diff --git a/.github/workflows/Lockfile.yml b/.github/workflows/Lockfile.yml
index bdb88cde..a7e5f514 100644
--- a/.github/workflows/Lockfile.yml
+++ b/.github/workflows/Lockfile.yml
@@ -8,12 +8,12 @@ permissions:
 contents: read
 jobs:
 check-lockfile:
- permissions:
- contents: write
- runs-on: ubuntu-latest
- steps:
- - name: run maven-lockfile
- uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
- with:
- github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
- include-maven-plugins: true
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: run maven-lockfile
+ uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
+ with:
+ github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
+ include-maven-plugins: true
diff --git a/.github/workflows/LockfilePR.yml b/.github/workflows/LockfilePR.yml
index 52cb3356..0145376e 100644
--- a/.github/workflows/LockfilePR.yml
+++ b/.github/workflows/LockfilePR.yml
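Review bot: In `.github/workflows/Lockfile.yml` the `check-lockfile` job widens the workflow default of `contents: read` to `contents: write` and also hands `secrets.JRELEASER_GITHUB_TOKEN` to the `maven-lockfile` action, with nothing in the file saying why either is needed. The job-level `permissions` block only limits the automatic `GITHUB_TOKEN`; a secret passed as `github-token` keeps whatever scopes it was issued with, and by its name this one looks like the release token, so a token created only for lockfile updates would be the least-privilege choice. The same secret is passed in the same-repository step of `.github/workflows/LockfilePR.yml`, where the `if:` on `head.repo.full_name` is what keeps it away from fork pull requests; the workflow trigger is outside that hunk, so confirm it there. Because this commit only re-indents these blocks and YAML nesting is what binds `permissions` and `if:` to their job and step, I would add a comment above `permissions:` such as `# write: presumably so maven-lockfile can push the regenerated lockfile (confirm)` and check that the re-indented block still parses under `check-lockfile`.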
@@ -11,27 +11,27 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - github.com:443 - objects.githubusercontent.com:443 - raw.githubusercontent.com:443 - repo.maven.apache.org:443 - repo1.maven.org:443 - sh.jbang.dev:443 - - name: run maven-lockfile - if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} - uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0 - with: - github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} - include-maven-plugins: true - - - name: run maven-lockfile (fork/external) - if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} - uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - include-maven-plugins: true + uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + repo.maven.apache.org:443 + repo1.maven.org:443 + sh.jbang.dev:443 + - name: run maven-lockfile + if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} + uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0 + with: + github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} + include-maven-plugins: true + + - name: run maven-lockfile (fork/external) + if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} + uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + include-maven-plugins: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index df88bd55..889a59d2 100644 
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -46,28 +46,28 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Set up JDK 17 - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4 - with: - java-version: '17' - distribution: 'temurin' + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Set up JDK 17 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4 + with: + java-version: '17' + distribution: 'temurin' - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
- # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- # queries: security-extended,security-and-quality
- - name: build packages
- run: mvn -B clean package
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3
- with:
- category: "/language:${{matrix.language}}"
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+ - name: build packages
+ run: mvn -B clean package
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
index d795a27c..ac64cb52 100644
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -13,27 +13,27 @@ jobs:
 runs-on: ubuntu-latest
 name: smoke test against different repos
 steps:
- - name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
- with:
- path: /root/.jbang
- key: $-jbang-$
- restore-keys: |
- $-jbang-
- name: Set up JDK 17
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
- with:
- java-version: '17'
- distribution: 'temurin'
- - name: Set up Maven
- uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
- with:
- maven-version: 3.9.6
- - name: jbang
- uses: jbangdev/setup-jbang@2b1b465a7b75f4222b81426f23a01e013aa7b95c # v0.1.1
- with:
- version: 0.119.0
- - name: SmokeTest
- run: |
- jbang .github/smoketest/SmokeTest.java
+ - name: checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+ with:
+ path: /root/.jbang
+ key: $-jbang-$
+ restore-keys: |
+ $-jbang-
+ - name: Set up JDK 17
+ uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ - name: Set up Maven
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
+ with:
+ maven-version: 3.9.6
+ - name: jbang
+ uses: jbangdev/setup-jbang@2b1b465a7b75f4222b81426f23a01e013aa7b95c # v0.1.1
+ with:
+ version: 0.119.0
+ - name: SmokeTest
+ run: |
+ jbang .github/smoketest/SmokeTest.java
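Review bot: In `.github/workflows/smoke-tests.yml` the `actions/cache` step uses the literal strings `key: $-jbang-$` and `restore-keys: $-jbang-`, which read like a key whose `${{ … }}` expressions were lost when the snippet was copied. As shown here, every run resolves to the same key, so whatever was first saved for `/root/.jbang` keeps being restored and changes to the smoke-test sources never invalidate it. If that is not intended, something like `key: ${{ runner.os }}-jbang-${{ hashFiles('.github/smoketest/*.java') }}` with `restore-keys: ${{ runner.os }}-jbang-` would tie the cache to those sources. It is also worth confirming that `/root/.jbang` is the directory JBang actually writes to on `ubuntu-latest`, since a path that is never populated makes the step a no-op.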