From 9cb282142f645885058e50d44bf9688ac5e7e524 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 26 Oct 2025 07:46:35 +0000
Subject: [PATCH 1/4] Initial plan

From 689d54706de33f0b24bc07546808522f01d49ca7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 26 Oct 2025 07:51:02 +0000
Subject: [PATCH 2/4] Add GitHub Actions workflow for automatic site publishing

Co-authored-by: slachiewicz <6705942+slachiewicz@users.noreply.github.com>
---
 .github/workflows/site.yml | 55 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 .github/workflows/site.yml

diff --git a/.github/workflows/site.yml b/.github/workflows/site.yml
new file mode 100644
index 0000000..c6ded73
--- /dev/null
+++ b/.github/workflows/site.yml
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Site CI
+
+on:
+ push:
+ branches:
+ - '*'
+ - '!master'
+ pull_request:
+ branches:
+ - '*'
+ - '!master'
+
+jobs:
+
+ site:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up JDK
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ cache: 'maven'
+
+ - name: Setup deploy
+ id: setup
+ if: github.event_name == 'push' && github.repository_owner == 'codehaus-plexus' && github.ref == 'refs/heads/source'
+ run: |
+ git config --global user.email "${{ github.event.head_commit.author.email }}"
+ git config --global user.name "${{ github.event.head_commit.author.name }}"
+ echo "deploy=-deploy -Dusername=git -Dpassword=${{ github.token }} -Dscmpublish.checkinComment='Site checkin for ${{ github.event.head_commit.id }}'" >> $GITHUB_OUTPUT
+
+ - name: Build with Maven
+ run: mvn --show-version --errors --batch-mode --update-snapshots clean site${{ steps.setup.outputs.deploy }}

From dcd3a8f38a39f74b133027bf3dc8a058991ce306 Mon Sep 17 00:00:00 2001
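Review bot: Both `uses:` lines in this new workflow reference their actions by a movable tag (`actions/checkout@v4`, `actions/setup-java@v4`), and this is the job that later deploys with the repository token. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, fixes the code that runs while still letting a dependency bot propose updates. The Checkout step also leaves `persist-credentials` at its default, so the token stays in the local git config while `mvn ... clean site` runs the project's build plugins. Because the deploy passes credentials explicitly through `-Dusername`/`-Dpassword`, adding `persist-credentials: false` looks safe, but confirm the publish step does not rely on the stored credential.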
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 26 Oct 2025 07:52:07 +0000
Subject: [PATCH 3/4] Fix security issues in site workflow - use env vars for untrusted input

Co-authored-by: slachiewicz <6705942+slachiewicz@users.noreply.github.com>
---
 .github/workflows/site.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/site.yml b/.github/workflows/site.yml
index c6ded73..e6f3889 100644
--- a/.github/workflows/site.yml
+++ b/.github/workflows/site.yml
@@ -46,10 +46,14 @@ jobs:
 - name: Setup deploy
 id: setup
 if: github.event_name == 'push' && github.repository_owner == 'codehaus-plexus' && github.ref == 'refs/heads/source'
+ env:
+ COMMIT_EMAIL: ${{ github.event.head_commit.author.email }}
+ COMMIT_NAME: ${{ github.event.head_commit.author.name }}
+ COMMIT_ID: ${{ github.event.head_commit.id }}
 run: |
- git config --global user.email "${{ github.event.head_commit.author.email }}"
- git config --global user.name "${{ github.event.head_commit.author.name }}"
- echo "deploy=-deploy -Dusername=git -Dpassword=${{ github.token }} -Dscmpublish.checkinComment='Site checkin for ${{ github.event.head_commit.id }}'" >> $GITHUB_OUTPUT
+ git config --global user.email "$COMMIT_EMAIL"
+ git config --global user.name "$COMMIT_NAME"
+ echo "deploy=-deploy -Dusername=git -Dpassword=${{ github.token }} -Dscmpublish.checkinComment='Site checkin for $COMMIT_ID'" >> "$GITHUB_OUTPUT"

 - name: Build with Maven
 run: mvn --show-version --errors --batch-mode --update-snapshots clean site${{ steps.setup.outputs.deploy }}

From d2c34375802ea626305e4c327c536057a8ae686f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 26 Oct 2025 07:53:50 +0000
Subject: [PATCH 4/4] Add explicit permissions to site workflow

Co-authored-by: slachiewicz <6705942+slachiewicz@users.noreply.github.com>
---
 .github/workflows/site.yml | 2 ++
 1 file changed, 2 insertions(+)
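Review bot: The rewritten `echo "deploy=..."` line still expands `${{ github.token }}` inside the script, so the token is written to `$GITHUB_OUTPUT` and then expanded again through `${{ steps.setup.outputs.deploy }}` in the Build step, where it becomes part of the `mvn` process arguments. The env-var treatment this commit gives the commit fields fits the token too: keep only the non-secret flags in the step output and give the Build step `env: GITHUB_TOKEN: ${{ github.token }}`, referenced as `-Dpassword="$GITHUB_TOKEN"` on the deploy path. That keeps the secret out of the output file and the rendered script, though it remains a `-D` argument; whether the publish plugin can take the credential from Maven settings instead is worth checking. Log masking of the token is a display-time safeguard and does not cover the output file or the process list.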
diff --git a/.github/workflows/site.yml b/.github/workflows/site.yml
index e6f3889..232c452 100644
--- a/.github/workflows/site.yml
+++ b/.github/workflows/site.yml
@@ -31,6 +31,8 @@ jobs:

 site:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write

 steps:
 - name: Checkout
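Review bot: `contents: write` is granted to the whole `site` job, so every push to a non-master branch runs `mvn ... clean site` with a token that can write to the repository, and that build executes whatever plugins the branch's POM declares. Only the `refs/heads/source` push path actually deploys. Consider a workflow-level default of `permissions:` / `contents: read`, with the deploy moved into a separate job that carries the `if:` condition from the Setup deploy step and its own `contents: write`. A short comment above the block, such as `# write access is needed only for the scm-publish checkin on the source branch`, would record why the grant exists. The hunk shows only the head of the job; the steps that would be split lie outside it.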