From 52b672d88f88ea603a320e182827da0458bf7e5a Mon Sep 17 00:00:00 2001 From: Vaso Putica Date: Thu, 16 Apr 2026 23:33:45 +0200 Subject: [PATCH 1/6] Upgrade Jackson to fix Trivy finding --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7b48a6c..a1814a0 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ --add-opens=java.base/java.net=ALL-UNNAMED 3.0.12 - 2.16.2 + 2.18.6 ${jackson.version} 1.8 1.8 From 505d5d62c4830cff46fa3f014044df11662cb4a5 Mon Sep 17 00:00:00 2001 From: Vaso Putica Date: Thu, 16 Apr 2026 18:12:26 +0200 Subject: [PATCH 2/6] Pin workflow actions --- .github/workflows/build-trivy.yaml | 2 +- .github/workflows/test-against-released.yml | 12 ++++++------ .github/workflows/test-against-snapshot-1440.yml | 12 ++++++------ .github/workflows/test-against-snapshot.yml | 12 ++++++------ 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build-trivy.yaml b/.github/workflows/build-trivy.yaml index d8d6591..eab09a9 100644 --- a/.github/workflows/build-trivy.yaml +++ b/.github/workflows/build-trivy.yaml @@ -44,7 +44,7 @@ jobs: # Checkout the source, we need a depth of zero to fetch all the history otherwise # the copyright check cannot work out the date of the files from Git. steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/test-against-released.yml b/.github/workflows/test-against-released.yml index 8d0f023..ca3aabc 100644 --- a/.github/workflows/test-against-released.yml +++ b/.github/workflows/test-against-released.yml 
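Review bot: The checkout step in build-trivy.yaml is not only pinned but moved from actions/checkout@v4 to the v6.0.2 commit, and the companion hunks in test-against-released.yml, test-against-snapshot-1440.yml and test-against-snapshot.yml do the same for cache (v4→v5), setup-java (v4→v5) and upload-artifact (v4→v7), so this commit is a set of major upgrades as much as a pinning change, yet the title and the hunks say nothing about the behaviour differences of the new majors having been checked. State the upgrades in the commit message or land them separately from the pin so a failure can be bisected. While these checkout steps are being touched, none of the visible build/test steps needs the repository token that checkout persists into the workspace, so `persist-credentials: false` under each checkout's `with:` (as the macaron workflow added later in this series already does) would keep it out of the job; keep the default only where a step outside the hunk actually pushes. Each `steps:` list continues outside its hunk.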
@@ -50,17 +50,17 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Cache Maven packages - uses: actions/cache@v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.m2 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2 - name: Set up JDK 11 for Build - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: '17' distribution: 'zulu' @@ -80,20 +80,20 @@ jobs: mvn --file coherence-visualvm-tests/coherence-visualvm-tests-ce/pom.xml --batch-mode -e -Dcoherence.version=${{ matrix.version }} clean install - name: Build Artifacts test logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: failure() with: name: test-output-${{ matrix.version }} path: coherence-visualvm-tests/**/target/test-output/**/* - name: Coherence VisualVM Plugin NBM - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: coherence-visualvm-plugin-nbm-${{ matrix.version }} path: coherence-visualvm-plugin/target/coherence-visualvm-plugin*.nbm - name: Coherence VisualVM Plugin Javadoc - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: coherence-visualvm-plugin-javadoc-${{ matrix.version }} path: coherence-visualvm-plugin/target/coherence-visualvm-plugin*javadoc.jar diff --git a/.github/workflows/test-against-snapshot-1440.yml b/.github/workflows/test-against-snapshot-1440.yml index 3af1e65..63b9222 100644 --- a/.github/workflows/test-against-snapshot-1440.yml +++ b/.github/workflows/test-against-snapshot-1440.yml 
@@ -48,10 +48,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Cache Maven packages - uses: actions/cache@v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.m2 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} @@ -61,7 +61,7 @@ jobs: run: mvn -version && ant -version - name: Set up JDK 11 for Plugin - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: 11 distribution: 'zulu' @@ -80,20 +80,20 @@ jobs: mvn --file coherence-visualvm-tests/coherence-visualvm-tests-ce/pom.xml --batch-mode -nsu -e -Dcoherence.version=$COH_VERSION clean install - name: Build Artifacts test logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: failure() with: name: test-output-${{ matrix.coherenceVersion }} path: coherence-visualvm-tests/**/target/test-output/**/* - name: Coherence VisualVM Plugin NBM - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: coherence-visualvm-plugin-nbm-${{ matrix.coherenceVersion }} path: coherence-visualvm-plugin/target/coherence-visualvm-plugin*.nbm - name: Coherence VisualVM Plugin Javadoc - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: coherence-visualvm-plugin-javadoc-${{ matrix.coherenceVersion }} path: coherence-visualvm-plugin/target/coherence-visualvm-plugin*javadoc.jar diff --git a/.github/workflows/test-against-snapshot.yml b/.github/workflows/test-against-snapshot.yml index 9d97244..52dbe9b 100644 --- a/.github/workflows/test-against-snapshot.yml +++ b/.github/workflows/test-against-snapshot.yml 
@@ -51,17 +51,17 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Cache Maven packages - uses: actions/cache@v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # 5.0.5 with: path: ~/.m2 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2-snapshots - name: Set up JDK 17 for Build - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: 17 distribution: 'zulu' @@ -86,20 +86,20 @@ jobs: mvn --file coherence-visualvm-tests/coherence-visualvm-tests-topics/pom.xml -P topics --batch-mode -nsu -e -Dcoherence.version=$COH_VERSION clean install - name: Build Artifacts test logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: failure() with: name: test-output-${{ matrix.coherenceVersion }} path: coherence-visualvm-tests/**/target/test-output/**/* - name: Coherence VisualVM Plugin NBM - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: coherence-visualvm-plugin-nbm-${{ matrix.coherenceVersion }} path: coherence-visualvm-plugin/target/coherence-visualvm-plugin*.nbm - name: Coherence VisualVM Plugin Javadoc - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: coherence-visualvm-plugin-javadoc-${{ matrix.coherenceVersion }} path: coherence-visualvm-plugin/target/coherence-visualvm-plugin*javadoc.jar From fe47dc721a3678761766364c4ea4dae1097db53e Mon Sep 17 00:00:00 2001 
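Review bot: The pin comment on the cache step reads `# 5.0.5` while every other pin in this series is written `# v5.0.5`, and tooling that maintains SHA pins typically reads that trailing comment to recognise the pinned release, so the odd one out will drift from the others and also reads as if a different version had been meant. Change the line to `uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5`. The step list continues outside the hunk.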
From: Vaso Putica Date: Thu, 16 Apr 2026 17:54:11 +0200 Subject: [PATCH 3/6] Update workflow permissions --- .github/workflows/build-trivy.yaml | 3 +++ .github/workflows/test-against-released.yml | 3 +++ .github/workflows/test-against-snapshot-1440.yml | 3 +++ .github/workflows/test-against-snapshot.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/.github/workflows/build-trivy.yaml b/.github/workflows/build-trivy.yaml index eab09a9..74e6ff6 100644 --- a/.github/workflows/build-trivy.yaml +++ b/.github/workflows/build-trivy.yaml @@ -37,6 +37,9 @@ on: # Every day at midnight - cron: '0 0 * * *' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/test-against-released.yml b/.github/workflows/test-against-released.yml index ca3aabc..9a32ef3 100644 --- a/.github/workflows/test-against-released.yml +++ b/.github/workflows/test-against-released.yml @@ -34,6 +34,9 @@ on: branches: - '*' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/test-against-snapshot-1440.yml b/.github/workflows/test-against-snapshot-1440.yml index 63b9222..fef2474 100644 --- a/.github/workflows/test-against-snapshot-1440.yml +++ b/.github/workflows/test-against-snapshot-1440.yml @@ -37,6 +37,9 @@ on: # Every day at midnight - cron: '0 0 * * *' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/test-against-snapshot.yml b/.github/workflows/test-against-snapshot.yml index 52dbe9b..2f8a781 100644 --- a/.github/workflows/test-against-snapshot.yml +++ b/.github/workflows/test-against-snapshot.yml @@ -37,6 +37,9 @@ on: # Every day at midnight - cron: '0 0 * * *' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From 3ea31b750035bd98a254f2bbc1d35cc66a91e14f Mon Sep 17 00:00:00 2001 
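Review bot: `permissions: contents: read` at workflow level is the right default, but for build-trivy.yaml the rest of the job is outside the hunk, so confirm no later step needs more: if the Trivy scan uploads SARIF to code scanning, that step needs `security-events: write` and will now fail with a permission error. The identical block in the three test-against-* workflows looks complete, since the steps visible elsewhere in this series (checkout, cache, setup-java, mvn, upload-artifact) need nothing beyond read access. If a scope turns out to be needed, grant it on that job (`jobs.build.permissions:`) rather than widening the workflow-level default.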
From: Vaso Putica Date: Thu, 16 Apr 2026 22:50:21 +0200 Subject: [PATCH 4/6] Bump Coherence versions in test against snapshots workflow --- .github/workflows/test-against-snapshot-1440.yml | 2 +- .github/workflows/test-against-snapshot.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test-against-snapshot-1440.yml b/.github/workflows/test-against-snapshot-1440.yml index fef2474..cdeee8c 100644 --- a/.github/workflows/test-against-snapshot-1440.yml +++ b/.github/workflows/test-against-snapshot-1440.yml @@ -47,7 +47,7 @@ jobs: fail-fast: false matrix: coherenceVersion: - - 14.1.1-0-23-SNAPSHOT + - 14.1.1-0-25-SNAPSHOT steps: - name: Checkout diff --git a/.github/workflows/test-against-snapshot.yml b/.github/workflows/test-against-snapshot.yml index 2f8a781..f3c9870 100644 --- a/.github/workflows/test-against-snapshot.yml +++ b/.github/workflows/test-against-snapshot.yml @@ -47,10 +47,10 @@ jobs: fail-fast: false matrix: coherenceVersion: - - 25.03.3-SNAPSHOT + - 15.1.1-0-2-SNAPSHOT - 25.09-SNAPSHOT - - 22.06.14-SNAPSHOT - - 14.1.2-0-4-SNAPSHOT + - 22.06.16-SNAPSHOT + - 14.1.2-0-6-SNAPSHOT steps: - name: Checkout From ca881ba27acede85724b4f58f0e2862fe9cce8b7 Mon Sep 17 00:00:00 2001 From: Vaso Putica Date: Thu, 16 Apr 2026 17:44:58 +0200 Subject: [PATCH 5/6] Add workflow to check GitHub Actions with Macaron --- .../macaron-check-github-actions.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/macaron-check-github-actions.yml diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml new file mode 100644 index 0000000..8162fb8 --- /dev/null +++ b/.github/workflows/macaron-check-github-actions.yml 
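Review bot: In test-against-snapshot.yml the first matrix entry is replaced rather than bumped: `25.03.3-SNAPSHOT` becomes `15.1.1-0-2-SNAPSHOT`, so the 25.03 line is no longer tested at all while the commit title describes only a bump. If dropping 25.03 coverage is intended, say so in the commit message; otherwise keep the 25.03 entry and add `- 15.1.1-0-2-SNAPSHOT` as a new line. The other three entries are plain bumps. The matrix block continues outside the hunk.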
@@ -0,0 +1,39 @@
+name: Macaron check-github-actions
+
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ workflow_dispatch:
+ schedule:
+ - cron: "17 4 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ macaron-check-github-actions:
+ name: Macaron policy verification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run Macaron check-github-actions policy
+ uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
+ with:
+ repo_path: https://github.com/${{ github.repository }}
+ # repo_path: ./
+ policy_file: check-github-actions
+ policy_purl: pkg:github/${{ github.repository }}@${{ github.sha }}
+ reports_retention_days: 90
+
From ac186db781d603d8b94c8cf309f1f334ea86d029 Mon Sep 17 00:00:00 2001
From: Vaso Putica
Date: Fri, 17 Apr 2026 00:31:40 +0200
Subject: [PATCH 6/6] Configure Macaron workflow to use local defaults
Run the Macaron GitHub Actions policy against the checked-out repository, load exclusions from a shared defaults file, and use a repository-level policy PURL pattern instead of pinning to one commit SHA.
---
.github/macaron/defaults.ini | 13 +++++++++++++
.github/workflows/macaron-check-github-actions.yml | 8 ++++----
2 files changed, 17 insertions(+), 4 deletions(-)
create mode 100644 .github/macaron/defaults.ini
diff --git a/.github/macaron/defaults.ini b/.github/macaron/defaults.ini
new file mode 100644
index 0000000..41f0ef9
--- /dev/null
+++ b/.github/macaron/defaults.ini
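Review bot: The new workflow has no comment saying what the Macaron check-github-actions policy verifies, so a maintainer seeing it fail has to go to the Macaron docs to learn whether the fix is to pin an action or to adjust the policy. A short header above `name:`, for example `# Runs Macaron's check-github-actions policy against this repository's workflows and actions`, followed by one line stating what the policy checks (taken from the Macaron docs for the pinned v0.23.0 rather than guessed), would make the failure actionable. The `repo_path` / `policy_purl` inputs are reworked by the last patch in this series, so they are not raised here.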
@@ -0,0 +1,13 @@ +[analysis.checks] +exclude = + mcn_build_as_code_1 + mcn_build_service_1 + mcn_find_artifact_pipeline_1 + mcn_provenance_available_1 + mcn_provenance_verified_1 + mcn_provenance_derived_commit_1 + mcn_provenance_derived_repo_1 + mcn_provenance_witness_level_one_1 + mcn_provenance_expectation_1 + mcn_trusted_builder_level_three_1 +include = * diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml index 8162fb8..d8de3dd 100644 --- a/.github/workflows/macaron-check-github-actions.yml +++ b/.github/workflows/macaron-check-github-actions.yml @@ -26,14 +26,14 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + fetch-depth: 0 persist-credentials: false - name: Run Macaron check-github-actions policy uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0 with: - repo_path: https://github.com/${{ github.repository }} - # repo_path: ./ + repo_path: ./ + defaults_path: .github/macaron/defaults.ini policy_file: check-github-actions - policy_purl: pkg:github/${{ github.repository }}@${{ github.sha }} + policy_purl: pkg:github.com/${{ github.repository }}@.* reports_retention_days: 90 -
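Review bot: The new defaults.ini excludes ten checks without recording why, and this file is where a future maintainer will look when deciding whether an exclusion can be lifted; add a comment block above `exclude =` giving the rationale, for example `# Build/provenance checks are excluded: this run only verifies GitHub Actions usage; revisit if the project starts publishing provenance.` (the reason is only inferable from the check names here, so word it from what was actually decided). It is also worth confirming, from the run's report, how Macaron resolves `include = *` against `exclude =`: if include were applied last, every check would run and the exclusions would be silent no-ops. The workflow hunk in this patch only redirects the run to the checkout and this defaults file, so it needs nothing further.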