chore: [StepSecurity] ci: Harden GitHub Actions (#120)

* [StepSecurity] ci: Harden GitHub Actions in release.yml

* [StepSecurity] ci: Harden GitHub Actions in static-code-scanning.yaml

* [StepSecurity] ci: Harden GitHub Actions in lint-pr.yml

* [StepSecurity] ci: Harden GitHub Actions in merge.yml

* [StepSecurity] ci: Harden GitHub Actions in pullrequest.yml
Step Security Bot 2022-10-06 09:29:47 -07:00 committed by GitHub
parent 9647c3f04d
commit 73cc784491
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 18 deletions


@ -7,11 +7,17 @@ on:
- edited
- synchronize
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
main:
permissions:
pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v4
- uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
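Review bot: The new pin `amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7` drops the human-readable version without leaving any trace of it, so a reader or a dependency-update bot can no longer tell which release the SHA corresponds to; the same applies to every pinned `uses:` line in the other four files of this commit. Keep the tag the SHA was resolved from as a trailing comment, e.g. `- uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7 # v4` (the removed line shows it was `v4`). Dependabot and Renovate only keep such a comment in step with the commit hash when it is present, and it is also what lets a reviewer check that the SHA really belongs to that tag.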


@ -22,9 +22,9 @@ jobs:
packages: write
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set up JDK 8
uses: actions/setup-java@v3
uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d
with:
java-version: '8'
distribution: 'temurin'
@ -34,7 +34,7 @@ jobs:
server-password: ${{ secrets.OSSRH_PASSWORD }}
- name: Cache local Maven repository
uses: actions/cache@v3
uses: actions/cache@56461b9eb0f8438fd15c7a9968e3c9ebb18ceff1
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@ -51,7 +51,7 @@ jobs:
run: mvn --batch-mode --update-snapshots verify
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with:
flags: unittests # optional
name: coverage # optional
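Review bot: The two hunks in this file only exchange tags for commit SHAs; unlike the other files in the commit, no workflow-level `permissions: contents: read` block is visible here, while the job already holds `packages: write` (context line above `steps:` in the first hunk). The workflow header lies outside these hunks, so a top-level block may already exist; if it does not, add `permissions:` / `  contents: read` at the top of the file so the default token is read-only for anything the job does not explicitly widen. The enclosing job body starts before the first hunk and continues past the last one.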


@ -18,22 +18,22 @@ jobs:
packages: write
steps:
- name: Check out the code
uses: actions/checkout@v3
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set up JDK 8
uses: actions/setup-java@v3
uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d
with:
java-version: '8'
distribution: 'temurin'
cache: maven
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
with:
languages: java
- name: Cache local Maven repository
uses: actions/cache@v3
uses: actions/cache@56461b9eb0f8438fd15c7a9968e3c9ebb18ceff1
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@ -44,7 +44,7 @@ jobs:
run: mvn --batch-mode --update-snapshots verify # -P integration-test - add this back once we have a compatible flagd
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with:
flags: unittests # optional
name: coverage # optional
@ -52,4 +52,4 @@ jobs:
verbose: true # optional (default = false)
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
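Review bot: `github/codeql-action/analyze` at the end of this section uploads its results to the code-scanning API, which requires `security-events: write` on the job; the job-level permissions block is only partly visible (`packages: write` is its last line before `steps:` in the first hunk, the rest lies above it), so confirm it includes `security-events: write`, otherwise the upload is rejected once the token is narrowed. The same check applies to the `CodeQL-Build` job in the last file section, where this commit adds a workflow-level `permissions: contents: read` but the job's own permissions (between `CodeQL-Build:` and `steps:`) fall outside both hunks. If either job lacks it, add `security-events: write` beside the existing scopes. The job definitions in both files start before the hunks shown.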


@ -7,13 +7,19 @@ on:
branches:
- main
name: Run Release Please
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
release-please:
permissions:
contents: write # for google-github-actions/release-please-action to create release commit
pull-requests: write # for google-github-actions/release-please-action to create release PR
runs-on: ubuntu-latest
# Release-please creates a PR that tracks all changes
steps:
- uses: google-github-actions/release-please-action@v3
- uses: google-github-actions/release-please-action@069d7229d7b10308de85bc606a91e0033e259c8e
id: release
with:
command: manifest
@ -23,10 +29,10 @@ jobs:
# These steps are only run if this was a merged release-please PR
- name: checkout
if: ${{ steps.release.outputs.releases_created }}
uses: actions/checkout@v3
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set up JDK 8
if: ${{ steps.release.outputs.releases_created }}
uses: actions/setup-java@v3
uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d
with:
java-version: '8'
distribution: 'temurin'


@ -15,6 +15,9 @@ on:
# * * * * *
- cron: '30 1 * * 1'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
CodeQL-Build:
# CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
@ -26,16 +29,16 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
with:
languages: java
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44