This patch release addresses a blocker issue with the creation of a release distribution and enhances the reliability of our caching and reproducibility mechanisms.

Fixed

• Fix staging of binary distribution archive. (#400)
• Improve Node.js caching using package-lock.json. (#366, #408)
• Improve reliability of reproducibility verification. (#388)

Updated

• Update actions/setup-java to version 4.7.1 (#376)
• Update com.diffplug.spotless:spotless-maven-plugin to version 2.44.5 (#397)
• Update com.google.errorprone:error_prone_core to version 2.38.0 (#381)
• Update com.gradle:common-custom-user-data-maven-extension to version 2.0.3 (#407)
• Update com.gradle:develocity-maven-extension to version 2.0.1 (#398)
• Update com.h3xstream.findsecbugs:findsecbugs-plugin to version 1.14.0 (#380)
• Update com.palantir.javaformat:palantir-java-format to version 2.68.0 (#410)
• Update dependabot/fetch-metadata to version 2.4.0 (#386)
• Update github/codeql-action to version 3.28.19 (#402)
• Update gradle/develocity-actions to version 1.4 (#404)
• Update org.apache.groovy:groovy to version 4.0.27 (#395)
• Update org.codehaus.gmavenplus:gmavenplus-plugin to version 4.2.0 (#383)
• Update org.codehaus.mojo:build-helper-maven-plugin to version 3.6.1 (#403)
• Update org.codehaus.mojo:exec-maven-plugin to version 3.5.1 (#396)
• Update org.eclipse.jgit:org.eclipse.jgit to version 7.3.0.202506031305-r (#405)
• Update org.jacoco:jacoco-maven-plugin to version 0.8.13 (#368)
• Update ossf/scorecard-action to version 2.4.2 (#399)

This minor release adds CodeQL checks for GitHub Actions.
It also fixes a breaking change in Error Prone that prevented projects from migrating to version 12.0.0.

Added

• Add "GitHub Actions" to the list of languages analyzed by CodeQL. (#343)

Fixed

• Use the maven.deploy.skip Maven property in nexus-staging-maven-plugin. This effectively fixes the skipping of test artifacts' deployments. (#360)
• Fix Error Prone arguments breaking maven-compiler-plugin:compile.
• Fix inheritance of url elements in children POMs.(#330)

Updated

• Update actions/cache to version 4.2.3 (#357)
• Update actions/upload-artifact to version 4.6.2 (#359)
• Update com.diffplug.spotless:spotless-maven-plugin to version 2.44.3 (#333)
• Update com.github.spotbugs:spotbugs-maven-plugin to version 4.9.3.0 (#349)
• Update com.google.errorprone:error_prone_core to version 2.37.0 (#356)
• Update com.gradle:develocity-maven-extension to version 1.23.2 (#338)
• Update com.palantir.javaformat:palantir-java-format to version 2.61.0 (#361)
• Update de.skuzzle.enforcer:restrict-imports-enforcer-rule to version 2.6.1 (#365)
• Update github/codeql-action to version 3.28.13 (#364)
• Update org.apache:apache to version 34 (#353)
• Update org.apache.groovy:groovy to version 4.0.26 (#340)
• Update org.asciidoctor:asciidoctor-maven-plugin to version 3.2.0 (#362)
• Update org.codehaus.mojo:flatten-maven-plugin to version 1.7.0 (#339)
• Update org.eclipse.jgit:org.eclipse.jgit to version 7.2.0.202503040940-r (#355)
• Update ossf/scorecard-action to version 2.4.1 (#335)

This major release contains several small improvements and certain backward incompatible changes.

Changed

• Activate flatten-bom execution of flatten-maven-plugin using a .logging-parent-bom-activator file (#265)
• Don't keep parent in flatten-bom configuration (#265, #37)
• Switch from maven-deploy-plugin to nexus-staging-maven-plugin, which helps with fetching the Nexus repository URL during a release. generate-email.sh will be called with a fourth argument containing the Nexus repository URL. (#246)
• Update deploy-*-reusable workflows to export the URL of the Nexus repository and the project version as nexus-url and project-version workflow outputs, respectively (#246)
• Add maven-args input to build-reusable and merge-dependabot-reusable (#266)
• Move from [ge.apache.org](http://ge.apache.org/) to new [develocity.apache.org](http://develocity.apache.org/) server (#313)
• Add the verify-reproducibility-reusable.yaml workflow to check reproducibility of artifacts in a Maven repository. Deprecate the reproducibility check in build-reusable.yaml. (#246)

