Merge pull request #892 from bobcallaway/zizmor

address CI issues reported by zizmor

Author: loosebazooka

.github/workflows/ci.yaml

@@ -37,6 +37,8 @@ jobs:
       id-token: write
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set up JDK ${{ matrix.java-version }}
       uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
@@ -59,6 +61,7 @@ jobs:
       run: ./gradlew build
 
     - name: Ensure sigstore-java self signing still works
+      if: ${{ !github.event.pull_request.head.repo.fork }}
       run: ./gradlew sigstore-java:publishToMavenLocal -Prelease -PskipPgpSigning
 
     - name: Test sigstore-java/sandbox

.github/workflows/cifuzz.yaml

@@ -19,7 +19,7 @@ jobs:
         dry-run: false
         language: jvm
     - name: Upload Crash
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts

.github/workflows/conformance.yml

@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up JDK ${{ matrix.java-version }}
         uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0

.github/workflows/examples.yaml

@@ -22,6 +22,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Setup Java
       uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
@@ -47,4 +49,6 @@ jobs:
 
     - name: run examples against development version
       working-directory: examples/hello-world
-      run: ./test.sh -Dsigstore.version=${{ steps.dev_version.outputs.version }}
+      env:
+        VERSION: ${{ steps.dev_version.outputs.version }}
+      run: ./test.sh -Dsigstore.version=${VERSION}

.github/workflows/gradle-wrapper-validation.yaml

@@ -7,5 +7,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      # allstar complains if we don't use tags here (https://github.com/ossf/scorecard/issues/2477)
-      - uses: gradle/wrapper-validation-action@v3
+        with:
+          persist-credentials: false
+      - uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2

.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml

@@ -10,17 +10,23 @@ jobs:
     steps:
       - name: checkout tag
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: process tag
         id: version
+        env:
+          TAG: ${{ github.ref_name }}
         run: |
-          TAG=${{ github.ref_name }}
           echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT
       - name: verify tag matches gradle version
+        env:
+          TAG_VERSION: ${{ steps.version.outputs.version }}
+          REF: ${{ github.ref }}
         run: |
           set -Eeo pipefail
           version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
-          if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then
-            echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version"
+          if [[ ! "$version" == "${TAG_VERSION}" ]]; then
+            echo "tagged version ${REF} (as ${TAG_VERSION}) does not match gradle.properties $version"
             exit 1
           fi
 
@@ -38,6 +44,8 @@ jobs:
     steps:
       - name: Checkout tag
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up JDK 11
         uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0

.github/workflows/release-sigstore-java-from-tag.yaml

@@ -11,17 +11,23 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: process tag
         id: version
+        env:
+          TAG: ${{ github.ref_name }}
         run: |
-          TAG=${{ github.ref_name }}
           echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT
       - name: verify tag matches gradle version
+        env:
+          TAG_VERSION: ${{ steps.version.outputs.version }}
+          REF: ${{ github.ref }}
         run: |
           set -Eeo pipefail
           version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
-          if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then
-            echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version"
+          if [[ ! "$version" == "${TAG_VERSION}" ]]; then
+            echo "tagged version ${REF} (as ${TAG_VERSION}) does not match gradle.properties $version"
             exit 1
           fi
 
@@ -39,6 +45,8 @@ jobs:
     steps:
       - name: checkout tag
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up JDK 11
         uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
@@ -65,7 +73,8 @@ jobs:
       contents: write
     steps:
       - name: Create release
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
-        with:
-          tag_name: ${{ github.ref_name }}
-          body: "See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md) for more details."
+        env:
+          REF_NAME: ${{ github.ref_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create -t "${REF_NAME}" ${REF_NAME} -n "See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md) for more details."

.github/workflows/tuf-conformance.yml

@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up JDK ${{ matrix.java-version }}
         uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
@@ -35,7 +37,7 @@ jobs:
       - name: Unpack tuf distribution
         run: tar -xvf ${{ github.workspace }}/tuf-cli/build/distributions/tuf-cli-*.tar --strip-components 1
 
-      - uses: theupdateframework/tuf-conformance@v2
+      - uses: theupdateframework/tuf-conformance@dee4e23533d7a12a6394d96b59b3ea0aa940f9bf # v2.2.0
         with:
           entrypoint: ${{ github.workspace }}/bin/tuf-cli
           artifact-name: test repositories for tuf-cli java ${{ matrix.java-version }}

examples/hello-world/test.sh

@@ -6,7 +6,7 @@ export ORG_GRADLE_PROJECT_signingKey=$MAVEN_GPG_KEY
 export ORG_GRADLE_PROJECT_signingPassword=$MAVEN_GPG_PASSPHRASE
 set -x
 # gradle
-./gradlew clean publishMavenPublicationToExamplesRepository $@
+./gradlew clean publishMavenPublicationToExamplesRepository --stacktrace $@
 test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
 test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json
 test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json