SAP
diff --git a/‎.github/workflows/blackduck.yaml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/blackduck.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/cache-maven-dependencies.yaml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/cache-maven-dependencies.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/continuous-integration.yaml‎
Lines changed: 21 additions & 0 deletions b/‎.github/workflows/continuous-integration.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/workflows/dependabot-automerge.yaml‎
Lines changed: 16 additions & 6 deletions b/‎.github/workflows/dependabot-automerge.yaml‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎.github/workflows/deploy-snapshot.yaml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/deploy-snapshot.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/fosstars-report.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/fosstars-report.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/javadoc.yaml‎
Lines changed: 30 additions & 17 deletions b/‎.github/workflows/javadoc.yaml‎
Lines changed: 30 additions & 17 deletions
@@ -5,10 +5,14 @@ on:
   schedule:
     - cron: 0 23 * * *
 
+permissions: {}
+
 jobs:
   scan:
     name: "Blackduck Scan"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v6
@@ -19,6 +23,8 @@ jobs:
 
   notify-job:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [ scan ]
     if: ${{ failure() && github.ref == 'refs/heads/main' }}
     steps:
 
@@ -13,6 +13,8 @@ env:
 jobs:
   update-cache:
     runs-on: ubuntu-latest
+    permissions:
+      actions: write # needed to delete caches
     steps:
       - name: "Checkout"
         uses: actions/checkout@v6
@@ -36,7 +38,7 @@ jobs:
               gh cache delete "${CACHE_ID}"
           done
         env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Cache Dependencies"
         uses: actions/cache/save@v5
 
@@ -50,12 +50,16 @@ env:
   MVN_SINGLE_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1
   MVN_SKIP_CI_PLUGINS: -DskipFormatting -Denforcer.skip -Djacoco.skip -Dmdep.analyze.skip
 
+permissions: {}
+
 jobs:
   context:
     name: "Collect Context"
     outputs:
       commit: ${{ steps.calculate-commit-sha.outputs.COMMIT }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Calculate Commit SHA"
         id: calculate-commit-sha
@@ -79,6 +83,8 @@ jobs:
     name: "Check Formatting"
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@v6
@@ -106,6 +112,8 @@ jobs:
     name: "Build"
     needs: [ context, check-formatting ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # upload-artifacts does not use github-token
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -160,6 +168,8 @@ jobs:
     name: "Test"
     needs: [ context, build ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -202,6 +212,8 @@ jobs:
   static-code-analysis:
     needs: [ context, build ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         task:
@@ -262,6 +274,9 @@ jobs:
     name: "Run CodeQL Analysis"
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # needed for Perform CodeQL Analysis
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -301,6 +316,8 @@ jobs:
   test-archetypes:
     runs-on: ubuntu-latest
     needs: [ context, build ]
+    permissions:
+      contents: read
     strategy:
       matrix:
         task:
@@ -396,6 +413,8 @@ jobs:
     if: ${{ github.event.inputs.run-blackduck-scan == 'true' }}
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
@@ -412,6 +431,8 @@ jobs:
     if: ${{ github.event.inputs.run-security-rating == 'true' }}
     needs: [ context ]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed for Run FOSStars Rating
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v6
 
@@ -15,12 +15,22 @@ jobs:
   review-prs:
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
-      contents: write
+      contents: read # all write operations use app token
     steps:
       - name: Checkout
         uses: actions/checkout@v6
 
+      - name: 'Create GitHub App Token'
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          client-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
+          owner: SAP
+          repositories: cloud-sdk-java
+          permission-contents: write
+          permission-pull-requests: write
+
       - name: Approve and Merge PRs
         run: |
           PRS=$(gh pr list --app "dependabot" --state "open" --json number,title)
@@ -29,14 +39,14 @@ jobs:
             if [[ -z "$GROUP" ]]; then
               continue
             fi
-          
+
             MATCHES=$(jq -r --arg group "$GROUP" '.[] | select(.title | contains($group)) | .number' <<< "$PRS")
             echo "[DEBUG] Found PRs for group '$GROUP': '$MATCHES'"
-          
+
             PR_NUMBERS="$MATCHES"$'\n'"$PR_NUMBERS"
           done <<< "${{ env.DEPENDABOT_GROUPS }}"
           echo "[DEBUG] Approving and Merging following PRs: '$PR_NUMBERS'"
-          
+
           while IFS= read -r PR_NUMBER; do
             if [[ -z "$PR_NUMBER" ]]; then
               continue
@@ -47,4 +57,4 @@ jobs:
             gh pr review "$PR_NUMBER" --approve
           done <<< "$PR_NUMBERS"
         env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
@@ -9,6 +9,8 @@ jobs:
   deploy-snapshot:
     name: Deploy Snapshot
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@v6
@@ -39,7 +41,7 @@ jobs:
 
