Merge branch 'master' into expiring-tokens

Author: mawinter69

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,17 +1,15 @@
 <!-- Comment:
 A great PR typically begins with the line below.
-Replace XXXXX with the numeric part of the issue ID you created in Jira.
-Note that if you want your changes backported into LTS, you need to create a Jira issue. See https://www.jenkins.io/download/lts/#backporting-process for more information.
+Replace <issue-number> with the issue number.
 -->
 
-See [JENKINS-XXXXX](https://issues.jenkins.io/browse/JENKINS-XXXXX).
+Fixes #<issue-number>
 
 <!-- Comment:
-If the issue is not fully described in Jira, add more information here (justification, pull request links, etc.).
+If the issue is not fully described in the issue tracker, add more information here (justification, pull request links, etc.).
 
- * We do not require Jira issues for minor improvements.
- * Bug fixes should have a Jira issue to facilitate the backporting process.
- * Major new features should have a Jira issue.
+ * We do not require an issue for minor improvements.
+ * Major new features should have an issue created.
 -->
 
 ### Testing done
@@ -34,8 +32,8 @@ For refactoring and code cleanup changes, exercise the code before and after the
 The changelog entry should be in the imperative mood; e.g., write "do this"/"return that" rather than "does this"/"returns that".
 For examples, see: https://www.jenkins.io/changelog/
 
-Do not include the Jira issue in the changelog entry.
-Include the Jira issue in the description of the pull request so that the changelog generator can find it and include it in the generated changelog.
+Do not include the issue in the changelog entry.
+Include the issue in the description of the pull request so that the changelog generator can find it and include it in the generated changelog.
 
 You may add multiple changelog entries if applicable by adding a new entry to the list, e.g.
 - First changelog entry
@@ -82,7 +80,7 @@ The changelog generator relies on the presence of the upgrade guidelines section
 
 ### Submitter checklist
 
-- [ ] The Jira issue, if it exists, is well-described.
+- [ ] The issue, if it exists, is well-described.
 - [ ] The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see [examples](https://github.com/jenkins-infra/jenkins.io/blob/master/content/_data/changelogs/weekly.yml)). Fill in the **Proposed upgrade guidelines** section only if there are breaking changes or changes that may require extra steps from users during upgrade.
 - [ ] There is automated testing or an explanation as to why this change has no tests.
 - [ ] New public classes, fields, and methods are annotated with `@Restricted` or have `@since TODO` Javadocs, as appropriate.
@@ -108,4 +106,4 @@ Before the changes are marked as `ready-for-merge`:
 - [ ] Changelog entries in the pull request title and/or **Proposed changelog entries** are accurate, human-readable, and in the imperative mood.
 - [ ] Proper changelog labels are set so that the changelog can be generated automatically.
 - [ ] If the change needs additional upgrade steps from users, the `upgrade-guide-needed` label is set and there is a **Proposed upgrade guidelines** section in the pull request title (see [example](https://github.com/jenkinsci/jenkins/pull/4387)).
-- [ ] If it would make sense to backport the change to LTS, a Jira issue must exist, be a _Bug_ or _Improvement_, and be labeled as `lts-candidate` to be considered (see [query](https://issues.jenkins.io/issues/?filter=12146)).
+- [ ] If it would make sense to backport the change to LTS, be a _Bug_ or _Improvement_, and either the issue or pull request must be labeled as `lts-candidate` to be considered.

.github/workflows/publish-release-artifact.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up JDK 21
-        uses: actions/setup-java@46c56d6f92c88cf540acf95a12a4a41197499222 #v 5.0.0
+        uses: actions/setup-java@4e7e684fbb6e33f88ecb2cf1e6b3797739cf499b #v 5.0.0
         with:
           distribution: "temurin"
           java-version: 21

CONTRIBUTING.md

@@ -18,8 +18,8 @@ This page provides information about contributing code to the Jenkins core codeb
 
 If you want to contribute to Jenkins, or just learn about the project,
 you can start by fixing some easier issues.
-In the Jenkins issue tracker we mark such issues as `newbie-friendly`.
-You can find them by using this query (check the link) for [newbie friendly issues](<https://issues.jenkins.io/issues/?jql=project%20%3D%20JENKINS%20AND%20status%20in%20(Open%2C%20%22In%20Progress%22%2C%20Reopened)%20AND%20component%20%3D%20core%20AND%20labels%20in%20(newbie-friendly)>).
+In the Jenkins issue tracker we mark such issues as `good first issue`.
+You can find them by using this query (check the link) for [good first issues](https://github.com/jenkinsci/jenkins/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22good%20first%20issue%22).
 
 ## Building and Debugging
 
@@ -261,4 +261,4 @@ just submit a pull request.
 - [Jenkins Contribution Landing Page](https://www.jenkins.io/participate/)
 - [Jenkins Chat Channels](https://www.jenkins.io/chat/)
 - [Beginners Guide To Contributing](https://www.jenkins.io/participate/)
-- [List of newbie-friendly issues in the core](<https://issues.jenkins.io/issues/?jql=project%20%3D%20JENKINS%20AND%20status%20in%20(Open%2C%20%22In%20Progress%22%2C%20Reopened)%20AND%20component%20%3D%20core%20AND%20labels%20in%20(newbie-friendly)>)
+- [List of good first issues in core](https://github.com/jenkinsci/jenkins/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22good%20first%20issue%22)

