This guide describes how to use Project Keeper (PK) in a project.
Projects that use PK require JDK versions 17 (for running Maven) and 11 (for compiling and testing). This means that developers must install both JDK versions on their machine.
Make sure that environment variable JAVA_HOME points to JDK 17.
Create file ~/.m2/toolchains.xml with the following content and adapt the jdkHome elements to your local installation.
<toolchains xmlns="http://maven.apache.org/TOOLCHAINS/1.1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/TOOLCHAINS/1.1.0 http://maven.apache.org/xsd/toolchains-1.1.0.xsd">
<toolchain>
<type>jdk</type>
<provides>
<version>11</version>
</provides>
<configuration>
<jdkHome>/path/to/jdk_11/</jdkHome>
</configuration>
</toolchain>
<toolchain>
<type>jdk</type>
<provides>
<version>17</version>
</provides>
<configuration>
<jdkHome>/path/to/jdk_17/</jdkHome>
</configuration>
</toolchain>
</toolchains>Install this plugin by adding the following lines to your project's pom.xml file:
<plugins>
<plugin>
<groupId>com.exasol</groupId>
<artifactId>project-keeper-maven-plugin</artifactId>
<version>CURRENT VERSION</version>
<executions>
<execution>
<goals>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>Create a .project-keeper.yml configuration file in the project's root directory:
sources:
- type: maven
path: pom.xml
modules:
- maven_centralFor PK a 'source' is a project inside a repository, e.g. a Maven module. PK is able to crawl multiple source projects from one repository.
Supported project types:
maven: Projects with Maven build. The path must point to thepom.xmlfilegolang: Go projects. Path must point to thego.modfilenpm: NPM based JavaScript or TypeScript projects. Path must point to thepackage.jsonfile
If you have multiple sources in a project, PK will list all of them as badges in the project's README.md. If you want to hide one source, you can set advertise: false for this source.
PK needs to know about the overall version of the project. For example for validating it in the changes file. For single source projects, PK simply takes the version from the project. For other projects you can:
- Define the version explicitly in the config:
This is required for Go projects.
version: "1.2.3"
- Define a source. PK will then take the version of that source:
version: fromSource: "subModule1/pom.xml"
Maven projects use PK's Maven plugin to run PK verify during the verify Maven lifecycle. To run PK verify also for other projects, PK generates GitHub workflow .github/workflows/project-keeper-verify.yml and shell script .github/workflows/project-keeper.sh. Both files are only generated if there is no Maven module in the project root, i.e. there is no Maven source with path: pom.xml in .project-keeper.yml.
You can run PK fix for non-Maven projects with the following command:
./.github/workflows/project-keeper.sh fixThis plugin provides different template modules for different kinds of projects.
| Module | Description |
|---|---|
jar_artifact |
This module creates a "fat" JAR, containing not only the project binary, but also the runtime dependencies. |
integration_tests |
Module for sources with integration tests. |
maven_central |
This module checks the required configuration for releasing on maven central. |
udf_coverage |
This module configures the pom for extracting the code coverage from UDF executions. |
lombok |
This module configures the pom.xml for the use of Project Lombok. |
native_image |
This module configures the project for building Java native-images (executables) for windows, linux and mac. For details see our native-image guide. |
Using the excludes tag you can tell PK to ignore some error-messages:
sources:
- type: maven
path: pom.xml
modules:
- maven_central
excludes:
- "E-PK-CORE-15: Missing maven plugin org.codehaus.mojo:versions-maven-plugin."
- regex: "E-PK-CORE-16: .*"
- regex: "W-PK-CORE-151: Pom file .* contains no reference to project-keeper-maven-plugin."Note that you can also use regular expressions (see example above). If a finding is excluded it will not show up on validation and will not be fixed.
You can define excludes globally (like E-PK-CORE-15 and E-PK-CORE-16 in the example) or scoped for one source directory (like E-PK-CORE-17).
