* Harden workflows with least-privilege permissions and zizmor
Apply GitHub Actions security best practices to the action's own
workflows and integrate zizmor to catch regressions.
- Add explicit least-privilege `permissions:` to every workflow
(contents: read for read-only workflows; default-deny `{}` with
job-scoped grants for codeql, publish-immutable-actions and
update-config-files).
- Set `persist-credentials: false` on all checkout steps that don't
need the GITHUB_TOKEN afterwards.
- Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars
to avoid template injection.
- Pin the alpine container image (alpine:latest -> alpine:3.21).
- Add a zizmor CI workflow that uploads SARIF to code scanning, plus a
`.github/zizmor.yml` pinning policy (ref-pin for actions/* and
github/*, hash-pin for third-party actions).
zizmor now reports no findings (offline and online).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Fix indentation of if: in zizmor SARIF upload step
The `if:` key on the "Upload SARIF results to code scanning" step had no
indentation, producing invalid YAML ("Nested mappings are not allowed in
compact mappings"). This broke `npm run format-check` (prettier) in Basic
validation.
Indent `if:` to 8 spaces so it nests under the step alongside uses/with.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
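name: Validate cache

# End-to-end check that `cache: gradle|maven|sbt` both saves a dependency
# cache (the *-save jobs) and restores it in a fresh job (the *-restore jobs).

on:
  push:
    branches:
      - main
      - releases/*
    paths-ignore:
      - '**.md'
  pull_request:
    paths-ignore:
      - '**.md'

# Least privilege: every job here only reads the repository, so the
# GITHUB_TOKEN is granted no write scopes.
permissions:
  contents: read

defaults:
  run:
    shell: bash

jobs:
  gradle-save:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [macos-15-intel, windows-latest, ubuntu-latest]
    steps:
      - name: Checkout
        uses: actions/checkout@v7
        with:
          # No later step needs the token through git, so don't leave it in .git/config
          persist-credentials: false
      - name: Run setup-java with the cache for gradle
        uses: ./
        id: setup-java
        with:
          distribution: 'adopt'
          java-version: '17'
          cache: gradle
      - name: Create files to cache
        # Need to avoid using Gradle daemon to stabilize the save process on Windows
        # https://github.com/actions/cache/issues/454#issuecomment-840493935
        run: |
          gradle downloadDependencies --no-daemon -p __tests__/cache/gradle1
          if [ ! -d ~/.gradle/caches ]; then
            echo "::error::The ~/.gradle/caches directory does not exist unexpectedly"
            exit 1
          fi

  gradle-restore:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [macos-15-intel, windows-latest, ubuntu-latest]
    # Must run after the save job so there is a cache entry to restore
    needs: gradle-save
    steps:
      - name: Checkout
        uses: actions/checkout@v7
        with:
          persist-credentials: false
      - name: Run setup-java with the cache for gradle
        uses: ./
        id: setup-java
        with:
          distribution: 'adopt'
          java-version: '11'
          cache: gradle
      - name: Confirm that ~/.gradle/caches directory has been made
        run: |
          if [ ! -d ~/.gradle/caches ]; then
            echo "::error::The ~/.gradle/caches directory does not exist unexpectedly"
            exit 1
          fi
          ls ~/.gradle/caches/

  maven-save:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [macos-15-intel, windows-latest, ubuntu-latest]
    steps:
      - name: Checkout
        uses: actions/checkout@v7
        with:
          persist-credentials: false
      - name: Run setup-java with the cache for maven
        uses: ./
        id: setup-java
        with:
          distribution: 'adopt'
          java-version: '11'
          cache: maven
      - name: Create files to cache
        run: |
          mvn verify -f __tests__/cache/maven/pom.xml
          if [ ! -d ~/.m2/repository ]; then
            echo "::error::The ~/.m2/repository directory does not exist unexpectedly"
            exit 1
          fi

  maven-restore:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [macos-15-intel, windows-latest, ubuntu-latest]
    needs: maven-save
    steps:
      - name: Checkout
        uses: actions/checkout@v7
        with:
          persist-credentials: false
      - name: Run setup-java with the cache for maven
        uses: ./
        id: setup-java
        with:
          distribution: 'adopt'
          java-version: '11'
          cache: maven
      - name: Confirm that ~/.m2/repository directory has been made
        run: |
          if [ ! -d ~/.m2/repository ]; then
            echo "::error::The ~/.m2/repository directory does not exist unexpectedly"
            exit 1
          fi
          ls ~/.m2/repository

  sbt-save:
    runs-on: ${{ matrix.os }}
    defaults:
      run:
        shell: bash
        working-directory: __tests__/cache/sbt
    strategy:
      fail-fast: false
      matrix:
        os: [macos-15-intel, windows-latest, ubuntu-22.04]
    steps:
      - name: Checkout
        uses: actions/checkout@v7
        with:
          persist-credentials: false
      - name: Run setup-java with the cache for sbt
        uses: ./
        id: setup-java
        with:
          distribution: 'adopt'
          java-version: '11'
          cache: sbt
      - name: Setup SBT
        # sbt is not preinstalled on the macOS image
        if: startsWith(matrix.os, 'macos')
        run: |
          echo "Installing SBT..."
          brew install sbt
      - name: Create files to cache
        run: sbt update

      # The per-OS checks match on the OS family rather than an exact runner
      # label: the sbt matrix uses `ubuntu-22.04`, and an exact
      # `matrix.os == 'ubuntu-latest'` comparison never matched, so the Linux
      # check was silently skipped.
      - name: Check files to cache on macOS
        if: startsWith(matrix.os, 'macos')
        run: |
          if [ ! -d ~/Library/Caches/Coursier ]; then
            echo "::error::The ~/Library/Caches/Coursier directory does not exist unexpectedly"
            exit 1
          fi
      - name: Check files to cache on Windows
        if: startsWith(matrix.os, 'windows')
        run: |
          if [ ! -d ~/AppData/Local/Coursier/Cache ]; then
            echo "::error::The ~/AppData/Local/Coursier/Cache directory does not exist unexpectedly"
            exit 1
          fi
      - name: Check files to cache on Ubuntu
        if: startsWith(matrix.os, 'ubuntu')
        run: |
          if [ ! -d ~/.cache/coursier ]; then
            echo "::error::The ~/.cache/coursier directory does not exist unexpectedly"
            exit 1
          fi

  sbt-restore:
    runs-on: ${{ matrix.os }}
    defaults:
      run:
        shell: bash
        working-directory: __tests__/cache/sbt
    strategy:
      fail-fast: false
      matrix:
        os: [macos-15-intel, windows-latest, ubuntu-22.04]
    needs: sbt-save
    steps:
      - name: Checkout
        uses: actions/checkout@v7
        with:
          persist-credentials: false
      - name: Run setup-java with the cache for sbt
        uses: ./
        id: setup-java
        with:
          distribution: 'adopt'
          java-version: '11'
          cache: sbt

      # OS-family matching, for the same reason as in sbt-save: the matrix
      # label is `ubuntu-22.04`, so an exact `'ubuntu-latest'` comparison
      # would skip the Linux check.
      - name: Confirm that ~/Library/Caches/Coursier directory has been made
        if: startsWith(matrix.os, 'macos')
        run: |
          if [ ! -d ~/Library/Caches/Coursier ]; then
            echo "::error::The ~/Library/Caches/Coursier directory does not exist unexpectedly"
            exit 1
          fi
          ls ~/Library/Caches/Coursier
      - name: Confirm that ~/AppData/Local/Coursier/Cache directory has been made
        if: startsWith(matrix.os, 'windows')
        run: |
          if [ ! -d ~/AppData/Local/Coursier/Cache ]; then
            echo "::error::The ~/AppData/Local/Coursier/Cache directory does not exist unexpectedly"
            exit 1
          fi
          ls ~/AppData/Local/Coursier/Cache
      - name: Confirm that ~/.cache/coursier directory has been made
        if: startsWith(matrix.os, 'ubuntu')
        run: |
          if [ ! -d ~/.cache/coursier ]; then
            echo "::error::The ~/.cache/coursier directory does not exist unexpectedly"
            exit 1
          fi
          ls ~/.cache/coursier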