Executor) now lets callers provide their own Executor, which is
customary for a well-behaved library.
Also: Fix IntelliJ warning by calling toSet()
Closes #1583
2026-05-14 11:02:23 -07:00
6171dbde28
Bump org.msgpack:msgpack-core from 0.9.11 to 0.9.12 ( #1587 )
2026-05-14 08:51:52 -07:00
99b29ef3c7
Bump github/codeql-action from 4.35.2 to 4.35.4 ( #1586 )
2026-05-14 08:49:18 -07:00
c428f7abd0
Bump com.palantir.javapoet:javapoet from 0.14.0 to 0.15.0 ( #1588 )
2026-05-14 08:48:29 -07:00
366b51bd21
Bump nu.validator:validator from 26.4.16 to 26.5.7 ( #1589 )
2026-05-14 08:47:25 -07:00
14085c18bb
Add support for customizing HTTP headers ( #1196 )
...
This PR adds support for custom HTTP headers, introducing a
`--http-header` CLI flag to accept `key=value` pairs. These headers can
also be specified within the `setting.pkl` file.
Closes #633
SPICE: https://github.com/apple/pkl-evolution/pull/24
---------
Co-authored-by: Jen Basch <jbasch94@gmail.com >
Co-authored-by: Islon Scherer <islonscherer@gmail.com >
2026-05-12 13:53:59 -07:00
fe58405220
Improve some doc comments in pkl:Command ( #1582 )
2026-05-12 13:53:15 -07:00
bac8b47ba8
Add resource readers from service providers in CLI ( #1581 )
...
This omission, in particular, prevents Gradle plugins (which rely on CLI
classes) from adding custom resource readers via the service loading
mechanism. This change seems benign, especially since this is already
done for module key factories.
2026-05-11 16:54:36 -07:00
713fbc5043
Add missing javadoc for org.pkl.core.CommandSpec ( #1577 )
2026-05-08 20:29:05 -07:00
38733e5781
Fix parsing of dependency notation URIs ( #1570 )
...
Fixes a thrown exception when path segments contain characters that
aren't URI safe (e.g. `import "@foo/bar baz.pkl"`).
Closes #1545
2026-05-07 13:00:52 -07:00
8ff03cfac0
Bump gradle-wrapper from 9.4.1 to 9.5.0 ( #1575 )
...
Bumps [gradle-wrapper](https://github.com/gradle/gradle ) from 9.4.1 to
9.5.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/gradle/gradle/releases ">gradle-wrapper's
releases</a>.</em></p>
<blockquote>
<h2>9.5.0</h2>
<p>The Gradle team is excited to announce Gradle 9.5.0.</p>
<p>Here are the highlights of this release:</p>
<ul>
<li>Task provenance in reports and failure messages</li>
<li>Type-safe accessors for precompiled Kotlin Settings plugins</li>
</ul>
<p><a href="https://docs.gradle.org/9.5.0/release-notes.html ">Read the
Release Notes</a></p>
<p>We would like to thank the following community members for their
contributions to this release of Gradle:
<a href="https://github.com/atm1020 ">atm1020</a>,
<a href="https://github.com/mataha ">mataha</a>,
<a href="https://github.com/aSemy ">Adam</a>,
<a href="https://github.com/kelemen ">Attila Kelemen</a>,
<a href="https://github.com/britter ">Benedikt Ritter</a>,
<a href="https://github.com/Vampire ">Björn Kautler</a>,
<a href="https://github.com/budindepunk ">Caro Silva Rode</a>,
<a href="https://github.com/chanani ">CHANHAN</a>,
<a href="https://github.com/DmitryNez ">Dmitry Nezavitin</a>,
<a href="https://github.com/Juneezee ">Eng Zer Jun</a>,
<a href="https://github.com/KugelLibelle ">KugelLibelle</a>,
<a href="https://github.com/vmadalin ">Madalin Valceleanu</a>,
<a href="https://github.com/quijote ">Markus Gaisbauer</a>,
<a href="https://github.com/koppor ">Oliver Kopp</a>,
<a href="https://github.com/hfhbd ">Philip Wedemann</a>,
<a href="https://github.com/ploober ">ploober</a>,
<a href="https://github.com/rpalcolea ">Roberto Perez Alcolea</a>,
<a href="https://github.com/R0h1tAnand ">Rohit Anand</a>,