Removed

• Remove following managed dependencies to avoid polluting BOMs: biz.aQute.bnd:biz.aQute.bnd.annotation, com.github.spotbugs:spotbugs-annotations, org.jspecify:jspecify, org.osgi:osgi.annotation, org.osgi:org.osgi.annotation.bundle, org.osgi:org.osgi.annotation.versioning (#265, apache/logging-log4j2#3066)

Updated

• Update biz.aQute.bnd:bnd-baseline-maven-plugin to version 7.1.0 (#290)
• Update biz.aQute.bnd:bnd-maven-plugin to version 7.1.0 (#289)
• Update com.diffplug.spotless:spotless-maven-plugin to version 2.44.2 (#314)
• Update com.github.spotbugs:spotbugs-maven-plugin to version 4.8.6.6 (#293)
• Update com.google.errorprone:error_prone_core to version 2.36.0 (#287)
• Update org.apache.groovy:groovy to version 4.0.25 (#320)
• Update org.apache.maven.plugins:maven-artifact-plugin to version 3.6.0 (#312)
• Update org.asciidoctor:asciidoctor-maven-plugin to version 3.1.1 (#285)
• Update org.codehaus.gmavenplus:gmavenplus-plugin to version 4.1.1 (#307)
• Update org.codehaus.mojo:exec-maven-plugin to version 3.5.0 (#274)
• Update org.cyclonedx:cyclonedx-maven-plugin to version 2.9.1 (#291)

This minor release migrates the BeanShell distribution archive script to Groovy.

The update to the Develocity extensions should fix the lack of test results with Maven Surefire 3.5.0.

Changed

• Switch the distribution script from BeanShell to Groovy. (#196)

Fixed

• Fix race condition, which marks merged Dependabot PRs as closed.

Updated

• Update actions/setup-java to version 4.3.0 (#237)
• Update actions/upload-artifact to version 4.4.0 (#233)
• Update com.github.spotbugs:spotbugs-maven-plugin to version 4.8.6.3 (#235)
• Update com.google.errorprone:error_prone_core to version 2.32.0 (#240)
• Update com.gradle:common-custom-user-data-maven-extension to version 2.0.1 (#236)
• Update com.gradle:develocity-maven-extension to version 1.22.1 (#239)
• Update github/codeql-action to version 3.26.7 (#243)
• Update org.apache.groovy:groovy to version 4.0.23 (#244)
• Update org.eclipse.jgit:org.eclipse.jgit to version 7.0.0.202409031743-r (#238)

This minor release integrates Gradle Develocity into the reusable workflows.
See Develocity Configuration for more details.

Added

• Add option to disable reproducibility check in reusable builds. (#195)
• Add option to enable Develocity in builds.

Updated

• Update actions/checkout to version 4.1.7 (#192)
• Update actions/setup-java to version 4.2.2 (#217)
• Update actions/upload-artifact to version 4.3.6 (#219)
• Update com.github.spotbugs:spotbugs-annotations to version 4.8.6 (#194)
• Update com.github.spotbugs:spotbugs-maven-plugin to version 4.8.6.2 (#201)
• Update com.google.errorprone:error_prone_core to version 2.30.0 (#222)
• Update com.palantir.javaformat:palantir-java-format to version 2.50.0 (#226)
• Update dependabot/fetch-metadata to version 2.2.0 (#200)
• Update github/codeql-action to version 3.26.5 (#230)
• Update org.apache:apache to version 33 (#203)
• Update org.codehaus.mojo:build-helper-maven-plugin to version 3.6.0 (#183)
• Update org.codehaus.mojo:exec-maven-plugin to version 3.4.1 (#223)
• Update org.cyclonedx:cyclonedx-maven-plugin to version 2.8.1 (#216)
• Update org.eclipse.jgit:org.eclipse.jgit to version 6.10.0.202406032230-r (#190)
• Update org.jspecify:jspecify to version 1.0.0 (#206)
• Update ossf/scorecard-action to version 2.4.0 (#212)

This minor release contains small improvements and some dependency updates.

Changed

• Use default Java SE architecture and packaging (JDK) in workflows
• Change the JDK distribution used in workflows from Temurin to Zulu (#169)

Updated

• Update com.github.spotbugs:spotbugs-annotations to version 4.8.5 (#174)
• Update com.github.spotbugs:spotbugs-maven-plugin to version 4.8.5.0 (#175)
• Update com.google.errorprone:error_prone_core to version 2.27.1 (#172)
• Update com.h3xstream.findsecbugs:findsecbugs-plugin to version 1.13.0 (#159)
• Update com.palantir.javaformat:palantir-java-format to version 2.46.0 (#173)
• Update org.apache:apache to version 32 (#160)
• Update org.apache.logging.log4j:log4j-changelog-maven-plugin to version 0.9.0 (#181)

This release contains a big revamp to the website build and several other minor enhancements.