       - name: 'Slack Notification'
         if: failure()
-        uses: slackapi/slack-github-action@v3.0.1
+        uses: slackapi/slack-github-action@v3.0.3
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK }}
           webhook-type: incoming-webhook
 
@@ -8,6 +8,8 @@ jobs:
   create_fosstars_report:
     runs-on: ubuntu-latest
     name: "Security rating"
+    permissions:
+      contents: write # needed to push to branch
     steps:
       - uses: actions/checkout@v6
       - uses: SAP/fosstars-rating-core-action@v1.14.0
 
@@ -11,60 +11,73 @@ on:
 env:
   JAVA_VERSION: 17
   DOCS_REPO: SAP/cloud-sdk
-  PROJECTS: "!:rfc,!:dwc-cf,!:datamodel-metadata-generator,!:odata-generator,!:odata-generator-maven-plugin,!:odata-generator-utility,!:odata-v4-generator,!:odata-v4-generator-maven-plugin,!:s4hana-connectivity,!:soap,!:testutil,!:s4hana-core"
+  PROJECTS: '!:rfc,!:dwc-cf,!:datamodel-metadata-generator,!:odata-generator,!:odata-generator-maven-plugin,!:odata-generator-utility,!:odata-v4-generator,!:odata-v4-generator-maven-plugin,!:s4hana-connectivity,!:soap,!:testutil,!:s4hana-core'
 
 jobs:
   build:
-    name: "JavaDoc to Documentation Portal"
+    name: 'JavaDoc to Documentation Portal'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # all write operations use app token
 
     steps:
-      - name: "Prepare git"
+      - name: 'Prepare git'
         run: |
           git config --global user.email "cloudsdk@sap.com"
           git config --global user.name "SAP Cloud SDK Bot"
 
-      - name: "Checkout Repository"
+      - name: 'Checkout Repository'
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          
-      - name: "Switch branch"
+
+      - name: 'Switch branch'
         run: git checkout "${{ github.event.inputs.branch || 'main' }}"
 
-      - name: "Set up JDK 17"
+      - name: 'Set up JDK 17'
         uses: actions/setup-java@v5
         with:
           java-version: '17'
           distribution: 'temurin'
           cache: 'maven'
 
-      - name: "Determine Versions"
+      - name: 'Determine Versions'
         id: determine-version
         run: |
           echo "MAJOR_VERSION=$(jq -r '.version' latest.json | cut -d '.' -f 1)" >> $GITHUB_OUTPUT
           echo "CURRENT_VERSION=$(jq -r '.version' latest.json)" >> $GITHUB_OUTPUT
 
-      - name: "Install project (skip tests)"
+      - name: 'Install project (skip tests)'
         run: mvn install -DskipTests --quiet
 
-      - name: "Process sources"
+      - name: 'Process sources'
         run: mvn process-sources -Drelease --fail-at-end --projects "${PROJECTS}" --quiet
 
-      - name: "Copy delombok sources"
+      - name: 'Copy delombok sources'
         run: find . -type d -path "*/target/delombok" -exec sh -c 'cp -r "$1"/* "$(dirname $(dirname "$1"))/src/main/java/"' _ {} \;
 
-      - name: "Generate aggregated Javadoc"
+      - name: 'Generate aggregated Javadoc'
         run: mvn clean javadoc:aggregate -Drelease -Djava.failOnWarning=false --projects "${PROJECTS}" --quiet
 
-      - name: "Checkout Docs Repository"
+      - name: 'Create GitHub App Token'
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          client-id: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
+          owner: SAP
+          repositories: cloud-sdk
+          permission-contents: write
+          permission-pull-requests: write
+
+      - name: 'Checkout Docs Repository'
         uses: actions/checkout@v6
         with:
           repository: ${{ env.DOCS_REPO }}
           path: .cloud-sdk-docs
-          token: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          token: ${{ steps.app-token.outputs.token }}
 
-      - name: "Replace JavaDoc"
+      - name: 'Replace JavaDoc'
         id: replace-javadoc
         run: |
           TARGET_DIR=./.cloud-sdk-docs/static/java-api/v${{ steps.determine-version.outputs.MAJOR_VERSION }}
@@ -95,7 +108,7 @@ jobs:
 
           git push origin $BRANCH_NAME
 
-      - name: "Create JavaDoc PR"
+      - name: 'Create JavaDoc PR'
         id: create-javadoc-pr
         if: ${{ steps.replace-javadoc.outputs.CREATE_PR == 'true' }}
         working-directory: ./.cloud-sdk-docs
@@ -107,4 +120,4 @@ jobs:
           echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
           echo "PR: $PR_URL" >> $GITHUB_STEP_SUMMARY
         env:
-          GH_TOKEN: ${{ secrets.BOT_SDK_JS_FOR_DOCS_REPO_PR }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}