
Commit 777dcb0

Merge pull request #1211 from ably/worktree-fixup-workflows
ci: harden workflow security
2 parents 2822272 + 194a4b5 commit 777dcb0

7 files changed

Lines changed: 77 additions & 39 deletions


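--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -10,13 +10,17 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        with:
+          persist-credentials: false
       - name: Set up the JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
         with:
           java-version: '17'
           distribution: 'temurin'
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
       - run: ./gradlew checkWithCodenarc checkstyleMain checkstyleTest runUnitTests runLiveObjectUnitTests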
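Review bot: The checkout pin on the new line 16, `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`, freezes a v3 release while every other workflow touched by this commit moved to the v4 SHA `34e114876b0b11c390a56381ad16ebd13914f8d5`; the v3 line targets the Node 16 runtime that GitHub has deprecated, and once SHA-pinned it will not advance without a deliberate edit. Use the same v4 pin here: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`. The same applies to `actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3` on line 20 versus the v4 SHA `c1e323688fd81a25caa38c78aa6df2d33d3e20d9` used in integration-test.yml. Two majors of one action across a repository doubles what has to be re-audited and re-pinned when an advisory is published.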

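--- a/.github/workflows/emulate.yml
+++ b/.github/workflows/emulate.yml
@@ -9,23 +9,27 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         android-api-level: [ 21, 24, 29, 35 ]
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Set up the JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v5
+        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5
         timeout-minutes: 5
 
       # API 30+ emulators only have x86_64 system images.
@@ -38,7 +42,7 @@ jobs:
           sudo udevadm control --reload-rules
           sudo udevadm trigger --name-match=kvm
 
-      - uses: reactivecircus/android-emulator-runner@v2
+      - uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2
         with:
           api-level: ${{ matrix.android-api-level }}
           emulator-options: -no-snapshot-save -no-window -gpu swiftshader_indirect -noaudio -no-boot-anim -camera-back none
@@ -48,7 +52,7 @@ jobs:
           # Print emulator logs if tests fail
           script: ./gradlew :android:connectedAndroidTest ${{ matrix.android-api-level == 19 && '-PhttpURLConnection' || '' }} || (adb logcat -d System.out:I && exit 1)
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: android-build-reports-${{ matrix.android-api-level }}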
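Review bot: The trailing comments on the new pins (`# v4`, `# v3`, `# v5`, `# v2`) name only a major, so a reader cannot tell which release each SHA resolves to and Dependabot/Renovate cannot match the comment to a tag when proposing a bump; a SHA pin with no update path drifts silently behind upstream security fixes. Record the exact tag the SHA was taken from, e.g. `uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2` (the tag I believe this SHA corresponds to — confirm against the upstream release before writing it), and do the same for the other four pins in this file. If a `.github/dependabot.yml` entry for the `github-actions` ecosystem is not already present in the repository, add one in a follow-up so the pins are refreshed automatically.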

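--- a/.github/workflows/example-app.yml
+++ b/.github/workflows/example-app.yml
@@ -9,31 +9,35 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         android-api-level: [ 29 ]
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Set up the JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - name: Enable KVM
         run: |
           echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
           sudo udevadm control --reload-rules
           sudo udevadm trigger --name-match=kvm
 
-      - uses: reactivecircus/android-emulator-runner@v2
+      - uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2
         with:
           api-level: ${{ matrix.android-api-level }}
           emulator-options: -no-snapshot-save -no-window -gpu swiftshader_indirect -noaudio -no-boot-anim -camera-back none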
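Review bot: `gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3` on the new line 32 pins an older major of the same action that emulate.yml, in this same commit, pins at v5 (`0723195856401067f7a2779048b490ace7a47d7c`). Two majors of one action in one repository means two codebases to vet when an advisory lands and two separate pins to bump, for what appears to be an identical setup step. Unless example-app depends on v3-specific behaviour, use the v5 SHA here as well: `uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5`.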

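--- a/.github/workflows/features.yml
+++ b/.github/workflows/features.yml
@@ -8,7 +8,12 @@ on:
 
 jobs:
   build:
-    uses: ably/features/.github/workflows/sdk-features.yml@main
+    permissions:
+      contents: read
+      id-token: write
+      deployments: write
+    uses: ably/features/.github/workflows/sdk-features.yml@6b3fc7a8ede2ebdd7a6325314f3a96c6466f1453 # main
     with:
       repository-name: ably-java
-    secrets: inherit
+    secrets:
+      ABLY_AWS_ACCOUNT_ID_SDK: ${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}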
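Review bot: The reusable-workflow pin on the new line 15 carries the comment `# main`, which is a branch, not a release; the SHA is frozen but nothing records which version of `sdk-features.yml` it is, and Dependabot will not bump a pin whose comment names a branch rather than a tag. Cut a release tag in ably/features and change the comment to that tag, or at minimum put a comment above the `uses:` line such as `# Pinned to a commit on main; there is no release tag — advance by hand when ably/features changes.` Replacing `secrets: inherit` with the single explicit `ABLY_AWS_ACCOUNT_ID_SDK` is the right least-privilege move. Note that `id-token: write` still lets the called workflow mint an OIDC token for any AWS role whose trust policy accepts this repository, so the role's trust condition should be scoped to `repo:ably/ably-java:*` on the AWS side — that is not visible from here.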

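--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -10,101 +10,116 @@ on:
 jobs:
   check-rest-httpurlconnection:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Set up the JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - run: ./gradlew :java:testRestSuite -PhttpURLConnection
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: java-build-reports-rest
           path: java/build/reports/
 
   check-realtime-httpurlconnection:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Set up the JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - run: ./gradlew :java:testRealtimeSuite -PhttpURLConnection
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: java-build-reports-realtime
           path: java/build/reports/
   check-rest-okhttp:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Set up the JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - run: ./gradlew :java:testRestSuite
 
   check-realtime-okhttp:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Set up the JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - run: ./gradlew :java:testRealtimeSuite
 
   check-liveobjects:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Set up the JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - run: ./gradlew runLiveObjectIntegrationTests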
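Review bot: The five jobs repeat the same checkout / setup-java / setup-gradle block, so the new SHA pins and `persist-credentials: false` now exist in five copies that must be kept in lockstep, and the next bump or audit has five places to miss. A single job with a `strategy.matrix` over the Gradle invocation leaves one copy of each pin; each suite is still reported as its own check when `name:` is derived from the matrix entry, though required-check names in branch protection would need updating to match. The matrix values are defined in the workflow file, not taken from event data, so interpolating `${{ matrix.task }}` into `run:` does not open an injection path. Sketch, with the shared setup steps pinned once:

```yaml
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - suite: rest-httpurlconnection
            task: ':java:testRestSuite -PhttpURLConnection'
            reports: java-build-reports-rest
          - suite: realtime-httpurlconnection
            task: ':java:testRealtimeSuite -PhttpURLConnection'
            reports: java-build-reports-realtime
          - suite: rest-okhttp
            task: ':java:testRestSuite'
          - suite: realtime-okhttp
            task: ':java:testRealtimeSuite'
          - suite: liveobjects
            task: 'runLiveObjectIntegrationTests'
    name: check-${{ matrix.suite }}
    steps:
      # … unchanged: checkout (submodules, persist-credentials: false), setup-java, setup-gradle — one pinned copy …
      - run: ./gradlew ${{ matrix.task }}

      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        if: always() && matrix.reports != ''
        with:
          name: ${{ matrix.reports }}
          path: java/build/reports/
```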

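--- a/.github/workflows/javadoc.yml
+++ b/.github/workflows/javadoc.yml
@@ -13,29 +13,31 @@ jobs:
       id-token: write
       deployments: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1
         with:
           aws-region: eu-west-2
           role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-ably-java
           role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
 
       - name: Set up the JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - name: Build docs
         run: ./gradlew javadoc
 
       - name: Upload Documentation
-        uses: ably/sdk-upload-action@v2
+        uses: ably/sdk-upload-action@4e694297f208b72b5a9f6b1248a1556f19f821d6 # v2
         with:
           sourcePath: java/build/docs/javadoc
           githubToken: ${{ secrets.GITHUB_TOKEN }}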
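Review bot: `aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1` on the new line 21 pins the v1 line of that action, which upstream superseded several majors ago (v4 is current) and which, to my recollection, still targets the Node 16 runtime GitHub has deprecated; the SHA freezes that state, so the runtime-deprecation warning in the run log will never clear on its own. Bump to the commit SHA of the current v4 release, keeping the same `role-to-assume` and `role-session-name` inputs, which v4 still accepts. The job's `permissions` block begins above this hunk; since the step needs only OIDC, confirm it grants `contents: read` and `id-token: write` and that `deployments: write` is actually consumed by `ably/sdk-upload-action`, which receives `GITHUB_TOKEN` on the last line, rather than being a leftover grant.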

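--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,9 +7,13 @@ jobs:
   run-on-release:
     runs-on: ubuntu-latest
     if: github.repository == 'ably/ably-java'
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Extract tag
         id: tag
@@ -34,13 +38,13 @@ jobs:
           TAG: ${{ steps.tag.outputs.tag }}
 
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           java-version: 17
           distribution: temurin
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3
 
       - name: Publish and release to Maven Central
         run: ./gradlew publishAndReleaseToMavenCentral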
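Review bot: The job publishes to Maven Central (`./gradlew publishAndReleaseToMavenCentral` on the new line 50), so it presumably consumes signing and repository credentials that `permissions: contents: read` does not govern at all; whatever `env`/secrets it uses are set between the two hunks and are not visible here. Bind the job to a protected GitHub environment so those secrets are only released after a required reviewer approves and only on matching tag refs: add `environment: release` directly under `runs-on: ubuntu-latest` and configure deployment-branch/tag rules and required reviewers on that environment. The `if: github.repository == 'ably/ably-java'` guard stops forks from running the job but does nothing against a tag pushed by any account with write access, which is the scenario an environment gate addresses. The `Extract tag` step's body, which produces the `TAG` value used later, lies between the hunks and was not reviewed.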
