security: harden release workflow and declare workflow_call secrets#487
Conversation
Security Policy Alert: Actions Policy ViolationThis workflow run has been blocked by StepSecurity's actions policy. Disallowed Actions:
To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed. For more information, see StepSecurity's Actions Policy documentation. |
Security Policy Alert: Secret Policy ViolationThis workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch. Secret references detected:
To approve this workflow, please add the Note: The label must be added by someone other than the PR author (cx-luis-ventuzelos) or automation bots to ensure proper security review. After the label is added, you can re-run the blocked workflow to proceed. This workflow will be automatically approved once merged into the default branch. For more information, see StepSecurity's Secret Exfiltration Policy documentation. |
- Replace actions/checkout v4.3.1 with v6.0.3 and switch from PERSONAL_ACCESS_TOKEN to GITHUB_TOKEN - Fix script injection in Download CLI, Tag, Update POM, Build artifactId, and Publish steps by moving inputs to env vars - Replace deprecated ::set-output with $GITHUB_OUTPUT in Tag step - Update actions/setup-java v4.3.0 to v5.2.0 - Add explicit secrets declaration for workflow_call (MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, OSSRH_TOKEN, OSSRH_USERNAME) - Fix broken shell conditional in Build artifactId property step
cx-luis-ventuzelos
force-pushed
the
fix/workflow-security-hardening
branch
from
71bfedb to
7e0901c
Compare
2 participants
Summary
actions/checkoutv4.3.1 → v6.0.3 and switch fromPERSONAL_ACCESS_TOKENtoGITHUB_TOKENDownload CLI,Tag,Update POM,Build artifactId, andPublishsteps by movinginputs.*context expressions toenvvars::set-outputwith$GITHUB_OUTPUTinTagstepactions/setup-javav4.3.0 → v5.2.0secrets:declaration underworkflow_call(MAVEN_GPG_PASSPHRASE,MAVEN_GPG_PRIVATE_KEY,OSSRH_TOKEN,OSSRH_USERNAME)Build artifactId propertystepCloses #484, closes #486.