diff --git a/.github/workflows/changelog_generation.yaml b/.github/workflows/changelog_generation.yaml index 2231e818db28..b06ae4f7d34d 100644 --- a/.github/workflows/changelog_generation.yaml +++ b/.github/workflows/changelog_generation.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: types: @@ -23,9 +26,10 @@ jobs: github.event.sender.login == 'release-please[bot]' && github.head_ref == 'release-please--branches--main' && contains(github.event.pull_request.labels.*.name, 'autorelease: pending') steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: ref: ${{ github.head_ref }} + persist-credentials: false - name: Show status of the branch checked out run: | git status diff --git a/.github/workflows/changelog_generation_test.yaml b/.github/workflows/changelog_generation_test.yaml index 299906f4afb6..9cf1f7614320 100644 --- a/.github/workflows/changelog_generation_test.yaml +++ b/.github/workflows/changelog_generation_test.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: CHANGELOG.md generation test on: @@ -11,7 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Unit Test run: | python3 .github/release-note-generation/unit_test.py diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index da9d472adaf0..13f4d80dd22b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
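Review bot: In changelog_generation.yaml the checkout of `${{ github.head_ref }}` now sets `persist-credentials: false` under a workflow-level `contents: read`, which leaves no push credential in the job's git config. If a step after `git status` (outside this hunk) commits the regenerated changelog back to the release-please branch, it will fail unless it authenticates explicitly. The same applies to the `@@ -56,8 +59,10 @@` hunk of generate_new_client_hermetic_build.yaml, whose job declares `contents: write` and `pull-requests: write` and whose later script is commented `create and push to branch in origin`. Confirm that each pushing step supplies its own token, and record that at the checkout with a comment such as `# credentials are not persisted; the push step authenticates with its own token`.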
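Review bot: In ci.yaml the new `permissions:` block is placed above the Apache license header, so the file no longer opens with its copyright notice; the same placement recurs in java-bigtable-ci.yaml, java-bigtable-conformance.yaml, java-firestore-ci.yaml, java-pubsub-ci.yaml, java-shared-config-ci.yaml and java-spanner-jdbc-ci.yaml. Moving the block below the header, next to the workflow's other top-level keys, keeps the header first and puts the token scope where readers look for workflow-level settings. A one-line comment such as `# Default GITHUB_TOKEN scope; jobs that need more declare their own permissions.` would also record the intent.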
@@ -32,7 +35,9 @@ jobs: # runnable is true if there are changes outside the .github/workflows directory OR if ci.yaml itself (or kokoro scripts) is modified. runnable: ${{ fromJSON(steps.filter.outputs.all_count) > fromJSON(steps.filter.outputs.workflows_count) || fromJSON(steps.filter.outputs.ci_count) > 0 }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false # Use this action, rather than a file filter so that we can make this # mandatory. # See https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#example-including-branches @@ -65,16 +70,18 @@ jobs: id: date if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} - - uses: actions/setup-java@v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: distribution: temurin java-version: ${{matrix.java}} - run: java -version if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: mvn-cache if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: 
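Review bot: The `id: date` step kept as context in the second ci.yaml hunk still uses the deprecated `::set-output` workflow command, which this hardening pass leaves in place; the same line appears in the ci.yaml hunks starting at old lines 94, 233, 256 and 381. Writing to the output file avoids the stdout-parsed command: `run: echo "week_of_year=$(date +'%W' --utc)" >> "$GITHUB_OUTPUT"`. The step's `id: date` and its consumers stay unchanged.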
@@ -94,9 +101,11 @@ jobs: id: date if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} - - uses: actions/setup-java@v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: java-version: 8 @@ -107,13 +116,13 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: java-version: 11 distribution: temurin cache: maven - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: mvn-cache if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: @@ -135,7 +144,9 @@ jobs: outputs: packages: ${{ steps.filter.outputs.changes }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -233,8 +244,10 @@ jobs: - name: Get current week within the year id: date run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} 
@@ -256,14 +269,16 @@ jobs: - name: Get current week within the year id: date run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin cache: maven - run: java -version - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: mvn-cache with: path: ~/.m2/repository @@ -274,7 +289,7 @@ jobs: env: BUILD_SUBDIR: ${{matrix.package}} JOB_TYPE: install - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{matrix.java}} distribution: temurin @@ -301,8 +316,10 @@ jobs: matrix: package: ${{ fromJSON(needs.changes.outputs.packages) }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -318,8 +335,10 @@ jobs: matrix: package: ${{ fromJSON(needs.changes.outputs.packages) }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 
@@ -344,8 +363,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -360,10 +381,11 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -381,8 +403,10 @@ jobs: - name: Get current week within the year id: date run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -399,8 +423,10 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -410,7 +436,7 @@ jobs: env: JOB_TYPE: install - name: Validate gapic-libraries-bom - uses: googleapis/java-cloud-bom/tests/validate-bom@v26.79.0 + uses: googleapis/java-cloud-bom/tests/validate-bom@377c8d1fac6b1521dc52a10f4d02e5d371a0de67 # v26.79.0 with: bom-path: gapic-libraries-bom/pom.xml generation-config-check: 
@@ -418,9 +444,13 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + # zizmor: ignore[template-injection] + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: validate generation configuration shell: bash + # zizmor: ignore[template-injection] run: | bash generation/run_generator_docker.sh "${library_generation_image_tag}" "${{ github.base_ref || 'main' }}" \ -e GENERATOR_VERSION="${library_generation_image_tag}" \ diff --git a/.github/workflows/create_additional_release_tag.yaml b/.github/workflows/create_additional_release_tag.yaml index e93a801c20c9..0d340f1096e2 100644 --- a/.github/workflows/create_additional_release_tag.yaml +++ b/.github/workflows/create_additional_release_tag.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: Create additional tags for each release on: @@ -13,9 +16,10 @@ jobs: contents: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: token: ${{ secrets.CLOUD_JAVA_BOT_GITHUB_TOKEN }} + persist-credentials: false - name: Set up Git run: | git config --local user.email "action@github.com" diff --git a/.github/workflows/generate_new_client_hermetic_build.yaml b/.github/workflows/generate_new_client_hermetic_build.yaml index e59fba01bd7b..739ed0530d68 100644 --- a/.github/workflows/generate_new_client_hermetic_build.yaml +++ b/.github/workflows/generate_new_client_hermetic_build.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: Generate new GAPIC client library (Hermetic Build) on: workflow_dispatch: 
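Review bot: The `run:` block of the `validate generation configuration` step still expands `${{ github.base_ref || 'main' }}` directly into the shell script, and the finding is silenced with `# zizmor: ignore[template-injection]` instead of being removed. Passing the value through the environment makes the suppression unnecessary: add `base_ref: ${{ github.base_ref || 'main' }}` under an `env:` key on the step and use `"${base_ref}"` in the command. The first ignore comment, placed above the `actions/checkout` step, covers no template expression visible in this hunk and can likely be dropped. The script continues past the end of the hunk, so any further expansions there need the same treatment.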
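Review bot: In create_additional_release_tag.yaml the checkout is given `token: ${{ secrets.CLOUD_JAVA_BOT_GITHUB_TOKEN }}` and now also `persist-credentials: false`, so the bot token is used for the fetch and then not stored in the local git config. The job declares `contents: write` and goes on to a `Set up Git` step, so it presumably pushes tags later (outside this hunk); that push would run without credentials unless the step supplies the token itself. If that is the intent, pass the secret to the pushing step through `env:` and say so in a comment, e.g. `# token is not persisted; the tag push step authenticates explicitly`. Otherwise the `token:` input only affects the initial fetch.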
@@ -56,8 +59,10 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4 with: python-version: '3.9' cache: 'pip' # caching pip dependencies @@ -90,7 +95,7 @@ jobs: # create and push to branch in origin # random_id allows multiple runs of this workflow random_id=$(tr -dc A-Za-z0-9 > $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -93,8 +102,10 @@ jobs: run: git config --system core.longpaths true - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 8 @@ -107,8 +118,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -118,8 +131,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 
@@ -132,10 +147,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-bigquery-scorecard.yml b/.github/workflows/java-bigquery-scorecard.yml index d2063b876cce..8d30193de908 100644 --- a/.github/workflows/java-bigquery-scorecard.yml +++ b/.github/workflows/java-bigquery-scorecard.yml @@ -15,7 +15,7 @@ on: branches: [ "main" ] # Declare default permissions as read only. -permissions: read-all +permissions: read-all # zizmor: ignore[excessive-permissions] env: BUILD_SUBDIR: java-bigquery @@ -25,7 +25,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -83,6 +85,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 + uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 with: sarif_file: results.sarif diff --git a/.github/workflows/java-bigtable-ci.yaml b/.github/workflows/java-bigtable-ci.yaml index b935cf9eed1b..9049505d59a8 100644 --- a/.github/workflows/java-bigtable-ci.yaml +++ b/.github/workflows/java-bigtable-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
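Review bot: `permissions: read-all` in java-bigquery-scorecard.yml is kept and the finding is suppressed with `# zizmor: ignore[excessive-permissions]`, while the other workflows in this commit get a workflow-level `contents: read`. `read-all` grants read access on every scope to all jobs, including the path-filter job in the next hunk, which only checks out the repository and runs `dorny/paths-filter`. Consider the same workflow-level `contents: read` here, with additional scopes declared on the scorecard job itself; that job's definition is outside these hunks, so its current `permissions:` block needs checking first. If `read-all` is retained on purpose, the inline comment should say why rather than only silence the linter.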
@@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 
@@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/java-bigtable-conformance.yaml b/.github/workflows/java-bigtable-conformance.yaml index 621e4ac6784e..5355df0f02ca 100644 --- a/.github/workflows/java-bigtable-conformance.yaml +++ b/.github/workflows/java-bigtable-conformance.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -39,17 +44,20 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: googleapis/cloud-bigtable-clients-test ref: main path: cloud-bigtable-clients-test - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: 11 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '>=1.20.2' - run: java -version diff --git a/.github/workflows/java-firestore-ci.yaml b/.github/workflows/java-firestore-ci.yaml index f4fac240ee4e..39fcadd44c36 100644 --- a/.github/workflows/java-firestore-ci.yaml +++ b/.github/workflows/java-firestore-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | 
@@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} 
@@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/java-pubsub-ci.yaml b/.github/workflows/java-pubsub-ci.yaml index f0e9d4f05b80..bb03a83d2895 100644 --- a/.github/workflows/java-pubsub-ci.yaml +++ b/.github/workflows/java-pubsub-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | 
@@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} 
@@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/java-shared-config-ci.yaml b/.github/workflows/java-shared-config-ci.yaml index b480c92ceff5..1bfa1f39645d 100644 --- a/.github/workflows/java-shared-config-ci.yaml +++ b/.github/workflows/java-shared-config-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | 
@@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} 
@@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/java-shared-config-downstream-dependencies.yaml b/.github/workflows/java-shared-config-downstream-dependencies.yaml index 923068923ba3..7216d3e35885 100644 --- a/.github/workflows/java-shared-config-downstream-dependencies.yaml +++ b/.github/workflows/java-shared-config-downstream-dependencies.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -12,8 +15,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | 
@@ -34,8 +39,10 @@ jobs: - java-storage - java-pubsub steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: ${{matrix.java}} @@ -71,8 +78,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: 11 diff --git a/.github/workflows/java-shared-config-downstream-maven-plugins.yaml b/.github/workflows/java-shared-config-downstream-maven-plugins.yaml index 68428c6b68b1..afc7565c1102 100644 --- a/.github/workflows/java-shared-config-downstream-maven-plugins.yaml +++ b/.github/workflows/java-shared-config-downstream-maven-plugins.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -16,8 +19,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | 
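Review bot: java-shared-config-downstream-dependencies.yaml now pins `actions/checkout` to two different commits: `11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` in this matrix job and `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` in the filter job of the same file; java-shared-config-downstream-maven-plugins.yaml has the same mix. Using one commit per action across the repository makes the pins easier to audit and to update in one pass. The `# v4` annotations name a moving major tag, so they do not tell a reviewer which release the SHA corresponds to; an exact tag in the comment, as already done with `# v4.2.2` and `# v4.0.1`, lets the pin be checked against the upstream release.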
@@ -40,8 +45,10 @@ jobs: - javadoc # maven-javadoc-plugin - javadoc-with-doclet # test javadoc generation with doclet steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: 11 @@ -55,7 +62,7 @@ jobs: LIB_DIR="${{matrix.repo}}" LIB_NAME="google-cloud-${LIB_DIR#java-}" mvn install -pl ${LIB_DIR}/${LIB_NAME} -am -DskipTests=true -Dmaven.javadoc.skip=true -Dgcloud.download.skip=true -B -V -q - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: ${{matrix.java}} @@ -77,10 +84,11 @@ jobs: job-type: - lint # fmt-maven-plugin and google-java-format steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: ${{matrix.java}} @@ -131,8 +139,10 @@ jobs: - java-datastore - java-bigquerystorage steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-integration-tests-against-emulator.yaml b/.github/workflows/java-spanner-integration-tests-against-emulator.yaml index 36f2f467f6b5..705ccb3a6018 100644 --- a/.github/workflows/java-spanner-integration-tests-against-emulator.yaml 
+++ b/.github/workflows/java-spanner-integration-tests-against-emulator.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -10,7 +13,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -24,14 +29,16 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 - 9020:9020 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/java-spanner-jdbc-ci.yaml b/.github/workflows/java-spanner-jdbc-ci.yaml index f3da655c477b..e478adc9c9a7 100644 --- a/.github/workflows/java-spanner-jdbc-ci.yaml +++ b/.github/workflows/java-spanner-jdbc-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,7 +30,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
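Review bot: The `emulator` service still runs `gcr.io/cloud-spanner-emulator/emulator:latest`, and the added `# zizmor: ignore[unpinned-images]` silences the finding without saying why the tag has to float. The job therefore keeps running whatever image the tag points to at run time, which is the one unpinned dependency left in this workflow. Either pin by digest, `image: gcr.io/cloud-spanner-emulator/emulator@sha256:<digest>` (placeholder digest), or add a comment line above `image:` recording the reason for the exception. The same line appears in java-spanner-jdbc-integration-tests-against-emulator.yaml.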
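Review bot: The `permissions:` block in java-spanner-jdbc-ci.yaml is inserted above `# Copyright 2022 Google LLC`, so the license notice is no longer the first thing in the file. I would keep the header at the top and put `permissions:` and `contents: read` after it, next to `on:`. Tools that look for a license header at the start of a file may also stop recognising it, though that depends on the checker in use. The other workflows in this commit that begin with a license header have the same ordering.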
@@ -49,8 +54,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -65,8 +72,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 8 distribution: temurin @@ -75,7 +84,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -91,8 +100,10 @@ jobs: run: git config --system core.longpaths true - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 8 @@ -105,8 +116,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 
@@ -116,8 +129,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -130,10 +145,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml b/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml index 896957eeaddb..b2f38d9b616f 100644 --- a/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml +++ b/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -12,7 +15,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
@@ -26,14 +31,16 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 - 9020:9020 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-quickperf.yaml b/.github/workflows/java-spanner-jdbc-quickperf.yaml index e1759fb32dd6..355a5369b4eb 100644 --- a/.github/workflows/java-spanner-jdbc-quickperf.yaml +++ b/.github/workflows/java-spanner-jdbc-quickperf.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-sample-tests.yml b/.github/workflows/java-spanner-jdbc-sample-tests.yml index a465a243630f..895996288505 100644 --- a/.github/workflows/java-spanner-jdbc-sample-tests.yml +++ b/.github/workflows/java-spanner-jdbc-sample-tests.yml 
@@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 8 diff --git a/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml b/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml index 385e5b2659a9..9ed9742c7c2b 100644 --- a/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml +++ b/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
@@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml b/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml index e91ac04b47a1..c811d4351d7f 100644 --- a/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml +++ b/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-storage-nio-ci.yaml b/.github/workflows/java-storage-nio-ci.yaml index c7be8db2a222..d2527ffe0d36 100644 --- a/.github/workflows/java-storage-nio-ci.yaml +++ b/.github/workflows/java-storage-nio-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -27,7 +30,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -49,8 +54,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -65,8 +72,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 8 distribution: temurin @@ -75,7 +84,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -91,8 +100,10 @@ jobs: run: git config --system core.longpaths true - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 8 
@@ -105,8 +116,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -116,8 +129,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -130,10 +145,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/librarian_generation_check.yaml b/.github/workflows/librarian_generation_check.yaml index c36eaf1fdc4c..f583cb6c13f8 100644 --- a/.github/workflows/librarian_generation_check.yaml +++ b/.github/workflows/librarian_generation_check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -39,10 +42,11 @@ jobs: run: | echo "Error: Running this workflow manually on the main branch is not allowed." exit 1 - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-go@v5 + persist-credentials: false + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: 'stable' - name: Install Librarian @@ -58,7 +62,7 @@ jobs: cd /usr/local sudo unzip -o /tmp/protoc.zip protoc --version - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: "17" distribution: "temurin" @@ -70,7 +74,7 @@ jobs: sudo apt-get update && sudo apt-get install -y maven fi mvn -version - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" cache: 'pip' @@ -108,7 +112,7 @@ jobs: fi - name: Create issue if previous step fails if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }} - uses: googleapis/librarian/.github/actions/create-issue-on-failure@main + uses: googleapis/librarian/.github/actions/create-issue-on-failure@main # zizmor: ignore[unpinned-uses] with: title: "Librarian generate diff check failed on main branch" body: | diff --git a/.github/workflows/readme.yaml b/.github/workflows/readme.yaml index f301ad02fce1..df1ca84452de 100644 --- a/.github/workflows/readme.yaml +++ b/.github/workflows/readme.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
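Review bot: The step `Create issue if previous step fails` (hunk at -108,7) may no longer be able to open an issue, because this commit sets the workflow token to `contents: read` at the top of librarian_generation_check.yaml and creating an issue normally needs `issues: write`. The job's own `permissions:` and the token the action uses are outside the hunk, so this needs confirming; if the job relies on the default token, give that job `permissions:` with `contents: read` and `issues: write`. Separately, `googleapis/librarian/.github/actions/create-issue-on-failure@main # zizmor: ignore[unpinned-uses]` keeps code from a mutable branch running in that job; pin it to a commit as the other actions are, or add a comment stating why it must follow `main`.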
@@ -23,14 +26,16 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'googleapis' steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' architecture: 'x64' - run: python3 -m pip install --require-hashes -r .github/requirements.txt - run: python3 generate-readme.py - - uses: googleapis/code-suggester@v4 + - uses: googleapis/code-suggester@589b3ac11ac2575fd561afa45034907f301a375b # v4 env: ACCESS_TOKEN: ${{ secrets.YOSHI_CODE_BOT_TOKEN }} with: diff --git a/.github/workflows/release_tools_test.yaml b/.github/workflows/release_tools_test.yaml index 774a8cc8ec71..4c825327c696 100644 --- a/.github/workflows/release_tools_test.yaml +++ b/.github/workflows/release_tools_test.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,8 +25,10 @@ jobs: release-tool-unit-test: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' - name: Install dependency diff --git a/.github/workflows/repository_sanity.yaml b/.github/workflows/repository_sanity.yaml index 892f8e6e5fc4..b12a37577867 100644 --- a/.github/workflows/repository_sanity.yaml +++ b/.github/workflows/repository_sanity.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -21,7 +24,9 @@ jobs: # Generated files should not match .gitignore runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: checking any files matching gitignore # By default, GitHub Actions's bash has '-e' option to fail immediately # upon non-zero exit code. Not using it here to catch the exit code 1. @@ -44,8 +49,10 @@ jobs: # Ensure generate-readme.py runs fine runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 # These parameters should match ones in readme.yaml with: python-version: '3.11' @@ -56,7 +63,9 @@ jobs: group_id_check_for_maps_libraries: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Install Maps modules run: | IncludedNonCloudModules=$(find java-maps-* -name 'pom.xml' \ @@ -84,7 +93,9 @@ jobs: package_name_check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Ensure no new invalid package name in Java files shell: bash run: | diff --git a/.github/workflows/sdk-platform-java-analyze_dependency.yaml b/.github/workflows/sdk-platform-java-analyze_dependency.yaml index 6e4b8a45d53b..5f0449f75c57 100644 --- a/.github/workflows/sdk-platform-java-analyze_dependency.yaml +++ b/.github/workflows/sdk-platform-java-analyze_dependency.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java Run dependency analyzer on: workflow_dispatch: 
@@ -25,7 +28,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -37,14 +42,16 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 cache: maven - name: Set up Maven - uses: stCarolas/setup-maven@v4.5 + uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5 with: maven-version: 3.8.2 - name: Install dependency analyzer @@ -55,5 +62,9 @@ jobs: - name: Check dependency information shell: bash run: | - mvn exec:java -Ddep.system=${{ github.event.inputs.system }} -Ddep.name=${{ github.event.inputs.name }} -Ddep.version=${{ github.event.inputs.version }} + mvn exec:java -Ddep.system=${GITHUB_EVENT_INPUTS_SYSTEM} -Ddep.name=${GITHUB_EVENT_INPUTS_NAME} -Ddep.version=${GITHUB_EVENT_INPUTS_VERSION} working-directory: java-shared-dependencies/dependency-analyzer + env: + GITHUB_EVENT_INPUTS_SYSTEM: ${{ github.event.inputs.system }} + GITHUB_EVENT_INPUTS_NAME: ${{ github.event.inputs.name }} + GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }} diff --git a/.github/workflows/sdk-platform-java-ci.yaml b/.github/workflows/sdk-platform-java-ci.yaml index 8d4e0f306f2d..63d4bf1a1681 100644 --- a/.github/workflows/sdk-platform-java-ci.yaml +++ b/.github/workflows/sdk-platform-java-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: 
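Review bot: The three expansions on the `mvn exec:java` line (hunk at -55,5) are unquoted, so the shell still word-splits and glob-expands each value even though the inputs now arrive through `env:` instead of being templated into the script. A `workflow_dispatch` input containing a space would turn into additional `mvn` arguments. Quote each one: `-Ddep.system="${GITHUB_EVENT_INPUTS_SYSTEM}" -Ddep.name="${GITHUB_EVENT_INPUTS_NAME}" -Ddep.version="${GITHUB_EVENT_INPUTS_VERSION}"`. As a naming point, the `GITHUB_` prefix makes these look like runner-provided variables; names such as `DEP_SYSTEM`, `DEP_NAME` and `DEP_VERSION` would read more clearly.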
@@ -10,7 +13,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -28,8 +33,10 @@ jobs: matrix: java: [ 11, 17, 21, 25, 26 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin @@ -58,8 +65,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: distribution: temurin java-version: 11 @@ -74,8 +83,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 
@@ -89,15 +100,17 @@ jobs: name: "sdk-platform-java units (8)" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false # Java 8 tests uses JDK 17 to compile and JDK 8 to run tests. - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 8 distribution: temurin cache: maven - run: echo "JAVA8_HOME=${JAVA_HOME}" >> $GITHUB_ENV - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin @@ -147,8 +160,10 @@ jobs: matrix: java: [ 11, 17, 21 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin @@ -175,8 +190,10 @@ jobs: matrix: java: [ 25, 26 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin @@ -201,8 +218,10 @@ jobs: matrix: java: [ 11, 17 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin 
@@ -240,8 +259,10 @@ jobs: name: "gapic-generator-java (8)" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -252,7 +273,7 @@ jobs: env: BUILD_SUBDIR: sdk-platform-java JOB_TYPE: install - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 8 distribution: temurin @@ -290,8 +311,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -324,8 +347,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -346,10 +371,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin 
@@ -374,10 +400,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml b/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml index ea21d5ab901e..4a50aa11cf85 100644 --- a/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml +++ b/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java Dependency Compatibility Test on: @@ -22,7 +25,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -39,9 +44,11 @@ jobs: contents: read steps: - name: Checkout sdk-platform-java - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '21' distribution: 'temurin' 
@@ -50,7 +57,9 @@ jobs: # The normal workflow is not from `workflow_dispatch` and will use the default upper-bounds dependencies file - name: Determine Inputted Dependencies List if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dependencies-list != '' }} - run: echo "DEPENDENCIES_LIST=${{ github.event.inputs.dependencies-list }}" >> $GITHUB_ENV + run: echo "DEPENDENCIES_LIST=${GITHUB_EVENT_INPUTS_DEPENDENCIES_LIST}" >> $GITHUB_ENV + env: + GITHUB_EVENT_INPUTS_DEPENDENCIES_LIST: ${{ github.event.inputs.dependencies-list }} - name: Install sdk-platform-java modules shell: bash @@ -63,8 +72,8 @@ jobs: - name: Perform Dependency Compatibility Unit Testing shell: bash run: | - if [[ -n "${{ env.DEPENDENCIES_LIST }}" ]]; then - .github/scripts/test_dependency_compatibility.sh -l ${{ env.DEPENDENCIES_LIST }} + if [[ -n "${DEPENDENCIES_LIST}" ]]; then + .github/scripts/test_dependency_compatibility.sh -l ${DEPENDENCIES_LIST} else .github/scripts/test_dependency_compatibility.sh fi @@ -78,7 +87,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & 
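Review bot: `echo "DEPENDENCIES_LIST=${GITHUB_EVENT_INPUTS_DEPENDENCIES_LIST}" >> $GITHUB_ENV` writes a `workflow_dispatch` input into the environment file unchecked, so a value containing a line break would define further variables for every later step of the job. As far as these hunks show, the value is read only by the two dependency-compatibility test steps, so the simpler form is to drop this step and give those steps `env:` with `DEPENDENCIES_LIST: ${{ github.event.inputs.dependencies-list }}`; the input is empty on other events, which keeps the `-n` test behaving as before. If the step stays, reject input containing a newline before the write and quote the target as `"$GITHUB_ENV"`.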
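Review bot: `-l ${DEPENDENCIES_LIST}` in the `Perform Dependency Compatibility Unit Testing` step (hunk at -63,8) is unquoted, so a list containing spaces or glob characters reaches the script as several arguments or as expanded file names. Use `.github/scripts/test_dependency_compatibility.sh -l "${DEPENDENCIES_LIST}"`, unless the script deliberately relies on the shell splitting the list, which is not visible here. The showcase step in the hunk at -90,8 passes the variable the same way and needs the same quoting.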
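Review bot: The showcase tarball fetched by `curl --location` (hunk at -78,7) is unpacked and started with `./gapic-showcase run &` without any integrity check, so the job executes whatever the release URL serves for `${SHOWCASE_VERSION}`. A digest kept in the repository next to the version and verified before `tar -xf` would close that gap, for example `echo "<sha256>  showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz" | sha256sum --check` (placeholder digest), run after the `cd /usr/src/showcase/`. The rest of this step lies outside the hunk.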
@@ -90,8 +99,8 @@ jobs: shell: bash # Need to cd out of the directory to get the scripts as this step is run inside the java-showcase directory run: | - if [[ -n "${{ env.DEPENDENCIES_LIST }}" ]]; then - ../sdk-platform-java/.github/scripts/test_dependency_compatibility.sh -l ${{ env.DEPENDENCIES_LIST }} + if [[ -n "${DEPENDENCIES_LIST}" ]]; then + ../sdk-platform-java/.github/scripts/test_dependency_compatibility.sh -l ${DEPENDENCIES_LIST} else ../sdk-platform-java/.github/scripts/test_dependency_compatibility.sh -f ../sdk-platform-java/dependencies.txt fi diff --git a/.github/workflows/sdk-platform-java-downstream.yaml b/.github/workflows/sdk-platform-java-downstream.yaml index f865c2224dd8..3385ab481038 100644 --- a/.github/workflows/sdk-platform-java-downstream.yaml +++ b/.github/workflows/sdk-platform-java-downstream.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: # Changes to these directories do not directly affect the downstream libraries @@ -16,7 +19,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -38,8 +43,10 @@ jobs: - java-firestore - java-pubsub steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin 
@@ -60,8 +67,10 @@ jobs: strategy: fail-fast: false steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml b/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml index 9be00dc15b8f..a7f40fa01d25 100644 --- a/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml +++ b/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -13,7 +16,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -34,21 +39,23 @@ jobs: - java-pubsub steps: - name: Checkout sdk-platform-java - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: path: google-cloud-java + persist-credentials: false - name: Checkout the downstream repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: googleapis/${{ matrix.repo }} path: ${{ matrix.repo }} + persist-credentials: false - name: Check the environment shell: bash run: | set -euxo pipefail pwd ls -alt - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 11 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-nightly.yaml b/.github/workflows/sdk-platform-java-nightly.yaml index 91efdc0ed3c5..dd1b7adfa4bb 100644 
--- a/.github/workflows/sdk-platform-java-nightly.yaml +++ b/.github/workflows/sdk-platform-java-nightly.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java Nightly on: workflow_dispatch: @@ -16,8 +19,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - run: git config --global core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: java-version: ${{ matrix.java }} distribution: temurin @@ -49,8 +54,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - run: git config --global core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: java-version: 11 distribution: temurin @@ -62,7 +69,7 @@ jobs: env: BUILD_SUBDIR: sdk-platform-java JOB_TYPE: install - - uses: actions/setup-java@v5 + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: java-version: 8 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-shared_dependencies.yaml b/.github/workflows/sdk-platform-java-shared_dependencies.yaml index d40df3c0ad5a..a54851711157 100644 --- a/.github/workflows/sdk-platform-java-shared_dependencies.yaml +++ b/.github/workflows/sdk-platform-java-shared_dependencies.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -16,7 +19,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
@@ -29,8 +34,10 @@ jobs: name: Shared Dependencies BOM upper-bound check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/sdk-platform-java-sonar.yaml b/.github/workflows/sdk-platform-java-sonar.yaml index f9010c073b78..925ad6208901 100644 --- a/.github/workflows/sdk-platform-java-sonar.yaml +++ b/.github/workflows/sdk-platform-java-sonar.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java SonarCloud Build on: push: @@ -13,7 +16,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -27,22 +32,23 @@ jobs: name: Build runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - name: Cache Maven packages - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ~/.m2 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} 
@@ -64,7 +70,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & diff --git a/.github/workflows/showcase-version-check.yaml b/.github/workflows/showcase-version-check.yaml index 9e7dea307cd1..2af9445d58cf 100644 --- a/.github/workflows/showcase-version-check.yaml +++ b/.github/workflows/showcase-version-check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -30,7 +33,9 @@ jobs: permissions: issues: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Extract showcase version from pom.xml id: extract_version shell: bash @@ -38,7 +43,7 @@ jobs: version=$(awk -F'[<>]' '/gapic-showcase.version/{print $3; exit}' java-showcase/gapic-showcase/pom.xml) echo "version=$version" >> "$GITHUB_OUTPUT" - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '1.24' - name: Extract showcase commit from librarian.yaml diff --git a/.github/workflows/showcase.yaml b/.github/workflows/showcase.yaml index bb9901619966..1fe522b6796e 100644 --- a/.github/workflows/showcase.yaml +++ b/.github/workflows/showcase.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: 
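Review bot: In `showcase-version-check.yaml` the `permissions:` block is inserted above the `# Copyright 2026 Google LLC` header, which pushes the license text off the top of the file. Placing it after the header, next to `on:`, keeps the header where readers and any license-header checks expect it, and the block behaves the same at either position. The same placement appears in the `@@ -1,3 +1,6 @@` hunks for `update_librarian_googleapis.yaml` and `versions.yaml`.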
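Review bot: In `showcase-version-check.yaml` the job in the `@@ -30,7 +33,9 @@` hunk declares its own `permissions:` with only `issues: write`, and a job-level block replaces the workflow-level one rather than merging with it, so the newly added `contents: read` does not reach this job. Checkout of a public repository still works without it, but stating the intent in the job avoids surprises: add `contents: read` under the job's `permissions:`. The job definition starts outside the hunk, so this assumes no other permission keys precede `issues: write`.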
@@ -10,7 +13,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -27,8 +32,10 @@ jobs: name: "showcase (8)" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -39,7 +46,7 @@ jobs: env: BUILD_SUBDIR: sdk-platform-java JOB_TYPE: install - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 8 distribution: temurin @@ -51,7 +58,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & @@ -103,8 +110,10 @@ jobs: matrix: java: [ 11, 17, 21, 25, 26 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin 
@@ -129,7 +138,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & @@ -182,10 +191,11 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout @ target branch - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.base_ref }} - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -203,7 +213,9 @@ jobs: echo "SHOWCASE_CLIENT_VERSION=$SHOWCASE_CLIENT_VERSION" >> "$GITHUB_ENV" working-directory: java-showcase - name: Checkout sdk-platform-java @ PR merge commit - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Install sdk-platform-java @ PR merge commit shell: bash run: .kokoro/build.sh diff --git a/.github/workflows/unmanaged_dependency_check.yaml b/.github/workflows/unmanaged_dependency_check.yaml index 34e6a4f72ea1..d433e4e8bd2a 100644 --- a/.github/workflows/unmanaged_dependency_check.yaml +++ b/.github/workflows/unmanaged_dependency_check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: name: sdk-platform-java Unmanaged dependency check 
@@ -5,8 +8,10 @@ jobs: unmanaged_dependency_check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/update_librarian_googleapis.yaml b/.github/workflows/update_librarian_googleapis.yaml index e8143025db43..5e1d66ecda98 100644 --- a/.github/workflows/update_librarian_googleapis.yaml +++ b/.github/workflows/update_librarian_googleapis.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -28,7 +31,7 @@ jobs: working-directory: google-cloud-java steps: - name: Checkout google-cloud-java - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: repository: googleapis/google-cloud-java path: google-cloud-java @@ -54,7 +57,7 @@ jobs: fi fi - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '>=1.20.2' - name: Get librarian version @@ -96,7 +99,7 @@ jobs: cd /usr/local sudo unzip -o /tmp/protoc.zip protoc --version - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: steps.detect_librarian.outputs.has_changes == 'true' with: java-version: "17" @@ -110,7 +113,7 @@ jobs: sudo apt-get update && sudo apt-get install -y maven fi mvn -version - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 if: steps.detect_librarian.outputs.has_changes == 'true' with: python-version: "3.12" diff --git a/.github/workflows/versions.yaml b/.github/workflows/versions.yaml index 80593baecb6f..efc3cb008a54 100644 --- a/.github/workflows/versions.yaml 
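Review bot: The `Checkout google-cloud-java` step in `update_librarian_googleapis.yaml` (`@@ -28,7 +31,7 @@`) is the only `actions/checkout` in these hunks that is pinned without also getting `persist-credentials: false`. If that is deliberate because a later step pushes with the persisted token, a comment such as `# credentials kept: later step pushes the update branch` would record it. In that case the new workflow-level `contents: read` also needs checking, since it limits `GITHUB_TOKEN` to read-only unless the job sets its own permissions or uses a separate token. If nothing pushes, add `persist-credentials: false` here as well. The rest of the `with:` block and the job's later steps are outside the hunk.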
+++ b/.github/workflows/versions.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -23,7 +26,9 @@ jobs: unmanaged-versions-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - run: ./generation/check_non_release_please_versions.sh # For Release Please pull requests, the artifacts being published must not @@ -39,5 +44,7 @@ jobs: steps: - run: sudo apt-get update -y - run: sudo apt-get install libxml2-utils - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - run: ./generation/check_existing_release_versions.sh