diff --git a/.github/workflows/apiary.yml b/.github/workflows/apiary.yml
index 7f0a6f685e0..f1c603c99dc 100644
--- a/.github/workflows/apiary.yml
+++ b/.github/workflows/apiary.yml
@@ -10,13 +10,16 @@ on:
 paths:
 - apiary.apib
+permissions:
+ contents: read
+
 jobs:
 ubuntu:
 name: Ubuntu
 runs-on: ubuntu-latest
 steps:
 - name: Checkout master branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install drafter
 run: npm install drafter
 - name: Build
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bdc316a2bb2..fae0f2e497b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,9 @@ on:
 schedule:
 - cron: "0 0 * * 0"
+permissions:
+ contents: read
+
 jobs:
 build:
 name: ${{ matrix.os }} with Java 21
@@ -19,22 +22,22 @@ jobs:
 os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest, windows-latest]
 steps:
 - name: Checkout master branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'oracle'
 java-version: '21'
 - name: Cache Maven packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.m2
 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
 restore-keys: ${{ runner.os }}-m2
 - name: Checkout Universal ctags
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: universal-ctags/ctags
 path: ctags
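Review bot: The pinned master checkout in this hunk keeps the default `persist-credentials: true`, so the job's `GITHUB_TOKEN` remains in `.git/config` while the following `npm install drafter` step runs package install scripts, and nothing visible in this job pushes back to the repository; the step can take `with:` / `persist-credentials: false`, exactly as the new macaron workflow in this commit does. The same applies to the other re-pinned checkouts that are not followed by a push: both checkouts in build.yml (the ctags one clones a foreign repository), the checkouts in codeql-analysis.yml, docker.yml and release.yml, and the master checkout in javadoc.yml; only the gh-pages checkout in javadoc.yml clearly needs the persisted credential. The new workflow-level `contents: read` narrows what that token can do but does not stop it from being exposed to every later step. The `Build` step's body continues outside the hunk.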
@@ -57,7 +60,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: ./dev/main
 - name: Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: opengrok-${{ github.sha }}-${{ matrix.os }}.tar.gz
 path: distribution/target/opengrok-*.tar.gz
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 477eaa32470..a96f7fcc012 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,6 +9,9 @@ on:
 schedule:
 - cron: '41 17 * * 5'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
@@ -21,19 +24,19 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'oracle'
 java-version: '21'
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a38e1424acb..7face40a9e5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -6,6 +6,9 @@ on:
 release:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 ubuntu:
 runs-on: ubuntu-latest
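Review bot: `./dev/main` is still handed `GITHUB_TOKEN` through `env:` in this hunk, and with the new workflow-level `permissions: contents: read` in build.yml that token is read-only for the `build` job unless the job declares its own `permissions:` block (the job header lies between the hunks and is not in the diff). If the script uses the token for anything beyond reads, the commit breaks that path silently rather than at review time, so it is worth confirming what `dev/main` does with it. If read access is all it needs, a one-line comment on the `env:` entry recording that, `# read-only: workflow-level permissions grant contents: read`, would stop a later widening from going unnoticed. The step that runs `./dev/main` starts outside the hunk.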
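Review bot: The `Perform CodeQL Analysis` step uploads SARIF to code scanning, which needs `security-events: write`, and the new workflow-level `permissions: contents: read` in codeql-analysis.yml leaves only read access unless the `analyze` job carries its own `permissions:` block; the job body between this hunk and the next is not in the diff, so this is inferred, not confirmed. If the job has no such block, add at job level `permissions:` / `contents: read` / `security-events: write` rather than widening the workflow-level grant, so the JDK setup and autobuild steps keep the narrow token and only the analyze step's job gets the write scope.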
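Review bot: The three `github/codeql-action/*` pins end with `# v4` while every other pin in this commit records the exact tag (`# v6.0.2`, `# v5.2.0`, `# v7.0.1`), so a reader cannot check this SHA against a release without resolving it, and tooling that keeps SHA pins in sync with their tag comment has nothing precise to match. Record the tag the SHA was taken from, `# v4.<minor>.<patch>` (placeholder, fill in the actual release tag), on all three lines; the `v4` major alias moves over time, the SHA does not, so the comment should name the immovable thing.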
@@ -14,8 +17,8 @@ jobs:
 shell: bash
 run: env
 - name: Checkout master branch
- uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.10'
 - name: Install dependencies
diff --git a/.github/workflows/javadoc.yml b/.github/workflows/javadoc.yml
index 681800fecf1..6e12a8c0d27 100644
--- a/.github/workflows/javadoc.yml
+++ b/.github/workflows/javadoc.yml
@@ -12,26 +12,29 @@ on:
 - .github/workflows/javadoc.yml
 - dev/javadoc.sh
+permissions:
+ contents: write
+
 jobs:
 ubuntu:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout master branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'oracle'
 java-version: '21'
 - name: Cache Maven packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.m2
 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
 restore-keys: ${{ runner.os }}-m2
 - name: Checkout gh-pages branch
 if: github.repository == 'oracle/opengrok'
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: gh-pages
 path: gh-pages
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml
new file mode 100644
index 00000000000..1768f5776e4
--- /dev/null
+++ b/.github/workflows/macaron-check-github-actions.yml
@@ -0,0 +1,42 @@
+# Copyright (c) 2026 - 2026, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Run Macaron's policies and generate Verification Summary Attestation reports.
+# See https://github.com/oracle/macaron
+
+name: Macaron check-github-actions
+
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ push:
+ branches:
+ - master
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ workflow_dispatch:
+ schedule:
+ - cron: "17 4 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ macaron-check-github-actions:
+ name: Macaron policy verification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Check the GitHub Actions workflows in the repository for vulnerabilities.
+ uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
+ with:
+ repo_path: ./
+ policy_file: check-github-actions
+ policy_purl: pkg:github.com/oracle/opengrok@.*
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7396a0de135..a5a54eaf2b9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
 release:
 types: [created]
+permissions:
+ contents: write
+
 jobs:
 get_tag:
 name: Get tag name
@@ -13,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout master branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Get the tag name
 id: get_tag
 env:
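Review bot: The workflow-level `permissions: contents: write` added to release.yml grants a writable token to every job in the file, including `get_tag` in the next hunk, which only reads the tag name, and the build job in the following hunks, which runs third-party actions and Maven before anything is uploaded; only the `upload-release-asset` step needs write access. Keep the top-level block at `contents: read` and put `permissions:` / `contents: write` on the job that uploads the tarball, so the checkout-and-build steps never hold a token that can modify releases.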
@@ -24,20 +27,20 @@ jobs:
 needs: get_tag
 steps:
 - name: Checkout master branch
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 distribution: 'oracle'
 java-version: '21'
 - name: Cache Maven packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.m2
 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
 restore-keys: ${{ runner.os }}-m2
 - name: Checkout Universal ctags
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: universal-ctags/ctags
 path: ctags
@@ -54,7 +57,7 @@ jobs:
 run: dev/get_upload_url.sh
 - name: Upload release tarball
 id: upload-release-asset
- uses: actions/upload-release-asset@v1
+ uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
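Review bot: `actions/upload-release-asset` is, to my knowledge, archived upstream with v1.0.2 as its last release, so pinning it to that SHA freezes a dependency that will not receive fixes; the pin itself is correct, but the step is a candidate for replacement rather than maintenance. The GitHub CLI on the runner can do the same upload without a third-party action and without the `dev/get_upload_url.sh` step, e.g. `run: gh release upload <tag> distribution/target/opengrok-*.tar.gz` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in `env:` (the tag name comes from the `get_tag` job, outside this hunk). The step's `with:` block continues past the end of the hunk.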