<a href="https://github.com/Suvrat1629 ">Suvrat Acharya</a>,
<a href="https://github.com/usv240 ">Ujwal Suresh Vanjare</a>,
<a href="https://github.com/urdak ">Victor Merkulov</a></p>
<h2>Upgrade instructions</h2>
<p>Switch your build to use Gradle 9.5.0 by updating your wrapper:</p>
<pre><code>./gradlew wrapper --gradle-version=9.5.0 && ./gradlew
wrapper
</code></pre>
<p>See the Gradle <a
href="https://docs.gradle.org/9.5.0/userguide/upgrading_version_9.html ">9.x
upgrade guide</a> to learn about deprecations, breaking changes and
other considerations when upgrading.</p>
<p>For Java, Groovy, Kotlin and Android compatibility, see the <a
href="https://docs.gradle.org/9.5.0/userguide/compatibility.html ">full
compatibility notes</a>.</p>
<h2>Reporting problems</h2>
<p>If you find a problem with this release, please file a bug on <a
href="https://github.com/gradle/gradle/issues ">GitHub Issues</a>
adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the <a
href="https://discuss.gradle.org/c/help-discuss ">forum</a>.</p>
<p>We hope you will build happiness with Gradle, and we look forward to
your feedback via <a href="https://twitter.com/gradle ">Twitter</a> or on
<a href="https://github.com/gradle ">GitHub</a>.</p>
<h2>9.5.0 RC4</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/gradle/gradle/commit/3fe117d68f3907790f3809f121aa36303a9151f8 "><code>3fe117d</code></a>
Update jdks.yaml (<a
href="https://redirect.github.com/gradle/gradle/issues/37703 ">#37703</a>)</li>
<li><a
href="https://github.com/gradle/gradle/commit/33d145af6fbe7cf7c9d84646b6d7f32fea91d5e2 "><code>33d145a</code></a>
Update jdks.yaml</li>
<li><a
href="https://github.com/gradle/gradle/commit/f7a05d1ed48442eb5da4d6e2b6593da55cdec1da "><code>f7a05d1</code></a>
Update Gradle wrapper to version 9.5.0-rc-4 (<a
href="https://redirect.github.com/gradle/gradle/issues/37654 ">#37654</a>)</li>
<li><a
href="https://github.com/gradle/gradle/commit/266facdcbcb0b4c60120cc118eaf0f652bfcdfe5 "><code>266facd</code></a>
Update Gradle wrapper to version 9.5.0-rc-4</li>
<li><a
href="https://github.com/gradle/gradle/commit/0ad6dd8e143455707e444aa7e3d38327a3366513 "><code>0ad6dd8</code></a>
Suppress OSC taskbar reset on plain/piped stdout (<a
href="https://redirect.github.com/gradle/gradle/issues/37646 ">#37646</a>)</li>
<li><a
href="https://github.com/gradle/gradle/commit/966025d5850d46c9158a2f25e4096222277ecf57 "><code>966025d</code></a>
Suppress OSC taskbar reset on plain/piped stdout</li>
<li><a
href="https://github.com/gradle/gradle/commit/e7455734449e422accebf44cf7b31bf93e3a770c "><code>e745573</code></a>
Polish IP docs (<a
href="https://redirect.github.com/gradle/gradle/issues/37642 ">#37642</a>)</li>
<li><a
href="https://github.com/gradle/gradle/commit/d5cfd079acd2c8f1182edd6ec23dbab571132d0a "><code>d5cfd07</code></a>
Ensure BuildOperationQueue will progress without extra leases (<a
href="https://redirect.github.com/gradle/gradle/issues/37629 ">#37629</a>)</li>
<li><a
href="https://github.com/gradle/gradle/commit/acdf0c36fa13ba09a7ff5b51f79b9af4b1a097ee "><code>acdf0c3</code></a>
Ensure BuildOperationQueue will progress without extra leases</li>
<li><a
href="https://github.com/gradle/gradle/commit/f7d0e4f6f7896426a8b24091388e4c252b62faef "><code>f7d0e4f</code></a>
Rename anchor</li>
<li>Additional commits viewable in <a
href="https://github.com/gradle/gradle/compare/v9.4.1...v9.5.0 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-07 12:28:59 -07:00
be8366a975
Bump jline from 4.0.12 to 4.0.14 ( #1574 )
...
Bumps `jline` from 4.0.12 to 4.0.14.
