Improve safety in GitHub actions

Author: parttimenerd

.github/workflows/build-and-snapshot.yml

@@ -10,6 +10,9 @@ on:
     - cron: "0 0 * * 0" # Weekly on Sunday at midnight
   workflow_dispatch: # Allows manual triggering
 
+permissions:
+  contents: read
+
 jobs:
   lint-and-test-python:
     name: Lint Python Test Suite
@@ -92,6 +95,8 @@ jobs:
     needs: [build, lint-and-test-python]
     runs-on: ubuntu-latest
     if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && (needs.lint-and-test-python.result == 'success' || needs.lint-and-test-python.result == 'skipped')
+    permissions:
+      contents: write
 
     steps:
       - name: Checkout code
@@ -133,6 +138,12 @@ jobs:
         id: timestamp
         run: echo "timestamp=$(date -u +'%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_OUTPUT
 
+      - name: Get JStall version
+        id: jstall
+        run: |
+          JSTALL_VERSION=$(curl -s https://api.github.com/repos/parttimenerd/jstall/releases/latest | python3 -c "import sys,json; print(json.load(sys.stdin).get('tag_name','unknown'))")
+          echo "version=$JSTALL_VERSION" >> $GITHUB_OUTPUT
+
       - uses: thomashampson/delete-older-releases@main
         with:
           keep_latest: 0
@@ -168,6 +179,11 @@ jobs:
 
             **Build Timestamp**: ${{ steps.timestamp.outputs.timestamp }}
 
+            **Bundled JStall version**: [${{ steps.jstall.outputs.version }}](https://github.com/parttimenerd/jstall/releases/tag/${{ steps.jstall.outputs.version }})
+
+            > **Tip:** You can also use a newer JStall version directly via `jstall --cf APP_NAME COMMAND`
+            > (see [JStall README](https://github.com/parttimenerd/jstall#usage)).
+
             ## Installation
 
             Download the current snapshot release and install manually:

.github/workflows/plugin-repo.yml

@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 jobs:
   generate-plugin-repo:
     name: Generate Plugin Repository YAML

.github/workflows/pr-validation.yml

@@ -6,6 +6,9 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+
 jobs:
   validate-pr:
     name: Validate Pull Request

.github/workflows/release.yml

@@ -99,7 +99,12 @@ jobs:
           VERSION="${{ github.event.inputs.version }}"
           IFS='.' read -r MAJOR MINOR BUILD <<< "$VERSION"
           
+          # Determine the bundled JStall version
+          export JSTALL_VERSION=$(curl -s https://api.github.com/repos/parttimenerd/jstall/releases/latest | python3 -c "import sys,json; print(json.load(sys.stdin).get('tag_name','unknown'))")
+          echo "Bundled JStall version: $JSTALL_VERSION"
+
           echo "Updating version to $MAJOR.$MINOR.$BUILD"
+          source venv/bin/activate
           python3 .github/workflows/update_version.py "$MAJOR" "$MINOR" "$BUILD"
           
           # Configure git

.github/workflows/update_version.py

@@ -6,8 +6,15 @@
 
 import sys
 import re
+import os
 from pathlib import Path
 
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
 def update_version_in_go_file(file_path, major, minor, build):
     """Update the version in the Go plugin metadata."""
     with open(file_path, 'r') as f:
@@ -76,12 +83,41 @@ def is_rc_version(version_str):
     """Return True if the version string ends with -rc or -rcN."""
     return bool(re.match(r"^\d+\.\d+\.\d+-rc(\d+)?$", version_str))
 
+def get_jstall_version():
+    """Get the bundled JStall version from the GitHub API or environment variable."""
+    # Check environment variable first (set by CI workflow)
+    env_version = os.environ.get("JSTALL_VERSION")
+    if env_version:
+        return env_version
+
+    # Fall back to querying the GitHub API
+    if HAS_REQUESTS:
+        try:
+            resp = requests.get(
+                "https://api.github.com/repos/parttimenerd/jstall/releases/latest",
+                timeout=10
+            )
+            if resp.status_code == 200:
+                return resp.json().get("tag_name", "")
+        except Exception:
+            pass
+
+    return ""
+
+
 def generate_release_notes(version, changelog_content):
     """Generate complete release notes file."""
+    jstall_version = get_jstall_version()
+    jstall_note = ""
+    if jstall_version:
+        jstall_note = f"\n**Bundled JStall version**: [{jstall_version}](https://github.com/parttimenerd/jstall/releases/tag/{jstall_version})\n"
+        jstall_note += "\n> **Tip:** You can also use a newer JStall version directly via `jstall --cf APP_NAME COMMAND` "
+        jstall_note += "(see [JStall README](https://github.com/parttimenerd/jstall#usage)).\n"
+
     release_notes = f"""## CF CLI Java Plugin {version}
 
 Plugin for profiling Java applications and getting heap and thread-dumps.
-
+{jstall_note}
 ## Changes
 
 {changelog_content}

.markdownlint.json

@@ -5,6 +5,9 @@
     "code_blocks": false,
     "tables": false
   },
+  "MD024": {
+    "siblings_only": true
+  },
   "MD033": false,
   "MD041": false,
   "MD046": {

CHANGELOG.md

@@ -2,34 +2,40 @@
 
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
 ### Added
-- Bundle [jstall](https://github.com/parttimenerd/jstall) (jstall-minimal.jar) for one-shot JVM inspection
-  via `cf java jstall APP_NAME`. Requires Java 17+ locally. Supports all jstall subcommands via `jstall APP --args`.
+
+- Bundle [jstall](https://github.com/parttimenerd/jstall) (jstall-minimal.jar) for one-shot JVM inspection via
+  `cf java jstall APP_NAME`. Requires Java 17+ locally. Supports all jstall subcommands via `jstall APP --args`.
 
