ci: 1770 update ci workflows for best practices and standards round2 (#…

…1775)

.github/CODEOWNERS

@@ -1,2 +1,41 @@
 # Default code owners for entire repository
-*   @agadzhalov @thenswan @SimiHunjan
+*   @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/                             @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Legacy Maven project files
+**/pom.xml                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Gradle project files and inline plugins
+/gradle/                                        @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+gradlew                                         @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+gradlew.bat                                     @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/build-logic/                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/gradle.*                                     @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/*.gradle.*                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Codacy Tool Configurations
+/config/                                        @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+.remarkrc                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/LICENSE                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml                                  @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/.gitignore.*                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors

.github/workflows/build.yml

@@ -18,6 +18,7 @@ defaults:
 
 permissions:
   contents: read
+  packages: write
 
 env:
   LC_ALL: C.UTF-8
@@ -29,6 +30,11 @@ jobs:
     name: Code Compiles
     runs-on: [ self-hosted, Linux, medium, ephemeral ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -52,6 +58,11 @@ jobs:
     needs:
       - compile
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -108,6 +119,11 @@ jobs:
     needs:
       - compile
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 

.github/workflows/pages.yml

@@ -10,6 +10,8 @@ defaults:
     shell: bash
 
 permissions:
+  contents: read
+  packages: write
   id-token: write
   pages: write
 
@@ -21,6 +23,11 @@ jobs:
     name: Publish
     runs-on: [ self-hosted, Linux, medium, ephemeral ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 

.github/workflows/release-artifacts.yml

@@ -11,6 +11,7 @@ defaults:
 
 permissions:
   contents: read
+  packages: write
 
 env:
   LC_ALL: C.UTF-8
@@ -22,6 +23,11 @@ jobs:
     name: Validate Release
     runs-on: [ self-hosted, Linux, medium, ephemeral ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -55,13 +61,19 @@ jobs:
     name: Publish to Maven Central
     runs-on: [ self-hosted, Linux, medium, ephemeral ]
     needs:
+      # This needs clause exists solely to provide a dependency on the previous step. This publish step will not occur
+      # until the validate-release step completes successfully.
       - validate-release
     steps:
+      -   name: Harden Runner
+          uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+          with:
+            egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install GnuPG Tools
-        if: ${{ inputs.dry-run-enabled != true }}
         run: |
           if ! command -v gpg2 >/dev/null 2>&1; then
             echo "::group::Updating APT Repository Indices"
@@ -74,7 +86,7 @@ jobs:
 
       - name: Import GPG key
         id: gpg_key
-        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        uses: step-security/ghaction-import-gpg@a7c87df2279f2bf2e69ba8289dfbf35fe05a4e08 # v1.0.0
         with:
           gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }}
           passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}