diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d343c5a93d..4ada4d9821 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -23,7 +23,7 @@ updates: interval: "cron" cronjob: "15 9 * * *" cooldown: - default-days: 4 + default-days: 7 - package-ecosystem: "maven" directory: "/" schedule: @@ -31,7 +31,7 @@ updates: interval: "cron" cronjob: "15 10 * * *" cooldown: - default-days: 4 + default-days: 7 ignore: # requires Java 11 - dependency-name: "com.github.spotbugs:spotbugs" diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index cb3d31d1fe..7d38342068 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -76,6 +76,11 @@ on: default: 30 required: false + secrets: + DEVELOCITY_ACCESS_KEY: + description: 'Token for submitting build scan to Develocity' + required: false + env: MAVEN_ARGS: --batch-mode --show-version MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 @@ -90,11 +95,13 @@ jobs: steps: - name: Checkout project if: ${{ !inputs.needs-source-tarball }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download source tarball if: ${{ inputs.needs-source-tarball }} - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ratis-src @@ -105,7 +112,7 @@ jobs: - name: Create cache for Maven dependencies if: ${{ inputs.script == 'build' }} - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.m2/repository/*/*/* 
@@ -116,7 +123,7 @@ jobs: - name: Restore cache for Maven dependencies if: ${{ inputs.script != 'build' }} - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.m2/repository/*/*/* @@ -128,7 +135,7 @@ jobs: - name: Download Maven repo id: download-maven-repo if: ${{ inputs.needs-maven-repo }} - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: maven-repo path: | @@ -136,7 +143,7 @@ jobs: - name: Download binary tarball if: ${{ inputs.needs-binary-tarball }} - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ratis-bin @@ -148,7 +155,7 @@ jobs: - name: Setup java ${{ inputs.java-version }} if: ${{ inputs.java-version }} - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: ${{ inputs.java-version }} @@ -169,7 +176,7 @@ jobs: - name: Archive build results if: ${{ !cancelled() }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ (inputs.split && format('{0}-{1}', inputs.script, inputs.split)) || inputs.script }} path: target/${{ inputs.script }} @@ -179,7 +186,7 @@ jobs: # to avoid the need for 3 more inputs. - name: Store binaries for tests if: ${{ inputs.script == 'build' && !cancelled() }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ratis-bin path: | @@ -188,7 +195,7 @@ jobs: - name: Store source tarball for compilation if: ${{ inputs.script == 'build' && !cancelled() }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ratis-src path: | 
@@ -197,7 +204,7 @@ jobs: - name: Store Maven repo for tests if: ${{ inputs.script == 'build' && !cancelled() }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: maven-repo path: | diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 272cb33d90..d8f9f8365d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -23,6 +23,15 @@ on: description: Ratis git ref (branch, tag or commit hash) default: '' required: false + secrets: + DEVELOCITY_ACCESS_KEY: + description: 'Token for submitting build scan to Develocity' + required: false + SONARCLOUD_TOKEN: + description: 'Token for submitting coverage data to SonarCloud' + required: false + +permissions: { } jobs: build: @@ -31,7 +40,8 @@ jobs: script: build script-args: -Prelease timeout-minutes: 30 - secrets: inherit + secrets: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} compile: needs: @@ -48,14 +58,16 @@ jobs: script-args: -Dmaven.compiler.release=${{ matrix.java }} split: ${{ matrix.java }} timeout-minutes: 30 - secrets: inherit + secrets: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} release: uses: ./.github/workflows/check.yaml with: script: release timeout-minutes: 30 - secrets: inherit + secrets: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} repro: needs: @@ -66,7 +78,8 @@ jobs: script: repro script-args: -Prelease timeout-minutes: 30 - secrets: inherit + secrets: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} basic: strategy: @@ -81,7 +94,8 @@ jobs: with: script: ${{ matrix.check }} timeout-minutes: 30 - secrets: inherit + secrets: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} unit: strategy: @@ -98,7 +112,8 @@ jobs: script-args: -P${{ matrix.profile }}-tests split: ${{ matrix.profile }} timeout-minutes: 60 - secrets: inherit + secrets: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} coverage: needs: 
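Review bot: The new top-level `permissions: { }` in ci.yaml also governs the `coverage` job, whose sonar step later in this file is handed `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; that token now has no scopes at all, so if the scanner relies on it for anything beyond anonymous public reads the step will fail after this change. If it is needed, give only that job an explicit block such as `permissions:` / `contents: read` rather than loosening the workflow default. Separately, `{ }` with inner spaces fails yamllint's default `braces` rule; `permissions: {}` is the conventional spelling, and the same form is introduced in post-commit.yaml, repeat-test.yaml, vulnerability-check.yaml and zizmor.yml in this commit.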
@@ -109,11 +124,12 @@ jobs: if: github.event_name != 'pull_request' steps: - name: Checkout project - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Cache for maven dependencies - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.m2/repository @@ -122,12 +138,12 @@ jobs: restore-keys: | maven-repo- - name: Setup java 17 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: 17 - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: target/artifacts - name: Untar binaries @@ -143,7 +159,7 @@ jobs: SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Archive build results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: always() with: name: ${{ github.job }} diff --git a/.github/workflows/close-stale-pr.yaml b/.github/workflows/close-stale-pr.yaml index 6c24bf0e51..010f0c955d 100644 --- a/.github/workflows/close-stale-pr.yaml +++ b/.github/workflows/close-stale-pr.yaml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-slim steps: - name: Close Stale PRs - uses: actions/stale@v10 + uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: stale-pr-label: 'stale' exempt-draft-pr: false diff --git a/.github/workflows/post-commit.yaml b/.github/workflows/post-commit.yaml index 1d1ba06fd9..4a946f8621 100644 --- a/.github/workflows/post-commit.yaml +++ b/.github/workflows/post-commit.yaml 
@@ -27,10 +27,14 @@ concurrency: group: ci-${{ github.event.pull_request.number || case(github.repository == 'apache/ratis', github.sha, github.ref_name) }} cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'apache/ratis' }} +permissions: { } + jobs: CI: if: github.event_name == 'pull_request' || github.repository == 'apache/ratis' || github.ref_name != 'master' uses: ./.github/workflows/ci.yaml - secrets: inherit + secrets: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} + SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }} diff --git a/.github/workflows/repeat-test.yaml b/.github/workflows/repeat-test.yaml index 9a985fd23c..26fef26f75 100644 --- a/.github/workflows/repeat-test.yaml +++ b/.github/workflows/repeat-test.yaml @@ -49,6 +49,9 @@ env: FAIL_FAST: ${{ github.event.inputs.fail-fast }} SPLITS: ${{ github.event.inputs.splits }} run-name: ${{ github.event_name == 'workflow_dispatch' && format('{0}#{1}[{2}]-{3}x{4}', inputs.test-class, inputs.test-method, inputs.ref, inputs.splits, inputs.iterations) || '' }} + +permissions: { } + jobs: prepare: runs-on: ubuntu-24.04 @@ -95,11 +98,12 @@ jobs: split: ${{ fromJson(needs.prepare.outputs.matrix) }} fail-fast: ${{ fromJson(github.event.inputs.fail-fast) }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false ref: ${{ needs.prepare.outputs.ref }} - name: Cache for maven dependencies - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.m2/repository @@ -108,7 +112,7 @@ jobs: restore-keys: | maven-repo- - name: Setup java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: 8 
@@ -121,7 +125,7 @@ jobs: run: dev-support/checks/_summary.sh target/unit/summary.txt if: ${{ !cancelled() }} - name: Archive build results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: ${{ failure() }} with: name: result-${{ github.run_number }}-${{ github.run_id }}-split-${{ matrix.split }} @@ -132,7 +136,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Download build results - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - name: Count failures run: | failures=$(find . -name 'summary.txt' | grep -v 'iteration' | xargs grep -v 'exit code: 0' | wc -l) diff --git a/.github/workflows/vulnerability-check.yaml b/.github/workflows/vulnerability-check.yaml index a0146f14de..336332a845 100644 --- a/.github/workflows/vulnerability-check.yaml +++ b/.github/workflows/vulnerability-check.yaml @@ -29,15 +29,19 @@ env: MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 MAVEN_ARGS: --batch-mode --no-transfer-progress +permissions: { } + jobs: dependency-check: if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'apache/ratis' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up JDK 11 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: corretto java-version: 11 
@@ -52,13 +56,14 @@ jobs: - name: Generate report date for artifact name run: | - utc_time="${{ github.run_started_at }}" target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d") echo "REPORT_DATE=$target_time" >> $GITHUB_ENV + env: + utc_time: ${{ github.run_started_at }} - name: Upload Artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: vulnerability-check-result-${{ env.REPORT_DATE }} path: target/dependency-check-report.html - retention-days: 15 \ No newline at end of file + retention-days: 15
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..6b7263f91d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: zizmor
+
+on:
+ push:
+ pull_request:
+
+permissions: { }
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
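Review bot: Moving `github.run_started_at` out of the script body and into `env:` removes the template expansion from the shell text, but the redirect `>> $GITHUB_ENV` in the same step is still unquoted; `echo "REPORT_DATE=$target_time" >> "$GITHUB_ENV"` avoids word splitting (SC2086). The lowercase `utc_time` is also an unusual name for an exported environment variable; `UTC_TIME` with `date -d "$UTC_TIME"` would match the `REPORT_DATE` convention used in the same step. The enclosing `dependency-check` job starts outside this hunk.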
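Review bot: The new workflow file is `zizmor.yml` while every other workflow touched by this commit uses the `.yaml` extension (`check.yaml`, `ci.yaml`, `post-commit.yaml`, `repeat-test.yaml`, `vulnerability-check.yaml`); naming it `zizmor.yaml` keeps the directory consistent. The `zizmor` job also sets no `timeout-minutes`, unlike the check.yaml invocations in ci.yaml that pass `timeout-minutes: 30`, so a hung run occupies a runner until the platform default. With `push:` and `pull_request:` both unfiltered, a branch pushed to this repository and its pull request each trigger a run, and if `security-events: write` is requested for a code-scanning upload, pull requests from forks receive a read-only token, so that upload would presumably fail there.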