From 1593e7eb432939abadff08bcf220e627e0d48e1f Mon Sep 17 00:00:00 2001
From: Esta Nagy
Date: Sun, 28 Jul 2024 22:25:18 +0200
Subject: [PATCH] Bugfix/improve workflows (#1086)

- Runs test workflow on every commit of the "main" branch
- Limits permissions of draft release creation workflow
- Limits permissions of release trigger workflow
- Restricts permissions of CodeQL workflow
- Runs CodeQL scanning on every build of the "main" branch
- Switches to new Gradle wrapper validation action

{patch}

Signed-off-by: Esta Nagy
---
 .github/workflows/codeql-analysis.yml | 25 +++++-------------------
 .github/workflows/gradle-ci.yml | 7 -------
 .github/workflows/release-draft.yml | 5 +++++
 .github/workflows/release-trigger.yml | 3 +++
 4 files changed, 13 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 75fb6492..91089c21 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,22 +15,6 @@ name: "CodeQL"
 on:
 push:
 branches: [ main ]
- paths-ignore:
- 'README.md'
- '**/README.md'
- 'CODE_OF_CONDUCT.md'
- 'CONTRIBUTING.md'
- 'pull_request_template.md'
- 'SECURITY.md'
- 'LICENSE'
- '.github/ISSUE_TEMPLATE/**'
- '.github/assets/**'
- '.github/workflows/**'
- '!.github/workflows/codeql-analysis.yml'
- '.github/pr-labeler.yml'
- 'renovate.json'
- '.whitesource'
- 'lowkey-vault-docker/src/docker/Dockerfile'
 pull_request:
 # The branches below must be a subset of the branches above
 branches: [ main ]
@@ -53,9 +37,6 @@ on:
 - 'lowkey-vault-docker/src/docker/Dockerfile'
 permissions:
- # required for all workflows
- security-events: write
- # only required for workflows in private repositories
 actions: read
 contents: read
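Review bot: Dropping `paths-ignore` from the `push` trigger while the `pull_request` trigger keeps its own list (the `'lowkey-vault-docker/src/docker/Dockerfile'` entry is still visible as context in the next hunk) leaves the two event filters asymmetric: a pull request that touches only ignored paths gets no CodeQL run, while the same change merged to `main` does. That is a reasonable trade-off if the CodeQL check is not a required status check; if it is, such pull requests will sit on a pending "Expected" check, which cannot be told from the patch. Consider either mirroring the change on `pull_request` or recording the intent next to the trigger, e.g. `# push scans every commit on main; pull_request stays path-filtered to save minutes`. The `on:` block continues beyond this hunk.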
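Review bot: Removing `security-events: write` from the workflow-level block also removes the `# only required for workflows in private repositories` comment that explained why `actions: read` is granted, so the top-level `permissions:` now carries an unexplained scope. Keeping the rationale lets the next reader judge whether `actions: read` can be dropped as well; suggest re-adding `# only required for workflows in private repositories` directly above `actions: read`. Whether this repository is private, and hence whether the scope is needed at all, is not visible in the patch.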
@@ -64,12 +45,16 @@ jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
+
+ permissions:
+ # required for all workflows
+ security-events: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Validate Gradle wrapper
- uses: gradle/wrapper-validation-action@f9c9c575b8b21b6485636a91ffecd10e558c62f6 # v3.5.0
+ uses: gradle/actions/wrapper-validation@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0
 - name: Set up JDK 17
 uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
 with:
diff --git a/.github/workflows/gradle-ci.yml b/.github/workflows/gradle-ci.yml
index 44668b91..2a5cbc85 100644
--- a/.github/workflows/gradle-ci.yml
+++ b/.github/workflows/gradle-ci.yml
@@ -6,13 +6,6 @@ name: JavaCI-PR
 on:
 push:
 branches: [ main ]
- paths:
- 'gradle/libs.versions.toml'
- 'gradle/verification-metadata.xml'
- 'lowkey-vault-docker/src/docker/Dockerfile'
- 'gradle/wrapper/gradle-wrapper.properties'
- 'config/ossindex/exclusions.txt'
- '.github/workflows/gradle-ci.yml'
 pull_request:
 branches: [ main ]
 paths-ignore:
diff --git a/.github/workflows/release-draft.yml b/.github/workflows/release-draft.yml
index 02106fcc..aca0df40 100644
--- a/.github/workflows/release-draft.yml
+++ b/.github/workflows/release-draft.yml
@@ -4,10 +4,15 @@ on:
 tags:
 - v*
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Draft release action
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Create release
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
diff --git a/.github/workflows/release-trigger.yml b/.github/workflows/release-trigger.yml
index 766598b6..d909ff3f 100644
--- a/.github/workflows/release-trigger.yml
+++ b/.github/workflows/release-trigger.yml
@@ -13,6 +13,9 @@ on:
 # * is a special character in YAML, so we have to quote this string
 - cron: '0 4 10 * *'
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Release trigger action
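Review bot: The new job-level `permissions:` block on `analyze` lists only `security-events: write`, and a job-level block replaces the workflow-level one for that job instead of extending it, so the job no longer holds the `actions: read` and `contents: read` that the top-level block in the previous hunk still grants. On a public repository `actions/checkout` may still succeed with a token that lacks `contents: read`, but the CodeQL starter workflow declares all three scopes at job level, and the behaviour in a private repository would differ; to keep the intent explicit, add `actions: read` and `contents: read` under the job's `permissions:` alongside `security-events: write`. The switch to `gradle/actions/wrapper-validation` keeps the full-SHA pin with a version comment, which is the right form. The `analyze` job continues beyond this hunk.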
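Review bot: With the `push` path filter removed, the workflow name `JavaCI-PR` shown in the hunk header no longer describes the trigger, since the jobs now run on every commit to `main` as well as on pull requests. Renaming it, e.g. `name: JavaCI`, would keep the status-check name honest, but any branch-protection rule keyed on the current check name would have to be updated in the same change, which cannot be verified from the patch. The `pull_request` filter after `paths-ignore:` continues beyond this hunk.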
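Review bot: The workflow-level `permissions:` with `contents: read` now restricts the `GITHUB_TOKEN` for every job in release-trigger.yml, but the `build` job's steps lie outside the hunk, so it is not visible whether "Release trigger action" pushes a tag or otherwise writes to the repository. If it does, the scheduled run will fail until the job receives its own block such as `permissions:` / `  contents: write`, the same pattern this patch applies in release-draft.yml. Worth confirming before the next scheduled run defined by `- cron: '0 4 10 * *'`.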