Some dependencies define invalid / outdated links to their project homepage. PK writes these links to the dependencies.md file. This will make the link checker break the build since a project file contains broken links.
The best way to solve this is to open an issue / pull request at the projects that contain the wrong URL. Since this is, however not always possible you can, as a mitigation, also define a replacement for links:
sources:
- type: maven
path: pom.xml
linkReplacements:
- "http://wrong-url.com|https://www.my-dependency.de"The syntax for a replacement is broken-url|replacement.
PK will then use the replacement in the dependencies.md file instead of the original URL.
PK generates GitHub workflows ci-build.yml and release.yml to verify that build artifacts are present and attached to the GitHub release. Workflow ci-build.yml will also upload all artifacts to the GitHub action summary with a retention period of five days.
The following artifacts are automatically verified and attached to the release as described in the following sections:
See details about the automatic release process.
When you enable module jar_artifact for a source, PK will configure maven-assembly-plugin in the generated parent POM. You only need to configure the actual artifact name in file pom.xml:
<plugin>
<artifactId>maven-assembly-plugin</artifactId>
<groupId>org.apache.maven.plugins</groupId>
<configuration>
<finalName>NAME_OF_YOUR_JAR</finalName>
</configuration>
</plugin>You can use ${project.version} as well as all configured properties from pom.xml as placeholders in the finalName.
PK will automatically register the configured finalName as release artifact.
If the project contains a Maven source in the project root directory, i.e. if .project-keeper.yml contains the following entry, then PK will automatically register the error-code-crawler-maven-plugin report target/error_code_report.json as release artifact:
sources:
- type: maven
path: pom.xmlIf your Maven project is not in the project root directory, you can add the error report explicitly as a custom release artifact.
You can register custom release artifacts by listing them in .project-keeper.yml:
sources:
- type: npm
path: extension/package.json
artifacts:
- build/my-extension.js- The artifact path is relative to the source path. The above configuration will archive file
$PROJECT_DIR/extension/build/my-extension.js. - The artifact path may contain placeholder
${version}. PK will replace it with the current project version.
PK allows customizing the generated CI-Build workflow scripts using the build section in file .project-keeper.yml using the following options:
Some projects require to run the integration tests in the CI build on an operating system other than the default ubuntu-latest. In this case you can use the following:
build:
runnerOs: ubuntu-20.04PK will use this setting for GitHub workflow ci-build.yml which runs integration tests. The other workflows don't run integration tests and will stick to the default ubuntu-latest.
Some projects need more disk space during build, e.g. for Docker images. You can free up disk space before the build like this:
build:
freeDiskSpace: trueThis will slow down the build by about one minute.
To CI build as a matrix build with multiple Exasol DB versions you can add the following:
build:
exasolDbVersions:
- "7.1.24"
- "8.23.1"Sonar will only run for the first version in the list.
If your project requires running workflow ci-build.yml in a certain GitHub environment, you can specify it like this:
build:
workflows:
- name: "ci-build.yml"
environment: awsIf your project requires additional or modified steps in the generated GitHub workflow ci-build.yml you can replace existing steps or insert additional steps:
build:
workflows:
- name: "ci-build.yml"
stepCustomizations:
- action: REPLACE | INSERT_AFTER
stepId: <step-id>
content:
name: <Step name>
id: <step-id>
uses: ...
with:
...name: Name of the GitHub workflow to customize. PK supports the following workflows:ci-build.ymlrelease.ymldependencies_check.ymldependencies_update.yml
stepCustomizations: List of customizations:action: Type of customizationREPLACE: Replace an existing step with the new contentINSERT_AFTER: Insert the content after the specified step
stepId: ID of the step to replace or after which to insert the new stepcontent: Content of the new step. PK does not validate this. You can use any valid GitHub action usingrunoruses, see examples below.
Examples (see also .project-keeper.yml):
build:
workflows:
- name: "ci-build.yml"
stepCustomizations:
- action: INSERT_AFTER
stepId: setup-java
content:
name: Set up Go
id: setup-go
uses: actions/setup-go@v5
with:
go-version: "1.22"
cache-dependency-path: .project-keeper.yml
- action: INSERT_AFTER
stepId: setup-go
content:
name: Install Go tools
id: install-go-tools
run: go install github.com/google/[email protected]
- action: REPLACE
stepId: build-pk-verify
content:
name: Run tests and build with Maven
id: maven-build
run: |
mvn -T 1C --batch-mode clean install verify \
-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
-DtrimStackTrace=false
env:
GITHUB_TOKEN: ${{ github.token }} # Required for integration testsFor Maven projects, PK generates a pk_generated_parent.pom file. This file contains all the required plugins, dependencies and configurations. PK configures your pom.xml to use this file as a parent pom. By that, your pom.xml inherits all the configuration.
The pk_generated_parent.pom file is required during the build and must be checked into version control. Run mvn project-keeper:fix to update the file instead of editing it manually.
If a configuration in pk_generated_parent.pom does not apply to your project you can override it in pom.xml.
By default PK configures the project to use Java 11. If you need to use a different version, you can override it by adding a property to your pom.xml:
<properties>
<java.version>17</java.version>
</properties>The specified Java version must be available on your local machine in toolchains.xml. PK will automatically update the GitHub workflows ci-build.yml and release.yml and install the required Java versions using GitHub action setup-java. This action automatically manages toolchains.xml on the GitHub runner, so that the build will use the same Java versions.
When your project uses multiple Maven modules, each can specify it's own Java version. PK will collect all versions and use them in the GitHub workflows.
PK will also calculate the maximum Java version used by all modules and use the next major Java version for generating .github/workflows/ci-build-next-java.yml.
PK's update-dependencies mode updates the project's pom.xml files and updates the versions of all dependencies. In certain cases this could break the build. To exclude a dependency from the automatic update, add the following to your pom.xml:
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<configuration>
<excludes>
<!-- Dependencies use SLF4J 1.7 so we can't upgrade to 2 -->
<exclude>org.slf4j:slf4j-jdk14:jar:*:*</exclude>
<!-- Upgrading to 6.8.0.202311291450-r causes java.lang.NoClassDefFoundError: org/eclipse/jgit/internal/JGitText in ShutdownHook-->
<exclude>org.eclipse.jgit:org.eclipse.jgit:jar:*:6.8.0.202311291450-r</exclude>
</excludes>
</configuration>
</plugin>See the documentation for <excludes> of the versions-maven-plugin for details.
If you want to use a parent POM for your project, that's not possible directly since your pom.xml must use the pk_generated_parent.pom as parent.
Instead, configure the parent in the PK config:
sources:
- type: maven
path: pom.xml
parentPom:
groupId: "com.example"
artifactId: "my-parent"
version: "1.2.3"
relativePath: "../my-parent.pom" # optionalPK will then use this parent-pom as parent for the pk_generated_parent.pom.
To use Project Keeper for Golang projects, create a .project-keeper.yml like this:
sources:
- type: golang
path: go.mod
version: 1.2.3You must specify the project version explicitly, version > fromSource is not supported for Golang projects.
Project Keeper supports projects using the Node Package Manager (NPM). For NPM projects create a .project-keeper.yml like this:
sources:
- type: npm
path: package.jsonProject Keeper will read the version of your project from file package.json.
Use the project-keeper-maven-plugin for analyzing Maven projects.
PK allows verifying the structure and configuration of your project. For Maven projects, Maven will automatically execute this verification when running mvn verify, i.e. within the maven package lifecycle phase.
You can also run the checks manually using:
mvn project-keeper:verifyPK's Maven-Goal verify-release helps you to verify if your project is ready to release:
mvn project-keeper:verify-releaseThis goal requires reading issues from the GitHub API. To allow running this locally you need to install the GitHub CLI and configure your GitHub credentials by executing gh auth login.
In addition this plugin can also fix the project structure. For that use:
mvn project-keeper:fixRun the following commands to update dependencies:
mvn project-keeper:update-dependenciesThe command will increment the project's patch version if the current version is already released.