Jenkinsfile

@@ -14,12 +14,12 @@ properties([
 
 def axes = [
   platforms: ['linux', 'windows'],
-  jdks: [17, 21, 25],
+  jdks: [21, 25],
 ]
 
 stage('Record build') {
   retry(conditions: [kubernetesAgent(handleNonKubernetes: true), nonresumable()], count: 2) {
-    node('maven-17') {
+    node('maven-21') {
       infra.checkoutSCM()
 
       /*

core/src/main/java/hudson/Functions.java

@@ -1990,7 +1990,7 @@ public static String toEmailSafeString(String projectName) {
             else
                 buf.append('_');    // escape
         }
-        return String.valueOf(buf);
+        return buf.toString();
     }
 
     /**

core/src/main/java/hudson/markup/MarkupFormatter.java

@@ -35,11 +35,8 @@
 import java.io.Writer;
 import java.util.Collections;
 import java.util.Map;
-import java.util.function.Function;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
 import jenkins.util.SystemProperties;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -133,7 +130,7 @@ public HttpResponse doPreviewDescription(@QueryParameter String text) throws IOE
         translate(text, w);
         Map<String, String> extraHeaders = Collections.emptyMap();
         if (PREVIEWS_SET_CSP) {
-            extraHeaders = Stream.of("Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy").collect(Collectors.toMap(Function.identity(), v -> "default-src 'none';"));
+            extraHeaders = Map.of("Content-Security-Policy", "default-src 'none';");
         }
         return html(200, w.toString(), extraHeaders);
     }

core/src/main/java/hudson/model/DirectoryBrowserSupport.java

@@ -64,6 +64,7 @@
 import jenkins.security.MasterToSlaveCallable;
 import jenkins.security.ResourceDomainConfiguration;
 import jenkins.security.ResourceDomainRootAction;
+import jenkins.security.csp.CspHeader;
 import jenkins.util.SystemProperties;
 import jenkins.util.VirtualFile;
 import org.apache.commons.io.IOUtils;
@@ -398,13 +399,14 @@ private void serveFile(StaplerRequest2 req, StaplerResponse2 rsp, VirtualFile ro
                 rsp.sendRedirect(302, ResourceDomainRootAction.get().getRedirectUrl(resourceToken, req.getRestOfPath()));
             } else {
                 if (!ResourceDomainConfiguration.isResourceRequest(req)) {
-                    // if we're serving this from the main domain, set CSP headers
+                    // If we're serving this from the main domain, set CSP headers. These override the default CSP headers.
                     String csp = SystemProperties.getString(CSP_PROPERTY_NAME, DEFAULT_CSP_VALUE);
                     if (!csp.trim().isEmpty()) {
                         // allow users to prevent sending this header by setting empty system property
-                        for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                            rsp.setHeader(header, csp);
-                        }
+                        rsp.setHeader(CspHeader.ContentSecurityPolicy.getHeaderName(), csp);
+                    } else {
+                        // Clear the header value if configured by the user.
+                        rsp.setHeader(CspHeader.ContentSecurityPolicy.getHeaderName(), null);
                     }
                 }
                 InputStream in;

core/src/main/java/hudson/model/UsageStatistics.java

@@ -67,6 +67,8 @@
 import jenkins.security.FIPS140;
 import jenkins.util.SystemProperties;
 import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.StaplerRequest2;
 
 /**
@@ -103,8 +105,7 @@ public UsageStatistics(String keyImage) {
      * Returns true if it's time for us to check for new version.
      */
     public boolean isDue() {
-        // user opted out (explicitly or FIPS is requested). no data collection
-        if (!Jenkins.get().isUsageStatisticsCollected() || DISABLED || FIPS140.useCompliantAlgorithms()) {
+        if (!isEnabled()) {
             return false;
         }
 
@@ -116,6 +117,19 @@ public boolean isDue() {
         return false;
     }
 
+    /**
+     * Returns whether between UI configuration, system property, and environment,
+     * usage statistics should be submitted.
+     *
+     * @return true if and only if usage stats should be submitted
+     * @since 2.539
+     */
+    @Restricted(NoExternalUse.class)
+    public static boolean isEnabled() {
+        // user opted out (explicitly or FIPS is requested). no data collection
+        return Jenkins.get().isUsageStatisticsCollected() && !DISABLED && !FIPS140.useCompliantAlgorithms();
+    }
+
     private RSAPublicKey getKey() {
         try {
             if (key == null) {

core/src/main/java/hudson/util/FormFieldValidator.java

@@ -231,9 +231,7 @@ private void _errorWithMarkup(String message, String cssClass) throws IOExceptio
         } else {
             response.setContentType("text/html;charset=UTF-8");
             if (APPLY_CONTENT_SECURITY_POLICY_HEADERS) {
-                for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                    response.setHeader(header, "sandbox; default-src 'none';");
-                }
+                response.setHeader("Content-Security-Policy", "sandbox; default-src 'none';");
             }
             response.getWriter().print("<div class=" + cssClass + ">" +
                     message + "</div>");

core/src/main/java/hudson/util/FormValidation.java

@@ -612,9 +612,7 @@ public void generateResponse(StaplerRequest2 req, StaplerResponse2 rsp, Object n
     protected void respond(StaplerResponse2 rsp, String html) throws IOException, ServletException {
         rsp.setContentType("text/html;charset=UTF-8");
         if (APPLY_CONTENT_SECURITY_POLICY_HEADERS) {
-            for (String header : new String[]{"Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy"}) {
-                rsp.setHeader(header, "sandbox; default-src 'none';");
-            }
+            rsp.setHeader("Content-Security-Policy", "sandbox; default-src 'none';");
         }
         rsp.getWriter().print(html);
     }