From 788624fe4d749d7c0cf1351d7eaeb707cd8ec7b1 Mon Sep 17 00:00:00 2001
From: Dustin Kut Moy Cheung
Date: Fri, 27 Mar 2026 10:07:56 -0400
Subject: [PATCH 1/3] Modify our github actions based on zizmor warnings
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/maven-ci.yml | 9 ++++++---
 .github/workflows/maven-jib.yml | 5 ++++-
 .github/workflows/maven-release.yml | 8 +++++---
 .github/workflows/maven-set-version.yml | 13 +++++++++----
 .github/workflows/maven-snapshot.yml | 8 +++++---
 .github/workflows/validate.yml | 15 +++++++++++++--
 7 files changed, 46 insertions(+), 16 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 61e6748..82a3e1d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,7 @@ updates:
 schedule:
 # Check for updates to GitHub Actions every week
 interval: "weekly"
+ # wait after a new release till we create a PR, to reduce risk of pulling
+ # a compromised new version
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/maven-ci.yml b/.github/workflows/maven-ci.yml
index 9b9d770..5babb1b 100644
--- a/.github/workflows/maven-ci.yml
+++ b/.github/workflows/maven-ci.yml
@@ -40,19 +40,22 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }}
+ persist-credentials: false
 - name: Set up JDK '${{ inputs.java_version }}'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: '${{ inputs.java_version }}'
 distribution: 'temurin'
 cache: maven
 - name: Build Command invocation
- run: '${{ inputs.build_command }}'
+ run: '${INPUTS_BUILD_COMMAND}'
+ env:
+ INPUTS_BUILD_COMMAND: ${{ inputs.build_command }}
 - name: Check for wrong code formatting
 run: |
diff --git a/.github/workflows/maven-jib.yml b/.github/workflows/maven-jib.yml
index 8af50f2..0853e13 100644
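Review bot: The new `cooldown` block only delays Dependabot version-update PRs; as far as I recall, Dependabot security updates are not subject to cooldown, so a PR that bumps an action because of an advisory can still arrive inside the 7-day window — which is usually desirable, but the comment reads as though every new version waits. Confirm against the current Dependabot docs and make the comment state the scope, e.g. `# wait 7 days after a new release before opening a version-update PR (security updates are not delayed), to reduce the risk of pulling a compromised version`. The `updates:` entry this cooldown belongs to starts above the hunk, so it is worth checking it is the github-actions ecosystem entry the comment on the line above describes.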
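Review bot: Moving `build_command` into the `INPUTS_BUILD_COMMAND` environment variable changes how the command is executed: the step script is now the single word `${INPUTS_BUILD_COMMAND}`, so bash word-splits the value and runs the first word as the program, whereas the old `${{ inputs.build_command }}` spliced the text into the script and let the shell interpret it — a caller passing `mvn -B verify && mvn site`, a quoted argument, or a `$VAR` will behave differently or fail. The same applies to `run: ${INPUTS_RELEASE_COMMAND}` in maven-release.yml and to `${INPUTS_SNAPSHOT_DEPLOY_COMMAND}` inside the folded `run: >` of maven-snapshot.yml, where the appended `-Dquarkus…` flags only work if the command has no shell operators. If callers are expected to pass a plain argv-style command, document that constraint in each input's `description:` (the `inputs:` blocks are above these hunks); if full command lines are intended, `run: eval "$INPUTS_BUILD_COMMAND"` restores the old semantics while keeping the value out of the workflow template, and since these look like reusable workflows the string comes from the calling workflow either way, so the trust boundary is unchanged — but the `eval` should then carry a comment saying why it is there.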
--- a/.github/workflows/maven-jib.yml
+++ b/.github/workflows/maven-jib.yml
@@ -1,4 +1,5 @@
 name: Build the JIB image and upload to the container registry
+permissions: {}
 on:
 workflow_dispatch:
@@ -7,7 +8,9 @@ jobs:
 snapshot:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 ###############################################################################
 # WIP
diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml
index c33082c..20cc158 100644
--- a/.github/workflows/maven-release.yml
+++ b/.github/workflows/maven-release.yml
@@ -58,10 +58,11 @@ jobs:
 FINAL_REF: ${{ github.event.inputs.ref_to_release || github.event.repository.default_branch }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: '${{ env.FINAL_REF }}'
 fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }}
+ persist-credentials: false
 - name: Configure Git User
 run: |
@@ -71,7 +72,7 @@ jobs:
 git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
 - name: Set up JDK '${{ inputs.java_version }}'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: '${{ inputs.java_version }}'
 distribution: 'temurin'
@@ -83,11 +84,12 @@ jobs:
 gpg-passphrase: MAVEN_GPG_PASSPHRASE
 - name: Publish to Central
- run: ${{ inputs.release_command }}
+ run: ${INPUTS_RELEASE_COMMAND}
 env:
 MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
 MAVEN_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
 MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+ INPUTS_RELEASE_COMMAND: ${{ inputs.release_command }}
 - name: Push all the git commits and tags back to the repository
 run: git push && git push --tags
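Review bot: `permissions: {}` at the workflow level empties the `GITHUB_TOKEN` for every job, and the `snapshot` job in the second hunk is the one the workflow name says pushes an image to the container registry; if that push authenticates with `GITHUB_TOKEN` (for example against GHCR) the job needs its own scopes, such as `contents: read` and `packages: write` in a `permissions:` block directly under `snapshot:`. If it authenticates with a registry secret instead, nothing is needed, but a one-line comment next to `permissions: {}` saying so would stop the next reader from widening the token. The rest of the job is marked WIP and continues below the hunk, so this is a check rather than a confirmed failure.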
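Review bot: `persist-credentials: false` on this checkout removes the token that the later `Push all the git commits and tags back to the repository` step (`git push && git push --tags`, visible as context in the third hunk of this file and apparently in the same job) relies on, so the release job will most likely stop at the push with an authentication error unless credentials are configured somewhere outside these hunks. maven-set-version.yml has the same combination, `persist-credentials: false` on the checkout followed by `git push` in its last hunk. For the jobs that must push, the usual resolution is to keep the credential on that one checkout with an explicit `persist-credentials: true` and to grant only that job `permissions: contents: write`, so the token stays scoped while the non-pushing workflows (maven-ci, maven-jib, maven-snapshot, validate) keep the new `false`.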
diff --git a/.github/workflows/maven-set-version.yml b/.github/workflows/maven-set-version.yml
index b56df4e..2007d05 100644
--- a/.github/workflows/maven-set-version.yml
+++ b/.github/workflows/maven-set-version.yml
@@ -47,9 +47,10 @@ jobs:
 FINAL_REF: ${{ github.event.inputs.ref_for_version || github.event.repository.default_branch }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: '${{ env.FINAL_REF }}'
+ persist-credentials: false
 - name: Configure Git User
 run: |
@@ -60,7 +61,7 @@ jobs:
 - name: Set up JDK '${{ inputs.java_version }}'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: '${{ inputs.java_version }}'
 distribution: 'temurin'
@@ -68,10 +69,14 @@ jobs:
 - name: Update Version in pom.xml
 run: |
- mvn -B versions:set -DnewVersion=${{ inputs.new_version }} -DgenerateBackupPoms=false
+ mvn -B versions:set -DnewVersion=${INPUTS_NEW_VERSION} -DgenerateBackupPoms=false
+ env:
+ INPUTS_NEW_VERSION: ${{ inputs.new_version }}
 - name: Push all the git commits and tags back to the repository
 run: |
 git add -A
- git commit -m "chore: Bump version to: ${{ inputs.new_version }}"
+ git commit -m "chore: Bump version to: ${INPUTS_NEW_VERSION}"
 git push
+ env:
+ INPUTS_NEW_VERSION: ${{ inputs.new_version }}
diff --git a/.github/workflows/maven-snapshot.yml b/.github/workflows/maven-snapshot.yml
index bc66c29..ff0454f 100644
--- a/.github/workflows/maven-snapshot.yml
+++ b/.github/workflows/maven-snapshot.yml
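Review bot: `INPUTS_NEW_VERSION` is declared twice in the last hunk, once in the `env:` of `Update Version in pom.xml` and again in `Push all the git commits and tags back to the repository`; since both steps read the same value, a single entry next to `FINAL_REF` (which appears to be job-level `env:` above the first hunk) avoids the two copies drifting apart, e.g. `INPUTS_NEW_VERSION: ${{ inputs.new_version }}` once at job level. The `git commit -m "chore: Bump version to: ${INPUTS_NEW_VERSION}"` line is fine as written because the expansion sits inside double quotes; the unquoted `-DnewVersion=${INPUTS_NEW_VERSION}` above it is quoted by the second patch in this series.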
@@ -56,12 +56,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }}
+ persist-credentials: false
 - name: Set up JDK '${{ inputs.java_version }}'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: '${{ inputs.java_version }}' # java version to use
 distribution: 'temurin'
@@ -78,10 +79,11 @@ jobs:
 # Only run for snapshot version and not for commits with released versions
 if: endsWith(steps.project-version.outputs.version, '-SNAPSHOT')
 run: >
- ${{ inputs.snapshot_deploy_command }}
+ ${INPUTS_SNAPSHOT_DEPLOY_COMMAND}
 ${{ inputs.quarkus_jib_image && '-Dquarkus.container-image.build=true -Dquarkus.container-image.push=true' || '' }}
 env:
 MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
 MAVEN_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
 QUARKUS_CONTAINER_IMAGE_USERNAME: ${{ secrets.QUAY_DEVEL_USERNAME }}
 QUARKUS_CONTAINER_IMAGE_PASSWORD: ${{ secrets.QUAY_DEVEL_PASSWORD }}
+ INPUTS_SNAPSHOT_DEPLOY_COMMAND: ${{ inputs.snapshot_deploy_command }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 8507c50..7ff3211 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -1,4 +1,5 @@
 name: Validate GitHub Actions Workflows
+permissions: {}
 on:
 pull_request:
@@ -10,7 +11,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Validate GitHub Actions
- uses: jazzsequence/github-action-validator@v1
+ uses: jazzsequence/github-action-validator@8dce06e551e2b2a09f6e8c72e76fa4b60da5c8f1 # v1.0.1
+
+ - name: Run actionlint # https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
+ run: |
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ ./actionlint
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
From d800f12d66265145e11d2656c0c089b325b35bcf Mon Sep 17 00:00:00 2001
From: Dustin Kut Moy Cheung
Date: Fri, 27 Mar 2026 10:13:34 -0400
Subject: [PATCH 2/3] Update actions based on actionlint output
---
 .github/workflows/maven-release.yml | 4 ++++
 .github/workflows/maven-set-version.yml | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml
index 20cc158..4f7fc45 100644
--- a/.github/workflows/maven-release.yml
+++ b/.github/workflows/maven-release.yml
@@ -38,6 +38,10 @@ on:
 required: true
 SONATYPE_PASSWORD:
 required: true
+ GPG_PRIVATE_KEY:
+ required: true
+ GPG_PASSPHRASE:
+ required: true
 # cancel in-progress runs of the same workflow
 # to avoid unecessary runs when multiple commits pushed
diff --git a/.github/workflows/maven-set-version.yml b/.github/workflows/maven-set-version.yml
index 2007d05..651bb86 100644
--- a/.github/workflows/maven-set-version.yml
+++ b/.github/workflows/maven-set-version.yml
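Review bot: With `permissions: {}` now set at the workflow level (the first hunk of this file, at the end of the previous line) the new `Run zizmor` step runs with an empty `GITHUB_TOKEN`; as far as I recall zizmor-action's default mode uploads SARIF results to code scanning, which needs `security-events: write` (plus `contents: read` and `actions: read`), so either add those scopes in a `permissions:` block on this job (its header is above the hunk) or configure the action to annotate and fail the run without uploading. This still holds after the third patch in this series, which keeps the zizmor step unchanged. The `bash <(curl …/main/…)` download of actionlint added here is unpinned and unverified, but the third patch replaces it with a SHA-pinned action, so no separate change is needed for it.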
@@ -69,7 +69,7 @@ jobs:
 - name: Update Version in pom.xml
 run: |
- mvn -B versions:set -DnewVersion=${INPUTS_NEW_VERSION} -DgenerateBackupPoms=false
+ mvn -B versions:set -DnewVersion="${INPUTS_NEW_VERSION}" -DgenerateBackupPoms=false
 env:
 INPUTS_NEW_VERSION: ${{ inputs.new_version }}
From 09e2074b12f31d89a5e6e94d06e4585d5500db5b Mon Sep 17 00:00:00 2001
From: Dustin Kut Moy Cheung
Date: Mon, 30 Mar 2026 13:39:27 -0400
Subject: [PATCH 3/3] Remove github-action-validator and use ghaction actionlint
---
 .github/workflows/validate.yml | 9 ++------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 7ff3211..8d4b640 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -15,13 +15,8 @@ jobs:
 with:
 persist-credentials: false
- - name: Validate GitHub Actions
- uses: jazzsequence/github-action-validator@8dce06e551e2b2a09f6e8c72e76fa4b60da5c8f1 # v1.0.1
-
- - name: Run actionlint # https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
- run: |
- bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
- ./actionlint
+ - name: Run actionlint to lint our github action
+ uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2
 - name: Run zizmor 🌈
 uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2