For multi-module projects these commands may fail with the following error:
[ERROR] No plugin found for prefix 'project-keeper' in the current project and in the plugin groups [org.apache.maven.plugins, org.codehaus.mojo] available from the repositories [local (/home/user/.m2/repository), central (https://repo.maven.apache.org/maven2)] -> [Help 1]
In this case add command line option --projects .:
mvn project-keeper:verify --projects .
mvn project-keeper:verify-release --projects .
mvn project-keeper:fix --projects .
mvn project-keeper:update-dependencies --projects .You can skip the execution of project-keeper by adding -Dproject-keeper.skip=true to your maven command.
Use the project-keeper-cli for analyzing non-Maven projects like Golang. PK fix generates a shell script that simplifies running PK standalone on the command line:
cd path/to/project
./.github/workflows/project-keeper.sh $GOALThe standalone variant supports the same goals as the Maven plugin: fix, verify and update-dependencies.
GitHub Workflow release.yml will automatically release the project when ci-build.yml succeeded on main branch and the changes file contains an up-to-date release date. In case of problems you can start the workflow manually on GitHub and skip the release to Maven Central or GitHub if necessary.
To check if a project meets all preconditions for an automated release, run PK goal verify-release:
# Maven
mvn com.exasol:project-keeper-maven-plugin:verify-release
# Standalone:
./.github/workflows/project-keeper.sh verify-releasePK generates the following GitHub scheduled Workflows:
Scheduled weekly, checks Markdown files for broken links.
Scheduled daily, checks the Maven project for vulnerable dependencies, creates new issues using security_issues and starts the dependencies_update.yml workflow that updates dependencies.
This workflow is triggered manually or by workflow dependencies_check.yml. It updates dependencies, creates a changelog with fixed vulnerabilities and creates a new Pull Requests.
In order to send notifications, this workflow requires GitHub secret INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK.
This workflow runs for each change of a Pull Request and whenever a Pull Request is merged to main. It runs all tests and verification steps.
This workflow is triggered manually or by workflow ci-build.yml. It verifies that all preconditions for a release are met and performs the release.
In order to send notifications, this workflow requires GitHub secret INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK.
Problem: Validation on CI fails but succeeds locally. In the CI PK wants to list all dependencies as Added.
PK retrieves the dependency update information from the git history. In CI sometimes only the latest commit is fetched. Then PK thinks that the latest release would be the very first one.
For GitHub Actions you can solve this by adding fetch-depth: 0 to the checkout action:
- name: Checkout the repository
uses: actions/checkout@v4
with:
fetch-depth: 0Problem: PK locally shows more dependency changes than in CI.
Typically, this happens if you did not fetch all tags. Simply run git pull.
Problem: Maven build fails with the following error message:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.4.1:enforce (enforce-maven) on project project-keeper-shared-model-classes:
[ERROR] Rule 1: org.apache.maven.enforcer.rules.version.RequireJavaVersion failed with message:
[ERROR] Detected JDK version 11.0.18 (JAVA_HOME=/Users/chp/Applications/java/jdk-11.0.18+10/Contents/Home) is not in the allowed range [17,).
This means that environment variable JAVA_HOME points to a JDK 11. Please ensure that JDK 17 is installed and JAVA_HOME points to it.
See section Install Required JDK Versions for details.
Problem:: Maven build fails with the following error message:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-toolchains-plugin:3.1.0:toolchain (default) on project project-keeper-shared-model-classes: Cannot find matching toolchain definitions for the following toolchain types:
[ERROR] jdk [ version='11' ]
[ERROR] Please make sure you define the required toolchains in your ~/.m2/toolchains.xml file.
Ensure that ~/.m2/toolchains.xml exists and contains a JDK version 11. See section Configure Maven's toolchains.xml for details.
Problem:: Running PK using Maven fails but the error message is not helpful.
Run Maven with the --errors option to get a stack trace.