chore: [StepSecurity] ci: Harden GitHub Actions (#120)

* [StepSecurity] ci: Harden GitHub Actions in release.yml

* [StepSecurity] ci: Harden GitHub Actions in static-code-scanning.yaml

* [StepSecurity] ci: Harden GitHub Actions in lint-pr.yml

* [StepSecurity] ci: Harden GitHub Actions in merge.yml

* [StepSecurity] ci: Harden GitHub Actions in pullrequest.yml
This commit is contained in:
Step Security Bot 2022-10-06 09:29:47 -07:00 committed by GitHub
parent 9647c3f04d
commit 73cc784491
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 18 deletions


@ -7,11 +7,17 @@ on:
- edited - edited
- synchronize - synchronize
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
main: main:
permissions:
pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
name: Validate PR title name: Validate PR title
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: amannn/action-semantic-pull-request@v4 - uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
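Review bot: The SHA pin on the `uses:` line now carries no human-readable version, so a reader cannot tell which release `505e44b4…` was resolved from, and the tools that typically keep such pins current (Dependabot, Renovate) rely on a trailing tag comment to propose bumps; append the tag the commit replaced, `uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7 # v4`. The same applies to every pinned step in this commit, and it is what makes a SHA pin auditable rather than opaque. The `on:` trigger block and the rest of this workflow start above the hunk, so whether this runs on `pull_request_target` (where a read-only default token plus job-level `statuses: write` is exactly the right shape) cannot be confirmed from here.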


@ -22,9 +22,9 @@ jobs:
packages: write packages: write
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set up JDK 8 - name: Set up JDK 8
uses: actions/setup-java@v3 uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d
with: with:
java-version: '8' java-version: '8'
distribution: 'temurin' distribution: 'temurin'
@ -34,7 +34,7 @@ jobs:
server-password: ${{ secrets.OSSRH_PASSWORD }} server-password: ${{ secrets.OSSRH_PASSWORD }}
- name: Cache local Maven repository - name: Cache local Maven repository
uses: actions/cache@v3 uses: actions/cache@56461b9eb0f8438fd15c7a9968e3c9ebb18ceff1
with: with:
path: ~/.m2/repository path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@ -51,7 +51,7 @@ jobs:
run: mvn --batch-mode --update-snapshots verify run: mvn --batch-mode --update-snapshots verify
- name: Upload coverage to Codecov - name: Upload coverage to Codecov
uses: codecov/codecov-action@v3 uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with: with:
flags: unittests # optional flags: unittests # optional
name: coverage # optional name: coverage # optional
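Review bot: The `server-password: ${{ secrets.OSSRH_PASSWORD }}` input hands the publishing credential to the job before the pinned third-party steps that follow it (`actions/cache`, the Maven build, `codecov/codecov-action`) execute; pinning to a SHA narrows the tag-hijack window but does not change that those steps run with that credential presumably materialised on the runner (setup-java, as far as I know, writes server credentials into the Maven settings file — confirm). Consider uploading coverage from a job that never configures the publishing server, or at least mark the trust boundary with a comment above the upload step: `# NOTE: runs after OSSRH credentials are configured by setup-java; review before bumping this pin`. The job's own `permissions:` block (only `packages: write` is visible) and any steps after the upload begin outside the hunk, so the file name and the full step list are inferred from the commit description rather than seen.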


@ -18,22 +18,22 @@ jobs:
packages: write packages: write
steps: steps:
- name: Check out the code - name: Check out the code
uses: actions/checkout@v3 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set up JDK 8 - name: Set up JDK 8
uses: actions/setup-java@v3 uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d
with: with:
java-version: '8' java-version: '8'
distribution: 'temurin' distribution: 'temurin'
cache: maven cache: maven
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
with: with:
languages: java languages: java
- name: Cache local Maven repository - name: Cache local Maven repository
uses: actions/cache@v3 uses: actions/cache@56461b9eb0f8438fd15c7a9968e3c9ebb18ceff1
with: with:
path: ~/.m2/repository path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@ -44,7 +44,7 @@ jobs:
run: mvn --batch-mode --update-snapshots verify # -P integration-test - add this back once we have a compatible flagd run: mvn --batch-mode --update-snapshots verify # -P integration-test - add this back once we have a compatible flagd
- name: Upload coverage to Codecov - name: Upload coverage to Codecov
uses: codecov/codecov-action@v3 uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with: with:
flags: unittests # optional flags: unittests # optional
name: coverage # optional name: coverage # optional
@ -52,4 +52,4 @@ jobs:
verbose: true # optional (default = false) verbose: true # optional (default = false)
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44


@ -7,13 +7,19 @@ on:
branches: branches:
- main - main
name: Run Release Please name: Run Release Please
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
release-please: release-please:
permissions:
contents: write # for google-github-actions/release-please-action to create release commit
pull-requests: write # for google-github-actions/release-please-action to create release PR
runs-on: ubuntu-latest runs-on: ubuntu-latest
# Release-please creates a PR that tracks all changes # Release-please creates a PR that tracks all changes
steps: steps:
- uses: google-github-actions/release-please-action@v3 - uses: google-github-actions/release-please-action@069d7229d7b10308de85bc606a91e0033e259c8e
id: release id: release
with: with:
command: manifest command: manifest
@ -23,10 +29,10 @@ jobs:
# These steps are only run if this was a merged release-please PR # These steps are only run if this was a merged release-please PR
- name: checkout - name: checkout
if: ${{ steps.release.outputs.releases_created }} if: ${{ steps.release.outputs.releases_created }}
uses: actions/checkout@v3 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set up JDK 8 - name: Set up JDK 8
if: ${{ steps.release.outputs.releases_created }} if: ${{ steps.release.outputs.releases_created }}
uses: actions/setup-java@v3 uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d
with: with:
java-version: '8' java-version: '8'
distribution: 'temurin' distribution: 'temurin'
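Review bot: Job-level `contents: write` is granted to every step in `release-please`, not only to the release-please action the two comments name — the pinned `actions/checkout` and `actions/setup-java` steps, and whatever publish steps follow the hunk, all run with a token that can push to the repository. Since the workflow already keys the later steps on `steps.release.outputs.releases_created`, those steps could move to a second job with `needs: release-please` and its own narrower `permissions:`, leaving `contents: write` / `pull-requests: write` scoped to the one action that creates commits and PRs. The steps after `setup-java` and the `with:` block of the release action are outside the hunk, so what the publish job needs beyond `contents: read` (presumably only the OSSRH secrets, not the token) is inferred and should be checked. A sketch of the split follows; the `== 'true'` comparison is used because job outputs are strings.
```yaml
jobs:
  release-please:
    permissions:
      contents: write # for google-github-actions/release-please-action to create release commit
      pull-requests: write # for google-github-actions/release-please-action to create release PR
    runs-on: ubuntu-latest
    outputs:
      releases_created: ${{ steps.release.outputs.releases_created }}
    steps:
      - uses: google-github-actions/release-please-action@069d7229d7b10308de85bc606a91e0033e259c8e
        id: release
        # … unchanged: with: command: manifest …
  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.releases_created == 'true' }}
    permissions:
      contents: read # raise only if a publish step below needs more
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - name: Set up JDK 8
        uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d
        # … unchanged: with: java-version / distribution, and the publish steps after the hunk …
```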


@ -15,6 +15,9 @@ on:
# * * * * * # * * * * *
- cron: '30 1 * * 1' - cron: '30 1 * * 1'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
CodeQL-Build: CodeQL-Build:
# CodeQL runs on ubuntu-latest, windows-latest, and macos-latest # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
@ -26,16 +29,16 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
with: with:
languages: java languages: java
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v2 uses: github/codeql-action/autobuild@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44