feat: update GitHub workflows with permissions and action versions

noraeb · noraeb · commit 50fba3c33225 · 2026-03-12T11:03:47.000+01:00
Signed-off-by: Nora Blomaard &lt;n.blomaard@gmail.com&gt;
diff --git a/.github/workflows/build-project.yml b/.github/workflows/build-project.yml
@@ -13,6 +13,9 @@ on:
       - 'main'
       - 'develop'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
@@ -21,31 +24,31 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Cache Docker Register
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ hashFiles('**/Dockerfile') }}
       - name: Cache Maven packages
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: Set up JDK 17
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: 'zulu'
           java-version: '17'
 
       - name: Create custom Maven Settings.xml
-        uses: whelk-io/maven-settings-xml-action@v22
+        uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
         with:
           output_file: custom_maven_settings.xml
           servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -17,48 +17,48 @@ jobs:
   release_please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@c3fc4de07084f75a2b61a5b933069bda6edf3d5c # v4
         id: release
         with:
           target-branch: main
       - name: Checkout
         if: ${{ steps.release.outputs.release_created }}
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Cache Docker Register
         if: ${{ steps.release.outputs.release_created }}
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ hashFiles('**/Dockerfile') }}
       - name: Cache Maven packages
         if: ${{ steps.release.outputs.release_created }}
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
       - name: Set up JDK 17
         if: ${{ steps.release.outputs.release_created }}
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: 'zulu'
           java-version: '17'
       - name: Set up Docker Buildx
         if: ${{ steps.release.outputs.release_created }}
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: Login to Docker Hub
         if: ${{ steps.release.outputs.release_created }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
       - name: Create custom Maven Settings.xml
         if: ${{ steps.release.outputs.release_created }}
-        uses: whelk-io/maven-settings-xml-action@v22
+        uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
         with:
           output_file: custom_maven_settings.xml
           servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
@@ -6,12 +6,15 @@ name: REUSE Compliance Check
 
 on: push
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: REUSE Compliance Check
-        uses: fsfe/reuse-action@v6
+        uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6
 
diff --git a/.github/workflows/sonarcloud-analysis.yml b/.github/workflows/sonarcloud-analysis.yml
@@ -14,96 +14,98 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.workflow_run.conclusion == 'success'
     timeout-minutes: 15
+    permissions:
+      contents: read
+      actions: read
+      pull-requests: read
     steps:
     - name: echo event
       run: cat $GITHUB_EVENT_PATH
     - name: Download PR number artifact
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
-      uses: dawidd6/action-download-artifact@v14
+      if: github.event.workflow_run.event == 'pull_request'
+      uses: dawidd6/action-download-artifact@5c98f0b039f36ef966fdb7dfa9779262785ecb05 # v14
       with:
         workflow: SonarCloud Build
         run_id: ${{ github.event.workflow_run.id }}
         name: PR_NUMBER
     - name: Read PR_NUMBER.txt
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
+      if: github.event.workflow_run.event == 'pull_request'
       id: pr_number
-      uses: juliangruber/read-file-action@v1
+      uses: juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58 # v1
       with:
         path: ./PR_NUMBER.txt
     - name: Request GitHub API for PR data
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
-      uses: octokit/request-action@v2.x
+      if: github.event.workflow_run.event == 'pull_request'
+      uses: octokit/request-action@05a2312de9f8207044c4c9e41fe19703986acc13 # v2.x
       id: get_pr_data
       with:
         route: GET /repos/{full_name}/pulls/{number}
         number: ${{ steps.pr_number.outputs.content }}
         full_name: ${{ github.event.repository.full_name }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
-        repository: ${{ github.event.workflow_run.head_repository.full_name }}
-        ref: ${{ github.event.workflow_run.head_branch }}
         fetch-depth: 0
-    - name: Checkout base branch
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
-      run: |
-        git remote add upstream ${{ github.event.repository.clone_url }}
-        git fetch upstream
-        git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
-        git checkout ${{ github.event.workflow_run.head_branch }}
-        git clean -ffdx && git reset --hard HEAD
+    - name: Download build artifacts
+      uses: dawidd6/action-download-artifact@5c98f0b039f36ef966fdb7dfa9779262785ecb05 # v14
+      with:
+        workflow: SonarCloud Build
+        run_id: ${{ github.event.workflow_run.id }}
+        name: build-artifacts
     - name: Cache SonarCloud packages
-      uses: actions/cache@v5
+      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
       with:
         path: ~/.sonar/cache
         key: ${{ runner.os }}-sonar
         restore-keys: ${{ runner.os }}-sonar
-    - name: Cache Maven packages
-      uses: actions/cache@v5
-      with:
-        path: ~/.m2
-        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-        restore-keys: ${{ runner.os }}-m2
 
