
remove .gitignore from leading apps and add mta.yaml back #505

Merged
vibhutikumar07 merged 1 commit into workflowHardening from repoHardening
Jun 4, 2026

@vibhutikumar07

Contributor

Describe your changes

Any documentation

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist before requesting a review

  • I follow Java Development Guidelines for SAP
  • I have tested the functionality on my cloud environment.
  • I have provided sufficient automated/unit tests for the code.
  • I have increased or maintained the test coverage.
  • I have run integration tests on my cloud environment.
  • I have validated blackduck portal for any vulnerability after my commit.

Upload Screenshots/lists of the scenarios tested

  • I have Uploaded Screenshots or added lists of the scenarios tested in description

@vibhutikumar07 vibhutikumar07 merged commit 6c66e29 into workflowHardening Jun 4, 2026
7 of 8 checks passed
vibhutikumar07 added a commit that referenced this pull request Jun 5, 2026
* Harden GitHub Actions workflows — environment, secret masking & log protection

Security changes applied to all 19 workflow files:

1. environment: dev — All jobs now pull secrets from the protected "dev"
   environment instead of repo-level secrets, adding an extra access
   control layer. Jobs with existing environment (maven-central) are
   kept as-is.

2. Secrets moved from inline ${{ secrets.X }} to env: blocks — Prevents
   secret values from appearing in the process argument list (visible via
   ps/audit logs). Shell commands now reference $ENV_VAR instead.

3. set +x in every sensitive step — Disables bash debug-trace mode before
   any secret variable is assigned, preventing accidental log exposure if
   debug mode is ever enabled upstream.

4. ::add-mask:: for all runtime-fetched and copied secret variables —
   Registers CF credentials, clientSecret/clientID (fetched from XSUAA
   at runtime), usernames and passwords with GitHub's log scrubber so
   any accidental echo or error trace is redacted as *** in logs.

* Update pom.xml

* remove .gitignore from leading apps and add mta.yaml back (#505)

Co-authored-by: Yashmeet . <yashmeet@sap.com>

* Update multiTenancyDeployLocal.yml

* Update pom.xml

* modified workflow

* Added retry logic

* Added Retry logic

* modified workflow

* updated sdm version

* Updated sdm version in pom

---------

Co-authored-by: Yashmeet . <yashmeet@sap.com>
vibhutikumar07 added a commit that referenced this pull request Jun 5, 2026
…apps from SDM plugin (#504)

* Move leading app to SDM plugin & workflow files update to read these apps from SDM plugin

* remove .gitignore from leading apps and add mta.yaml back

* Update action.yml for new app path

* Workflow Security Hardening (#506)

* Harden GitHub Actions workflows — environment, secret masking & log protection

Security changes applied to all 19 workflow files:

1. environment: dev — All jobs now pull secrets from the protected "dev"
   environment instead of repo-level secrets, adding an extra access
   control layer. Jobs with existing environment (maven-central) are
   kept as-is.

2. Secrets moved from inline ${{ secrets.X }} to env: blocks — Prevents
   secret values from appearing in the process argument list (visible via
   ps/audit logs). Shell commands now reference $ENV_VAR instead.

3. set +x in every sensitive step — Disables bash debug-trace mode before
   any secret variable is assigned, preventing accidental log exposure if
   debug mode is ever enabled upstream.

4. ::add-mask:: for all runtime-fetched and copied secret variables —
   Registers CF credentials, clientSecret/clientID (fetched from XSUAA
   at runtime), usernames and passwords with GitHub's log scrubber so
   any accidental echo or error trace is redacted as *** in logs.

* Update pom.xml

* remove .gitignore from leading apps and add mta.yaml back (#505)

Co-authored-by: Yashmeet . <yashmeet@sap.com>

* Update multiTenancyDeployLocal.yml

* Update pom.xml

* modified workflow

* Added retry logic

* Added Retry logic

* modified workflow

* updated sdm version

* Updated sdm version in pom

---------

Co-authored-by: Yashmeet . <yashmeet@sap.com>

* Update blackduck.yml

* updated the workflow to use the pr environment & also added codeowner

* updated the workflow

* modified workflow

---------

Co-authored-by: vibhutikumar <160819926+vibhutikumar07@users.noreply.github.com>
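
The four measures listed in the hardening commit message above, shown as one weak job next to its hardened form. This is an added example, not taken from the repository's workflows: the job names, secret names and `./scripts/*.sh` helpers are hypothetical, and `cf auth` is used because it reads `CF_USERNAME`/`CF_PASSWORD` from the environment, which keeps the password out of the command line.

```yaml
# Added example; job, secret and script names are hypothetical.
name: deploy-example
on: workflow_dispatch

jobs:
  # BEFORE: repo-level secrets are templated into the script text itself.
  deploy-weak:
    runs-on: ubuntu-latest
    steps:
      - name: Log in to Cloud Foundry
        run: |
          cf login -a ${{ secrets.CF_API }} -u ${{ secrets.CF_USERNAME }} -p ${{ secrets.CF_PASSWORD }}

  # AFTER: measures (1) to (4) from the commit message.
  deploy-hardened:
    runs-on: ubuntu-latest
    environment: dev          # (1) secrets resolve from the protected "dev" environment
    steps:
      - uses: actions/checkout@v4

      - name: Log in to Cloud Foundry
        env:                  # (2) secrets reach the shell as environment variables
          CF_API: ${{ secrets.CF_API }}
          CF_USERNAME: ${{ secrets.CF_USERNAME }}
          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
        run: |
          set +x              # (3) tracing off before any secret is touched
          cf api "$CF_API"
          cf auth             # credentials come from CF_USERNAME / CF_PASSWORD

      - name: Fetch client secret at runtime
        run: |
          set +x
          # Hypothetical helper standing in for the XSUAA lookup.
          CLIENT_SECRET="$(./scripts/fetch-client-secret.sh)"
          # (4) Values fetched during the run are not in the secrets context,
          # so the log scrubber only knows them once they are registered.
          echo "::add-mask::$CLIENT_SECRET"
          export CLIENT_SECRET
          ./scripts/run-integration-tests.sh   # hypothetical consumer
```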