From 019a6117fb99131f74f92ecf462169613234abbf Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 19 Sep 2023 14:05:12 -0700 Subject: [PATCH] Apply best practices for workflows (#580) Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 6 +++++ .github/workflows/codeql-analysis.yml | 11 +++++--- ...n-java-performance-regression-detector.yml | 25 +++++++++++-------- .github/workflows/ion-test-driver.yml | 18 ++++++++----- .github/workflows/main.yml | 12 ++++----- .github/workflows/prepare-release.yml | 4 +-- .../workflows/publish-release-artifacts.yml | 9 ++++--- .../workflows/test-inspect-version-action.yml | 2 +- 8 files changed, 54 insertions(+), 33 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..253bcb76ba --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2bbcd37d60..0f4b2e1654 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -15,6 +15,9 @@ on: schedule: - cron: '0 22 * * 3' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -34,11 +37,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
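Review bot: The file-level `permissions: contents: read` added under the `schedule` trigger in the first codeql-analysis.yml hunk becomes the token scope for the `analyze` job, and `github/codeql-action/analyze` (pinned in the last hunk of this file) needs `security-events: write` to upload its results. The job-level `permissions:` block that would grant this, if present, lies between this hunk and the next and is not visible here. Confirm that `analyze:` carries `permissions:` / `  contents: read` / `  security-events: write` (the CodeQL starter template also lists `actions: read`); without it the analysis upload fails under the new read-only default.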
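Review bot: `actions/checkout` is pinned in this hunk to `ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0`, whereas every other workflow in this patch pins the v3 line (`f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`); the first main.yml hunk has the same v2.7.0 pin while the second hunk of that very file uses v3.6.0. A SHA pin freezes the code, but a stale major line still carries the old runner/Node requirements and receives no further upstream fixes, so the pinned line should be consistent across the repository. Use `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` here and in main.yml. The `analyze` job that contains these steps starts outside the hunk.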
@@ -49,7 +52,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -63,4 +66,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8 diff --git a/.github/workflows/ion-java-performance-regression-detector.yml b/.github/workflows/ion-java-performance-regression-detector.yml index f90e2f4701..8671351bc2 100644 --- a/.github/workflows/ion-java-performance-regression-detector.yml +++ b/.github/workflows/ion-java-performance-regression-detector.yml @@ -8,6 +8,9 @@ on: paths: - 'src/*' +permissions: + contents: read + jobs: detect-regression: name: Detect Regression @@ -15,13 +18,13 @@ jobs: steps: - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 with: distribution: 'corretto' java-version: 11 - name: Checkout ion-java from the new commit. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: ref: ${{ github.event.pull_request.head.sha }} path: ion-java-new @@ -30,7 +33,7 @@ jobs: run: cd ion-java-new && git submodule init && git submodule update && ./gradlew clean publishToMavenLocal - name: Checkout ion-java-benchmark-cli - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: amazon-ion/ion-java-benchmark-cli ref: master 
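Review bot: The checkout step pinned in this hunk fetches `${{ github.event.pull_request.head.sha }}` and the following context step runs `./gradlew clean publishToMavenLocal` on it, so the pull request's own build script executes on the runner. That is acceptable only while the workflow runs under a `pull_request` trigger, where the token is read-only and fork PRs get no secrets; the `on:` block with the trigger type is outside the hunk, so confirm it is not `pull_request_target`. The file-level `contents: read` added in the first hunk of this file is the right scope for this job — keep `detect-regression` free of job-level write permissions so that code taken from the PR never runs with a token that can push or publish. The `detect-regression` job starts outside this hunk.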
@@ -40,7 +43,7 @@ jobs: run: cd ion-java-benchmark-cli && mvn clean install - name: Checkout ion-data-generator - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: amazon-ion/ion-data-generator ref: main @@ -63,7 +66,7 @@ jobs: java -jar ion-data-generator/target/ion-data-generator-1.0-SNAPSHOT.jar generate -S 50000 --input-ion-schema ion-data-generator/tst/com/amazon/ion/workflow/realWorldDataSchema03.isl testData/realWorldData03.10n - name: Upload test Ion Data to artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: test Ion Data path: testData @@ -74,7 +77,7 @@ jobs: cd ion-java-benchmark-cli && java -jar target/ion-java-benchmark-cli-0.0.1-SNAPSHOT-jar-with-dependencies.jar run-suite --test-ion-data /home/runner/work/ion-java/ion-java/testData --benchmark-options-combinations tst/com/amazon/ion/benchmark/optionsCombinations.ion /home/runner/work/ion-java/ion-java/benchmarkResults - name: Upload benchmark results to artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: Benchmark result path: benchmarkResults @@ -83,7 +86,7 @@ jobs: run : rm -r /home/runner/.m2 - name: Checkout the current commit - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: amazon-ion/ion-java ref: master 
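Review bot: `actions/upload-artifact` is pinned here to `82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1`, as it is in the -74, -119 and -133 hunks of this file and the -42 and -57 hunks of ion-test-driver.yml, and `actions/download-artifact` to `cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1` in the -104 hunk, while main.yml in this same patch pins `actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3`. The v2 line appears to be an older major that no longer receives upstream releases, and pinning it by SHA only freezes that state. Since every pin is being rewritten anyway, move these steps to the v3 pin main.yml already uses, `uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3`, and pin `actions/download-artifact` to its matching v3 release (SHA to be taken from the upstream tag), so one line per action is tracked repo-wide.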
@@ -104,13 +107,13 @@ jobs: mkdir -p testData - name: Download test Ion Data from artifacts - uses: actions/download-artifact@v2 + uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1 with: name: test Ion Data path: testData - name: Download benchmark results of ion-java from the new commit from artifacts - uses: actions/download-artifact@v2 + uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1 with: name: Benchmark result path: benchmarkResults @@ -119,7 +122,7 @@ jobs: run: cd ion-java-benchmark-cli && java -jar target/ion-java-benchmark-cli-0.0.1-SNAPSHOT-jar-with-dependencies.jar run-suite --test-ion-data /home/runner/work/ion-java/ion-java/testData --benchmark-options-combinations tst/com/amazon/ion/benchmark/optionsCombinations.ion /home/runner/work/ion-java/ion-java/benchmarkResults - name: Upload new benchmark results directory to artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: Benchmark result path: benchmarkResults @@ -133,7 +136,7 @@ jobs: if [ "$result" = "true" ]; then echo "No regression detected!" >> $GITHUB_STEP_SUMMARY; fi - name: Upload comparison reports to the benchmark results directory - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: Benchmark result path: benchmarkResults diff --git a/.github/workflows/ion-test-driver.yml b/.github/workflows/ion-test-driver.yml index ef3e7d8ff5..2a69dd6cc3 100644 --- a/.github/workflows/ion-test-driver.yml +++ b/.github/workflows/ion-test-driver.yml 
@@ -5,19 +5,22 @@ on: paths: - 'src/*' +permissions: + contents: read + jobs: ion-test-driver: runs-on: ubuntu-latest steps: - name: Checkout ion-java - uses: actions/checkout@master + uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master with: repository: amazon-ion/ion-java ref: master path: ion-java - name: Checkout ion-test-driver - uses: actions/checkout@master + uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master with: repository: amazon-ion/ion-test-driver ref: master @@ -42,7 +45,7 @@ jobs: --replace ion-java,https://github.com/amazon-ion/ion-java.git,$main - name: Upload result - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: ion-test-driver-result.ion path: output/results/ion-test-driver-results.ion @@ -57,7 +60,7 @@ jobs: ion-java,$main ion-java,$cur output/results/ion-test-driver-results.ion - name: Upload analysis report - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: analysis-report.ion path: result.ion @@ -70,13 +73,16 @@ jobs: run: echo 'Implementation behavior changed, Refer to the analysis report in the previous step for the reason.' && exit 1 open-issue: + permissions: + contents: read # for JasonEtco/create-an-issue to read template files + issues: write # for JasonEtco/create-an-issue to create new issues runs-on: ubuntu-latest needs: ion-test-driver if: ${{ failure() }} steps: - - uses: actions/checkout@master + - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master - name: Open an issue - uses: JasonEtco/create-an-issue@v2 + uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # v2.9.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_WORKFLOW_URL: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}} 
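Review bot: The pin `actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master`, used for both checkout steps in this hunk and again in the `open-issue` job of the -70 hunk, records a branch name rather than a release, so a reader cannot tell which `actions/checkout` version the SHA corresponds to or how far it lags, and the comment is misleading once the SHA no longer floats with `master`. The rest of this patch pins released versions; use the same one here, `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, for all three occurrences, so they are bumped together with the other workflows. The `ion-test-driver` job continues beyond this hunk.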
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1ff898f74d..95e5ce74d4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -17,24 +17,24 @@ jobs: upload_reports: true - java: 17 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 with: submodules: recursive - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # v1.1.0 - name: Use java ${{ matrix.java }} - uses: actions/setup-java@v3 + uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 with: distribution: 'corretto' java-version: ${{ matrix.java }} - - uses: gradle/gradle-build-action@v2 + - uses: gradle/gradle-build-action@ef76a971e2fa3f867b617efd72f2fbd72cf6f8bc # v2.8.0 with: arguments: build - run: ./ion-test-driver-run version - if: ${{ matrix.upload_reports }} - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with: files: build/reports/jacoco/test/jacocoTestReport.xml - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: spotbugs-report path: build/reports/spotbugs/ @@ -46,7 +46,7 @@ jobs: # https://github.com/amazon-ion/ion-java/blob/master/.github/actions/inspect-version/action.yml runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Get Project Version run: | echo "PROJECT_VERSION=v$(> $GITHUB_ENV diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index ae915348b8..71c5b93aa4 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml 
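Review bot: main.yml receives no file-level `permissions:` block in this patch — the diffstat lists only the six `uses:` replacements — whereas codeql-analysis.yml, ion-java-performance-regression-detector.yml, ion-test-driver.yml and publish-release-artifacts.yml each gain `permissions: contents: read`; test-inspect-version-action.yml (-52 hunk) and prepare-release.yml are left out in the same way. Unless these files already declare one above the hunks shown, their jobs keep the repository's default token scope, which is more than the checkout, gradle build, codecov upload and artifact upload in this hunk need. Add `permissions:` / `  contents: read` at file level in each, granting job-level write scopes only where a job needs them, as prepare-release.yml already does with `contents: write` on its draft-release job. The job containing these steps starts outside the hunk.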
@@ -43,7 +43,7 @@ jobs: outputs: should_create_draft: ${{ steps.inspect.outputs.is_valid_to_release }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Get project version run: | echo "PROJECT_VERSION=$(> $GITHUB_ENV @@ -64,7 +64,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Create a draft release shell: bash env: diff --git a/.github/workflows/publish-release-artifacts.yml b/.github/workflows/publish-release-artifacts.yml index 1d5a52fad9..b55e48c39a 100644 --- a/.github/workflows/publish-release-artifacts.yml +++ b/.github/workflows/publish-release-artifacts.yml @@ -21,12 +21,15 @@ on: release: types: [published] +permissions: + contents: read + jobs: check-tag: # First, a sanity check to ensure that the library version matches the release version runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Validate project version matches tag shell: bash run: | @@ -45,10 +48,10 @@ jobs: steps: # TODO: replace with artifact upload/download -- make sure there's no race condition with other builds also # uploading an artifact. - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - - uses: gradle/gradle-build-action@v2 + - uses: gradle/gradle-build-action@ef76a971e2fa3f867b617efd72f2fbd72cf6f8bc # v2.8.0 with: arguments: build cyclonedxBom - name: Upload Jar to GitHub release diff --git a/.github/workflows/test-inspect-version-action.yml b/.github/workflows/test-inspect-version-action.yml index e7d5bf4bcf..ed223dfdb6 100644 --- a/.github/workflows/test-inspect-version-action.yml +++ b/.github/workflows/test-inspect-version-action.yml 
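Review bot: The file-level `permissions: contents: read` added in the -21 hunk of publish-release-artifacts.yml now caps the token for the job in the -45 hunk, whose last context step is `Upload Jar to GitHub release`; attaching an asset to a release requires `contents: write`. That job's header, and any job-level `permissions:` it carries, sits between the two hunks and is not visible here, so confirm it declares `permissions:` / `  contents: write` (as prepare-release.yml's draft-release job already does); otherwise the upload is refused at run time rather than at parse time. `check-tag` in the -21 hunk only checks out and validates the version, so the read-only default is correct for it.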
@@ -52,7 +52,7 @@ jobs: expected: action_failure steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Invoke Action id: inspect continue-on-error: ${{ matrix.expected == 'action_failure' }}