Skip to content

Zizmorify GitHub actions #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
thescouser89 merged 3 commits into from
Mar 31, 2026
Merged

Zizmorify GitHub actions #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
788624f
Modify our github actions based on zizmor warnings
thescouser89 Mar 27, 2026
d800f12
Update actions based on actionlint output
thescouser89 Mar 27, 2026
09e2074
Remove github-action-validator and use ghaction actionlint
thescouser89 Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,7 @@ updates:
schedule:
# Check for updates to GitHub Actions every week
interval: "weekly"
# wait after a new release till we create a PR, to reduce risk of pulling
# a compromised new version
cooldown:
default-days: 7
9 changes: 6 additions & 3 deletions .github/workflows/maven-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,19 +40,22 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }}
persist-credentials: false

- name: Set up JDK '${{ inputs.java_version }}'
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: '${{ inputs.java_version }}'
distribution: 'temurin'
cache: maven

- name: Build Command invocation
run: '${{ inputs.build_command }}'
run: '${INPUTS_BUILD_COMMAND}'
env:
INPUTS_BUILD_COMMAND: ${{ inputs.build_command }}

- name: Check for wrong code formatting
run: |
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/maven-jib.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
name: Build the JIB image and upload to the container registry
permissions: {}

on:
workflow_dispatch:
Expand All @@ -7,7 +8,9 @@ jobs:
snapshot:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

###############################################################################
# WIP
Expand Down
12 changes: 9 additions & 3 deletions .github/workflows/maven-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,10 @@ on:
required: true
SONATYPE_PASSWORD:
required: true
GPG_PRIVATE_KEY:
required: true
GPG_PASSPHRASE:
required: true

# cancel in-progress runs of the same workflow
# to avoid unecessary runs when multiple commits pushed
Expand All @@ -58,10 +62,11 @@ jobs:
FINAL_REF: ${{ github.event.inputs.ref_to_release || github.event.repository.default_branch }}

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: '${{ env.FINAL_REF }}'
fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }}
persist-credentials: false

- name: Configure Git User
run: |
Expand All @@ -71,7 +76,7 @@ jobs:
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"

- name: Set up JDK '${{ inputs.java_version }}'
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: '${{ inputs.java_version }}'
distribution: 'temurin'
Expand All @@ -83,11 +88,12 @@ jobs:
gpg-passphrase: MAVEN_GPG_PASSPHRASE

- name: Publish to Central
run: ${{ inputs.release_command }}
run: ${INPUTS_RELEASE_COMMAND}
env:
MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
INPUTS_RELEASE_COMMAND: ${{ inputs.release_command }}

- name: Push all the git commits and tags back to the repository
run: git push && git push --tags
13 changes: 9 additions & 4 deletions .github/workflows/maven-set-version.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,9 +47,10 @@ jobs:
FINAL_REF: ${{ github.event.inputs.ref_for_version || github.event.repository.default_branch }}

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: '${{ env.FINAL_REF }}'
persist-credentials: false

- name: Configure Git User
run: |
Expand All @@ -60,18 +61,22 @@ jobs:


- name: Set up JDK '${{ inputs.java_version }}'
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: '${{ inputs.java_version }}'
distribution: 'temurin'
cache: maven

- name: Update Version in pom.xml
run: |
mvn -B versions:set -DnewVersion=${{ inputs.new_version }} -DgenerateBackupPoms=false
mvn -B versions:set -DnewVersion="${INPUTS_NEW_VERSION}" -DgenerateBackupPoms=false
env:
INPUTS_NEW_VERSION: ${{ inputs.new_version }}

- name: Push all the git commits and tags back to the repository
run: |
git add -A
git commit -m "chore: Bump version to: ${{ inputs.new_version }}"
git commit -m "chore: Bump version to: ${INPUTS_NEW_VERSION}"
git push
env:
INPUTS_NEW_VERSION: ${{ inputs.new_version }}
8 changes: 5 additions & 3 deletions .github/workflows/maven-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,12 +56,13 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: ${{ inputs.fetch_all_commits == true && '0' || '1' }}
persist-credentials: false

- name: Set up JDK '${{ inputs.java_version }}'
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: '${{ inputs.java_version }}' # java version to use
distribution: 'temurin'
Expand All @@ -78,10 +79,11 @@ jobs:
# Only run for snapshot version and not for commits with released versions
if: endsWith(steps.project-version.outputs.version, '-SNAPSHOT')
run: >
${{ inputs.snapshot_deploy_command }}
${INPUTS_SNAPSHOT_DEPLOY_COMMAND}
${{ inputs.quarkus_jib_image && '-Dquarkus.container-image.build=true -Dquarkus.container-image.push=true' || '' }}
env:
MAVEN_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
QUARKUS_CONTAINER_IMAGE_USERNAME: ${{ secrets.QUAY_DEVEL_USERNAME }}
QUARKUS_CONTAINER_IMAGE_PASSWORD: ${{ secrets.QUAY_DEVEL_PASSWORD }}
INPUTS_SNAPSHOT_DEPLOY_COMMAND: ${{ inputs.snapshot_deploy_command }}
12 changes: 9 additions & 3 deletions .github/workflows/validate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
name: Validate GitHub Actions Workflows
permissions: {}

on:
pull_request:
Expand All @@ -10,7 +11,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Validate GitHub Actions
uses: jazzsequence/github-action-validator@v1
- name: Run actionlint to lint our github action
uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2

- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2