From 63f557ecf630c519c81d685d05adf01dba48e835 Mon Sep 17 00:00:00 2001 
From: Husam Date: Tue, 30 Jun 2026 01:54:51 +0000 Subject: [PATCH] chore(actions): address zizmor findings This PR is an AI assisted attempt to address zizmor findings. It may not catch everything, and should be reviewed by repository owners. If it is unhelpful, feel free to close the PR and address separately. If it is helpful, feel free to approve and merge, or edit/modify as needed to get it to the right state. Repository owners must ultimately ensure compliance by 2026-07-13. The purpose of this PR is to provide some assistance with achieving that as a first pass. This will become a blocking check for new changes to github workflows on 2026-07-13. --- .github/workflows/changelog_generation.yaml | 6 +- .../workflows/changelog_generation_test.yaml | 7 +- .github/workflows/ci.yaml | 88 +++++++++++++------ .../create_additional_release_tag.yaml | 6 +- .../generate_new_client_hermetic_build.yaml | 12 ++- .../google-auth-library-java-ci.yaml | 27 ++++-- .../workflows/hermetic-build-scripts-ci.yaml | 27 ++++-- .github/workflows/java-bigquery-jdbc-ci.yaml | 44 +++++++--- .github/workflows/java-bigquery-scorecard.yml | 8 +- .github/workflows/java-bigtable-ci.yaml | 52 +++++++---- .../workflows/java-bigtable-conformance.yaml | 20 +++-- .github/workflows/java-firestore-ci.yaml | 52 +++++++---- .github/workflows/java-pubsub-ci.yaml | 52 +++++++---- .github/workflows/java-shared-config-ci.yaml | 52 +++++++---- ...shared-config-downstream-dependencies.yaml | 21 +++-- ...hared-config-downstream-maven-plugins.yaml | 28 ++++-- ...er-integration-tests-against-emulator.yaml | 15 +++- .github/workflows/java-spanner-jdbc-ci.yaml | 44 +++++++--- ...bc-integration-tests-against-emulator.yaml | 15 +++- .../java-spanner-jdbc-quickperf.yaml | 13 ++- .../java-spanner-jdbc-sample-tests.yml | 13 ++- ...-spanner-jdbc-spring-data-jdbc-sample.yaml | 13 ++- ...anner-jdbc-spring-data-mybatis-sample.yaml | 13 ++- .github/workflows/java-storage-nio-ci.yaml | 44 +++++++--- 
.../workflows/librarian_generation_check.yaml | 14 +-- .github/workflows/readme.yaml | 11 ++- .github/workflows/release_tools_test.yaml | 9 +- .github/workflows/repository_sanity.yaml | 21 +++-- .../sdk-platform-java-analyze_dependency.yaml | 21 +++-- .github/workflows/sdk-platform-java-ci.yaml | 81 +++++++++++------ ...rm-java-dependency_compatibility_test.yaml | 27 ++++-- .../sdk-platform-java-downstream.yaml | 19 ++-- ...downstream_unmanaged_dependency_check.yaml | 15 +++- .../workflows/sdk-platform-java-nightly.yaml | 17 ++-- ...sdk-platform-java-shared_dependencies.yaml | 13 ++- .../workflows/sdk-platform-java-sonar.yaml | 18 ++-- .github/workflows/showcase-version-check.yaml | 9 +- .github/workflows/showcase.yaml | 34 ++++--- .../workflows/unmanaged_dependency_check.yaml | 9 +- .../update_librarian_googleapis.yaml | 11 ++- .github/workflows/versions.yaml | 11 ++- 41 files changed, 707 insertions(+), 305 deletions(-) diff --git a/.github/workflows/changelog_generation.yaml b/.github/workflows/changelog_generation.yaml index 2231e818db28..b06ae4f7d34d 100644 --- a/.github/workflows/changelog_generation.yaml +++ b/.github/workflows/changelog_generation.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: types: @@ -23,9 +26,10 @@ jobs: github.event.sender.login == 'release-please[bot]' && github.head_ref == 'release-please--branches--main' && contains(github.event.pull_request.labels.*.name, 'autorelease: pending') steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: ref: ${{ github.head_ref }} + persist-credentials: false - name: Show status of the branch checked out run: | git status diff --git a/.github/workflows/changelog_generation_test.yaml b/.github/workflows/changelog_generation_test.yaml index 299906f4afb6..9cf1f7614320 100644 --- a/.github/workflows/changelog_generation_test.yaml +++ b/.github/workflows/changelog_generation_test.yaml 
@@ -1,3 +1,6 @@ +permissions: + contents: read + name: CHANGELOG.md generation test on: @@ -11,7 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Unit Test run: | python3 .github/release-note-generation/unit_test.py diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index da9d472adaf0..13f4d80dd22b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -32,7 +35,9 @@ jobs: # runnable is true if there are changes outside the .github/workflows directory OR if ci.yaml itself (or kokoro scripts) is modified. runnable: ${{ fromJSON(steps.filter.outputs.all_count) > fromJSON(steps.filter.outputs.workflows_count) || fromJSON(steps.filter.outputs.ci_count) > 0 }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false # Use this action, rather than a file filter so that we can make this # mandatory. # See https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#example-including-branches 
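Review bot: In ci.yaml (`@@ -1,3 +1,6 @@`) the new `permissions:` block is inserted at line 1, above the `# Copyright 2022 Google LLC` licence header, so the header is no longer the first thing in the file. The same placement recurs in java-bigtable-ci.yaml, java-bigtable-conformance.yaml, java-firestore-ci.yaml, java-pubsub-ci.yaml and java-shared-config-ci.yaml. Moving the block below the header, next to `name:`/`on:`, keeps the header where licence checks and readers expect it. A one-line comment above it would explain the default, for example `# Read-only by default; jobs that need more declare their own permissions.`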
@@ -65,16 +70,18 @@ jobs: id: date if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} - - uses: actions/setup-java@v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: distribution: temurin java-version: ${{matrix.java}} - run: java -version if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: mvn-cache if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: @@ -94,9 +101,11 @@ jobs: id: date if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} - - uses: actions/setup-java@v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: java-version: 8 @@ -107,13 +116,13 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: java-version: 11 distribution: temurin cache: maven - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: mvn-cache if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} with: 
@@ -135,7 +144,9 @@ jobs: outputs: packages: ${{ steps.filter.outputs.changes }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -233,8 +244,10 @@ jobs: - name: Get current week within the year id: date run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -256,14 +269,16 @@ jobs: - name: Get current week within the year id: date run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin cache: maven - run: java -version - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: mvn-cache with: path: ~/.m2/repository @@ -274,7 +289,7 @@ jobs: env: BUILD_SUBDIR: ${{matrix.package}} JOB_TYPE: install - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{matrix.java}} distribution: temurin 
@@ -301,8 +316,10 @@ jobs: matrix: package: ${{ fromJSON(needs.changes.outputs.packages) }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -318,8 +335,10 @@ jobs: matrix: package: ${{ fromJSON(needs.changes.outputs.packages) }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -344,8 +363,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -360,10 +381,11 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 
@@ -381,8 +403,10 @@ jobs: - name: Get current week within the year id: date run: echo "::set-output name=week_of_year::$(date +'%W' --utc)" - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -399,8 +423,10 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -410,7 +436,7 @@ jobs: env: JOB_TYPE: install - name: Validate gapic-libraries-bom - uses: googleapis/java-cloud-bom/tests/validate-bom@v26.79.0 + uses: googleapis/java-cloud-bom/tests/validate-bom@377c8d1fac6b1521dc52a10f4d02e5d371a0de67 # v26.79.0 with: bom-path: gapic-libraries-bom/pom.xml generation-config-check: @@ -418,9 +444,13 @@ jobs: if: ${{ needs.bulk-filter.outputs.runnable == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + # zizmor: ignore[template-injection] + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: validate generation configuration shell: bash + # zizmor: ignore[template-injection] run: | bash generation/run_generator_docker.sh "${library_generation_image_tag}" "${{ github.base_ref || 'main' }}" \ -e GENERATOR_VERSION="${library_generation_image_tag}" \ diff --git a/.github/workflows/create_additional_release_tag.yaml b/.github/workflows/create_additional_release_tag.yaml index e93a801c20c9..0d340f1096e2 100644 --- a/.github/workflows/create_additional_release_tag.yaml +++ b/.github/workflows/create_additional_release_tag.yaml 
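Review bot: The `# zizmor: ignore[template-injection]` on the `validate generation configuration` step of ci.yaml (`@@ -418,9 +444,13 @@`) hides the finding, but `${{ github.base_ref || 'main' }}` is still expanded into the bash script text before the shell runs. Passing the value through the step environment removes the finding instead: add `BASE_REF: ${{ github.base_ref || 'main' }}` under the step's `env:` and use `"${BASE_REF}"` in the command. The second ignore comment, placed above the `actions/checkout` step, covers a step with no template expansion in the visible lines and looks unnecessary. The step continues past the end of the hunk, so whether it already has an `env:` block cannot be seen here.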
@@ -1,3 +1,6 @@ +permissions: + contents: read + name: Create additional tags for each release on: @@ -13,9 +16,10 @@ jobs: contents: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: token: ${{ secrets.CLOUD_JAVA_BOT_GITHUB_TOKEN }} + persist-credentials: false - name: Set up Git run: | git config --local user.email "action@github.com" diff --git a/.github/workflows/generate_new_client_hermetic_build.yaml b/.github/workflows/generate_new_client_hermetic_build.yaml index e59fba01bd7b..739ed0530d68 100644 --- a/.github/workflows/generate_new_client_hermetic_build.yaml +++ b/.github/workflows/generate_new_client_hermetic_build.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: Generate new GAPIC client library (Hermetic Build) on: workflow_dispatch: @@ -56,8 +59,10 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4 with: python-version: '3.9' cache: 'pip' # caching pip dependencies @@ -90,7 +95,7 @@ jobs: # create and push to branch in origin # random_id allows multiple runs of this workflow random_id=$(tr -dc A-Za-z0-9 > $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -93,8 +102,10 @@ jobs: run: git config --system core.longpaths true - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 8 
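Review bot: With `persist-credentials: false` added to the checkout in create_additional_release_tag.yaml (`@@ -13,9 +16,10 @@`), the `CLOUD_JAVA_BOT_GITHUB_TOKEN` passed via `token:` is no longer stored in the local git config, so a later `git push` of tags that relied on it would fail to authenticate. The same applies to generate_new_client_hermetic_build.yaml (`@@ -56,8 +59,10 @@`), whose context reads "create and push to branch in origin", and possibly to the `ref: ${{ github.head_ref }}` checkout in changelog_generation.yaml. The pushing steps are outside these hunks, so this is inferred rather than confirmed. Either confirm that each push step supplies credentials explicitly, or keep persistence for those jobs with a justified suppression such as `# zizmor: ignore[artipacked] later step pushes with the persisted token`.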
@@ -107,8 +118,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -118,8 +131,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -132,10 +147,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-bigquery-scorecard.yml b/.github/workflows/java-bigquery-scorecard.yml index d2063b876cce..8d30193de908 100644 --- a/.github/workflows/java-bigquery-scorecard.yml +++ b/.github/workflows/java-bigquery-scorecard.yml @@ -15,7 +15,7 @@ on: branches: [ "main" ] # Declare default permissions as read only. -permissions: read-all +permissions: read-all # zizmor: ignore[excessive-permissions] env: BUILD_SUBDIR: java-bigquery @@ -25,7 +25,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
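Review bot: In java-bigquery-scorecard.yml (`@@ -15,7 +15,7 @@`) the `excessive-permissions` finding on `permissions: read-all` is suppressed rather than fixed, while the other workflows visible in this patch get a top-level `contents: read`. `read-all` gives every job in the workflow read access on all token scopes, not only repository contents. Unless a job depends on another read scope, replace the line with `permissions:` followed by `  contents: read` and let the jobs that need more declare their own block. If `read-all` is required, the comment should say which scope needs it. The job-level permission blocks are outside the hunk.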
@@ -83,6 +85,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 + uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 with: sarif_file: results.sarif diff --git a/.github/workflows/java-bigtable-ci.yaml b/.github/workflows/java-bigtable-ci.yaml index b935cf9eed1b..9049505d59a8 100644 --- a/.github/workflows/java-bigtable-ci.yaml +++ b/.github/workflows/java-bigtable-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin 
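Review bot: The `Upload to code-scanning` step in java-bigquery-scorecard.yml (`@@ -83,6 +85,6 @@`) moves `github/codeql-action/upload-sarif` from `# v2.28.1` to `# v3.28.3`, which is a major-version upgrade rather than a pin of the existing reference. The commit message describes only zizmor fixes, so this behaviour change is easy to miss in a 41-file patch. Mention the upgrade in the description or split it into its own commit, and confirm that the new SHA is the commit the `v3.28.3` tag points to.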
@@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 
@@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/java-bigtable-conformance.yaml b/.github/workflows/java-bigtable-conformance.yaml index 621e4ac6784e..5355df0f02ca 100644 --- a/.github/workflows/java-bigtable-conformance.yaml +++ b/.github/workflows/java-bigtable-conformance.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -39,17 +44,20 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: googleapis/cloud-bigtable-clients-test ref: main path: cloud-bigtable-clients-test - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: 11 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '>=1.20.2' - run: java -version 
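Review bot: The second checkout in java-bigtable-conformance.yaml (`@@ -39,17 +44,20 @@`) still fetches `googleapis/cloud-bigtable-clients-test` at `ref: main`, so the job takes whatever that branch holds at run time while every action around it is now pinned to a commit. If later steps build or run code from `cloud-bigtable-clients-test` (they are outside the hunk), pinning `ref:` to a reviewed commit SHA gives that checkout the same guarantee as the pinned actions. If tracking `main` is deliberate, a comment such as `# follows main on purpose: conformance suite must stay current` documents the choice.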
diff --git a/.github/workflows/java-firestore-ci.yaml b/.github/workflows/java-firestore-ci.yaml index f4fac240ee4e..39fcadd44c36 100644 --- a/.github/workflows/java-firestore-ci.yaml +++ b/.github/workflows/java-firestore-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin 
@@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 
diff --git a/.github/workflows/java-pubsub-ci.yaml b/.github/workflows/java-pubsub-ci.yaml index f0e9d4f05b80..bb03a83d2895 100644 --- a/.github/workflows/java-pubsub-ci.yaml +++ b/.github/workflows/java-pubsub-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin 
@@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 
diff --git a/.github/workflows/java-shared-config-ci.yaml b/.github/workflows/java-shared-config-ci.yaml index b480c92ceff5..1bfa1f39645d 100644 --- a/.github/workflows/java-shared-config-ci.yaml +++ b/.github/workflows/java-shared-config-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,8 +30,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -43,8 +48,10 @@ jobs: matrix: java: [11, 17, 21] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -59,8 +66,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -69,7 +78,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin 
@@ -83,8 +92,10 @@ jobs: steps: - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -100,8 +111,10 @@ jobs: matrix: java: [17] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -112,8 +125,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -126,10 +141,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 @@ -144,8 +160,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 11 
diff --git a/.github/workflows/java-shared-config-downstream-dependencies.yaml b/.github/workflows/java-shared-config-downstream-dependencies.yaml index 923068923ba3..7216d3e35885 100644 --- a/.github/workflows/java-shared-config-downstream-dependencies.yaml +++ b/.github/workflows/java-shared-config-downstream-dependencies.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -12,8 +15,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -34,8 +39,10 @@ jobs: - java-storage - java-pubsub steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: ${{matrix.java}} @@ -71,8 +78,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: 11 diff --git a/.github/workflows/java-shared-config-downstream-maven-plugins.yaml b/.github/workflows/java-shared-config-downstream-maven-plugins.yaml index 68428c6b68b1..afc7565c1102 100644 --- a/.github/workflows/java-shared-config-downstream-maven-plugins.yaml +++ b/.github/workflows/java-shared-config-downstream-maven-plugins.yaml 
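Review bot: java-shared-config-downstream-dependencies.yaml now pins `actions/checkout` to two different commits: `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` in the hunk at -12 and `11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` in the hunks at -34 and -71, so jobs of one workflow run different checkout releases. A bare `# v4` comment names a moving tag, so a reviewer cannot tell from the file which release the hash was taken from, and version-update tooling has less to work with. Use one commit for the action throughout and write the exact release in the comment, in the style of the existing `# v4.2.2` line. The same mix appears in java-shared-config-downstream-maven-plugins.yaml, and the bare `# v4` / `# v5` / `# v6` comments appear throughout the patch.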
@@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -16,8 +19,10 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3 id: filter with: filters: | @@ -40,8 +45,10 @@ jobs: - javadoc # maven-javadoc-plugin - javadoc-with-doclet # test javadoc generation with doclet steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: 11 @@ -55,7 +62,7 @@ jobs: LIB_DIR="${{matrix.repo}}" LIB_NAME="google-cloud-${LIB_DIR#java-}" mvn install -pl ${LIB_DIR}/${LIB_NAME} -am -DskipTests=true -Dmaven.javadoc.skip=true -Dgcloud.download.skip=true -B -V -q - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: ${{matrix.java}} @@ -77,10 +84,11 @@ jobs: job-type: - lint # fmt-maven-plugin and google-java-format steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: zulu java-version: ${{matrix.java}} 
@@ -131,8 +139,10 @@ jobs: - java-datastore - java-bigquerystorage steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-integration-tests-against-emulator.yaml b/.github/workflows/java-spanner-integration-tests-against-emulator.yaml index 36f2f467f6b5..705ccb3a6018 100644 --- a/.github/workflows/java-spanner-integration-tests-against-emulator.yaml +++ b/.github/workflows/java-spanner-integration-tests-against-emulator.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -10,7 +13,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -24,14 +29,16 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 - 9020:9020 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/java-spanner-jdbc-ci.yaml b/.github/workflows/java-spanner-jdbc-ci.yaml index f3da655c477b..e478adc9c9a7 100644 --- a/.github/workflows/java-spanner-jdbc-ci.yaml +++ b/.github/workflows/java-spanner-jdbc-ci.yaml 
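Review bot: In the `services.emulator` hunk of java-spanner-integration-tests-against-emulator.yaml the image stays on the mutable `:latest` tag, and the added `# zizmor: ignore[unpinned-images]` silences the finding without recording why. The job therefore still runs whatever image the registry serves at that moment, which is the condition the check exists to flag. Pinning by digest keeps the run reproducible, for example `image: gcr.io/cloud-spanner-emulator/emulator@sha256:DIGEST_OF_REVIEWED_IMAGE` (placeholder). If tracking the newest emulator is deliberate, state that in the comment next to the ignore. The same line is added in java-spanner-jdbc-integration-tests-against-emulator.yaml.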
@@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,7 +30,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -49,8 +54,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -65,8 +72,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 8 distribution: temurin @@ -75,7 +84,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -91,8 +100,10 @@ jobs: run: git config --system core.longpaths true - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 8 
@@ -105,8 +116,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -116,8 +129,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -130,10 +145,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml b/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml index 896957eeaddb..b2f38d9b616f 100644 --- a/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml +++ b/.github/workflows/java-spanner-jdbc-integration-tests-against-emulator.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -12,7 +15,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
@@ -26,14 +31,16 @@ jobs: services: emulator: - image: gcr.io/cloud-spanner-emulator/emulator:latest + image: gcr.io/cloud-spanner-emulator/emulator:latest # zizmor: ignore[unpinned-images] ports: - 9010:9010 - 9020:9020 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-quickperf.yaml b/.github/workflows/java-spanner-jdbc-quickperf.yaml index e1759fb32dd6..355a5369b4eb 100644 --- a/.github/workflows/java-spanner-jdbc-quickperf.yaml +++ b/.github/workflows/java-spanner-jdbc-quickperf.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-sample-tests.yml b/.github/workflows/java-spanner-jdbc-sample-tests.yml index a465a243630f..895996288505 100644 --- a/.github/workflows/java-spanner-jdbc-sample-tests.yml +++ b/.github/workflows/java-spanner-jdbc-sample-tests.yml 
@@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 8 diff --git a/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml b/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml index 385e5b2659a9..9ed9742c7c2b 100644 --- a/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml +++ b/.github/workflows/java-spanner-jdbc-spring-data-jdbc-sample.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
@@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml b/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml index e91ac04b47a1..c811d4351d7f 100644 --- a/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml +++ b/.github/workflows/java-spanner-jdbc-spring-data-mybatis-sample.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -24,7 +27,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -36,8 +41,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-java@v5 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/java-storage-nio-ci.yaml b/.github/workflows/java-storage-nio-ci.yaml index c7be8db2a222..d2527ffe0d36 100644 --- a/.github/workflows/java-storage-nio-ci.yaml +++ b/.github/workflows/java-storage-nio-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -27,7 +30,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -49,8 +54,10 @@ jobs: matrix: java: [11, 17, 21, 25, 26] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: ${{matrix.java}} @@ -65,8 +72,10 @@ jobs: name: "units (8)" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 8 distribution: temurin @@ -75,7 +84,7 @@ jobs: # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java -P !java17" >> $GITHUB_ENV shell: bash - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -91,8 +100,10 @@ jobs: run: git config --system core.longpaths true - name: Support longpaths run: git config --system core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 8 
@@ -105,8 +116,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -116,8 +129,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 @@ -130,10 +145,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/librarian_generation_check.yaml b/.github/workflows/librarian_generation_check.yaml index c36eaf1fdc4c..f583cb6c13f8 100644 --- a/.github/workflows/librarian_generation_check.yaml +++ b/.github/workflows/librarian_generation_check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -39,10 +42,11 @@ jobs: run: | echo "Error: Running this workflow manually on the main branch is not allowed." exit 1 - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-go@v5 + persist-credentials: false + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: 'stable' - name: Install Librarian @@ -58,7 +62,7 @@ jobs: cd /usr/local sudo unzip -o /tmp/protoc.zip protoc --version - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: "17" distribution: "temurin" @@ -70,7 +74,7 @@ jobs: sudo apt-get update && sudo apt-get install -y maven fi mvn -version - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" cache: 'pip' @@ -108,7 +112,7 @@ jobs: fi - name: Create issue if previous step fails if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }} - uses: googleapis/librarian/.github/actions/create-issue-on-failure@main + uses: googleapis/librarian/.github/actions/create-issue-on-failure@main # zizmor: ignore[unpinned-uses] with: title: "Librarian generate diff check failed on main branch" body: | diff --git a/.github/workflows/readme.yaml b/.github/workflows/readme.yaml index f301ad02fce1..df1ca84452de 100644 --- a/.github/workflows/readme.yaml +++ b/.github/workflows/readme.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
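Review bot: In the hunk at -108 of librarian_generation_check.yaml, `googleapis/librarian/.github/actions/create-issue-on-failure@main` stays on a branch ref and the new `# zizmor: ignore[unpinned-uses]` suppresses the finding with no reason given, while the other actions touched in this file are pinned to commits. Either pin it the same way, `uses: googleapis/librarian/.github/actions/create-issue-on-failure@FULL_COMMIT_SHA # main` (placeholder), or record next to the ignore why following `main` is accepted. Separately, the `permissions: contents: read` added at the top of this file also applies to this job, and a step that opens issues with the workflow token would normally need `issues: write`. The step's `with:` block continues past the hunk, so it is not visible whether it passes its own token; worth confirming before merge.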
@@ -23,14 +26,16 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'googleapis' steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' architecture: 'x64' - run: python3 -m pip install --require-hashes -r .github/requirements.txt - run: python3 generate-readme.py - - uses: googleapis/code-suggester@v4 + - uses: googleapis/code-suggester@589b3ac11ac2575fd561afa45034907f301a375b # v4 env: ACCESS_TOKEN: ${{ secrets.YOSHI_CODE_BOT_TOKEN }} with: diff --git a/.github/workflows/release_tools_test.yaml b/.github/workflows/release_tools_test.yaml index 774a8cc8ec71..4c825327c696 100644 --- a/.github/workflows/release_tools_test.yaml +++ b/.github/workflows/release_tools_test.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,8 +25,10 @@ jobs: release-tool-unit-test: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' - name: Install dependency diff --git a/.github/workflows/repository_sanity.yaml b/.github/workflows/repository_sanity.yaml index 892f8e6e5fc4..b12a37577867 100644 --- a/.github/workflows/repository_sanity.yaml +++ b/.github/workflows/repository_sanity.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -21,7 +24,9 @@ jobs: # Generated files should not match .gitignore runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: checking any files matching gitignore # By default, GitHub Actions's bash has '-e' option to fail immediately # upon non-zero exit code. Not using it here to catch the exit code 1. @@ -44,8 +49,10 @@ jobs: # Ensure generate-readme.py runs fine runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 # These parameters should match ones in readme.yaml with: python-version: '3.11' @@ -56,7 +63,9 @@ jobs: group_id_check_for_maps_libraries: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Install Maps modules run: | IncludedNonCloudModules=$(find java-maps-* -name 'pom.xml' \ @@ -84,7 +93,9 @@ jobs: package_name_check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Ensure no new invalid package name in Java files shell: bash run: | diff --git a/.github/workflows/sdk-platform-java-analyze_dependency.yaml b/.github/workflows/sdk-platform-java-analyze_dependency.yaml index 6e4b8a45d53b..5f0449f75c57 100644 --- a/.github/workflows/sdk-platform-java-analyze_dependency.yaml +++ b/.github/workflows/sdk-platform-java-analyze_dependency.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java Run dependency analyzer on: workflow_dispatch: 
@@ -25,7 +28,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -37,14 +42,16 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 cache: maven - name: Set up Maven - uses: stCarolas/setup-maven@v4.5 + uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5 with: maven-version: 3.8.2 - name: Install dependency analyzer @@ -55,5 +62,9 @@ jobs: - name: Check dependency information shell: bash run: | - mvn exec:java -Ddep.system=${{ github.event.inputs.system }} -Ddep.name=${{ github.event.inputs.name }} -Ddep.version=${{ github.event.inputs.version }} + mvn exec:java -Ddep.system=${GITHUB_EVENT_INPUTS_SYSTEM} -Ddep.name=${GITHUB_EVENT_INPUTS_NAME} -Ddep.version=${GITHUB_EVENT_INPUTS_VERSION} working-directory: java-shared-dependencies/dependency-analyzer + env: + GITHUB_EVENT_INPUTS_SYSTEM: ${{ github.event.inputs.system }} + GITHUB_EVENT_INPUTS_NAME: ${{ github.event.inputs.name }} + GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }} diff --git a/.github/workflows/sdk-platform-java-ci.yaml b/.github/workflows/sdk-platform-java-ci.yaml index 8d4e0f306f2d..63d4bf1a1681 100644 --- a/.github/workflows/sdk-platform-java-ci.yaml +++ b/.github/workflows/sdk-platform-java-ci.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: 
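Review bot: In the `Check dependency information` hunk the three dispatch inputs now arrive through `env:`, which removes the expression injection, but the shell still expands them unquoted on the `mvn exec:java` line. A value containing whitespace or glob characters is then split into additional arguments to Maven instead of staying inside its `-Ddep.*` property. Quote each expansion: `mvn exec:java -Ddep.system="${GITHUB_EVENT_INPUTS_SYSTEM}" -Ddep.name="${GITHUB_EVENT_INPUTS_NAME}" -Ddep.version="${GITHUB_EVENT_INPUTS_VERSION}"`.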
@@ -10,7 +13,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -28,8 +33,10 @@ jobs: matrix: java: [ 11, 17, 21, 25, 26 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin @@ -58,8 +65,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: distribution: temurin java-version: 11 @@ -74,8 +83,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 
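Review bot: The hunk at -58 of sdk-platform-java-ci.yaml pins `actions/checkout` and `actions/setup-java` to v3 commits, which freezes an older major release while the other jobs in this file use the v4 commits. Unless something in that job depends on v3 behaviour (not visible in the hunk), use the pins already present elsewhere in the file: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` and `- uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4`. If v3 is kept on purpose, a short comment saying why would stop the next reader from "fixing" it. The same v3 `setup-java` pin appears in the hunks at -89 and -252, where the same job also uses the v4 commit.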
@@ -89,15 +100,17 @@ jobs: name: "sdk-platform-java units (8)" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false # Java 8 tests uses JDK 17 to compile and JDK 8 to run tests. - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 8 distribution: temurin cache: maven - run: echo "JAVA8_HOME=${JAVA_HOME}" >> $GITHUB_ENV - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin @@ -147,8 +160,10 @@ jobs: matrix: java: [ 11, 17, 21 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin @@ -175,8 +190,10 @@ jobs: matrix: java: [ 25, 26 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin @@ -201,8 +218,10 @@ jobs: matrix: java: [ 11, 17 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin 
@@ -240,8 +259,10 @@ jobs: name: "gapic-generator-java (8)" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -252,7 +273,7 @@ jobs: env: BUILD_SUBDIR: sdk-platform-java JOB_TYPE: install - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 8 distribution: temurin @@ -290,8 +311,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -324,8 +347,10 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -346,10 +371,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin 
@@ -374,10 +400,11 @@ jobs: if: ${{ needs.filter.outputs.library == 'true' }} runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml b/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml index ea21d5ab901e..4a50aa11cf85 100644 --- a/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml +++ b/.github/workflows/sdk-platform-java-dependency_compatibility_test.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java Dependency Compatibility Test on: @@ -22,7 +25,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -39,9 +44,11 @@ jobs: contents: read steps: - name: Checkout sdk-platform-java - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '21' distribution: 'temurin' 
@@ -50,7 +57,9 @@ jobs: # The normal workflow is not from `workflow_dispatch` and will use the default upper-bounds dependencies file - name: Determine Inputted Dependencies List if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dependencies-list != '' }} - run: echo "DEPENDENCIES_LIST=${{ github.event.inputs.dependencies-list }}" >> $GITHUB_ENV + run: echo "DEPENDENCIES_LIST=${GITHUB_EVENT_INPUTS_DEPENDENCIES_LIST}" >> $GITHUB_ENV + env: + GITHUB_EVENT_INPUTS_DEPENDENCIES_LIST: ${{ github.event.inputs.dependencies-list }} - name: Install sdk-platform-java modules shell: bash @@ -63,8 +72,8 @@ jobs: - name: Perform Dependency Compatibility Unit Testing shell: bash run: | - if [[ -n "${{ env.DEPENDENCIES_LIST }}" ]]; then - .github/scripts/test_dependency_compatibility.sh -l ${{ env.DEPENDENCIES_LIST }} + if [[ -n "${DEPENDENCIES_LIST}" ]]; then + .github/scripts/test_dependency_compatibility.sh -l ${DEPENDENCIES_LIST} else .github/scripts/test_dependency_compatibility.sh fi @@ -78,7 +87,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & 
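Review bot: In the hunk at -50,7, moving the input into `GITHUB_EVENT_INPUTS_DEPENDENCIES_LIST` removes the template expansion from the script, but the value is still appended to `$GITHUB_ENV` unchecked. A value containing a line break would add further `NAME=value` lines to the environment of every later step. The step can be dropped by setting the variable where it is consumed, for example `env:` / `DEPENDENCIES_LIST: ${{ github.event.inputs.dependencies-list }}` at job level. It is empty for other events, which the later `-n` tests already handle, assuming nothing else outside the hunk sets the variable. If the step stays, reject values containing a newline before the `echo` and write to `"$GITHUB_ENV"` quoted.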
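Review bot: In the hunk at -63,8, `-l ${DEPENDENCIES_LIST}` is expanded unquoted, so a value with spaces or glob characters is split and expanded by the shell into extra arguments to `test_dependency_compatibility.sh`. Unless the script expects several words after `-l` (it is not visible here), the line should be `.github/scripts/test_dependency_compatibility.sh -l "${DEPENDENCIES_LIST}"`. The hunk at -90,8 of the same file has the same call with the `../sdk-platform-java/` prefix and needs the same quoting.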
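Review bot: In the hunk at -78,7, the showcase tarball is downloaded, unpacked and started (`./gapic-showcase run &`) with no integrity check, so this step runs whatever the release URL serves while the same patch pins every action to a commit SHA. Adding `--fail` to the `curl` call and a digest check before `tar -xf` would close that gap, for example `echo "${SHOWCASE_SHA256}  /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz" | sha256sum --check`. `SHOWCASE_SHA256` is a placeholder for a digest kept next to the version. `SHOWCASE_VERSION` is set outside the hunk. The same download appears in sdk-platform-java-sonar.yaml (-64,7) and twice in showcase.yaml (-51,7 and -129,7).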
@@ -90,8 +99,8 @@ jobs: shell: bash # Need to cd out of the directory to get the scripts as this step is run inside the java-showcase directory run: | - if [[ -n "${{ env.DEPENDENCIES_LIST }}" ]]; then - ../sdk-platform-java/.github/scripts/test_dependency_compatibility.sh -l ${{ env.DEPENDENCIES_LIST }} + if [[ -n "${DEPENDENCIES_LIST}" ]]; then + ../sdk-platform-java/.github/scripts/test_dependency_compatibility.sh -l ${DEPENDENCIES_LIST} else ../sdk-platform-java/.github/scripts/test_dependency_compatibility.sh -f ../sdk-platform-java/dependencies.txt fi diff --git a/.github/workflows/sdk-platform-java-downstream.yaml b/.github/workflows/sdk-platform-java-downstream.yaml index f865c2224dd8..3385ab481038 100644 --- a/.github/workflows/sdk-platform-java-downstream.yaml +++ b/.github/workflows/sdk-platform-java-downstream.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: # Changes to these directories do not directly affect the downstream libraries @@ -16,7 +19,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -38,8 +43,10 @@ jobs: - java-firestore - java-pubsub steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin 
@@ -60,8 +67,10 @@ jobs: strategy: fail-fast: false steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml b/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml index 9be00dc15b8f..a7f40fa01d25 100644 --- a/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml +++ b/.github/workflows/sdk-platform-java-downstream_unmanaged_dependency_check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -13,7 +16,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -34,21 +39,23 @@ jobs: - java-pubsub steps: - name: Checkout sdk-platform-java - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: path: google-cloud-java + persist-credentials: false - name: Checkout the downstream repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: googleapis/${{ matrix.repo }} path: ${{ matrix.repo }} + persist-credentials: false - name: Check the environment shell: bash run: | set -euxo pipefail pwd ls -alt - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 11 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-nightly.yaml b/.github/workflows/sdk-platform-java-nightly.yaml index 91efdc0ed3c5..dd1b7adfa4bb 100644 
--- a/.github/workflows/sdk-platform-java-nightly.yaml +++ b/.github/workflows/sdk-platform-java-nightly.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java Nightly on: workflow_dispatch: @@ -16,8 +19,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - run: git config --global core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: java-version: ${{ matrix.java }} distribution: temurin @@ -49,8 +54,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - run: git config --global core.longpaths true - - uses: actions/checkout@v4 - - uses: actions/setup-java@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: java-version: 11 distribution: temurin @@ -62,7 +69,7 @@ jobs: env: BUILD_SUBDIR: sdk-platform-java JOB_TYPE: install - - uses: actions/setup-java@v5 + - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: java-version: 8 distribution: temurin diff --git a/.github/workflows/sdk-platform-java-shared_dependencies.yaml b/.github/workflows/sdk-platform-java-shared_dependencies.yaml index d40df3c0ad5a..a54851711157 100644 --- a/.github/workflows/sdk-platform-java-shared_dependencies.yaml +++ b/.github/workflows/sdk-platform-java-shared_dependencies.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: @@ -16,7 +19,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: 
@@ -29,8 +34,10 @@ jobs: name: Shared Dependencies BOM upper-bound check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/sdk-platform-java-sonar.yaml b/.github/workflows/sdk-platform-java-sonar.yaml index f9010c073b78..925ad6208901 100644 --- a/.github/workflows/sdk-platform-java-sonar.yaml +++ b/.github/workflows/sdk-platform-java-sonar.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + name: sdk-platform-java SonarCloud Build on: push: @@ -13,7 +16,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -27,22 +32,23 @@ jobs: name: Build runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 17 distribution: temurin - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - name: Cache Maven packages - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ~/.m2 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} 
@@ -64,7 +70,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & diff --git a/.github/workflows/showcase-version-check.yaml b/.github/workflows/showcase-version-check.yaml index 9e7dea307cd1..2af9445d58cf 100644 --- a/.github/workflows/showcase-version-check.yaml +++ b/.github/workflows/showcase-version-check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -30,7 +33,9 @@ jobs: permissions: issues: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Extract showcase version from pom.xml id: extract_version shell: bash @@ -38,7 +43,7 @@ jobs: version=$(awk -F'[<>]' '/gapic-showcase.version/{print $3; exit}' java-showcase/gapic-showcase/pom.xml) echo "version=$version" >> "$GITHUB_OUTPUT" - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '1.24' - name: Extract showcase commit from librarian.yaml diff --git a/.github/workflows/showcase.yaml b/.github/workflows/showcase.yaml index bb9901619966..1fe522b6796e 100644 --- a/.github/workflows/showcase.yaml +++ b/.github/workflows/showcase.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches: 
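Review bot: In showcase-version-check.yaml (hunk -1,3) the `permissions:` block is inserted above the Apache license header, so the copyright comment is no longer at the top of the file. It belongs after the header, next to `name:`/`on:`, with a comment such as `# Read-only by default; jobs that need more declare it themselves`. update_librarian_googleapis.yaml and versions.yaml get the same insertion above their headers. Because the job in the hunk at -30,7 declares `permissions: issues: write`, it replaces the new default and does not inherit it, so that job runs without `contents: read`. Add it there if the checkout ever needs it.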
@@ -10,7 +13,9 @@ jobs: outputs: library: ${{ steps.filter.outputs.library }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: @@ -27,8 +32,10 @@ jobs: name: "showcase (8)" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 11 distribution: temurin @@ -39,7 +46,7 @@ jobs: env: BUILD_SUBDIR: sdk-platform-java JOB_TYPE: install - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: 8 distribution: temurin @@ -51,7 +58,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & @@ -103,8 +110,10 @@ jobs: matrix: java: [ 11, 17, 21, 25, 26 ] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: ${{ matrix.java }} distribution: temurin 
@@ -129,7 +138,7 @@ jobs: run: | sudo mkdir -p /usr/src/showcase sudo chown -R ${USER} /usr/src/ - curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${{env.SHOWCASE_VERSION}}/gapic-showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${{env.SHOWCASE_VERSION}}-linux-amd64.tar.gz + curl --location https://github.com/googleapis/gapic-showcase/releases/download/v${SHOWCASE_VERSION}/gapic-showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz --output /usr/src/showcase/showcase-${SHOWCASE_VERSION}-linux-amd64.tar.gz cd /usr/src/showcase/ tar -xf showcase-* ./gapic-showcase run & @@ -182,10 +191,11 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout @ target branch - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.base_ref }} - - uses: actions/setup-java@v4 + persist-credentials: false + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin @@ -203,7 +213,9 @@ jobs: echo "SHOWCASE_CLIENT_VERSION=$SHOWCASE_CLIENT_VERSION" >> "$GITHUB_ENV" working-directory: java-showcase - name: Checkout sdk-platform-java @ PR merge commit - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Install sdk-platform-java @ PR merge commit shell: bash run: .kokoro/build.sh diff --git a/.github/workflows/unmanaged_dependency_check.yaml b/.github/workflows/unmanaged_dependency_check.yaml index 34e6a4f72ea1..d433e4e8bd2a 100644 --- a/.github/workflows/unmanaged_dependency_check.yaml +++ b/.github/workflows/unmanaged_dependency_check.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: name: sdk-platform-java Unmanaged dependency check 
@@ -5,8 +8,10 @@ jobs: unmanaged_dependency_check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: distribution: temurin java-version: 11 diff --git a/.github/workflows/update_librarian_googleapis.yaml b/.github/workflows/update_librarian_googleapis.yaml index e8143025db43..5e1d66ecda98 100644 --- a/.github/workflows/update_librarian_googleapis.yaml +++ b/.github/workflows/update_librarian_googleapis.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -28,7 +31,7 @@ jobs: working-directory: google-cloud-java steps: - name: Checkout google-cloud-java - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: repository: googleapis/google-cloud-java path: google-cloud-java @@ -54,7 +57,7 @@ jobs: fi fi - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '>=1.20.2' - name: Get librarian version @@ -96,7 +99,7 @@ jobs: cd /usr/local sudo unzip -o /tmp/protoc.zip protoc --version - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 if: steps.detect_librarian.outputs.has_changes == 'true' with: java-version: "17" @@ -110,7 +113,7 @@ jobs: sudo apt-get update && sudo apt-get install -y maven fi mvn -version - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 if: steps.detect_librarian.outputs.has_changes == 'true' with: python-version: "3.12" diff --git a/.github/workflows/versions.yaml b/.github/workflows/versions.yaml index 80593baecb6f..efc3cb008a54 100644 --- a/.github/workflows/versions.yaml 
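Review bot: In update_librarian_googleapis.yaml (hunk -28,7) the `Checkout google-cloud-java` step is pinned to a SHA but, unlike every other checkout in the visible part of this patch, gets no `persist-credentials: false`. If a later step pushes with the stored token, the omission is intentional and should be recorded on the step, for example `# credentials kept: a later step pushes the update branch`. In that case the new workflow-level `permissions: contents: read` also needs a job-level `contents: write`, unless the push uses a different token. If nothing pushes, add `persist-credentials: false` under `with:`. The rest of the job is outside the hunk, so which case applies has to be confirmed against the full file.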
+++ b/.github/workflows/versions.yaml @@ -1,3 +1,6 @@ +permissions: + contents: read + # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -23,7 +26,9 @@ jobs: unmanaged-versions-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - run: ./generation/check_non_release_please_versions.sh # For Release Please pull requests, the artifacts being published must not @@ -39,5 +44,7 @@ jobs: steps: - run: sudo apt-get update -y - run: sudo apt-get install libxml2-utils - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - run: ./generation/check_existing_release_versions.sh