chore: Harden workflows: least-privilege permissions + zizmor integration (#1039)

* Harden workflows with least-privilege permissions and zizmor

Apply GitHub Actions security best practices to the action's own
workflows and integrate zizmor to catch regressions.

- Add explicit least-privilege `permissions:` to every workflow
  (contents: read for read-only workflows; default-deny `{}` with
  job-scoped grants for codeql, publish-immutable-actions and
  update-config-files).
- Set `persist-credentials: false` on all checkout steps that don't
  need the GITHUB_TOKEN afterwards.
- Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars
  to avoid template injection.
- Pin the alpine container image (alpine:latest -> alpine:3.21).
- Add a zizmor CI workflow that uploads SARIF to code scanning, plus a
  `.github/zizmor.yml` pinning policy (ref-pin for actions/* and
  github/*, hash-pin for third-party actions).

zizmor now reports no findings (offline and online).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix indentation of if: in zizmor SARIF upload step

The `if:` key on the "Upload SARIF results to code scanning" step had no
indentation, producing invalid YAML ("Nested mappings are not allowed in
compact mappings"). This broke `npm run format-check` (prettier) in Basic
validation.

Indent `if:` to 8 spaces so it nests under the step alongside uses/with.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
Bruno Borges
2026-06-23 13:10:17 -04:00
committed by GitHub
parent 668c1ea991
commit 1d25252804
13 changed files with 215 additions and 19 deletions
+3
@@ -11,6 +11,9 @@ on:
paths-ignore: paths-ignore:
- '**.md' - '**.md'
permissions:
contents: read
jobs: jobs:
call-basic-validation: call-basic-validation:
name: Basic validation name: Basic validation
+3
@@ -11,6 +11,9 @@ on:
- '**.md' - '**.md'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
call-check-dist: call-check-dist:
name: Check dist/ name: Check dist/
+2
@@ -8,6 +8,8 @@ on:
schedule: schedule:
- cron: '0 3 * * 0' - cron: '0 3 * * 0'
permissions: {}
jobs: jobs:
call-codeQL-analysis: call-codeQL-analysis:
permissions: permissions:
@@ -11,6 +11,9 @@ on:
paths-ignore: paths-ignore:
- '**.md' - '**.md'
permissions:
contents: read
defaults: defaults:
run: run:
shell: bash shell: bash
@@ -25,6 +28,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for gradle - name: Run setup-java with the cache for gradle
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -52,6 +57,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for gradle - name: Run setup-java with the cache for gradle
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -77,6 +84,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for gradle - name: Run setup-java with the cache for gradle
uses: ./ uses: ./
id: setup-java id: setup-java
+15
@@ -11,6 +11,9 @@ on:
paths-ignore: paths-ignore:
- '**.md' - '**.md'
permissions:
contents: read
defaults: defaults:
run: run:
shell: bash shell: bash
@@ -25,6 +28,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for gradle - name: Run setup-java with the cache for gradle
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -51,6 +56,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for gradle - name: Run setup-java with the cache for gradle
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -74,6 +81,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for maven - name: Run setup-java with the cache for maven
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -98,6 +107,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for maven - name: Run setup-java with the cache for maven
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -125,6 +136,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for sbt - name: Run setup-java with the cache for sbt
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -175,6 +188,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Run setup-java with the cache for sbt - name: Run setup-java with the cache for sbt
uses: ./ uses: ./
id: setup-java id: setup-java
+18 -3
@@ -11,6 +11,9 @@ on:
paths-ignore: paths-ignore:
- '**.md' - '**.md'
permissions:
contents: read
jobs: jobs:
setup-java-local-file-adopt: setup-java-local-file-adopt:
name: Validate installation from local file Adopt name: Validate installation from local file Adopt
@@ -22,6 +25,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Download Adopt OpenJDK file - name: Download Adopt OpenJDK file
run: | run: |
if ($IsLinux) { if ($IsLinux) {
@@ -46,7 +51,9 @@ jobs:
java-version: '11.0.0-ea' java-version: '11.0.0-ea'
architecture: x64 architecture: x64
- name: Verify Java version - name: Verify Java version
run: bash __tests__/verify-java.sh "11.0.10" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11.0.10" "$JAVA_PATH"
shell: bash shell: bash
setup-java-local-file-zulu: setup-java-local-file-zulu:
@@ -59,6 +66,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Download Zulu OpenJDK file - name: Download Zulu OpenJDK file
run: | run: |
if ($IsLinux) { if ($IsLinux) {
@@ -83,7 +92,9 @@ jobs:
java-version: '11.0.0-ea' java-version: '11.0.0-ea'
architecture: x64 architecture: x64
- name: Verify Java version - name: Verify Java version
run: bash __tests__/verify-java.sh "11.0" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11.0" "$JAVA_PATH"
shell: bash shell: bash
setup-java-local-file-temurin: setup-java-local-file-temurin:
@@ -96,6 +107,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Download Eclipse Temurin file - name: Download Eclipse Temurin file
run: | run: |
if ($IsLinux) { if ($IsLinux) {
@@ -120,5 +133,7 @@ jobs:
java-version: '11.0.0-ea' java-version: '11.0.0-ea'
architecture: x64 architecture: x64
- name: Verify Java version - name: Verify Java version
run: bash __tests__/verify-java.sh "11.0.12" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11.0.12" "$JAVA_PATH"
shell: bash shell: bash
+11
@@ -11,6 +11,9 @@ on:
paths-ignore: paths-ignore:
- '**.md' - '**.md'
permissions:
contents: read
defaults: defaults:
run: run:
shell: pwsh shell: pwsh
@@ -26,6 +29,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -61,6 +66,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create fake settings.xml - name: Create fake settings.xml
run: | run: |
$xmlDirectory = Join-Path $HOME ".m2" $xmlDirectory = Join-Path $HOME ".m2"
@@ -97,6 +104,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create fake settings.xml - name: Create fake settings.xml
run: | run: |
$xmlDirectory = Join-Path $HOME ".m2" $xmlDirectory = Join-Path $HOME ".m2"
@@ -134,6 +143,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
+83 -16
@@ -13,6 +13,10 @@ on:
schedule: schedule:
- cron: '0 */12 * * *' - cron: '0 */12 * * *'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
setup-java-major-versions: setup-java-major-versions:
name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }} name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
@@ -74,6 +78,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -83,14 +89,17 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash shell: bash
setup-java-alpine-linux: setup-java-alpine-linux:
name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - alpine-linux - ${{ matrix.os }} name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - alpine-linux - ${{ matrix.os }}
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
container: container:
image: alpine:latest image: alpine:3.21
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -100,6 +109,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Install bash - name: Install bash
run: apk add --no-cache bash run: apk add --no-cache bash
- name: setup-java - name: setup-java
@@ -109,7 +120,10 @@ jobs:
java-version: ${{ matrix.version }} java-version: ${{ matrix.version }}
distribution: ${{ matrix.distribution }} distribution: ${{ matrix.distribution }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash shell: bash
setup-java-major-minor-versions: setup-java-major-minor-versions:
@@ -150,6 +164,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -157,10 +173,12 @@ jobs:
java-version: ${{ matrix.version }} java-version: ${{ matrix.version }}
distribution: ${{ matrix.distribution }} distribution: ${{ matrix.distribution }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}"
shell: bash
env: env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-check-latest: setup-java-check-latest:
name: ${{ matrix.distribution }} ${{ matrix.version }} - check-latest flag - ${{ matrix.os }} name: ${{ matrix.distribution }} ${{ matrix.version }} - check-latest flag - ${{ matrix.os }}
@@ -185,6 +203,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -195,7 +215,9 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "11" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11" "$JAVA_PATH"
shell: bash shell: bash
setup-java-multiple-jdks: setup-java-multiple-jdks:
@@ -221,6 +243,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -245,7 +269,9 @@ jobs:
} }
shell: pwsh shell: pwsh
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "17" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "17" "$JAVA_PATH"
shell: bash shell: bash
setup-java-ea-versions-zulu: setup-java-ea-versions-zulu:
@@ -260,6 +286,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -267,7 +295,10 @@ jobs:
java-version: ${{ matrix.version }} java-version: ${{ matrix.version }}
distribution: zulu distribution: zulu
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash shell: bash
setup-java-ea-versions-temurin: setup-java-ea-versions-temurin:
@@ -282,6 +313,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -289,7 +322,10 @@ jobs:
java-version: ${{ matrix.version }} java-version: ${{ matrix.version }}
distribution: temurin distribution: temurin
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash shell: bash
setup-java-ea-versions-sapmachine: setup-java-ea-versions-sapmachine:
@@ -304,6 +340,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -311,7 +349,10 @@ jobs:
java-version: ${{ matrix.version }} java-version: ${{ matrix.version }}
distribution: sapmachine distribution: sapmachine
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash shell: bash
setup-java-custom-package-type: setup-java-custom-package-type:
@@ -391,6 +432,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -401,7 +444,10 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash shell: bash
# Only Liberica and Zulu provide x86 # Only Liberica and Zulu provide x86
@@ -419,6 +465,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java - name: setup-java
uses: ./ uses: ./
id: setup-java id: setup-java
@@ -427,7 +475,10 @@ jobs:
java-version: ${{ matrix.version }} java-version: ${{ matrix.version }}
architecture: 'x86' architecture: 'x86'
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash shell: bash
setup-java-version-both-version-inputs-presents: setup-java-version-both-version-inputs-presents:
@@ -442,6 +493,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file - name: Create .java-version file
shell: bash shell: bash
run: echo "17" > .java-version run: echo "17" > .java-version
@@ -456,7 +509,9 @@ jobs:
java-version: 11 java-version: 11
java-version-file: ${{matrix.java-version-file }} java-version-file: ${{matrix.java-version-file }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "11" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11" "$JAVA_PATH"
shell: bash shell: bash
setup-java-version-from-file-major-notation: setup-java-version-from-file-major-notation:
@@ -471,6 +526,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file - name: Create .java-version file
shell: bash shell: bash
run: echo "11" > .java-version run: echo "11" > .java-version
@@ -484,7 +541,9 @@ jobs:
distribution: ${{ matrix.distribution }} distribution: ${{ matrix.distribution }}
java-version-file: ${{matrix.java-version-file }} java-version-file: ${{matrix.java-version-file }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "11" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11" "$JAVA_PATH"
shell: bash shell: bash
setup-java-version-from-file-major-minor-patch-notation: setup-java-version-from-file-major-minor-patch-notation:
@@ -499,6 +558,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file - name: Create .java-version file
shell: bash shell: bash
run: echo "17.0.10" > .java-version run: echo "17.0.10" > .java-version
@@ -512,7 +573,9 @@ jobs:
distribution: ${{ matrix.distribution }} distribution: ${{ matrix.distribution }}
java-version-file: ${{matrix.java-version-file }} java-version-file: ${{matrix.java-version-file }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "17.0.10" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "17.0.10" "$JAVA_PATH"
shell: bash shell: bash
setup-java-version-from-file-major-minor-patch-with-dist: setup-java-version-from-file-major-minor-patch-with-dist:
@@ -527,6 +590,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file - name: Create .java-version file
shell: bash shell: bash
run: echo "openjdk64-17.0.10" > .java-version run: echo "openjdk64-17.0.10" > .java-version
@@ -543,5 +608,7 @@ jobs:
distribution: ${{ matrix.distribution }} distribution: ${{ matrix.distribution }}
java-version-file: ${{matrix.java-version-file }} java-version-file: ${{matrix.java-version-file }}
- name: Verify Java - name: Verify Java
run: bash __tests__/verify-java.sh "17.0.10" "${{ steps.setup-java.outputs.path }}" env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "17.0.10" "$JAVA_PATH"
shell: bash shell: bash
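Review bot: `image: alpine:3.21` under `container:` of setup-java-alpine-linux is a tag pin, and registry tags are mutable, so the job can still run an image other than the one reviewed; the "pin" in the description is only a partial one. The immutable form is `image: alpine:3.21@sha256:<IMAGE_DIGEST>` (digest taken from the registry at pin time), at the cost of updating it deliberately. Separately, in the setup-java-major-minor-versions "Verify Java" step the pre-existing `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` now shares an `env:` block with the new `JAVA_VERSION`/`JAVA_PATH`; if `__tests__/verify-java.sh` does not call the GitHub API, that line can be dropped from this step in the spirit of the change. The `container:` mapping and the surrounding job definitions continue outside the hunks.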
+3
@@ -9,6 +9,9 @@ on:
- main - main
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
call-licensed: call-licensed:
name: Licensed name: Licensed
@@ -5,6 +5,8 @@ on:
types: [released] types: [released]
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
publish: publish:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -16,6 +18,8 @@ jobs:
steps: steps:
- name: Checking out - name: Checking out
uses: actions/checkout@v7 uses: actions/checkout@v7
with:
persist-credentials: false
- name: Publish - name: Publish
id: publish id: publish
uses: actions/publish-immutable-action@v0.0.4 uses: actions/publish-immutable-action@v0.0.4
@@ -5,7 +5,12 @@ on:
- cron: '0 3 * * 0' - cron: '0 3 * * 0'
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
call-update-configuration-files: call-update-configuration-files:
name: Update configuration files name: Update configuration files
permissions:
contents: write # to push the branch with updated configuration files
pull-requests: write # to open/update the configuration update PR
uses: actions/reusable-workflows/.github/workflows/update-config-files.yml@main uses: actions/reusable-workflows/.github/workflows/update-config-files.yml@main
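Review bot: The new `contents: write` and `pull-requests: write` grants on call-update-configuration-files are handed to `uses: actions/reusable-workflows/.github/workflows/update-config-files.yml@main`, a floating branch ref rather than a tag or commit SHA, so any change pushed to that branch runs with write access to this repository. The `uses:` line is unchanged context and satisfies the `actions/*: ref-pin` policy, but for the one job in this commit that receives write permissions a release tag or SHA is the stronger pin. If `@main` is intentional because the workflow is first-party and kept in sync, a comment next to the grants such as `# @main is deliberate: first-party reusable workflow tracked at HEAD` records that decision for the next reader.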
+48
@@ -0,0 +1,48 @@
name: Security analysis with zizmor
on:
push:
branches:
- main
- releases/*
paths-ignore:
- '**.md'
pull_request:
paths-ignore:
- '**.md'
workflow_dispatch:
permissions: {}
jobs:
zizmor:
name: Analyze workflows with zizmor
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write # to upload SARIF results to code scanning
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install zizmor
run: pip install zizmor
- name: Run zizmor
run: zizmor --format sarif .github/workflows/ > zizmor.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF results to code scanning
if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: zizmor.sarif
category: zizmor
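Review bot: `run: pip install zizmor` in the "Install zizmor" step installs whatever PyPI serves as latest at run time, so the scanner that feeds code scanning is itself an unpinned dependency and a new release can change the finding set or break the job without any commit to this repository. Pin it, e.g. `run: pip install 'zizmor==<PINNED_VERSION>'`, and bump the version deliberately like the actions it audits. This workflow also uses `actions/checkout@v6` while every other workflow touched by the commit uses `actions/checkout@v7`; aligning them avoids two versions of the same action drifting independently. A `schedule:` trigger alongside `push`/`pull_request` would additionally let the online audits pick up newly published advisories for already-pinned actions without waiting for a code change.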
+11
@@ -0,0 +1,11 @@
# Configuration for zizmor (https://docs.zizmor.sh)
rules:
unpinned-uses:
config:
# First-party GitHub-maintained actions are trusted and referenced by
# major-version tags (the convention used across the actions org).
# Any third-party action must be pinned to a full commit SHA.
policies:
actions/*: ref-pin
github/*: ref-pin
'*': hash-pin