diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 1c667ad..1c0f7b7 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -13,6 +13,8 @@ on:
 pull_request:
 merge_group:
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -25,6 +27,8 @@ jobs:
 - {druid: druid-37.0.0, java: '21'}
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Set up JDK
 uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
diff --git a/.github/workflows/pr_prek.yaml b/.github/workflows/pr_prek.yaml
new file mode 100644
index 0000000..780b86c
--- /dev/null
+++ b/.github/workflows/pr_prek.yaml
@@ -0,0 +1,18 @@
+---
+name: prek
+
+on:
+ pull_request:
+
+permissions: {}
+
+jobs:
+ prek:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
+ submodules: recursive
+ fetch-depth: 0
+ - uses: stackabletech/actions/run-prek@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cd12810..94105da 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,7 +5,7 @@ on:
 workflow_dispatch:
 inputs:
 druid-version:
- description: 'Select the Druid version to build the authorizer for.'
+ description: "Select the Druid version to build the authorizer for."
 required: true
 type: choice
 options:
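Review bot: The checkout pin in the new pr_prek.yaml, actions/checkout v7.0.0, differs from the v4.2.2 pin that maven.yml and release.yml keep in this same commit, so the three workflows now resolve one action to two different major versions; aligning them, or recording why prek needs v7, keeps future pin bumps to a single edit. `fetch-depth: 0` together with `submodules: recursive` turns a lint job into a full-history, all-submodules clone, which is noticeably slower than the default shallow checkout; if a prek hook genuinely needs history, a comment such as `# full history: required by <HOOK-NAME> — TODO confirm` above `fetch-depth: 0` would document it, otherwise both keys can go. `persist-credentials: false` combined with the workflow-level `permissions: {}` is the right pairing for a job that only reads the tree, and matches what the maven.yml hunks now do.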
@@ -19,21 +19,31 @@ on: description: 'The next stackable version to use, this updates the POM (without the "-SNAPSHOT"). If stackable-version is 0 then set this to 1 etc.' required: true +permissions: {} + jobs: build: runs-on: ubuntu-latest + permissions: + # Write is needed to draft the release + # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281 + contents: write steps: - name: Set Java Version id: set_java_version + env: + DRUID_VERSION: ${{ github.event.inputs.druid-version }} run: | - if [ "${{ github.event.inputs.druid-version }}" == "druid-30.0.0" ] || [ "${{ github.event.inputs.druid-version }}" == "druid-30.0.1" ] || [ "${{ github.event.inputs.druid-version }}" == "druid-31.0.1" ]; then + if [ "$DRUID_VERSION" == "druid-30.0.0" ] || [ "$DRUID_VERSION" == "druid-30.0.1" ] || [ "$DRUID_VERSION" == "druid-31.0.1" ]; then echo "JAVA_VERSION=17" >> "$GITHUB_ENV" else echo "JAVA_VERSION=unknown" >> "$GITHUB_ENV" fi - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Release uses: qcastel/github-actions-maven-release@0fd7a9e2ba3a4af8728a88cf57b11592fd8bdd0f # v1.12.43 diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml deleted file mode 100644 index c79f34e..0000000 --- a/.github/workflows/reviewdog.yml +++ /dev/null 
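Review bot: `persist-credentials: false` on the checkout is followed by the `qcastel/github-actions-maven-release` step, which as far as I know performs the Maven release and pushes the release commit and tag back to the repository; that step can no longer rely on the credentials checkout used to leave in the clone, so it must receive a token through its own inputs, which lie outside this hunk — worth confirming, since the breakage would only surface on the next release run. Moving `github.event.inputs.druid-version` into the `DRUID_VERSION` env var on the new `if` line is the right way to keep the input out of the shell text, and the job-level `contents: write` with the README pointer is a reasonable replacement for the removed default scopes. The unchanged `else` branch still writes `JAVA_VERSION=unknown` and lets the job continue, so a Druid version outside the three-entry list reaches the release step with a meaningless Java version; `echo "unsupported druid-version: $DRUID_VERSION" >&2; exit 1` in that branch would fail fast instead. The release step's `with:` inputs continue past the end of the hunk.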
@@ -1,62 +0,0 @@
----
-name: reviewdog
-on:
- pull_request
-
-permissions:
- contents: read
- checks: write
- pull-requests: write
- issues: write
-
-jobs:
- actionlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- detect-secrets:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-detect-secrets@bc63f9282b0cee5af6187043f8e79e80e7f6ffe3 # v0.28.3
- with:
- github_token: ${{ secrets.github_token }}
-
- flake8:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- with:
- python-version: "3.9"
- - uses: reviewdog/action-flake8@b65981e158319f08cb7d0132f28bc0081e110adc # v3.15.2
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- markdownlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-markdownlint@3667398db9118d7e78f7a63d10e26ce454ba5f58 # v0.26.2
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- shellcheck:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-shellcheck@5ebd09ddbe2ebb471646ce234c6c8dd18663ca7c # v1.30.0
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- yamllint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..a223069
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,40 @@
+---
+default_language_version:
+ node: system
+
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # 6.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: detect-aws-credentials
+ args: ["--allow-missing-credentials"]
+ - id: detect-private-key
+
+ - repo: https://github.com/adrienverge/yamllint
+ rev: 79a6b2b1392eaf49cdd32ac4f14be1a809bbd8f7 # 1.37.1
+ hooks:
+ - id: yamllint
+ args: ["--strict"]
+
+ - repo: https://github.com/igorshubovych/markdownlint-cli
+ rev: 192ad822316c3a22fb3d3cc8aa6eafa0b8488360 # 0.45.0
+ hooks:
+ - id: markdownlint
+ - repo: https://github.com/koalaman/shellcheck-precommit
+ rev: 99470f5e12208ff0fb17ab81c3c494f7620a1d8d # 0.11.0
+ hooks:
+ - id: shellcheck
+ args: ["--severity=info"]
+
+ - repo: https://github.com/rhysd/actionlint
+ rev: e7d448ef7507c20fc4c88a95d0c448b848cd6127 # 1.7.8
+ hooks:
+ - id: actionlint
+
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: 7fc963270df722f37707d47ff41265fe8f460822 # v1.20.0
+ hooks:
+ - id: zizmor
+ args: ["--no-progress", "--min-confidence", "medium"]
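Review bot: Compared with the reviewdog workflow this commit deletes, the hook set drops the `detect-secrets` and `flake8` checks; only `detect-private-key` and `detect-aws-credentials` remain, which look for a narrower class of secrets than detect-secrets did, so if that narrowing is intended it deserves a line in the commit message, and if not, adding a detect-secrets hook would restore parity. The `markdownlint` and `shellcheck-precommit` entries are not separated by a blank line while every other `- repo:` entry is; one blank line before `- repo: https://github.com/koalaman/shellcheck-precommit` keeps the file consistent. `node: system` under `default_language_version` (and, as far as I recall, the shellcheck-precommit hook, which runs through a container image) make the hooks depend on tools present on the host, which the `run-prek` action in pr_prek.yaml presumably provides; a comment above `default_language_version:` naming that assumption would save the next person a failed local run. Pinning every `rev:` to a full commit SHA with the version in a trailing comment is the right choice for supply-chain hygiene and matches the SHA-pinned actions in the workflows.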