From 311b7683e257ce15c74e09aa31776eb1d73c426d Mon Sep 17 00:00:00 2001
From: Jonah Jeleniewski
Date: Mon, 5 May 2025 10:00:29 +1000
Subject: [PATCH 1/2] Specify permissions explicitly in workflows

Prompted by CodeQL alerts for `actions/missing-workflow-permissions`.
---
 .github/workflows/build.yml | 3 +++
 .github/workflows/format.yml | 3 +++
 .github/workflows/release.yml | 3 +++
 .github/workflows/sonar.yml | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index df3d24235..bbc7fd9ac 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ on:
       - 'LICENSE.txt'
       - 'NOTICE.txt'
 
+permissions:
+  contents: read
+
 jobs:
   install:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 0c8c562ed..868ccea4a 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -10,6 +10,9 @@ on:
     paths:
       - '**.java'
 
+permissions:
+  contents: read
+
 jobs:
   check-format:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bba8748fe..f27de1e44 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: write
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index 8f2a41f66..84329a1f2 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
 jobs:
   scan:
     runs-on: ubuntu-latest
From bc1ed36638f9084e67009f18c9a5ccaeabbd95df Mon Sep 17 00:00:00 2001
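Review bot: The workflow-level `contents: write` added to release.yml grants write access to every job in the file, not only to the step that creates the GitHub Release; the least-privilege form keeps the top-level default at `contents: read` and raises it on the one job that needs it. Only the `publish` job header is visible in this hunk, so whether other jobs exist there is unclear from here, but the scoping costs nothing either way. Concretely, change the added line to `contents: read` at the top and add `permissions:` / `  contents: write` under `jobs.publish`. The `publish` job body continues outside the hunk.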
From: Jonah Jeleniewski
Date: Mon, 5 May 2025 10:55:38 +1000
Subject: [PATCH 2/2] Pin mutable actions to a specific commit instead of using tags

Prompted by CodeQL alerts for `actions/unpinned-tag`.
---
 .github/workflows/format.yml | 4 ++--
 .github/workflows/release.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 868ccea4a..d9108a3ed 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: axel-op/googlejavaformat-action@v3
+      - uses: axel-op/googlejavaformat-action@c1134ebd196c4cbffb077f9476585b0be8b6afcd # v4.0.0
         with:
-          version: v1.19.2
+          release-name: v1.19.2
           args: "--set-exit-if-changed --dry-run"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f27de1e44..442f36988 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,12 +36,12 @@ jobs:
         run: echo "version-without-v=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
       - name: Get changelog release info
         id: changelog
-        uses: release-flow/keep-a-changelog-action@v3
+        uses: release-flow/keep-a-changelog-action@74931dec7ecdbfc8e38ac9ae7e8dd84c08db2f32 # v3.0.0
         with:
           command: query
           version: ${{ steps.get-version.outputs.version-without-v }}
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           name: ${{ steps.changelog.outputs.version }}
           body: ${{ steps.changelog.outputs.release-notes }}
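Review bot: The googlejavaformat-action `uses:` line is not only pinned but also moved from `@v3` to a commit labelled `# v4.0.0`, and the `version` input is renamed to `release-name`, so this hunk is a major-version upgrade that the subject line does not mention; either record that in the description or split it out so the pin itself can be reviewed on its own. The `actions/checkout@v4` context line just above is still a floating tag; if the goal is consistent supply-chain pinning, resolve the tag and pin it the same way, `- uses: actions/checkout@<commit-sha> # v4.x.y`. The step list continues outside the hunk.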
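Review bot: `softprops/action-gh-release` jumps from `@v1` to a commit labelled `# v2.2.2`, a major-version upgrade carried inside a pinning commit, and whether v2 treats the `name` and `body` inputs the same way is not visible here, so check its release notes before merging. The trailing `# vX.Y.Z` comments are advisory only: the runner checks out the SHA and never compares it to the comment, so confirm each SHA is the commit the named tag points to (for example with `git ls-remote --tags <repo> vX.Y.Z`), otherwise a typo silently runs unreviewed code under the `contents: write` token. The `publish` job's steps continue outside the hunk.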