Skip to content

Commit e3ef2af

Browse files
committed
chore: harden github actions
1 parent 800f96f commit e3ef2af

6 files changed

Lines changed: 132 additions & 130 deletions

File tree

.github/workflows/build-project.yml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -18,19 +18,21 @@ jobs:
1818
name: Build
1919
runs-on: ubuntu-latest
2020
timeout-minutes: 15
21-
21+
permissions:
22+
contents: read
23+
2224
steps:
2325
- name: Checkout
24-
uses: actions/checkout@v4
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
2527

2628
- name: Set up JDK 17
27-
uses: actions/setup-java@v4
29+
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #v4
2830
with:
2931
distribution: 'zulu'
3032
java-version: '17'
3133

3234
- name: Create custom Maven Settings.xml
33-
uses: whelk-io/maven-settings-xml-action@v22
35+
uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d #v22
3436
with:
3537
output_file: custom_maven_settings.xml
3638
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'

.github/workflows/release-please.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ jobs:
1616
release_please:
1717
runs-on: ubuntu-latest
1818
steps:
19-
- uses: google-github-actions/release-please-action@v4
19+
- uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee #v4
2020
id: release
2121
with:
2222
release-type: maven
@@ -25,7 +25,7 @@ jobs:
2525

2626
- if: ${{ steps.release.outputs.release_created }}
2727
name: Checkout
28-
uses: actions/checkout@v4
28+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
2929

3030
- name: Extract tag name
3131
if: ${{ steps.release.outputs.release_created }}
@@ -35,14 +35,14 @@ jobs:
3535
run: echo "##[set-output name=tagname;]$(echo ${GITHUB_REF##*/})"
3636

3737
- name: Set up JDK 17
38-
uses: actions/setup-java@v4
38+
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #v4
3939
if: ${{ steps.release.outputs.release_created }}
4040
with:
4141
distribution: 'zulu'
4242
java-version: '17'
4343

4444
- name: Create custom Maven Settings.xml
45-
uses: whelk-io/maven-settings-xml-action@v22
45+
uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d #v22
4646
if: ${{ steps.release.outputs.release_created }}
4747
with:
4848
output_file: custom_maven_settings.xml

.github/workflows/release-project.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ jobs:
1616
packages: write
1717
steps:
1818
- name: Checkout
19-
uses: actions/checkout@v4
19+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
2020

2121
- name: Extract tag name
2222
id: extract_tagname
@@ -25,13 +25,13 @@ jobs:
2525
run: echo "##[set-output name=tagname;]$(echo ${GITHUB_REF##*/})"
2626

2727
- name: Set up JDK 17
28-
uses: actions/setup-java@v4
28+
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #v4
2929
with:
3030
distribution: 'zulu'
3131
java-version: '17'
3232

3333
- name: Create custom Maven Settings.xml
34-
uses: whelk-io/maven-settings-xml-action@v22
34+
uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d #v22
3535
with:
3636
output_file: custom_maven_settings.xml
3737
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'

.github/workflows/reuse.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,6 @@ jobs:
1111
runs-on: ubuntu-latest
1212
steps:
1313
- name: Checkout
14-
uses: actions/checkout@v4
14+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
1515
- name: REUSE Compliance Check
16-
uses: fsfe/reuse-action@v3
16+
uses: fsfe/reuse-action@a46482ca367aef4454a87620aa37c2be4b2f8106 #v3

