-
Notifications
You must be signed in to change notification settings - Fork 81
Migrate to GitHub Actions #562
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -29,17 +29,18 @@ jobs: | |
|
|
||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v2 | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| # If you wish to specify custom queries, you can do so here or in a config file. | ||
| # By default, queries listed here will override any specified in a config file. | ||
| # Prefix the list here with "+" to use these queries and those in the config file. | ||
| # queries: ./path/to/local/query, your-org/your-repo/queries@main | ||
|
|
||
| - uses: actions/checkout@v2 | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Set up JDK 8 | ||
| uses: actions/setup-java@v2 | ||
| uses: actions/setup-java@v4 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
||
| with: | ||
| distribution: 'zulu' | ||
| java-version: '8' | ||
|
|
@@ -49,4 +50,4 @@ jobs: | |
| run: ./mvnw clean compile assembly:single | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v2 | ||
| uses: github/codeql-action/analyze@v3 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| name: CI | ||
|
|
||
| on: | ||
| push: | ||
| pull_request: | ||
|
|
||
| permissions: read-all | ||
|
|
||
| jobs: | ||
| lint: | ||
| name: Lint (OpenJDK 8) | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up JDK 8 | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: '8' | ||
| distribution: 'temurin' | ||
|
|
||
| - name: Cache Maven packages | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ~/.m2 | ||
| key: ${{ runner.os }}-m2-${{ github.ref }}-${{ hashFiles('**/pom.xml') }}-lint | ||
| restore-keys: | | ||
| ${{ runner.os }}-m2-${{ github.ref }}- | ||
| ${{ runner.os }}-m2- | ||
|
|
||
| - name: Run lint | ||
| run: ./mvnw verify -B -Dhttps.protocols=TLSv1.2 -DskipTests | ||
|
|
||
| test: | ||
| name: Test (OpenJDK ${{ matrix.java-version }}) | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| strategy: | ||
| matrix: | ||
| java-version: | ||
| - 8 | ||
| - 11 | ||
| - 16 | ||
| - 17 | ||
| - 19 | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up JDK ${{ matrix.java-version }} | ||
| uses: actions/setup-java@v4 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
||
| with: | ||
| java-version: ${{ matrix.java-version }} | ||
| distribution: 'temurin' | ||
|
|
||
| - name: Cache Maven packages | ||
| uses: actions/cache@v4 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
||
| with: | ||
| path: ~/.m2 | ||
| key: ${{ runner.os }}-m2-${{ github.ref }}-${{ hashFiles('**/pom.xml') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-m2-${{ github.ref }}- | ||
| ${{ runner.os }}-m2- | ||
|
|
||
| - name: Set up Docker | ||
| uses: docker/setup-docker-action@v4 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
||
|
|
||
| - name: Run tests | ||
| run: ./mvnw test -B -Dhttps.protocols=TLSv1.2 -Dcheckstyle.skip=true -Dtests.log_level=info -Djdk.attach.allowAttachSelf=true | ||
|
|
||
| - name: Show test logs on failure | ||
| if: failure() | ||
| run: | | ||
| echo "Test failed. Showing surefire reports:" | ||
| for log in target/surefire-reports/*.txt; do | ||
| if [ -f "$log" ]; then | ||
| echo "$log ========================" | ||
| cat "$log" | ||
| fi | ||
| done | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (
@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: