From 67bfd947eac389eecda595aaa7016eba975b62f0 Mon Sep 17 00:00:00 2001 From: Oleksandr Zhevedenko <720803+Net-burst@users.noreply.github.com> Date: Wed, 14 Jan 2026 20:34:20 -0500 Subject: [PATCH 1/4] CI: Update GitHub actions --- .github/workflows/code-path-changes.yml | 6 +- .github/workflows/codeql-analysis.yml | 82 +++++++++++-------- .github/workflows/cross-repo-issue.yml | 6 +- .github/workflows/docker-image-publish.yml | 19 +++-- .github/workflows/issue_prioritization.yml | 2 + .github/workflows/pr-functional-tests.yml | 25 ++---- .github/workflows/pr-java-ci.yml | 19 ++--- .../workflows/pr-module-functional-tests.yml | 25 ++---- .github/workflows/release-asset-publish.yml | 6 +- .github/workflows/release-drafter.yml | 4 +- .github/workflows/slack-stale-pr.yml | 6 +- .github/workflows/trivy-security-check.yml | 17 ++-- 12 files changed, 109 insertions(+), 108 deletions(-) diff --git a/.github/workflows/code-path-changes.yml b/.github/workflows/code-path-changes.yml index 23e0c19db6d..2841d4356ce 100644 --- a/.github/workflows/code-path-changes.yml +++ b/.github/workflows/code-path-changes.yml @@ -2,7 +2,7 @@ name: Notify Code Path Changes on: pull_request_target: - types: [opened, synchronize] + types: [ opened, synchronize ] paths: - '**' @@ -22,10 +22,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v5 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v6 with: node-version: '18' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a86f0b144a5..a6852ae7c92 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
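Review bot: In the second code-path-changes.yml hunk, `uses: actions/checkout@v5` and `uses: actions/setup-node@v6` are pinned to floating major tags, and this workflow runs on `pull_request_target` with repository secrets (OAUTH2_CLIENT_SECRET, GITHUB_TOKEN) exported at workflow level, so whatever those tags resolve to at run time executes with access to them. Pin third-party steps to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v5`, and let Dependabot/Renovate move the SHA. The same applies to every other `uses:` bump in this series (codeql-analysis, cross-repo-issue, docker-image-publish, pr-*, release-*, trivy-security-check). The unchanged context line `node-version: '18'` targets a Node release that is, as far as I know, past end-of-life; worth bumping alongside setup-node@v6.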
@@ -1,48 +1,60 @@ -name: "CodeQL" +name: CodeQL on: - push: - branches: [ "master" ] pull_request: - branches: [ "master" ] + branches: [ 'master' ] + schedule: + - cron: '0 3 * * 1' + +permissions: + security-events: write + packages: read + actions: read + contents: read jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest strategy: fail-fast: false matrix: - language: [ 'java' ] + include: + - language: actions + build-mode: none + - language: java-kotlin + build-mode: manual steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up JDK - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: 21 - - - name: Cache Maven packages - uses: actions/cache@v3 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - - - name: Build with Maven - run: mvn -B package --file extra/pom.xml - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 - with: - category: "/language:${{ matrix.language }}" + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Set up JDK + uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: 21 + + - name: Cache Maven packages + uses: actions/cache@v5 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + ${{ runner.os }}-maven- + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Build with Maven + if: matrix.build-mode == 'manual' + run: mvn -B package --file extra/pom.xml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: '/language:${{ matrix.language }}' 
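Review bot: The `Set up JDK` and `Cache Maven packages` steps run for the `actions` matrix entry too, although only `Build with Maven` is gated with `if: matrix.build-mode == 'manual'`; the `actions` analysis with `build-mode: none` needs neither. Either add the same `if: matrix.build-mode == 'manual'` to both steps, or drop the separate `actions/cache@v5` step and use `cache: 'maven'` on `actions/setup-java@v5` as docker-image-publish.yml and the pr-* workflows in this same series already do. Note also that removing the `push: branches: [master]` trigger means code-scanning results for master are now refreshed only by the Monday `schedule`, not on merge; if that is intended, a one-line comment above `schedule:` saying so would save the next reader a question.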
diff --git a/.github/workflows/cross-repo-issue.yml b/.github/workflows/cross-repo-issue.yml index a2aa9471ecf..618e3efa09f 100644 --- a/.github/workflows/cross-repo-issue.yml +++ b/.github/workflows/cross-repo-issue.yml @@ -2,9 +2,9 @@ name: Cross-repo Issue Creation on: pull_request_target: - types: [closed] + types: [ closed ] branches: - - "master" + - 'master' jobs: cross-repo: @@ -12,7 +12,7 @@ jobs: steps: - name: Generate token id: generate_token - uses: tibdex/github-app-token@v1 + uses: tibdex/github-app-token@v2.1.0 with: app_id: ${{ secrets.XREPO_APP_ID }} private_key: ${{ secrets.XREPO_PEM }} diff --git a/.github/workflows/docker-image-publish.yml b/.github/workflows/docker-image-publish.yml index 39964eb69aa..e208d4d0f02 100644 --- a/.github/workflows/docker-image-publish.yml +++ b/.github/workflows/docker-image-publish.yml @@ -9,17 +9,18 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + packages: write + jobs: build: name: Publish Docker image for new tag/release runs-on: ubuntu-latest - permissions: - contents: read - packages: write strategy: matrix: java: [ 21 ] - dockerfile-path: [Dockerfile, Dockerfile-modules] + dockerfile-path: [ Dockerfile, Dockerfile-modules ] include: - dockerfile-path: Dockerfile build-cmd: mvn clean package -Dcheckstyle.skip -Dmaven.test.skip=true @@ -30,10 +31,10 @@ jobs: package-name: ghcr.io/${{ github.repository }}-bundle steps: - name: Check out Repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' 
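Review bot: In the cross-repo-issue.yml hunk, `uses: tibdex/github-app-token@v2.1.0` pins an action that is, to my knowledge, archived upstream and whose README redirects to GitHub's own `actions/create-github-app-token`; an archived action receives no fixes regardless of how tightly it is pinned. Since this step mints an installation token from `secrets.XREPO_PEM` on a `pull_request_target` run, it is worth moving to the maintained action now rather than carrying the pin, roughly `uses: actions/create-github-app-token@<version>` with `app-id: ${{ secrets.XREPO_APP_ID }}` and `private-key: ${{ secrets.XREPO_PEM }}` (input names are kebab-case there; verify the rest of the job's `with:` block, which is outside the hunk, against the new action's outputs).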
@@ -56,13 +57,13 @@ jobs: images: ${{ matrix.package-name }} - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build and push Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . file: ${{ matrix.dockerfile-path }} diff --git a/.github/workflows/issue_prioritization.yml b/.github/workflows/issue_prioritization.yml index fa56f9ee2ee..7b4df73b80b 100644 --- a/.github/workflows/issue_prioritization.yml +++ b/.github/workflows/issue_prioritization.yml @@ -1,9 +1,11 @@ name: Issue tracking + on: issues: types: - opened - pinned + jobs: track_issue: runs-on: ubuntu-latest diff --git a/.github/workflows/pr-functional-tests.yml b/.github/workflows/pr-functional-tests.yml index 0cf032e3e23..2706024e903 100644 --- a/.github/workflows/pr-functional-tests.yml +++ b/.github/workflows/pr-functional-tests.yml @@ -11,6 +11,12 @@ on: types: - created +permissions: + contents: read + actions: read + checks: write + pull-requests: write + jobs: build: runs-on: ubuntu-latest @@ -20,10 +26,10 @@ jobs: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' @@ -39,18 +45,3 @@ jobs: -DdockerfileName=Dockerfile \ -Dcheckstyle.skip \ --file extra/pom.xml - - - name: Emitting run result of functional test - if: always() - uses: dorny/test-reporter@v2.1.1 - with: - name: 'Functional tests' - working-directory: 'target/failsafe-reports' - path: 'TEST-*.xml' - reporter: java-junit - use-actions-summary: 'true' - list-suites: 'failed' - list-tests: 'failed' - fail-on-error: true - fail-on-empty: true - token: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/pr-java-ci.yml b/.github/workflows/pr-java-ci.yml index 1a198dac001..64b086f8015 100644 --- a/.github/workflows/pr-java-ci.yml +++ b/.github/workflows/pr-java-ci.yml @@ -11,6 +11,12 @@ on: types: - created +permissions: + contents: read + actions: read + checks: write + pull-requests: write + jobs: build: runs-on: ubuntu-latest @@ -20,10 +26,10 @@ jobs: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' @@ -32,12 +38,3 @@ jobs: - name: Build with Maven run: mvn -B package --file extra/pom.xml - - - name: Publish JUnit Report - uses: mikepenz/action-junit-report@v5 - if: always() - with: - check_name: 'JUnit Test Report' - report_paths: '**/target/surefire-reports/TEST-*.xml' - fail_on_failure: true - annotate_only: true diff --git a/.github/workflows/pr-module-functional-tests.yml b/.github/workflows/pr-module-functional-tests.yml index e61814093b0..9c7c2b2ad8a 100644 --- a/.github/workflows/pr-module-functional-tests.yml +++ b/.github/workflows/pr-module-functional-tests.yml @@ -11,6 +11,12 @@ on: types: - created +permissions: + contents: read + actions: read + checks: write + pull-requests: write + jobs: build: runs-on: ubuntu-latest @@ -20,10 +26,10 @@ jobs: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' 
@@ -43,18 +49,3 @@ jobs: -DdockerfileName=Dockerfile-modules \ -Dcheckstyle.skip \ --file extra/pom.xml - - - name: Emitting run result of functional test - if: always() - uses: dorny/test-reporter@v2.1.1 - with: - name: 'Module functional tests' - working-directory: 'target/failsafe-reports' - path: 'TEST-*.xml' - reporter: java-junit - use-actions-summary: 'true' - list-suites: 'failed' - list-tests: 'failed' - fail-on-error: true - fail-on-empty: true - token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-asset-publish.yml b/.github/workflows/release-asset-publish.yml index fb1057d8ee8..bfa938bebe9 100644 --- a/.github/workflows/release-asset-publish.yml +++ b/.github/workflows/release-asset-publish.yml @@ -2,7 +2,7 @@ name: Publish release .jar on: workflow_run: - workflows: [Publish release] + workflows: [ Publish release ] types: - completed @@ -14,9 +14,9 @@ jobs: matrix: java: [ 21 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'temurin' cache: 'maven' diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index c1ee08ab668..cb7686192cd 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -11,11 +11,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Create and publish release - uses: release-drafter/release-drafter@v5 + uses: release-drafter/release-drafter@v6 with: config-name: release-drafter-config.yml publish: true - name: "v${{ github.ref_name }}" + name: 'v${{ github.ref_name }}' tag: ${{ github.ref_name }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/slack-stale-pr.yml b/.github/workflows/slack-stale-pr.yml index a610c3e7de9..b6a044a2af3 100644 --- a/.github/workflows/slack-stale-pr.yml +++ b/.github/workflows/slack-stale-pr.yml 
@@ -4,7 +4,7 @@ on: # run Monday 9am and on-demand workflow_dispatch: schedule: - - cron: '0 9 * * 1' + - cron: '0 9 * * 1' jobs: fetch-PRs: @@ -16,12 +16,12 @@ jobs: with: GITHUB_TOKEN: ${{ github.token }} days-stale: 14 - ignoredLabels: "blocked" + ignoredLabels: 'blocked' - name: Post to a Slack channel id: slack uses: slackapi/slack-github-action@v1.27.1 with: channel-id: ${{ secrets.SLACK_CHANNEL_ID }} - slack-message: "${{ steps.local.outputs.message }}" + slack-message: ${{ steps.local.outputs.message }} env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.github/workflows/trivy-security-check.yml b/.github/workflows/trivy-security-check.yml index 044b7e39af6..72cd56857d4 100644 --- a/.github/workflows/trivy-security-check.yml +++ b/.github/workflows/trivy-security-check.yml @@ -1,8 +1,14 @@ -name: Security Check +name: Trivy Security Scan on: pull_request: - branches: [master] + branches: [ 'master' ] + schedule: + - cron: '0 3 * * 1' + +permissions: + contents: read + security-events: write jobs: build: @@ -10,18 +16,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' + scan-ref: '.' ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' From 9ad60a8e5210f12963d357c6c6b0c74ad497b2f3 Mon Sep 17 00:00:00 2001 
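Review bot: In the trivy-security-check.yml `Run Trivy vulnerability scanner` step no `exit-code` is set, so the step succeeds regardless of findings and CRITICAL/HIGH results only reach the Security tab via the SARIF upload; the PR check itself never fails, which makes the new `schedule` run the only place results are visible for anyone not watching code scanning. If the scan is meant to gate pull requests, add `exit-code: '1'` to the `with:` block and put `if: always()` on the `Upload Trivy scan results` step so the SARIF is still uploaded when the scanner step fails. Pinning `aquasecurity/trivy-action@0.33.1` instead of `@master` is a clear improvement; the SHA-pinning remark from the first hunk of this series applies here as well.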
From: Oleksandr Zhevedenko <720803+Net-burst@users.noreply.github.com> Date: Thu, 15 Jan 2026 10:17:39 -0500 Subject: [PATCH 2/4] Updates after review --- .github/workflows/code-path-changes.yml | 6 +++--- .github/workflows/cross-repo-issue.yml | 3 +++ .github/workflows/docker-image-publish.yml | 8 ++++---- .github/workflows/pr-functional-tests.yml | 15 +++++++++++++++ .github/workflows/pr-module-functional-tests.yml | 15 +++++++++++++++ .github/workflows/release-drafter.yml | 5 +++++ .github/workflows/slack-stale-pr.yml | 3 +++ .github/workflows/trivy-security-check.yml | 3 ++- 8 files changed, 50 insertions(+), 8 deletions(-) diff --git a/.github/workflows/code-path-changes.yml b/.github/workflows/code-path-changes.yml index 2841d4356ce..f818d867441 100644 --- a/.github/workflows/code-path-changes.yml +++ b/.github/workflows/code-path-changes.yml @@ -6,6 +6,9 @@ on: paths: - '**' +permissions: + contents: read + env: OAUTH2_CLIENT_ID: ${{ secrets.OAUTH2_CLIENT_ID }} OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET }} @@ -14,9 +17,6 @@ env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -permissions: - contents: read - jobs: notify: runs-on: ubuntu-latest diff --git a/.github/workflows/cross-repo-issue.yml b/.github/workflows/cross-repo-issue.yml index 618e3efa09f..5d2e512d4c6 100644 --- a/.github/workflows/cross-repo-issue.yml +++ b/.github/workflows/cross-repo-issue.yml @@ -6,6 +6,9 @@ on: branches: - 'master' +permissions: + contents: read + jobs: cross-repo: runs-on: ubuntu-latest diff --git a/.github/workflows/docker-image-publish.yml b/.github/workflows/docker-image-publish.yml index e208d4d0f02..7f993ade73d 100644 --- a/.github/workflows/docker-image-publish.yml +++ b/.github/workflows/docker-image-publish.yml 
@@ -5,14 +5,14 @@ on: tags: - '*' -env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} - permissions: contents: read packages: write +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + jobs: build: name: Publish Docker image for new tag/release diff --git a/.github/workflows/pr-functional-tests.yml b/.github/workflows/pr-functional-tests.yml index 2706024e903..6e93aef06c6 100644 --- a/.github/workflows/pr-functional-tests.yml +++ b/.github/workflows/pr-functional-tests.yml @@ -45,3 +45,18 @@ jobs: -DdockerfileName=Dockerfile \ -Dcheckstyle.skip \ --file extra/pom.xml + + - name: Emitting run result of functional test + if: always() + uses: dorny/test-reporter@v2.5.0 + with: + name: 'Functional tests' + working-directory: 'target/failsafe-reports' + path: 'TEST-*.xml' + reporter: java-junit + use-actions-summary: 'true' + list-suites: 'failed' + list-tests: 'failed' + fail-on-error: true + fail-on-empty: true + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-module-functional-tests.yml b/.github/workflows/pr-module-functional-tests.yml index 9c7c2b2ad8a..3f43fa6de72 100644 --- a/.github/workflows/pr-module-functional-tests.yml +++ b/.github/workflows/pr-module-functional-tests.yml @@ -49,3 +49,18 @@ jobs: -DdockerfileName=Dockerfile-modules \ -Dcheckstyle.skip \ --file extra/pom.xml + + - name: Emitting run result of functional test + if: always() + uses: dorny/test-reporter@v2.5.0 + with: + name: 'Module functional tests' + working-directory: 'target/failsafe-reports' + path: 'TEST-*.xml' + reporter: java-junit + use-actions-summary: 'true' + list-suites: 'failed' + list-tests: 'failed' + fail-on-error: true + fail-on-empty: true + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index cb7686192cd..75ea23441de 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml 
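Review bot: The re-added `dorny/test-reporter@v2.5.0` step in pr-functional-tests.yml relies on `checks: write`, which GitHub does not grant to the GITHUB_TOKEN of `pull_request` runs from forks; combined with `fail-on-error: true` and `if: always()` that would fail such PRs irrespective of the test outcome, if this workflow's triggers (outside the hunk) include fork pull requests. In that case use the reporter's documented `workflow_run` pattern (tests upload the XML as an artifact, a separate workflow with write permissions publishes the check), or set `fail-on-error: false` and rely on the Maven step for pass/fail. The same applies to the identical step in the pr-module-functional-tests.yml hunk on this line. Both steps' enclosing jobs start outside the hunk, and `token: ${{ secrets.GITHUB_TOKEN }}` is the action's default and could be dropped.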
@@ -5,9 +5,14 @@ on: tags: - '*' +permissions: + contents: read + jobs: update_release_draft: name: Publish release with notes + permissions: + contents: write runs-on: ubuntu-latest steps: - name: Create and publish release diff --git a/.github/workflows/slack-stale-pr.yml b/.github/workflows/slack-stale-pr.yml index b6a044a2af3..2478583338e 100644 --- a/.github/workflows/slack-stale-pr.yml +++ b/.github/workflows/slack-stale-pr.yml @@ -6,6 +6,9 @@ on: schedule: - cron: '0 9 * * 1' +permissions: + contents: read + jobs: fetch-PRs: runs-on: ubuntu-latest diff --git a/.github/workflows/trivy-security-check.yml b/.github/workflows/trivy-security-check.yml index 72cd56857d4..b73eda3b40d 100644 --- a/.github/workflows/trivy-security-check.yml +++ b/.github/workflows/trivy-security-check.yml @@ -8,11 +8,12 @@ on: permissions: contents: read - security-events: write jobs: build: name: Trivy security check + permissions: + security-events: write runs-on: ubuntu-latest steps: - name: Checkout Code From 1b152e085a9f4a4f9dd0f84961472df2fa800356 Mon Sep 17 00:00:00 2001 From: Oleksandr Zhevedenko <720803+Net-burst@users.noreply.github.com> Date: Thu, 15 Jan 2026 10:51:32 -0500 Subject: [PATCH 3/4] Remove unneeded CI permission --- .github/workflows/pr-functional-tests.yml | 1 - .github/workflows/pr-java-ci.yml | 1 - .github/workflows/pr-module-functional-tests.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/workflows/pr-functional-tests.yml b/.github/workflows/pr-functional-tests.yml index 6e93aef06c6..d512022413a 100644 --- a/.github/workflows/pr-functional-tests.yml +++ b/.github/workflows/pr-functional-tests.yml @@ -15,7 +15,6 @@ permissions: contents: read actions: read checks: write - pull-requests: write jobs: build: diff --git a/.github/workflows/pr-java-ci.yml b/.github/workflows/pr-java-ci.yml index 64b086f8015..d69d222592f 100644 --- a/.github/workflows/pr-java-ci.yml +++ b/.github/workflows/pr-java-ci.yml 
@@ -15,7 +15,6 @@ permissions: contents: read actions: read checks: write - pull-requests: write jobs: build: diff --git a/.github/workflows/pr-module-functional-tests.yml b/.github/workflows/pr-module-functional-tests.yml index 3f43fa6de72..c3b04858677 100644 --- a/.github/workflows/pr-module-functional-tests.yml +++ b/.github/workflows/pr-module-functional-tests.yml @@ -15,7 +15,6 @@ permissions: contents: read actions: read checks: write - pull-requests: write jobs: build: From 0dba1c0db66b79fa1533605340220addd18414eb Mon Sep 17 00:00:00 2001 From: Oleksandr Zhevedenko <720803+Net-burst@users.noreply.github.com> Date: Thu, 15 Jan 2026 14:21:47 -0500 Subject: [PATCH 4/4] Remove Slack stale PR notifications to reduce Slack spam --- .github/workflows/slack-stale-pr.yml | 30 ---------------------------- 1 file changed, 30 deletions(-) delete mode 100644 .github/workflows/slack-stale-pr.yml diff --git a/.github/workflows/slack-stale-pr.yml b/.github/workflows/slack-stale-pr.yml deleted file mode 100644 index 2478583338e..00000000000 --- a/.github/workflows/slack-stale-pr.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: Post Stale PRs To Slack - -on: - # run Monday 9am and on-demand - workflow_dispatch: - schedule: - - cron: '0 9 * * 1' - -permissions: - contents: read - -jobs: - fetch-PRs: - runs-on: ubuntu-latest - steps: - - name: Fetch pull requests - id: local - uses: paritytech/stale-pr-finder@v0.3.0 - with: - GITHUB_TOKEN: ${{ github.token }} - days-stale: 14 - ignoredLabels: 'blocked' - - name: Post to a Slack channel - id: slack - uses: slackapi/slack-github-action@v1.27.1 - with: - channel-id: ${{ secrets.SLACK_CHANNEL_ID }} - slack-message: ${{ steps.local.outputs.message }} - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
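Review bot: After this hunk pr-java-ci.yml still grants `actions: read` and `checks: write`, but the only consumer of those scopes, the `Publish JUnit Report` step, was removed in the first patch of this series and, unlike the dorny/test-reporter steps of the two functional-test workflows, was never re-added. The remaining job (checkout, setup-java, `mvn -B package`) needs nothing beyond `contents: read`, so the least-privilege version of this block is `permissions:` followed by `contents: read` alone. If the JUnit report is meant to come back in a later change, a comment on the two extra lines saying so would stop them from looking like leftovers.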