.github/workflows/sonarcloud-analysis.yml

Lines changed: 85 additions & 90 deletions
Original file line numberDiff line numberDiff line change
@@ -14,96 +14,91 @@ jobs:
1414
runs-on: ubuntu-latest
1515
if: github.event.workflow_run.conclusion == 'success'
1616
timeout-minutes: 15
17+
permissions:
18+
contents: read
19+
actions: read
20+
pull-requests: read
1721
steps:
18-
- name: echo event
19-
run: cat $GITHUB_EVENT_PATH
20-
- name: Download PR number artifact
21-
if: github.event.workflow_run.event == 'pull_request'
22-
uses: dawidd6/action-download-artifact@v3
23-
with:
24-
workflow: SonarCloud Build
25-
run_id: ${{ github.event.workflow_run.id }}
26-
name: PR_NUMBER
27-
- name: Read PR_NUMBER.txt
28-
if: github.event.workflow_run.event == 'pull_request'
29-
id: pr_number
30-
uses: juliangruber/read-file-action@v1
31-
with:
32-
path: ./PR_NUMBER.txt
33-
- name: Request GitHub API for PR data
34-
if: github.event.workflow_run.event == 'pull_request'
35-
uses: octokit/request-action@v2.x
36-
id: get_pr_data
37-
with:
38-
route: GET /repos/{full_name}/pulls/{number}
39-
number: ${{ steps.pr_number.outputs.content }}
40-
full_name: ${{ github.event.repository.full_name }}
41-
env:
42-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
43-
- uses: actions/checkout@v4
44-
with:
45-
repository: ${{ github.event.workflow_run.head_repository.full_name }}
46-
ref: ${{ github.event.workflow_run.head_branch }}
47-
fetch-depth: 0
48-
- name: Checkout base branch
49-
if: github.event.workflow_run.event == 'pull_request'
50-
run: |
51-
git remote add upstream ${{ github.event.repository.clone_url }}
52-
git fetch upstream
53-
git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
54-
git checkout ${{ github.event.workflow_run.head_branch }}
55-
git clean -ffdx && git reset --hard HEAD
56-
- name: Cache SonarCloud packages
57-
uses: actions/cache@v4
58-
with:
59-
path: ~/.sonar/cache
60-
key: ${{ runner.os }}-sonar
61-
restore-keys: ${{ runner.os }}-sonar
62-
- name: Cache Maven packages
63-
uses: actions/cache@v4
64-
with:
65-
path: ~/.m2
66-
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
67-
restore-keys: ${{ runner.os }}-m2
22+
- name: echo event
23+
run: cat $GITHUB_EVENT_PATH
24+
- name: Download PR number artifact
25+
if: github.event.workflow_run.event == 'pull_request'
26+
uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
27+
with:
28+
workflow: SonarCloud Build
29+
run_id: ${{ github.event.workflow_run.id }}
30+
name: PR_NUMBER
31+
- name: Read PR_NUMBER.txt
32+
if: github.event.workflow_run.event == 'pull_request'
33+
id: pr_number
34+
uses: juliangruber/read-file-action@271ff311a4947af354c6abcd696a306553b9ec18 # v1
35+
with:
36+
path: ./PR_NUMBER.txt
37+
- name: Request GitHub API for PR data
38+
if: github.event.workflow_run.event == 'pull_request'
39+
uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
40+
id: get_pr_data
41+
with:
42+
route: GET /repos/{full_name}/pulls/{number}
43+
number: ${{ steps.pr_number.outputs.content }}
44+
full_name: ${{ github.event.repository.full_name }}
45+
env:
46+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
47+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
48+
with:
49+
fetch-depth: 0
50+
- name: Download build artifacts
51+
uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
52+
with:
53+
workflow: SonarCloud Build
54+
run_id: ${{ github.event.workflow_run.id }}
55+
name: build-artifacts
56+
- name: Cache SonarCloud packages
57+
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
58+
with:
59+
path: ~/.sonar/cache
60+
key: ${{ runner.os }}-sonar
61+
restore-keys: ${{ runner.os }}-sonar
6862

69-
- name: Set up JDK 17
70-
uses: actions/setup-java@v4
71-
with:
72-
distribution: 'zulu'
73-
java-version: '17'
63+
- name: Set up JDK 17
64+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
65+
with:
66+
distribution: 'zulu'
67+
java-version: '17'
68+
cache: 'maven'
7469

