Merge branch 'main' into dependabot/maven/org.assertj-assertj-core-3.27.2

Author: sthulb

.github/workflows/build-docs.yml

@@ -18,6 +18,9 @@ on:
       - 'mkdocs.yml'
       - 'Makefile'
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     runs-on: ubuntu-latest

.github/workflows/dispatch_analytics.yml

@@ -7,22 +7,23 @@ on:
     - cron: '0 * * * *'
 
 permissions:
-  id-token: write
-  actions: read
-  checks: read
   contents: read
-  deployments: read
-  issues: read
-  discussions: read
-  packages: read
-  pages: read
-  pull-requests: read
-  repository-projects: read
-  security-events: read
-  statuses: read
 
 jobs:
   dispatch_token:
+    permissions:
+      id-token: write
+      actions: read
+      checks: read
+      deployments: read
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
     concurrency:
       group: analytics
     runs-on: ubuntu-latest

.github/workflows/docs.yml

@@ -7,14 +7,14 @@ on:
   workflow_dispatch: {}
 
 permissions:
-  id-token: write
-  contents: write
-  pages: write
+  contents: read
 
 jobs:
   docs:
     runs-on: ubuntu-latest
     environment: Docs
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Set up Python

.github/workflows/openssf_scorecard.yml

@@ -0,0 +1,48 @@
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  schedule:
+    - cron: "0 9 * * *"
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # environment: scorecard
+    permissions:
+      security-events: write  # update code-scanning dashboard
+      id-token: write  # confirm org+repo identity before publish results
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true  # publish to OSSF Scorecard REST API
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}  # read-only fine-grained token to read branch protection settings
+
+      - name: "Upload results"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        with:
+          sarif_file: results.sarif

.github/workflows/osv.yml

@@ -0,0 +1,26 @@
+name: OSV-Scanner
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+    branches: [main]
+  workflow_dispatch: {}
+
+  schedule:
+    - cron: "30 12 * * 1"
+  # Change "main" to your default branch if you use a different name, i.e. "master"
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  scan-pr:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638"

.github/workflows/pr_artifacts_size.yml

@@ -23,6 +23,10 @@ on:
       - 'powertools-validation/**'
       - 'pom.xml'
       - '.github/workflows/pr_artifacts_size.yml'
+
+permissions:
+  contents: read
+
 jobs:
   codecheck:
     runs-on: ubuntu-latest

.github/workflows/pr_build.yml

@@ -45,6 +45,10 @@ on:
       - 'pom.xml'
       - 'examples/pom.xml'
       - '.github/workflows/**'
+
+permissions:
+  contents: read
+
 jobs:
   build-corretto:
     runs-on: ubuntu-latest
@@ -58,7 +62,6 @@ jobs:
       AWS_REGION: eu-west-1
     permissions:
       id-token: write # needed to interact with GitHub's OIDC Token endpoint.
-      contents: read
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Setup java
@@ -69,14 +72,30 @@ jobs:
           cache: 'maven'
       - name: Build with Maven
         run: mvn -B install --file pom.xml
+      - name: Build Gradle Setup
+        if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
+        working-directory: examples/powertools-examples-core/gradle
+        run: |
+          curl -L -o gradle/wrapper/gradle.zip https:$(cat gradle/wrapper/gradle-wrapper.properties  | grep distributionUrl | cut -d ':' -f 2)
+          unzip gradle/wrapper/gradle.zip -d gradle/wrapper/gradle
+          ./gradle/wrapper/gradle/gradle-8.2.1/bin/gradle wrapper
       - name: Build Gradle Example - Java
         if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
         working-directory: examples/powertools-examples-core/gradle
         run: ./gradlew build
+
+      - name: Build Gradle Setup (Kotlin)
+        if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
+        working-directory: examples/powertools-examples-core/kotlin
+        run: |
+          curl -L -o gradle/wrapper/gradle.zip https:$(cat gradle/wrapper/gradle-wrapper.properties  | grep distributionUrl | cut -d ':' -f 2)
+          unzip gradle/wrapper/gradle.zip -d gradle/wrapper/gradle
+          ./gradle/wrapper/gradle/gradle-8.2.1/bin/gradle wrapper
       - name: Build Gradle Example - Kotlin
         if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
         working-directory: examples/powertools-examples-core/kotlin
         run: ./gradlew build
+        
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
         if: ${{ matrix.java == '11' }} # publish results once

.github/workflows/pr_build_v2.yml

@@ -41,6 +41,10 @@ on:
       - 'pom.xml'
       - 'examples/pom.xml'
       - '.github/workflows/**'
+
+permissions:
+  contents: read
+
 jobs:
   build-corretto:
     runs-on: ubuntu-latest
@@ -54,7 +58,6 @@ jobs:
       AWS_REGION: eu-west-1
     permissions:
       id-token: write # needed to interact with GitHub's OIDC Token endpoint.
-      contents: read
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Setup java

.github/workflows/pr_iac_lint.yml

@@ -11,6 +11,10 @@ on:
       - v2
     paths:
       - 'examples/**'
+
+permissions:
+  contents: read
+
 jobs:
   linter:
     runs-on: ubuntu-latest

.github/workflows/publish.yml

@@ -4,9 +4,18 @@ on:
     types:
       - published
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
+    environment: Release
+    permissions:
+      id-token: write
+      issues: write
+      contents: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Set up Maven Central Repository