Website build changes

The website build system is migrated from asciidoctor-maven-plugin to Antora. This implies that src/site and generate-email.sh files need to be adapted, and target/site can be viewed without needing a local web server.

The Maven site phase is re-engineered such that generated sources (i.e., src/site/_release_notes and src/site/_constants.adoc) will be targeted to target/generated-site and the website will be built from there. This avoids the need to commit generated sources to the repository and, hence, works around changelog merge conflict problems.

Website deployment changes

The newly added site-deploy-reusable.yaml GitHub Actions workflow enables to automate the website deployment. Using the <source-branch>-site-<environment>-out branch naming convention, the Maven site goal running on

• the main branch populates the main-site-stg-out branch serving the logging.staged.apache.org/logging-parent
• the main-site-pro branch populates the main-site-pro-out branch serving the logging.apache.org/logging-parent
• the release/<version> branch populates the release/<version>-site-stg-out branch serving the logging.staged.apache.org/logging-parent-<version>

Refer to the usage and project release instructions pages for details.

Added

• Add coverage profile to generate a test coverage report (#140)
• Add deploy-site-yaml GitHub actions workflow to automate the website deployment
• Add instructions on XML schema publication (#138)

Changed

• Replace process-sbom script with CycloneDX plugin configuration (#105)
• Support parallel releases by uploading the distribution to <projectId>/<version> folders. This is needed for parallel Log4j 2 and 3 releases. (#139)
• Migrate website support from asciidoctor-maven-plugin to Antora

Updated

• Update com.diffplug.spotless:spotless-maven-plugin to version 2.43.0 (#108)
• Update com.github.spotbugs:spotbugs-maven-plugin to version 4.8.4.0 (#156)
• Update com.google.errorprone:error_prone_core to version 2.26.1 (#134)
• Update com.palantir.javaformat:palantir-java-format to version 2.43.0 (#154)
• Update org.apache.logging.log4j:log4j-changelog-maven-plugin to version 0.8.0 (#146)
• Update org.apache.maven.plugins:maven-artifact-plugin to version 3.5.1 (#149)
• Update org.codehaus.mojo:flatten-maven-plugin to version 1.6.0 (#102)
• Update org.cyclonedx:cyclonedx-maven-plugin to version 2.8.0 (#145)

This minor release contains several small changes to the build pipeline.

Most notably it bans wildcard imports from source code, which will require expanding those imports before upgrading logging-parent.

Added

• Add JSpecify to dependency management. (#88)
• Add enforcer rule to ban wildcard imports. All imports must be expanded to provide better comparison of branches. (#63)

Changed

• Merge Dependabot PRs instead of closing them. (#82)
• Disable -jpms-multi-release BND option. (#93)
• Clean up residual module-info.class before compilation. (#90)

Updated

• Update com.google.errorprone:error_prone_core to version 2.24.1 (#89)
• Update github/codeql-action to version 3.23.0 (#91)
• Update org.apache.rat:apache-rat-plugin to version 0.16 (#92)

This minor release contains dependency updates and a change in the way BND is employed.

BND Maven Plugins are upgraded to version 7.0.0, which requires Java 17. Log4j was the blocker for this upgrade and the issue is resolved in apache/logging-log4j2#2021. Note that BND Maven Plugins version 7.0.0 increased the minimum required Maven version to 3.8.1.

Changed

• Switch from bnd:jar to bnd:bnd-process to improve integration with the ecosystem; IDEs, Maven plugins, etc. (#69)
• Replace log4j-changelog entry type of dependabot updates from changed to updated
• Minimum required Maven version is increased to 3.8.1 due to BND Maven Plugin updates

Updated

• Update biz.aQute.bnd:bnd-baseline-maven-plugin to version 7.0.0 (#78)
• Update biz.aQute.bnd:bnd-maven-plugin to version 7.0.0
• Update com.diffplug.spotless:spotless-maven-plugin to version 2.41.1 (#70)
• Update com.github.spotbugs:spotbugs-annotations to version 4.8.3 (#80)
• Update com.github.spotbugs:spotbugs-maven-plugin to version 4.8.2.0 (#71)
• Update com.palantir.javaformat:palantir-java-format to version 2.39.0
• Update org.apache:apache to version 31 (#73)
• Update org.apache.logging.log4j:log4j-changelog-maven-plugin to version 0.7.0 (#84)

This minor release contains several small improvements.

Added

• Add deterministic Palantir Java formatter

Changed

• Increase directory scanning depth from 8 to 32 in the distribution BeanShell script