75-
- name: Set Common Sonar Variables
76-
id: sonar_env
77-
run: |
78-
echo "##[set-output name=sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \
79-
-Dsonar.projectKey=com-pas_compas-core \
80-
-Dsonar.organization=com-pas )"
81-
- name: Create custom Maven Settings.xml
82-
uses: whelk-io/maven-settings-xml-action@v22
83-
with:
84-
output_file: custom_maven_settings.xml
85-
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
86-
- name: Build and analyze (Pull Request)
87-
if: ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }}
88-
env:
89-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
90-
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
91-
run: |
92-
./mvnw -B -s custom_maven_settings.xml -Psonar \
93-
${{ steps.sonar_env.outputs.sonar_opts }} \
94-
-Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \
95-
-Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \
96-
-Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \
97-
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
98-
clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
99-
- name: Build and analyze (Push)
100-
if: ${{ github.event.workflow_run.event == 'push' }}
101-
env:
102-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
103-
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
104-
run: |
105-
./mvnw -B -s custom_maven_settings.xml -Psonar \
106-
${{ steps.sonar_env.outputs.sonar_opts }} \
107-
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
108-
-Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \
109-
clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
70+
- name: Set Common Sonar Variables
71+
id: sonar_env
72+
run: |
73+
echo "sonar_opts=-Dsonar.host.url=https://sonarcloud.io \
74+
-Dsonar.projectKey=com-pas_compas-core \
75+
-Dsonar.organization=com-pas" >> $GITHUB_OUTPUT
76+
- name: Create custom Maven Settings.xml
77+
uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
78+
with:
79+
output_file: custom_maven_settings.xml
80+
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
81+
- name: Build and analyze (Pull Request)
82+
if: ${{ github.event.workflow_run.event == 'pull_request' }}
83+
env:
84+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
85+
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
86+
run: |
87+
mvn -B -s custom_maven_settings.xml -Psonar \
88+
${{ steps.sonar_env.outputs.sonar_opts }} \
89+
-Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \
90+
-Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \
91+
-Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \
92+
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
93+
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
94+
- name: Build and analyze (Push)
95+
if: ${{ github.event.workflow_run.event == 'push' }}
96+
env:
97+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
98+
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
99+
run: |
100+
mvn -B -s custom_maven_settings.xml -Psonar \
101+
${{ steps.sonar_env.outputs.sonar_opts }} \
102+
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
103+
-Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \
104+
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

.github/workflows/sonarcloud-build.yml

Lines changed: 32 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -12,66 +12,71 @@ on:
1212
branches:
1313
- 'main'
1414
- 'develop'
15-
pull_request_target:
16-
branches:
17-
- 'main'
18-
- 'develop'
1915

2016
jobs:
2117
precheck-build:
2218
name: Pre Check Build
2319
runs-on: ubuntu-latest
2420
timeout-minutes: 30
21+
permissions:
22+
contents: read
2523

26-
if: ${{ (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
2724
steps:
2825
- name: Checkout
29-
uses: actions/checkout@v4
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
3027
with:
3128
fetch-depth: 0
3229

3330
- name: Cache SonarCloud packages
34-
uses: actions/cache@v4
31+
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
3532
with:
3633
path: ~/.sonar/cache
3734
key: ${{ runner.os }}-sonar
3835
restore-keys: ${{ runner.os }}-sonar
39-
- name: Cache Maven packages
40-
uses: actions/cache@v4
41-
with:
42-
path: ~/.m2
43-
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
44-
restore-keys: ${{ runner.os }}-m2
45-
4636
- name: Set up JDK 17
47-
uses: actions/setup-java@v4
37+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
4838
with:
4939
distribution: 'zulu'
5040
java-version: '17'
41+
cache: 'maven'
5142

5243
- name: Create custom Maven Settings.xml
53-
uses: whelk-io/maven-settings-xml-action@v22
44+
uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
5445
with:
5546
output_file: custom_maven_settings.xml
5647
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
57-
- name: Build and analyze (Pull Request)
58-
if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
48+
49+
- name: Build
5950
env:
6051
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6152
run: |
62-
./mvnw -B -s custom_maven_settings.xml clean verify
63-
- name: Build and analyze (Push)
64-
if: ${{ github.event_name == 'push' }}
65-
env:
66-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
67-
run: |
68-
./mvnw -B -s custom_maven_settings.xml clean verify
53+
./mvnw -B -s custom_maven_settings.xml -Psonar clean verify
54+
- name: Upload build artifacts
55+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
56+
with:
57+
name: build-artifacts
58+
path: |
59+
commons/src/
60+
commons/target/
61+
rest-commons/src/
62+
rest-commons/target/
63+
scl-extension/src/
64+
scl-extension/target/
65+
scl2003/src/
66+
scl2003/target/
67+
scl2007b/src/
68+
scl2007b/target/
69+
scl2007b4/src/
70+
scl2007b4/target/
71+
websocket-commons/src/
72+
websocket-commons/target/
73+
retention-days: 1
6974
- name: Save PR number to file
7075
if: github.event_name == 'pull_request'
71-
run: echo ${{ github.event.number }} > PR_NUMBER.txt
76+
run: echo ${{ github.event.pull_request.number }} > PR_NUMBER.txt
7277
- name: Archive PR number
7378
if: github.event_name == 'pull_request'
74-
uses: actions/upload-artifact@v4
79+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
7580
with:
7681
name: PR_NUMBER
7782
path: PR_NUMBER.txt

0 commit comments

Comments
 (0)