diff --git a/.github/workflows/code-path-changes.yml b/.github/workflows/code-path-changes.yml index 23e0c19db6d..f818d867441 100644 --- a/.github/workflows/code-path-changes.yml +++ b/.github/workflows/code-path-changes.yml @@ -2,10 +2,13 @@ name: Notify Code Path Changes on: pull_request_target: - types: [opened, synchronize] + types: [ opened, synchronize ] paths: - '**' +permissions: + contents: read + env: OAUTH2_CLIENT_ID: ${{ secrets.OAUTH2_CLIENT_ID }} OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET }} @@ -14,18 +17,15 @@ env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -permissions: - contents: read - jobs: notify: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v5 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v6 with: node-version: '18' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a86f0b144a5..a6852ae7c92 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
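Review bot: The `notify` job still checks out code under `pull_request_target` while `OAUTH2_CLIENT_SECRET` and `GITHUB_TOKEN` are exported as workflow-level `env`, so if the checkout step's `with:` block (not shown in this hunk) uses the PR head ref, code from an untrusted fork runs with those secrets available; the relocated `permissions: contents: read` does not reduce that exposure. If the job only needs PR metadata, check out the base (`ref: ${{ github.event.pull_request.base.sha }}`) or skip the checkout, and move the secrets from the workflow `env:` into the `env:` of the single step that calls the OAuth endpoint. As far as I know Node.js 18 is past upstream end-of-life, so `node-version: '18'` is also worth bumping while the setup-node action is being updated.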
@@ -1,48 +1,60 @@ -name: "CodeQL" +name: CodeQL on: - push: - branches: [ "master" ] pull_request: - branches: [ "master" ] + branches: [ 'master' ] + schedule: + - cron: '0 3 * * 1' + +permissions: + security-events: write + packages: read + actions: read + contents: read jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest strategy: fail-fast: false matrix: - language: [ 'java' ] + include: + - language: actions + build-mode: none + - language: java-kotlin + build-mode: manual steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up JDK - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: 21 - - - name: Cache Maven packages - uses: actions/cache@v3 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - - - name: Build with Maven - run: mvn -B package --file extra/pom.xml - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 - with: - category: "/language:${{ matrix.language }}" + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Set up JDK + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: 21 + + - name: Cache Maven packages + uses: actions/cache@v5 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + ${{ runner.os }}-maven- + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Build with Maven + if: matrix.build-mode == 'manual' + run: mvn -B package --file extra/pom.xml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: '/language:${{ matrix.language }}' 
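Review bot: Removing the `push: branches: [ "master" ]` trigger means the default branch is now analyzed only by the Monday 03:00 schedule, so alerts introduced by a merge or a direct push appear to stay invisible for up to a week and PR results are compared against a baseline that can be that stale; keep `push:` with `branches: [ 'master' ]` next to `pull_request` and `schedule`. For the `java-kotlin` entry with `build-mode: manual`, only what `mvn -B package --file extra/pom.xml` compiles ends up in the CodeQL database, so confirm that module reaches all Java sources or consider `build-mode: none` if a build-free extraction is acceptable. The `actions/cache` step also runs for the `actions` matrix entry where there is no Maven build; gate it with `if: matrix.build-mode == 'manual'` like the build step.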
diff --git a/.github/workflows/cross-repo-issue.yml b/.github/workflows/cross-repo-issue.yml index a2aa9471ecf..5d2e512d4c6 100644 --- a/.github/workflows/cross-repo-issue.yml +++ b/.github/workflows/cross-repo-issue.yml @@ -2,9 +2,12 @@ name: Cross-repo Issue Creation on: pull_request_target: - types: [closed] + types: [ closed ] branches: - - "master" + - 'master' + +permissions: + contents: read jobs: cross-repo: @@ -12,7 +15,7 @@ jobs: steps: - name: Generate token id: generate_token - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@v2.1.0 with: app_id: ${{ secrets.XREPO_APP_ID }} private_key: ${{ secrets.XREPO_PEM }} diff --git a/.github/workflows/docker-image-publish.yml b/.github/workflows/docker-image-publish.yml index 39964eb69aa..7f993ade73d 100644 --- a/.github/workflows/docker-image-publish.yml +++ b/.github/workflows/docker-image-publish.yml @@ -5,6 +5,10 @@ on: tags: - '*' +permissions: + contents: read + packages: write + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} @@ -13,13 +17,10 @@ jobs: build: name: Publish Docker image for new tag/release runs-on: ubuntu-latest - permissions: - contents: read - packages: write strategy: matrix: java: [ 21 ] - dockerfile-path: [Dockerfile, Dockerfile-modules] + dockerfile-path: [ Dockerfile, Dockerfile-modules ] include: - dockerfile-path: Dockerfile build-cmd: mvn clean package -Dcheckstyle.skip -Dmaven.test.skip=true @@ -30,10 +31,10 @@ jobs: package-name: ghcr.io/${{ github.repository }}-bundle steps: - name: Check out Repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' 
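Review bot: `tibdex/github-app-token@v2.1.0` is still a mutable tag, and this step is handed the App's private key (`XREPO_PEM`), so anyone who can move that tag in the upstream repo gets a step that runs with the key; pin third-party actions that touch secrets to the release's full commit SHA with the version in a trailing comment, e.g. `uses: tibdex/github-app-token@<commit-sha> # v2.1.0`, and let Dependabot maintain it. As far as I know the tibdex action is archived upstream and `actions/create-github-app-token` is the maintained replacement, which is worth verifying before pinning.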
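Review bot: Moving `packages: write` from the `build` job to the workflow level in `docker-image-publish.yml` grants GHCR push rights to every job in the workflow, not only the one that publishes; only `build` is visible here, but any other job present or added later inherits it. Keep `permissions: contents: read` at the top and put `packages: write` back under `build`, the same job-level pattern this diff applies in `release-drafter.yml` (`contents: write`) and `trivy-security-check.yml` (`security-events: write`).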
@@ -56,13 +57,13 @@ jobs: images: ${{ matrix.package-name }} - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build and push Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: ${{ matrix.dockerfile-path }} diff --git a/.github/workflows/issue_prioritization.yml b/.github/workflows/issue_prioritization.yml index fa56f9ee2ee..7b4df73b80b 100644 --- a/.github/workflows/issue_prioritization.yml +++ b/.github/workflows/issue_prioritization.yml @@ -1,9 +1,11 @@ name: Issue tracking + on: issues: types: - opened - pinned + jobs: track_issue: runs-on: ubuntu-latest diff --git a/.github/workflows/pr-functional-tests.yml b/.github/workflows/pr-functional-tests.yml index 0cf032e3e23..d512022413a 100644 --- a/.github/workflows/pr-functional-tests.yml +++ b/.github/workflows/pr-functional-tests.yml @@ -11,6 +11,11 @@ on: types: - created +permissions: + contents: read + actions: read + checks: write + jobs: build: runs-on: ubuntu-latest @@ -20,10 +25,10 @@ jobs: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' @@ -42,7 +47,7 @@ jobs: - name: Emitting run result of functional test if: always() - uses: dorny/test-reporter@v2.1.1 + uses: dorny/test-reporter@v2.5.0 with: name: 'Functional tests' working-directory: 'target/failsafe-reports' diff --git a/.github/workflows/pr-java-ci.yml b/.github/workflows/pr-java-ci.yml index 1a198dac001..d69d222592f 100644 --- a/.github/workflows/pr-java-ci.yml +++ b/.github/workflows/pr-java-ci.yml @@ -11,6 +11,11 @@ on: types: - created +permissions: + contents: read + actions: read + checks: write + jobs: build: runs-on: ubuntu-latest 
@@ -20,10 +25,10 @@ jobs: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' @@ -32,12 +37,3 @@ jobs: - name: Build with Maven run: mvn -B package --file extra/pom.xml - - - name: Publish JUnit Report - uses: mikepenz/action-junit-report@v5 - if: always() - with: - check_name: 'JUnit Test Report' - report_paths: '**/target/surefire-reports/TEST-*.xml' - fail_on_failure: true - annotate_only: true diff --git a/.github/workflows/pr-module-functional-tests.yml b/.github/workflows/pr-module-functional-tests.yml index e61814093b0..c3b04858677 100644 --- a/.github/workflows/pr-module-functional-tests.yml +++ b/.github/workflows/pr-module-functional-tests.yml @@ -11,6 +11,11 @@ on: types: - created +permissions: + contents: read + actions: read + checks: write + jobs: build: runs-on: ubuntu-latest @@ -20,10 +25,10 @@ jobs: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' @@ -46,7 +51,7 @@ jobs: - name: Emitting run result of functional test if: always() - uses: dorny/test-reporter@v2.1.1 + uses: dorny/test-reporter@v2.5.0 with: name: 'Module functional tests' working-directory: 'target/failsafe-reports' diff --git a/.github/workflows/release-asset-publish.yml b/.github/workflows/release-asset-publish.yml index fb1057d8ee8..bfa938bebe9 100644 --- a/.github/workflows/release-asset-publish.yml +++ b/.github/workflows/release-asset-publish.yml @@ -2,7 +2,7 @@ name: Publish release .jar on: workflow_run: - workflows: [Publish release] + workflows: [ Publish release ] types: - completed 
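Review bot: `checks: write` and `actions: read` are added to `pr-java-ci.yml` in the earlier hunk, but the only visible step that created check runs, `mikepenz/action-junit-report`, is deleted here, so the workflow now holds a write permission no shown step uses; unless a step outside these hunks publishes check runs, reduce it to `permissions: contents: read`. Dropping the report step also removes its `fail_on_failure: true` gate and the surefire annotations on the PR; `mvn -B package` should still fail the job on test failures by default, but confirm that no `maven.test.failure.ignore` setting in `extra/pom.xml` changes that.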
@@ -14,9 +14,9 @@ jobs: matrix: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index c1ee08ab668..75ea23441de 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -5,17 +5,22 @@ on: tags: - '*' +permissions: + contents: read + jobs: update_release_draft: name: Publish release with notes + permissions: + contents: write runs-on: ubuntu-latest steps: - name: Create and publish release - uses: release-drafter/release-drafter@v5 + uses: release-drafter/release-drafter@v6 with: config-name: release-drafter-config.yml publish: true - name: "v${{ github.ref_name }}" + name: 'v${{ github.ref_name }}' tag: ${{ github.ref_name }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/slack-stale-pr.yml b/.github/workflows/slack-stale-pr.yml deleted file mode 100644 index a610c3e7de9..00000000000 --- a/.github/workflows/slack-stale-pr.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Post Stale PRs To Slack - -on: - # run Monday 9am and on-demand - workflow_dispatch: - schedule: - - cron: '0 9 * * 1' - -jobs: - fetch-PRs: - runs-on: ubuntu-latest - steps: - - name: Fetch pull requests - id: local - uses: paritytech/stale-pr-finder@v0.3.0 - with: - GITHUB_TOKEN: ${{ github.token }} - days-stale: 14 - ignoredLabels: "blocked" - - name: Post to a Slack channel - id: slack - uses: slackapi/slack-github-action@v1.27.1 - with: - channel-id: ${{ secrets.SLACK_CHANNEL_ID }} - slack-message: "${{ steps.local.outputs.message }}" - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.github/workflows/trivy-security-check.yml b/.github/workflows/trivy-security-check.yml index 044b7e39af6..b73eda3b40d 100644 --- a/.github/workflows/trivy-security-check.yml 
+++ b/.github/workflows/trivy-security-check.yml @@ -1,27 +1,35 @@ -name: Security Check +name: Trivy Security Scan on: pull_request: - branches: [master] + branches: [ 'master' ] + schedule: + - cron: '0 3 * * 1' + +permissions: + contents: read jobs: build: name: Trivy security check + permissions: + security-events: write runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' + scan-ref: '.' ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif'
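Review bot: `aquasecurity/trivy-action@0.33.1` is an improvement over `@master`, but it is still a mutable tag; the step that produces the repository's security findings should be pinned to that release's commit SHA with a `# 0.33.1` comment so the scanner cannot be swapped underneath the workflow. No `exit-code` is set, so the step always succeeds and `CRITICAL,HIGH` findings only surface in the Security tab; if this check is meant to gate merges, add `exit-code: '1'` (keeping `ignore-unfixed: true` so unfixable CVEs do not block) and put `if: always()` on the upload-sarif step so the SARIF is still uploaded when the scan fails.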