 ### Changed
+
 - Improved SSH error messages for better clarity and debugging
 - Enhanced documentation and README with better clarity
 
 ## [4.0.2]
 
 ### Fixed
+
 - Fix rare ssh connection issue
 
 ## [4.0.1]
 
 ### Fixed
+
 - Fix thread-dump command
 
 ## [4.0.0]
 
 ### Added
+
 - Create a proper test suite
 - Profiling and JCMD related features
 
 ### Fixed
+
 - Fix many bugs discovered during testing

CONTRIBUTING.md

@@ -1,44 +1,41 @@
 # Contributing
 
-When contributing to this repository, please first discuss the change you wish to make via issue before making a
-change. We restrict the scope of this plugin to keep it maintainable.
+When contributing to this repository, please first discuss the change you wish to make via issue before making a change.
+We restrict the scope of this plugin to keep it maintainable.
 
 We have a [code of conduct](#code-of-conduct), please follow it in all your interactions with the project.
 
 ## Contribute Code
 
-You are welcome to contribute code to the Cloud Foundry CLI Java Plugin in order to fix bugs or to implement new features.
+You are welcome to contribute code to the Cloud Foundry CLI Java Plugin in order to fix bugs or to implement new
+features.
 
 There are three important things to know:
 
 1. You must be aware of the Apache License (which describes contributions) and agree to the Contributors License
-   Agreement (CLA). This is common practice in all major Open Source projects.
-   To make this process as simple as possible, we are using the [CLA assistant](https://cla-assistant.io/) for
-   individual contributions.
-   CLA assistant is an open source tool that integrates with GitHub very well and enables a one-click-experience
-   for accepting the CLA.
+   Agreement (CLA). This is common practice in all major Open Source projects. To make this process as simple as
+   possible, we are using the [CLA assistant](https://cla-assistant.io/) for individual contributions. CLA assistant is
+   an open source tool that integrates with GitHub very well and enables a one-click-experience for accepting the CLA.
    For company contributors, special rules apply.
 2. We set ourselves requirements regarding code style and quality, and we kindly ask you to do the same with PRs.
-3. Not all proposed contributions can be accepted.
-   Some features may, for example, just fit a separate plugin better.
-   The code must fit the overall direction of Cloud Foundry CLI Java Plugin and really improve it, so there should
-   be some "bang for the byte".
-   For most bug fixes this is a given, but it would be advisable to first discus new major features with the
-   maintainers by opening an issue on the project.
+3. Not all proposed contributions can be accepted. Some features may, for example, just fit a separate plugin better.
+   The code must fit the overall direction of Cloud Foundry CLI Java Plugin and really improve it, so there should be
+   some "bang for the byte". For most bug fixes this is a given, but it would be advisable to first discus new major
+   features with the maintainers by opening an issue on the project.
 
 ### Pull Request Process
 
 This a checklist of things to keep in your mind when opening pull requests for this project.
 
 1. Make sure you have accepted the [Developer Certificate of Origin](#developer-certificate-of-origin-dco)
 2. Make sure any added dependency is licensed under Apache v2.0 license
-3. Strive for very high unit-test coverage and favor testing productive code over mocks
-   (mock in depth wherever possible)
+3. Strive for very high unit-test coverage and favor testing productive code over mocks (mock in depth wherever
+   possible)
 4. Update the README.md with details of changes to the options
 
 Pull requests will be tested and validated by maintainers. In case small changes are needed (e.g., correcting typos),
-the maintainers may fix those issues themselves.
-In case of larger issues, you may be asked to apply modifications to your changes before the Pull Request can be merged.
+the maintainers may fix those issues themselves. In case of larger issues, you may be asked to apply modifications to
+your changes before the Pull Request can be merged.
 
 ### Developer Certificate of Origin (DCO)
 
@@ -52,80 +49,68 @@ As artificial intelligence evolves, AI-generated code is becoming valuable for m
 open-source initiatives. While we recognize the potential benefits of incorporating AI-generated content into our
 open-source projects there a certain requirements that need to be reflected and adhered to when making contributions.
 
-Please see our [guideline for AI-generated code contributions to SAP Open Source Software Projects](CONTRIBUTING_USING_GENAI.md)
-for these requirements.
+Please see our
+[guideline for AI-generated code contributions to SAP Open Source Software Projects](CONTRIBUTING_USING_GENAI.md) for
+these requirements.
 
 ## Code of Conduct
 
 ### Our Pledge
 
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, gender identity and expression, level of experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making
+participation in our project and our community a harassment-free experience for everyone, regardless of age, body size,
+disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
 
 ### Our Standards
 
-Examples of behavior that contributes to creating a positive environment
-include:
+Examples of behavior that contributes to creating a positive environment include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
+- The use of sexualized language or imagery and unwelcome sexual attention or advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic address, without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
 
 ### Our Responsibilities
 
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take
+appropriate and fair corrective action in response to any instances of unacceptable behavior.
 
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits,
+issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any
+contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
 
 ### Scope
 
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the
+project or its community. Examples of representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed representative at an online or offline
+event. Representation of a project may be further defined and clarified by project maintainers.
 
 ### Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [sap_cp_performance [at] sap.com](mailto:sap_cp_performance@sap.com). All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at
+[sap_cp_performance [at] sap.com](mailto:sap_cp_performance@sap.com). All complaints will be reviewed and investigated
+and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific
+enforcement policies may be posted separately.
 
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent
+repercussions as determined by other members of the project's leadership.
 
 ### Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at
+[http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
 [version]: http://contributor-covenant.org/version/1/4/