Merge branch 'pombast'

This branch updates the "mega-melt" integration test to use SciJava's
new pombast command-line tool, which generalizes the concept of BOM
component testing beyond only pom-scijava, and makes the pom-scijava
testing more robust and featureful. It also updates many managed
component versions in an effort to attain total BOM harmony once again.

Author: ctrueden

.github/build.sh

@@ -1,55 +1,3 @@
 #!/bin/sh
-
-# Discern whether this is a release build.
-releasing=
-if [ -f release.properties ]; then
-  releasing=1
-fi
-
-# Run the SciJava CI build script.
-curl -fsLO https://raw.githubusercontent.com/scijava/scijava-scripts/main/ci-build.sh &&
-sh ci-build.sh || { echo "Maven build failed. Skipping melting pot tests."; exit 1; }
-
-# Skip melting pot if cutting a release.
-if [ "$releasing" ]; then
-  exit 0
-fi
-
-# Helper method to get the last cache modified date as seconds since epoch
-last_cache_modified() {
-  find "$HOME/.cache/scijava/melting-pot" -type f | while read f
-  do
-    stat -c '%Y' "$f"
-  done | sort -nr 2>/dev/null | head -n1
-}
-
-# Record the last time of cache modification before running melting-pot
-cache_modified_pre=0
-cache_modified_post=0
-
-if [ -d "$HOME/.cache/scijava/melting-pot" ]; then
-  cache_modified_pre=$(last_cache_modified)
-fi
-
-# run melting-pot
-tests/run.sh
-meltResult=$?
-
-# Record the last time of cache modification after running melting-pot
-if [ -d "$HOME/.cache/scijava/melting-pot" ]; then
-  cache_modified_post=$(last_cache_modified)
-fi
-
-# Determine if cache needs to be re-generated
-echo "cache_modified_pre=$cache_modified_pre"
-echo "cache_modified_post=$cache_modified_post"
-if [ "$cache_modified_post" -gt "$cache_modified_pre" ]; then
-  echo "cacheChanged=true"
-  echo "cacheChanged=true" >> $GITHUB_ENV
-else
-  echo "cacheChanged=false"
-  echo "cacheChanged=false" >> $GITHUB_ENV
-fi
-
-# NB: This script exits 0, but saves the exit code for a later build step.
-echo $meltResult > exit-code
+curl -fsLO https://raw.githubusercontent.com/scijava/scijava-scripts/main/ci-build.sh
+sh ci-build.sh

.github/delete-cache.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+test "$1" || { echo "Usage: delete-cache.sh cache-key"; exit 1; }
+gh api --method DELETE \
+  -H "Accept: application/vnd.github+json" \
+  "/repos/scijava/pom-scijava/actions/caches?key=$1" || true

.github/exit.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+# Commit a file to the status.scijava.org gh-pages branch.
+# Requires SSH agent to be running with write access to status.scijava.org.
+set -e
+
+test $# -gt 1 || {
+  echo "Usage: publish.sh \"Commit message\" file1 [file2 ...]"
+  exit 2
+}
+
+datestamp="$(TZ=UTC date +'%Y-%m-%d %H:%M:%S UTC')"
+message="$1 ($datestamp)"
+shift
+
+git config --global user.name "SciJava CI"
+git config --global user.email ci@scijava.org
+
+dest_dir=site-publish
+
+git clone --depth=1 --branch=gh-pages git@github.com:scijava/status.scijava.org "$dest_dir"
+
+while [ $# -gt 0 ]
+do
+  file=$1
+  shift
+  test -f "$file" || { echo "File not found: $file" >&2; exit 1; }
+  dest=$(basename "$file")
+  cp "$file" "$dest_dir/$dest"
+  (cd "$dest_dir" && git add "$dest")
+done
+
+cd "$dest_dir"
+if git diff --quiet .
+then
+  echo "== No changes =="
+else
+  echo "== Committing changes =="
+  git commit -m "$message"
+  # Retry against concurrent publishers (the build and status workflows both
+  # push here), rebasing onto whatever landed in between.
+  n=0
+  until git push
+  do
+    n=$((n + 1))
+    test "$n" -lt 5 || { echo "push failed after $n attempts" >&2; exit 1; }
+    git pull --rebase
+  done
+fi

.github/publish.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+curl -fsLO https://raw.githubusercontent.com/scijava/scijava-scripts/main/ci-setup-github-actions.sh
+sh ci-setup-github-actions.sh
+
+# Install native libraries needed to smelt components.
+pkgs="libxcb-shape0"      # org.janelia:H5J_Loader_Plugin
+pkgs="$pkgs libgtk2.0-0"  # net.imagej:imagej-opencv
+pkgs="$pkgs libblosc1"    # org.janelia.saalfeldlab:n5-blosc
+sudo apt-get update
+sudo apt-get -y install $pkgs

.github/setup-build.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+curl -fsLO https://raw.githubusercontent.com/scijava/scijava-scripts/main/ci-setup-github-actions.sh
+sh ci-setup-github-actions.sh