     - name: Set up JDK 17
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: 'zulu'
         java-version: '17'
+        cache: 'maven'
 
     - name: Set Common Sonar Variables
       id: sonar_env
+      # Use $GITHUB_OUTPUT; the legacy ##[set-output] syntax is deprecated and disabled.
       run: |
-        echo "##[set-output name=sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \
-          -Dsonar.projectKey=com-pas_compas-scl-auto-alignment \
-          -Dsonar.organization=com-pas )"
+        echo "sonar_opts=-Dsonar.host.url=https://sonarcloud.io -Dsonar.projectKey=com-pas_compas-scl-auto-alignment -Dsonar.organization=com-pas" >> "$GITHUB_OUTPUT"
     - name: Create custom Maven Settings.xml
-      uses: whelk-io/maven-settings-xml-action@v22
+      uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
       with:
         output_file: custom_maven_settings.xml
         servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
     - name: Build and analyze (Pull Request)
-      if: ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }}
+      if: ${{ github.event.workflow_run.event == 'pull_request' }}
+      # Pass user-controlled PR metadata through env vars to prevent shell/argument injection.
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_PR_BRANCH: ${{ fromJson(steps.get_pr_data.outputs.data).head.ref }}
+        SONAR_PR_KEY: ${{ fromJson(steps.get_pr_data.outputs.data).number }}
+        SONAR_PR_BASE: ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
+        SONAR_SCM_REVISION: ${{ github.event.workflow_run.head_sha }}
       run: |
         ./mvnw -B -s custom_maven_settings.xml -Psonar \
           ${{ steps.sonar_env.outputs.sonar_opts }} \
-          -Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \
-          -Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \
-          -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \
-          -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
-          clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          "-Dsonar.pullrequest.branch=$SONAR_PR_BRANCH" \
+          "-Dsonar.pullrequest.key=$SONAR_PR_KEY" \
+          "-Dsonar.pullrequest.base=$SONAR_PR_BASE" \
+          "-Dsonar.scm.revision=$SONAR_SCM_REVISION" \
+          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
     - name: Build and analyze (Push)
       if: ${{ github.event.workflow_run.event == 'push' }}
+      # Pass user-controlled branch/revision values through env vars to prevent injection.
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_SCM_REVISION: ${{ github.event.workflow_run.head_sha }}
+        SONAR_BRANCH_NAME: ${{ github.event.workflow_run.head_branch }}
       run: |
         ./mvnw -B -s custom_maven_settings.xml -Psonar \
           ${{ steps.sonar_env.outputs.sonar_opts }} \
-          -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
-          -Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \
-          clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          "-Dsonar.scm.revision=$SONAR_SCM_REVISION" \
+          "-Dsonar.branch.name=$SONAR_BRANCH_NAME" \
+          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
diff --git a/.github/workflows/sonarcloud-build.yml b/.github/workflows/sonarcloud-build.yml
@@ -12,66 +12,60 @@ on:
     branches:
       - 'main'
       - 'develop'
-  pull_request_target:
-    branches:
-      - 'main'
-      - 'develop'
 
 jobs:
   precheck-build:
     name: Pre Check Build
     runs-on: ubuntu-latest
     timeout-minutes: 30
-
-    if: ${{ (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
       - name: Cache SonarCloud packages
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
-      - name: Cache Maven packages
-        uses: actions/cache@v5
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: 'zulu'
           java-version: '17'
+          cache: 'maven'
 
       - name: Create custom Maven Settings.xml
-        uses: whelk-io/maven-settings-xml-action@v22
+        uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
         with:
           output_file: custom_maven_settings.xml
           servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
-      - name: Build and analyze (Pull Request)
-        if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          ./mvnw -B -s custom_maven_settings.xml clean verify
-      - name: Build and analyze (Push)
-        if: ${{ github.event_name == 'push' }}
+      - name: Build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           ./mvnw -B -s custom_maven_settings.xml clean verify
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: build-artifacts
+          path: |
+            service/src/
+            app/src/
+            service/target/
+            app/target/
+          retention-days: 1
       - name: Save PR number to file
-        if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
+        if: ${{ github.event_name == 'pull_request' }}
         run: echo ${{ github.event.pull_request.number }} > PR_NUMBER.txt
       - name: Archive PR number
-        if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
-        uses: actions/upload-artifact@v6
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: PR_NUMBER
           path: PR_NUMBER.txt
