We meet every week via a Google meeting. The times alternate each week to encourage attendance from multiple time zones. Each week we will provide a summary here to facilitate historical preservation & further discussion. If you would like to join this meeting, you can do so here: https://meet.google.com/her-tjpt-xmf

1. Community Over Code
   - presentation submission cut off was 3/20
   - abstracts are being reviewed now
2. Groovy 5 & Grails 8
   - no updates this week
   - try for some next week
3. TeamPCP / trivy compromise
   - https://infra.apache.org/blog/trivy_security_incident.html
   - workaround: https://github.com/apache/grails-core/pull/15523
   - we are worried an ecosystem compromise could occur, and we do not want to update packages without a more thorough review to ensure no compromise.
   - Spring Boot 3.5.12 predates the Trivy compromise:
     * Spring Boot 3.5.12 release: Published on March 19, 2026 at ~14:01 (by the spring-builds GitHub account). This is confirmed on the official GitHub release tag and the Spring blog post announcing it the same day.
     * Trivy compromise: The incident (malicious v0.69.4 binary, tag force-pushes on trivy-action/setup-trivy, and related Docker images) began with the first observed malicious activity at ~17:43 UTC on March 19, 2026. This was the second breach in the Trivy ecosystem (following an earlier incomplete containment in late February/early March). The attackers poisoned GitHub Action tags and published credential-stealing malware that exfiltrated secrets from CI/CD runners.
     * The Spring Boot release happened several hours before the Trivy malicious activity started, so it was unaffected.
   - update docker image references to SHA instead of tag to further harden our actions
   - defer updating dependencies for this coming week, and look at releasing the week after (in case there is impact from the Trivy compromise that has not yet been found)
   - as discussed: there has been no compromise of Grails or its infrastructure; the Grails team is simply taking precautions with updates given the scope of impact to GitHub Actions, and to ensure we don't deliver anything that has been compromised.
4. Article after James Fredley's meeting: https://foojay.io/today/grails-isnt-done-yet-part-1-inside-the-asf-reboot/
5. Grails 8
   - Hibernate 7 PR
     * https://github.com/apache/grails-core/pull/15530
     * Walter claims to have most issues resolved locally, will push soon
   - Spring Boot 4.x: https://github.com/apache/grails-core/pull/15354
   - Gradle 9.4.x: https://github.com/apache/grails-core/pull/15365
   - CLI Updates: https://github.com/apache/grails-core/pull/15367
6. Gradle Caching Issue
   - https://github.com/apache/grails-core/pull/15532
7. Conditional Plugin Configuration
   - Agreement to merge into 7.1.x
   - PR https://github.com/apache/grails-core/pull/15409
8. Testlens Discussion
   - feedback needed on its PR integrations
   - ZulipChat between testlens developers & Grails core team has been created. See James D for access.
9. Develocity Build Cache
   - Still awaiting ASF infra response
   - James D to push on infra this week
10. Branch Clean Up
   - James D is diffing all old branches and removing them if a) changes are in code line b) ticket is closed; leaving branches that added tests that were never merged for further review.
   - Will follow up in a future dev meeting
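
The hardening step in item 3 (reference actions and Docker images by SHA, because a tag can be force-pushed to different content) can be checked mechanically. The following is an added example, not code from the Grails project or from the linked PR; the sample workflow is constructed and the function names are hypothetical.

```python
import re

# Constructed sample workflow (not taken from the Grails repository).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: example.org/build-image:1.2
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.0.0
      - uses: docker://example.org/tool:latest
      - uses: docker://example.org/tool@sha256:""" + "a" * 64 + """
      - uses: ./.github/actions/local
"""

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")  # immutable image digest
# Matches "uses: <ref>" and "image: <ref>", ignoring quotes and trailing comments.
REF_LINE = re.compile(r"^\s*(?:-\s*)?(uses|image):\s*['\"]?([^\s'\"#]+)")


def is_pinned(key, value):
    """True if the reference cannot be silently repointed to other content."""
    if key == "image" or value.startswith("docker://"):
        return bool(IMAGE_DIGEST.search(value))
    if value.startswith("./"):
        return True  # local action, versioned with the repository itself
    _, sep, ref = value.rpartition("@")
    return bool(sep) and bool(COMMIT_SHA.match(ref))


def find_unpinned(workflow_text):
    """Return (line number, reference) for each tag- or branch-based reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = REF_LINE.match(line)
        if m and not is_pinned(m.group(1), m.group(2)):
            findings.append((lineno, m.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a SHA: {ref}")
```

Run over the files in `.github/workflows/`, a check like this can fail a pull request that reintroduces a tag-based reference.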