.github/setup-release.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+# CI orchestrator for the status dashboard: fetch the most recently published
+# smelt.json, regenerate the status/badges/team reports from it, and publish
+# them to status.scijava.org. The report generation itself lives in
+# bin/report.sh so it can be run outside CI too.
+set -e
+
+# Pull the most recently published smelt results so that `pombast status` can
+# classify each available version bump by its bytecode-floor blast radius
+# (flat / local / cascading / excluded). Read straight from the gh-pages branch
+# rather than https://status.scijava.org/, so we pick up a freshly committed
+# smelt.json immediately instead of waiting on the asynchronous Pages deploy.
+#
+# Best-effort: if smelt.json is not published yet (or the fetch fails),
+# bin/report.sh still generates the reports -- just without the classification.
+smelt_url=https://raw.githubusercontent.com/scijava/status.scijava.org/gh-pages/smelt.json
+mkdir -p target/pombast
+curl -fsSL -o target/pombast/smelt.json "$smelt_url" ||
+  echo "== smelt.json unavailable; running status without classification =="
+
+bin/report.sh
+
+.github/publish.sh "Update status reports" \
+  target/pombast/index.html \
+  target/pombast/badges.json \
+  target/pombast/team.html \
+  target/pombast/team.json

.github/setup.sh

@@ -8,14 +8,23 @@ on:
     branches:
       - master
   schedule:
-    - cron: "4 5 * * 0" # every Sunday at 0405, to keep cache alive
+    # Run weekly on Sunday to keep the Maven cache alive.
+    - cron: '4 5 * * 0'
+
+# Queue runs of the same ref; cancel superseded PR builds (they never publish).
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      actions: write  # needed to delete and re-save the pombast cache
 
     steps:
       - uses: actions/checkout@v4
+
       - name: Set up Java
         uses: actions/setup-java@v4
         with:
@@ -24,19 +33,20 @@ jobs:
           distribution: 'zulu'
           cache: 'maven'
 
-      - name: Set up CI environment
-        run: .github/setup.sh
+      - uses: astral-sh/setup-uv@v6
 
-      - name: Restore the melting-pot cache
-        id: restore-cache
-        uses: actions/cache/restore@v3
+      - uses: webfactory/ssh-agent@v0.9.0
+        if: github.ref == 'refs/heads/master' && github.event_name == 'push'
         with:
-          path: ~/.cache/scijava/melting-pot
-          key: ${{ runner.os }}-cache
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
+      - name: Set up build environment
+        run: .github/setup-build.sh
+        shell: bash
 
-      - name: Execute the build
-        id: execute-build
+      - name: Maven CI build
         run: .github/build.sh
+        shell: bash
         env:
           GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
@@ -46,22 +56,40 @@ jobs:
           CENTRAL_PASS: ${{ secrets.CENTRAL_PASS }}
           SIGNING_ASC: ${{ secrets.SIGNING_ASC }}
 
-      - name: Delete the melting-pot cache
-        if: env.cacheChanged == 'true'
-        id: delete-cache
-        run: |
-          gh api --method DELETE -H "Accept: application/vnd.github+json" /repos/scijava/pom-scijava/actions/caches?key=${{ runner.os }}-cache || true
+      - name: Restore pombast cache
+        uses: actions/cache/restore@v4
+        with:
+          # pombast: success/timestamp caches; cjdk: downloaded JDKs + Maven;
+          # jgo: per-artifact bytecode-scan results. (~/.m2 is cached above by
+          # setup-java's cache: 'maven'.)
+          path: |
+            ~/.cache/pombast
+            ~/.cache/cjdk
+            ~/.cache/jgo
+          key: ${{ runner.os }}-pombast-build
+
+      - name: Run pombast checks (melt + smelt)
+        run: bin/check.sh
+        shell: bash
+
+      - name: Delete old pombast cache
+        if: always()
+        run: .github/delete-cache.sh "${{ runner.os }}-pombast-build"
+        shell: bash
         env:
-          GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Save the melting-pot cache
-        if: env.cacheChanged == 'true'
-        id: save-cache
-        uses: actions/cache/save@v3
+      - name: Save pombast cache
+        if: always()
+        uses: actions/cache/save@v4
         with:
-          path: ~/.cache/scijava/melting-pot
-          key: ${{ runner.os }}-cache
+          path: |
+            ~/.cache/pombast
+            ~/.cache/cjdk
+            ~/.cache/jgo
+          key: ${{ runner.os }}-pombast-build
 
-      - name: Return the exit code
-        id: exit-build
-        run: .github/exit.sh
+      - name: Publish smelt results
+        if: always() && github.ref == 'refs/heads/master' && github.event_name == 'push'
+        run: .github/publish.sh "Update smelt results" target/pombast/smelt.json
+        shell: bash

.github/status.sh

@@ -19,12 +19,13 @@ jobs:
           distribution: 'zulu'
           cache: 'maven'
 
-      - name: Set up CI environment
-        run: .github/setup.sh
+      - name: Set up release environment
+        run: .github/setup-release.sh
+        shell: bash
 
-      - name: Execute the build
-        id: execute-build
+      - name: Execute the release
         run: .github/build.sh
+        shell: bash
         env:
           GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}