From 64bc2c14c8f5fc9bffec09c207b0d85d2240c659 Mon Sep 17 00:00:00 2001 From: "alexandria.gomez" Date: Wed, 8 Jul 2026 14:48:53 -0400 Subject: [PATCH 1/7] fix(security): bump jackson-databind to 2.18.8 to remediate CVE-2026-54512 and CVE-2026-54513 Co-Authored-By: Claude Sonnet 5 --- CHANGELOG.md | 6 ++++++ pom.xml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c6bf7da..6be08078 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## 1.0.4 + +### Chore & Maintenance + +- Update `jackson-databind` dependency due to vulnerability + ## 1.0.3 ### Chore & Maintenance diff --git a/pom.xml b/pom.xml index 87300363..0fda0899 100644 --- a/pom.xml +++ b/pom.xml @@ -309,7 +309,7 @@ ${java.version} 1.8.0 2.0.0 - 2.18.2 + 2.18.8 2.9.0 1.3.5 1.0.2 From f9cab6f213328a8b0f0692edaada0998bb969710 Mon Sep 17 00:00:00 2001 From: "alexandria.gomez" Date: Wed, 8 Jul 2026 17:28:33 -0400 Subject: [PATCH 2/7] Bump project version to 1.0.4 to match CHANGELOG Co-Authored-By: Claude Sonnet 5 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 0fda0899..9553d53f 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ lf-repository-api-client-v2 jar Laserfiche Repository API Client V2 - 1.0.0 + 1.0.4 https://github.com/Laserfiche/lf-repository-api-client-java The Java Laserfiche Repository API Client library for accessing the v2 Laserfiche Repository APIs. From fa6adccb1727faacad178a8e02252f1840332069 Mon Sep 17 00:00:00 2001 From: "alexandria.gomez" Date: Wed, 8 Jul 2026 19:23:09 -0400 Subject: [PATCH 3/7] ci: grant checks:write to build-n-test so publish-unit-test-result-action can post check runs Default GITHUB_TOKEN permissions are read-only, so EnricoMi/publish-unit-test-result-action was failing with 403 Resource not accessible by integration on every PR. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 32a6c6d3..c98a0fd1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -19,6 +19,10 @@ jobs: build-n-test: runs-on: ubuntu-latest + permissions: + contents: read + checks: write + steps: - uses: actions/checkout@v4 From 2f1aad75bd9201293d0df4308197ede6ff6279ac Mon Sep 17 00:00:00 2001 From: "alexandria.gomez" Date: Wed, 8 Jul 2026 19:45:59 -0400 Subject: [PATCH 4/7] ci: grant pull-requests:write for publish-unit-test-result-action's PR comment checks:write alone got the check runs created, but the action's default comment_mode also posts/updates a PR comment, which needs pull-requests:write. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c98a0fd1..2eb53312 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -22,6 +22,7 @@ jobs: permissions: contents: read checks: write + pull-requests: write steps: - uses: actions/checkout@v4 From 397492549ad682ce5b8b0557c452a11b62f49607 Mon Sep 17 00:00:00 2001 From: "alexandria.gomez" Date: Thu, 9 Jul 2026 18:03:21 -0400 Subject: [PATCH 5/7] ci: diagnostic run against REPOSITORY_ID_1 with hardcoded readonly folder Access denied errors trace back to the service principal not having access to whatever repo DEV_CA_PUBLIC_USE_REPOSITORY_ID_2 points to (confirmed via RepositoriesClientTest.listRepositoriesWorks: listRepositories() succeeds but that repo ID isn't in the returned list). Trying REPOSITORY_ID_1 (used by the dotnet/JS clients) with a hardcoded folder ID to see what actually fails now that auth itself isn't the blocker. Not a real fix - just a diagnostic. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2eb53312..081bd60e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,10 +54,10 @@ jobs: env: ACCESS_KEY: ${{ secrets.DEV_CA_PUBLIC_USE_INTEGRATION_TEST_ACCESS_KEY }} SERVICE_PRINCIPAL_KEY: ${{ secrets.DEV_CA_PUBLIC_USE_TESTOAUTHSERVICEPRINCIPAL_SERVICE_PRINCIPAL_KEY }} - REPOSITORY_ID: ${{ secrets.DEV_CA_PUBLIC_USE_REPOSITORY_ID_2 }} + REPOSITORY_ID: ${{ secrets.DEV_CA_PUBLIC_USE_REPOSITORY_ID_1 }} AUTHORIZATION_TYPE: ${{ secrets.AUTHORIZATION_TYPE }} TEST_HEADER: ${{ secrets.TEST_HEADER }} - READONLY_TEST_FOLDER_ID: ${{ secrets.DEV_CA_READONLY_TEST_FOLDER_ID }} + READONLY_TEST_FOLDER_ID: "2729986" # TODO: hardcoded for diagnostic run, revert to secrets.DEV_CA_READONLY_TEST_FOLDER_ID run: mvn -Dtest=com.laserfiche.repository.api.integration.** test - name: Publish cloud test results From 1da0e7c33852fc57e6dd96ae8ccbc0255cfe22cf Mon Sep 17 00:00:00 2001 From: "alexandria.gomez" Date: Fri, 10 Jul 2026 16:31:31 -0400 Subject: [PATCH 6/7] dummy commit to trigger build From 030ca55e454822139599bc12f4d1186845b591d8 Mon Sep 17 00:00:00 2001 From: "alexandria.gomez" Date: Fri, 10 Jul 2026 16:37:35 -0400 Subject: [PATCH 7/7] hardcode different folder --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 081bd60e..7c3fde07 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -57,7 +57,7 @@ jobs: REPOSITORY_ID: ${{ secrets.DEV_CA_PUBLIC_USE_REPOSITORY_ID_1 }} AUTHORIZATION_TYPE: ${{ secrets.AUTHORIZATION_TYPE }} TEST_HEADER: ${{ secrets.TEST_HEADER }} - READONLY_TEST_FOLDER_ID: "2729986" # TODO: hardcoded for diagnostic run, revert to secrets.DEV_CA_READONLY_TEST_FOLDER_ID + READONLY_TEST_FOLDER_ID: "2732097" # TODO: hardcoded for diagnostic run, revert to secrets.DEV_CA_READONLY_TEST_FOLDER_ID run: mvn -Dtest=com.laserfiche.repository.api.integration.** test - name: Publish cloud test results