Updates `org.jline:jline-reader` from 4.0.12 to 4.0.14
- [Release notes](https://github.com/jline/jline3/releases )
- [Commits](jline/jline3@4.0.12...4.0.14)
Updates `org.jline:jline-terminal` from 4.0.12 to 4.0.14
- [Release notes](https://github.com/jline/jline3/releases )
- [Commits](jline/jline3@4.0.12...4.0.14)
Updates `org.jline:jline-terminal-jni` from 4.0.12 to 4.0.14
- [Release notes](https://github.com/jline/jline3/releases )
- [Commits](jline/jline3@4.0.12...4.0.14)
---
updated-dependencies:
- dependency-name: org.jline:jline-reader
dependency-version: 4.0.14
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.jline:jline-terminal
dependency-version: 4.0.14
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.jline:jline-terminal-jni
dependency-version: 4.0.14
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-05-07 11:17:45 -07:00
8a4821c4e7
Power assertions: change source section check to an assert ( #1572 )
2026-05-04 13:53:40 -07:00
b7ba6a8649
Fix pkl:test fact power assertions when member source section is unavailable ( #1571 )
...
Power assertions only work when the source section is available. If it
is unavailable, power assertions throw a ParserError (unexpected EOF on
an empty input) when re-parsing the expression for presentation.
2026-05-04 12:25:15 -07:00
9c1a9cb4f8
Bump kotlinToolchain from 2.3.20 to 2.3.21 ( #1567 )
...
Updates `org.jetbrains.kotlin:kotlin-gradle-plugin` from 2.3.20 to 2.3.21
- [Release notes](https://github.com/JetBrains/kotlin/releases )
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md )
- [Commits](JetBrains/kotlin@v2.3.20...v2.3.21)
Updates `org.jetbrains.kotlin.plugin.serialization` from 2.3.20 to 2.3.21
- [Release notes](https://github.com/JetBrains/kotlin/releases )
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md )
- [Commits](JetBrains/kotlin@v2.3.20...v2.3.21)
---
updated-dependencies:
- dependency-name: org.jetbrains.kotlin:kotlin-gradle-plugin
dependency-version: 2.3.21
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: org.jetbrains.kotlin.plugin.serialization
dependency-version: 2.3.21
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-30 08:31:46 -07:00
5d4bac8f61
Bump com.uber.nullaway:nullaway from 0.13.2 to 0.13.4 ( #1568 )
...
Bumps [com.uber.nullaway:nullaway](https://github.com/uber/NullAway ) from 0.13.2 to 0.13.4.
- [Release notes](https://github.com/uber/NullAway/releases )
- [Changelog](https://github.com/uber/NullAway/blob/master/CHANGELOG.md )
- [Commits](uber/NullAway@v0.13 .2...v0.13.4)
---
updated-dependencies:
- dependency-name: com.uber.nullaway:nullaway
dependency-version: 0.13.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-30 08:31:14 -07:00
4a25320995
Fix import/read verification when encountering glob wildcards ( #1559 )
...
Fixes an issue where the import verifier can possibly throw when
packaging on Windows due to `*` being an invalid filename.
2026-04-29 20:20:49 -07:00
df063f17f3
Added pkg module key factory and resource reader to project loading ( #1547 )
...
This change allows `PklProject` files, usually loaded via the `Project`
static methods, to have references to external packages via `package://`
URIs.
This is helpful for centralizing and sharing common package
configuration via packages.
2026-04-29 16:45:14 -07:00
d3a3a14aaa
Fix CRLF handling in line continuation escapes ( #1564 )
2026-04-29 13:53:55 -07:00
39c01c24ba
Add another commit to ignore revs file ( #1561 )
...
Add commit from https://github.com/apple/pkl/pull/1560
2026-04-25 11:58:55 -07:00
2b3603b544
Reformat Kotlin code ( #1560 )
...
ktfmt has much improved how it formats Kotlin code. Unfortunately, this
means that whenever we touch a single line in a Kotlin file, we get a
_lot_ more changes thanks to ratcheting now picking up this file for
formatting.
This PR just reformats every single Kotlin file so we don't have to deal
with this churn in future PRs that touch Kotlin code.
2026-04-25 06:14:44 -07:00
c4f56bf20d
Fix setting DEBUG_ARGS ( #1558 )
...
Looks like context variable `runner` isn't available on the job level
`env`. It's available on the step level `env` though.
2026-04-24 19:34:08 -07:00
87b15f7a70
Only set --stacktrace --info if verbose logging is enabled ( #1557 )
...
This is a quality-of-life improvement; make our build logs more easy to
read through for the default case.
If we need more information, we can click on the "Enable debug logging"
checkbox when re-running a job, which then populates the `runner.debug`
context variable.
2026-04-24 15:28:57 -07:00
dependabot[bot]