diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 4e499308eb..b09e33d8d8 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -1,10 +1,12 @@ name: actionlint -permissions: read-all +permissions: {} on: [ push, pull_request ] jobs: actionlint: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Harden Runner uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 
@@ -14,11 +16,47 @@ jobs: allowed-endpoints: > api.github.com:443 github.com:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: actionlint + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Run actionlint uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1.64.1 env: SHELLCHECK_OPTS: -e SC2001 -e SC2035 -e SC2046 -e SC2061 -e SC2086 -e SC2156 with: reporter: github-check github_token: ${{ secrets.GITHUB_TOKEN }} + + zizmor: + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Install uv + uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1 + - name: Run zizmor + run: uvx zizmor --pedantic --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload SARIF file for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + with: + sarif_file: results.sarif + category: zizmor diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 0c6af7f8ba..81a67cc689 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -1,5 +1,5 @@ name: analysis -permissions: read-all +permissions: {} on: [ push, pull_request ] env: @@ -22,6 +22,8 @@ env: jobs: forbiddenApis: runs-on: ubuntu-latest + permissions: + contents: read env: JAVA_VERSION: 23 steps: 
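Review bot: The new `Run zizmor` step invokes `uvx zizmor` with no version constraint, so the only unpinned component in a workflow that otherwise pins every action to a commit SHA is the security scanner itself, resolved from PyPI at run time. Pin it the same way the actions are pinned, e.g. `run: uvx zizmor==<version> --pedantic --format sarif . > results.sarif`, and bump it deliberately. Separately, if zizmor reports findings through a non-zero exit status (its default in recent releases, as far as I can tell), the shell redirect step fails and the `Upload SARIF` step never runs, which is the opposite of what the dashboard upload is for; add `--no-exit-codes` to the command or `continue-on-error: true` on the step so results always reach code scanning.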
@@ -31,7 +33,10 @@ jobs: disable-sudo: true egress-policy: block allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Forbidden Apis uses: ./.github/actions/run-gradle with: @@ -41,6 +46,8 @@ jobs: pmd: runs-on: ubuntu-latest + permissions: + contents: read env: JAVA_VERSION: 23 steps: @@ -50,7 +57,10 @@ jobs: disable-sudo: true egress-policy: block allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Pmd uses: ./.github/actions/run-gradle with: @@ -60,6 +70,8 @@ jobs: spotbugs: runs-on: ubuntu-latest + permissions: + contents: read env: JAVA_VERSION: 23 steps: @@ -69,7 +81,10 @@ jobs: disable-sudo: true egress-policy: block allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Spotbugs uses: ./.github/actions/run-gradle with: diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml index f611201797..6240bfea63 100644 --- a/.github/workflows/benchmarks.yml +++ b/.github/workflows/benchmarks.yml @@ -1,5 +1,5 @@ name: benchmarks -permissions: read-all +permissions: {} on: [ push, pull_request ] env: @@ -9,6 +9,8 @@ env: jobs: benchmarks: runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: java: [ 11, 21, 25, GraalVM ] 
@@ -39,7 +41,10 @@ jobs: raw.githubusercontent.com:443 services.gradle.org:443 www.graalvm.org:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Compute JMH Benchmark uses: ./.github/actions/run-gradle with: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 033d0ac6b7..990db381ce 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,9 +1,9 @@ name: build +permissions: {} on: pull_request: {} push: branches: [master, v2.dev, v3.dev] -permissions: read-all env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} @@ -45,6 +45,8 @@ jobs: name: Compile timeout-minutes: 15 runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: java: [ 11, 23, 25, GraalVM ] @@ -59,6 +61,8 @@ jobs: allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Compile uses: ./.github/actions/run-gradle with: @@ -75,6 +79,8 @@ jobs: timeout-minutes: 60 runs-on: ubuntu-latest needs: compile + permissions: + contents: read strategy: matrix: suite: @@ -173,6 +179,8 @@ jobs: allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }} - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Run tests (${{ env.JAVA_VERSION }}) uses: ./.github/actions/run-gradle with: @@ -182,7 +190,7 @@ jobs: - name: Format Test Artifact Name if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK) run: | - RAW_NAME=${{ matrix.suite }}-${{ env.JAVA_VERSION }} + RAW_NAME=${{ matrix.suite }}-${JAVA_VERSION} ARTIFACT_NAME=$(echo $RAW_NAME | sed 's/:/-/g') echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV - name: Compress test results 
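Review bot: The `Format Test Artifact Name` step still expands `matrix.suite` directly into the shell (`RAW_NAME=${{ matrix.suite }}-${JAVA_VERSION}`) while `JAVA_VERSION` was moved to an environment variable in the same line. The matrix is workflow-defined so this is not attacker-controlled, but the mixed style keeps template-injection linters firing, and the unquoted `$RAW_NAME` on the next line word-splits if a suite name ever contains whitespace. Route it the same way: add `SUITE: ${{ matrix.suite }}` under the step's `env:`, then `RAW_NAME="${SUITE}-${JAVA_VERSION}"` and `ARTIFACT_NAME=$(echo "$RAW_NAME" | sed 's/:/-/g')`.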
@@ -207,6 +215,8 @@ jobs: runs-on: ubuntu-latest needs: tests if: (github.event_name == 'push') && (github.event.repository.fork == false) + permissions: + contents: read steps: - name: Harden Runner uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 @@ -232,6 +242,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Download Tests Results uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - name: Decompress @@ -284,6 +295,7 @@ jobs: needs: tests if: github.event_name == 'push' permissions: + contents: read checks: write steps: - name: Harden Runner @@ -315,7 +327,7 @@ jobs: COLOR: 31c653 STATUS: ${{ fromJSON(steps.test-results.outputs.json).formatted.stats.runs }} continue-on-error: true - run: curl -s -f https://badgen.net/badge/${{env.LABEL}}/${{env.STATUS}}/${{env.COLOR}} > badge.svg + run: curl -s -f https://badgen.net/badge/${LABEL}/${STATUS}/${COLOR} > badge.svg - name: Upload badge to Gist uses: popsiclestick/gist-sync-action@88f8633178625914f2a01abf1a765f7272a580fa # v1.2.0 if: > @@ -338,6 +350,7 @@ jobs: && github.event.repository.fork == false && endsWith(github.ref, github.event.repository.default_branch) permissions: + contents: read id-token: write steps: - name: Harden Runner @@ -353,7 +366,10 @@ jobs: jspecify.dev:443 lightbend.github.io:443 oauth2.sigstore.dev:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Publish Snapshot uses: ./.github/actions/run-gradle env: diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml index ce8c55e457..fae52c7d1a 100644 --- a/.github/workflows/codacy.yml +++ b/.github/workflows/codacy.yml 
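Review bot: The badge step's URL is left unquoted after moving the values into environment variables: `curl -s -f https://badgen.net/badge/${LABEL}/${STATUS}/${COLOR} > badge.svg`. `STATUS` is derived from the test-results JSON rather than a literal, so if it ever contains whitespace or shell metacharacters the command word-splits instead of failing cleanly; the env change removes expression injection but not this. Quote the argument: `run: curl -s -f "https://badgen.net/badge/${LABEL}/${STATUS}/${COLOR}" > badge.svg`.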
@@ -1,5 +1,5 @@ name: Codacy -permissions: read-all +permissions: {} on: [ push, pull_request ] jobs: @@ -28,8 +28,10 @@ jobs: raw.githubusercontent.com:443 registry-1.docker.io:443 *.blob.core.windows.net:443 - - name: Checkout code + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Run Codacy Analysis uses: codacy/codacy-analysis-cli-action@97bf5df3c09e75f5bcd72695998f96ebd701846e # v4.4.5 continue-on-error: true @@ -47,7 +49,7 @@ jobs: if: steps.check_files.outputs.files_exists == 'true' run: jq -c '.runs |= unique_by({tool, invocations, results})' < results.sarif > codacy.sarif - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 if: steps.check_files.outputs.files_exists == 'true' continue-on-error: true with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ca0eed365c..781a5e5c6b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,5 @@ -name: "CodeQL" -permissions: read-all +name: CodeQL +permissions: {} on: push: @@ -47,8 +47,10 @@ jobs: repo1.maven.org:443 uploads.github.com:443 services.gradle.org:443 - - name: Checkout repository + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup Gradle uses: ./.github/actions/run-gradle if: ${{ matrix.language == 'java' }} 
@@ -56,13 +58,13 @@ jobs: java: ${{ env.JAVA_VERSION }} cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} - name: Initialize CodeQL (Actions) - uses: github/codeql-action/init@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 if: ${{ matrix.language == 'actions' }} with: languages: actions dependency-caching: true - name: Initialize CodeQL (Java) - uses: github/codeql-action/init@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 if: ${{ matrix.language == 'java' }} with: queries: > @@ -80,6 +82,6 @@ jobs: config: | threat-models: local - name: Autobuild - uses: github/codeql-action/autobuild@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 12615a4926..3acba5581d 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -1,10 +1,10 @@ name: Dependency Check +permissions: {} on: push: pull_request: schedule: - cron: '0 0 * * 4' -permissions: read-all env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} @@ -45,7 +45,10 @@ jobs: raw.githubusercontent.com:443 services.gradle.org:443 www.cisa.gov:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Run dependency-check uses: ./.github/actions/run-gradle continue-on-error: true 
@@ -61,7 +64,7 @@ jobs: with: files: build/reports/dependency-check-report.sarif - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 if: steps.check_files.outputs.files_exists == 'true' with: sarif_file: build/reports/dependency-check-report.sarif diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e5306c673c..673f5179db 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,5 +1,5 @@ name: Dependency Review -permissions: read-all +permissions: {} on: [pull_request] jobs: @@ -18,8 +18,10 @@ jobs: api.deps.dev:443 api.github.com:443 github.com:443 - - name: Checkout Repository + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Dependency Review uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: diff --git a/.github/workflows/dependency-submission-pr-retreive.yml b/.github/workflows/dependency-submission-pr-retrieve.yml similarity index 98% rename from .github/workflows/dependency-submission-pr-retreive.yml rename to .github/workflows/dependency-submission-pr-retrieve.yml index ab334f60c1..c801327f7a 100644 --- a/.github/workflows/dependency-submission-pr-retreive.yml +++ b/.github/workflows/dependency-submission-pr-retrieve.yml @@ -1,5 +1,5 @@ name: Retrieve and submit dependency graph -permissions: read-all +permissions: {} on: workflow_run: workflows: ['Generate and save dependency graph'] diff --git a/.github/workflows/dependency-submission-pr-submit.yml b/.github/workflows/dependency-submission-pr-submit.yml index 2040aae50a..bc6bf41af4 100644 --- a/.github/workflows/dependency-submission-pr-submit.yml +++ b/.github/workflows/dependency-submission-pr-submit.yml 
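Review bot: With the top-level `permissions` changed from `read-all` to `{}`, the `Dependency Review` job now receives no default permissions, yet the hunk adds no job-level `contents: read` the way the analysis, benchmarks and spelling jobs do in this same commit. The job's own `permissions:` block, if it has one, is outside the hunk, so I cannot tell whether it already declares `contents: read` (which `actions/dependency-review-action` needs to read the repository, and which job-level blocks must now list explicitly since they no longer inherit anything). Please confirm, and if absent add `permissions: contents: read` under the job; the same check applies to the other SARIF-uploading workflows in this commit (codacy, codeql, devskim, dependency-check, qodana, semgrep, snyk, trivy) whose job headers are likewise not shown.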
@@ -1,5 +1,5 @@ name: Generate and save dependency graph -permissions: read-all +permissions: {} on: [ pull_request ] env: @@ -31,7 +31,10 @@ jobs: repo.maven.apache.org:443 repo1.maven.org:443 services.gradle.org:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up JDK ${{ env.JAVA_VERSION }} uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml index 91e7e8190f..86ed32f4e2 100644 --- a/.github/workflows/dependency-submission.yml +++ b/.github/workflows/dependency-submission.yml @@ -1,5 +1,5 @@ name: Dependency Submission -permissions: read-all +permissions: {} on: [ push ] env: @@ -31,7 +31,10 @@ jobs: repo.maven.apache.org:443 repo1.maven.org:443 services.gradle.org:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up JDK ${{ env.JAVA_VERSION }} uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml index 81b5fe58a8..2f8d26bda4 100644 --- a/.github/workflows/devskim.yml +++ b/.github/workflows/devskim.yml @@ -1,5 +1,5 @@ name: DevSkim -permissions: read-all +permissions: {} on: push: 
@@ -26,11 +26,13 @@ jobs: allowed-endpoints: > api.github.com:443 github.com:443 - - name: Checkout code + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Run DevSkim scanner uses: microsoft/DevSkim-Action@914fa647b406c387000300b2f09bb28691be2b6d # v1.0.14 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 with: sarif_file: devskim-results.sarif diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml index 12523f8e3d..6cf80b5770 100644 --- a/.github/workflows/examples.yml +++ b/.github/workflows/examples.yml @@ -1,5 +1,5 @@ name: examples -permissions: read-all +permissions: {} on: [ push, pull_request ] env: @@ -9,6 +9,8 @@ env: jobs: examples: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Harden Runner uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 @@ -32,7 +34,10 @@ jobs: repo1.maven.org:443 services.gradle.org:443 www.graalvm.org:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup Gradle uses: ./.github/actions/run-gradle with: diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index e1213dd384..c819c28f9f 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -1,9 +1,9 @@ name: gitleaks +permissions: {} on: pull_request: {} push: branches: [master, v3.dev] -permissions: read-all env: ALLOWED_ENDPOINTS: 
> @@ -15,6 +15,8 @@ jobs: scan: name: gitleaks runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Harden Runner uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 @@ -26,6 +28,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Run gitleaks uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7 env: diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index eca4be02c4..feccdcdda0 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -1,11 +1,13 @@ name: Validate Gradle Wrapper on: [push, pull_request] -permissions: read-all +permissions: {} jobs: validation: name: Validation runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Harden Runner uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 @@ -17,5 +19,8 @@ jobs: downloads.gradle-dn.com:443 github.com:443 services.gradle.org:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 diff --git a/.github/workflows/qodana.yml b/.github/workflows/qodana.yml index 5c6b25958e..ce133ffc12 100644 --- a/.github/workflows/qodana.yml +++ b/.github/workflows/qodana.yml @@ -1,5 +1,5 @@ name: Qodana -permissions: read-all +permissions: {} on: [ push, pull_request ] env: @@ -56,6 +56,8 @@ jobs: services.gradle.org:443 - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Build uses: ./.github/actions/run-gradle with: 
@@ -70,6 +72,6 @@ jobs: upload-result: true github-token: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 with: sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 813a9c553a..5c98db8bf6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,7 +2,7 @@ name: release on: release: types: [created] -permissions: read-all +permissions: {} env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} @@ -13,6 +13,7 @@ jobs: runs-on: ubuntu-latest if: github.event.repository.fork == false permissions: + contents: read id-token: write steps: - name: Harden Runner @@ -20,7 +21,10 @@ jobs: with: disable-sudo: true egress-policy: audit - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Releasing uses: ./.github/actions/run-gradle env: diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index 9cf58e87a0..4ed378dbc8 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -1,4 +1,5 @@ name: Scorecards +permissions: {} on: branch_protection_rule: schedule: @@ -6,8 +7,6 @@ on: push: branches: [ master ] -permissions: read-all - jobs: analysis: name: Scorecards analysis 
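Review bot: The `release` job keeps `egress-policy: audit` on Harden Runner while holding `id-token: write`, which makes the job that signs and publishes artifacts the only one in this commit without an egress allow-list; every other job, including the snapshot publisher in build.yml that lists `oauth2.sigstore.dev:443` and friends, runs with `egress-policy: block`. A compromised build plugin or dependency in this job could exfiltrate the OIDC-derived credentials with nothing more than an audit log entry. Consider `egress-policy: block` with an `allowed-endpoints:` list modelled on the snapshot job's; the Releasing step's `./.github/actions/run-gradle` invocation continues outside the hunk, so the exact endpoint set should be taken from a passing audit run.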
@@ -20,7 +19,7 @@ jobs: if: github.event.repository.fork == false steps: - name: Harden Runner - uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: disable-sudo: true egress-policy: block @@ -40,7 +39,7 @@ jobs: sigstore-tuf-root.storage.googleapis.com:443 tuf-repo-cdn.sigstore.dev:443 www.bestpractices.dev:443 - - name: Checkout code + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -58,6 +57,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 with: sarif_file: results.sarif diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 0e38e281e2..0e10a9d2c7 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -1,5 +1,5 @@ name: Semgrep -permissions: read-all +permissions: {} on: pull_request: {} push: @@ -17,7 +17,10 @@ jobs: # Incompatible with Harden Runner image: returntocorp/semgrep steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - run: semgrep scan --sarif --output=results.sarif env: SEMGREP_RULES: >- @@ -31,7 +34,7 @@ jobs: with: files: results.sarif - name: Upload SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 if: steps.check_files.outputs.files_exists == 'true' continue-on-error: true with: 
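Review bot: The Scorecards job's Harden Runner is moved backwards, from `cb605e52…` (`# v2.10.4`) to `c95a14d0…` (`# v2.10.3`), while every other workflow in this commit stays on v2.10.4. Nothing in the change description explains a downgrade, so this looks like a stale line reintroduced by a merge or rebase rather than an intentional rollback. Unless there is a known v2.10.4 problem specific to this job, restore `uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4` so all workflows are pinned to the same audited revision.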
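Review bot: The Semgrep job runs inside `image: returntocorp/semgrep` with neither a tag nor a digest, so the container that checks out the repository and executes `semgrep scan` is resolved to whatever the registry serves as `latest` on each run; this undercuts the SHA-pinning applied to every action and to the new `persist-credentials: false` checkout in this hunk. Pin the image to an immutable digest, `image: returntocorp/semgrep@sha256:<digest>`, with the human-readable version in a trailing comment, and let the existing dependency tooling bump it. The comment above notes the job cannot use Harden Runner, which makes the image pin the only supply-chain control this job has.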
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 863c4ad24e..8ffdbc5b38 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -1,8 +1,8 @@ name: snyk +permissions: {} on: push: branches: [master, v2.dev, v3.dev] -permissions: read-all env: DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} @@ -24,8 +24,10 @@ jobs: FORCE_COLOR: 2 if: github.event.repository.fork == false steps: - - name: Checkout repository + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup Gradle uses: ./.github/actions/run-gradle with: @@ -42,7 +44,7 @@ jobs: with: files: snyk.sarif - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 if: steps.check_files.outputs.files_exists == 'true' with: sarif_file: snyk.sarif diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 28797ce34d..685617d0b5 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -1,10 +1,12 @@ name: spelling -permissions: read-all +permissions: {} on: [ push, pull_request ] jobs: misspell: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Harden Runner uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 @@ -14,7 +16,10 @@ jobs: allowed-endpoints: > api.github.com:443 github.com:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Misspell uses: reviewdog/action-misspell@18ffb61effb93b47e332f185216be7e49592e7e1 # v1.26.1 with: 
@@ -32,6 +37,9 @@ jobs: allowed-endpoints: > github.com:443 objects.githubusercontent.com:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Typos uses: crate-ci/typos@685eb3d55be2f85191e8c84acb9f44d7756f84ab # v1.29.4 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 53713dc8a0..5212451559 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,5 +1,5 @@ name: trivy -permissions: read-all +permissions: {} on: [ push, pull_request ] jobs: @@ -23,7 +23,10 @@ jobs: mirror.gcr.io:443 objects.githubusercontent.com:443 pkg-containers.githubusercontent.com:443 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 continue-on-error: true @@ -37,7 +40,7 @@ jobs: with: files: results.sarif - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 if: steps.check_files.outputs.files_exists == 'true' with: sarif_file: results.sarif diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000000..4f8bac1822 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,6 @@ +# Configuration for the zizmor static analysis tool +# https://woodruffw.github.io/zizmor/configuration/ +rules: + dangerous-triggers: + ignore: + - dependency-submission-pr-retrieve.yml 
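Review bot: The new `.github/zizmor.yml` suppresses the `dangerous-triggers` rule for `dependency-submission-pr-retrieve.yml` without recording why the `workflow_run` trigger is acceptable there, so the next reader has no way to tell a reviewed exception from a silenced finding. The ignore is reasonable only if that workflow never checks out or executes code from the triggering pull request and treats the downloaded artifact as untrusted data; that workflow is not in view here, so please confirm. Add the justification next to the entry, e.g. `# workflow_run is required to submit a PR's dependency graph with repo-scoped permissions; the workflow must only consume the uploaded graph artifact and never check out or run PR code`, so the rationale travels with the suppression.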
diff --git a/caffeine/src/test/java/com/github/benmanes/caffeine/cache/ExpireAfterVarTest.java b/caffeine/src/test/java/com/github/benmanes/caffeine/cache/ExpireAfterVarTest.java index 11390bbcb1..4309ef55bb 100644 --- a/caffeine/src/test/java/com/github/benmanes/caffeine/cache/ExpireAfterVarTest.java +++ b/caffeine/src/test/java/com/github/benmanes/caffeine/cache/ExpireAfterVarTest.java @@ -260,7 +260,6 @@ public void getAll_present_expired(LoadingCache cache, CacheContext co verifyNoMoreInteractions(context.expiry()); } - @Test(dataProvider = "caches") @CacheSpec(population = Population.EMPTY, expiry = CacheExpiry.MOCKITO, loader = {Loader.IDENTITY, Loader.BULK_IDENTITY}) diff --git a/caffeine/src/test/java/com/github/benmanes/caffeine/cache/issues/Issue193Test.java b/caffeine/src/test/java/com/github/benmanes/caffeine/cache/issues/Issue193Test.java index 825a53b85a..1da229530c 100644 --- a/caffeine/src/test/java/com/github/benmanes/caffeine/cache/issues/Issue193Test.java +++ b/caffeine/src/test/java/com/github/benmanes/caffeine/cache/issues/Issue193Test.java @@ -61,7 +61,6 @@ public final class Issue193Test { return f; }; - /** This ensures that any outstanding async loading is completed as well */ private long loadGet(AsyncLoadingCache cache, String key) { CompletableFuture future = cache.get(key); diff --git a/examples/coalescing-bulkloader-reactor/gradle/libs.versions.toml b/examples/coalescing-bulkloader-reactor/gradle/libs.versions.toml index cb23a217b4..199ea7c0c2 100644 --- a/examples/coalescing-bulkloader-reactor/gradle/libs.versions.toml +++ b/examples/coalescing-bulkloader-reactor/gradle/libs.versions.toml @@ -3,7 +3,7 @@ caffeine = "3.2.0" junit = "5.11.4" reactor = "3.7.2" truth = "1.4.4" -versions = "0.51.0" +versions = "0.52.0" [libraries] caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version.ref = "caffeine" } 
diff --git a/examples/coalescing-bulkloader-reactor/gradle/wrapper/gradle-wrapper.properties b/examples/coalescing-bulkloader-reactor/gradle/wrapper/gradle-wrapper.properties index e926ac106f..304dce7831 100644 --- a/examples/coalescing-bulkloader-reactor/gradle/wrapper/gradle-wrapper.properties +++ b/examples/coalescing-bulkloader-reactor/gradle/wrapper/gradle-wrapper.properties @@ -1,4 +1,4 @@ -distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists zipStoreBase=GRADLE_USER_HOME diff --git a/examples/coalescing-bulkloader-reactor/settings.gradle.kts b/examples/coalescing-bulkloader-reactor/settings.gradle.kts index 78ef9ea336..a31fef5155 100644 --- a/examples/coalescing-bulkloader-reactor/settings.gradle.kts +++ b/examples/coalescing-bulkloader-reactor/settings.gradle.kts @@ -1,6 +1,6 @@ plugins { - id("com.gradle.develocity") version "3.19" - id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2" + id("com.gradle.develocity") version "3.19.1" + id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1" id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0" } diff --git a/examples/graal-native/gradle/libs.versions.toml b/examples/graal-native/gradle/libs.versions.toml index c6f81db169..73ed2a7bcc 100644 --- a/examples/graal-native/gradle/libs.versions.toml +++ b/examples/graal-native/gradle/libs.versions.toml @@ -3,7 +3,7 @@ caffeine = "3.2.0" graal = "0.10.4" junit = "5.11.4" truth = "1.4.4" -versions = "0.51.0" +versions = "0.52.0" [libraries] caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version.ref = "caffeine" } diff --git a/examples/graal-native/gradle/wrapper/gradle-wrapper.properties b/examples/graal-native/gradle/wrapper/gradle-wrapper.properties index e926ac106f..304dce7831 100644 
--- a/examples/graal-native/gradle/wrapper/gradle-wrapper.properties +++ b/examples/graal-native/gradle/wrapper/gradle-wrapper.properties @@ -1,4 +1,4 @@ -distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists zipStoreBase=GRADLE_USER_HOME diff --git a/examples/graal-native/settings.gradle.kts b/examples/graal-native/settings.gradle.kts index 28406a0f2a..ab73351470 100644 --- a/examples/graal-native/settings.gradle.kts +++ b/examples/graal-native/settings.gradle.kts @@ -5,8 +5,8 @@ pluginManagement { } } plugins { - id("com.gradle.develocity") version "3.19" - id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2" + id("com.gradle.develocity") version "3.19.1" + id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1" id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0" } diff --git a/examples/hibernate/gradle/libs.versions.toml b/examples/hibernate/gradle/libs.versions.toml index b223c29ad2..4711f35f67 100644 --- a/examples/hibernate/gradle/libs.versions.toml +++ b/examples/hibernate/gradle/libs.versions.toml @@ -5,7 +5,7 @@ hibernate = "7.0.0.Beta3" junit = "5.11.4" log4j2 = "3.0.0-beta2" truth = "1.4.4" -versions = "0.51.0" +versions = "0.52.0" [libraries] caffeine = { module = "com.github.ben-manes.caffeine:jcache", version.ref = "caffeine" } diff --git a/examples/hibernate/gradle/wrapper/gradle-wrapper.properties b/examples/hibernate/gradle/wrapper/gradle-wrapper.properties index e926ac106f..304dce7831 100644 --- a/examples/hibernate/gradle/wrapper/gradle-wrapper.properties +++ b/examples/hibernate/gradle/wrapper/gradle-wrapper.properties 
@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
diff --git a/examples/hibernate/settings.gradle.kts b/examples/hibernate/settings.gradle.kts
index f82406bd98..e08dffa389 100644
--- a/examples/hibernate/settings.gradle.kts
+++ b/examples/hibernate/settings.gradle.kts
@@ -1,6 +1,6 @@
 plugins {
- id("com.gradle.develocity") version "3.19"
- id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
+ id("com.gradle.develocity") version "3.19.1"
+ id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0"
 }
diff --git a/examples/indexable/gradle/libs.versions.toml b/examples/indexable/gradle/libs.versions.toml
index efbd314c95..2813b5f239 100644
--- a/examples/indexable/gradle/libs.versions.toml
+++ b/examples/indexable/gradle/libs.versions.toml
@@ -3,7 +3,7 @@ caffeine = "3.2.0"
 guava = "33.4.0-jre"
 junit-jupiter = "5.11.4"
 truth = "1.4.4"
-versions = "0.51.0"
+versions = "0.52.0"
 
 [libraries]
 caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version.ref = "caffeine" }
diff --git a/examples/indexable/gradle/wrapper/gradle-wrapper.properties b/examples/indexable/gradle/wrapper/gradle-wrapper.properties
index e926ac106f..304dce7831 100644
--- a/examples/indexable/gradle/wrapper/gradle-wrapper.properties
+++ b/examples/indexable/gradle/wrapper/gradle-wrapper.properties
@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
diff --git a/examples/indexable/settings.gradle.kts b/examples/indexable/settings.gradle.kts
index 571662f93d..7b903964be 100644
--- a/examples/indexable/settings.gradle.kts
+++ b/examples/indexable/settings.gradle.kts
@@ -1,6 +1,6 @@
 plugins {
- id("com.gradle.develocity") version "3.19"
- id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
+ id("com.gradle.develocity") version "3.19.1"
+ id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0"
 }
diff --git a/examples/resilience-failsafe/gradle/libs.versions.toml b/examples/resilience-failsafe/gradle/libs.versions.toml
index 7ae352b669..8f79d63c5b 100644
--- a/examples/resilience-failsafe/gradle/libs.versions.toml
+++ b/examples/resilience-failsafe/gradle/libs.versions.toml
@@ -3,7 +3,7 @@ caffeine = "3.2.0"
 failsafe = "3.3.2"
 junit = "5.11.4"
 truth = "1.4.4"
-versions = "0.51.0"
+versions = "0.52.0"
 
 [libraries]
 caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version.ref = "caffeine" }
diff --git a/examples/resilience-failsafe/gradle/wrapper/gradle-wrapper.properties b/examples/resilience-failsafe/gradle/wrapper/gradle-wrapper.properties
index e926ac106f..304dce7831 100644
--- a/examples/resilience-failsafe/gradle/wrapper/gradle-wrapper.properties
+++ b/examples/resilience-failsafe/gradle/wrapper/gradle-wrapper.properties
@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
diff --git a/examples/resilience-failsafe/settings.gradle.kts b/examples/resilience-failsafe/settings.gradle.kts
index 93043dbbe0..267c73dc98 100644
--- a/examples/resilience-failsafe/settings.gradle.kts
+++ b/examples/resilience-failsafe/settings.gradle.kts
@@ -1,6 +1,6 @@
 plugins {
- id("com.gradle.develocity") version "3.19"
- id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
+ id("com.gradle.develocity") version "3.19.1"
+ id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0"
 }
diff --git a/examples/write-behind-rxjava/gradle/libs.versions.toml b/examples/write-behind-rxjava/gradle/libs.versions.toml
index c463307eba..c1e822f1e8 100644
--- a/examples/write-behind-rxjava/gradle/libs.versions.toml
+++ b/examples/write-behind-rxjava/gradle/libs.versions.toml
@@ -3,7 +3,7 @@ awaitility = "4.2.2"
 caffeine = "3.2.0"
 junit = "5.11.4"
 rxjava = "3.1.10"
-versions = "0.51.0"
+versions = "0.52.0"
 
 [libraries]
 awaitility = { module = "org.awaitility:awaitility", version.ref = "awaitility" }
diff --git a/examples/write-behind-rxjava/gradle/wrapper/gradle-wrapper.properties b/examples/write-behind-rxjava/gradle/wrapper/gradle-wrapper.properties
index e926ac106f..304dce7831 100644
--- a/examples/write-behind-rxjava/gradle/wrapper/gradle-wrapper.properties
+++ b/examples/write-behind-rxjava/gradle/wrapper/gradle-wrapper.properties
@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
diff --git a/examples/write-behind-rxjava/settings.gradle.kts b/examples/write-behind-rxjava/settings.gradle.kts
index 5fe9123026..96d1869955 100644
--- a/examples/write-behind-rxjava/settings.gradle.kts
+++ b/examples/write-behind-rxjava/settings.gradle.kts
@@ -1,6 +1,6 @@
 plugins {
- id("com.gradle.develocity") version "3.19"
- id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
+ id("com.gradle.develocity") version "3.19.1"
+ id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0"
 }
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index f5872f432c..ce5c5efd21 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -93,7 +93,7 @@ tcache = "2.0.1"
 testng = "7.10.2"
 truth = "1.4.4"
 univocity-parsers = "2.9.1"
-versions = "0.51.0"
+versions = "0.52.0"
 xz = "1.10"
 ycsb = "0.17.0"
 zero-allocation-hashing = "0.27ea0"
diff --git a/gradle/plugins/settings.gradle.kts b/gradle/plugins/settings.gradle.kts
index e4aa6a8197..26ddfee4ce 100644
--- a/gradle/plugins/settings.gradle.kts
+++ b/gradle/plugins/settings.gradle.kts
@@ -1,6 +1,6 @@
 plugins {
- id("com.gradle.develocity") version "3.19"
- id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
+ id("com.gradle.develocity") version "3.19.1"
+ id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0"
 }
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index e926ac106f..304dce7831 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 451101b3ab..1fc36e27f3 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -2,8 +2,8 @@ pluginManagement {
 includeBuild("gradle/plugins")
 }
 
 plugins {
- id("com.gradle.develocity") version "3.19"
- id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
+ id("com.gradle.develocity") version "3.19.1"
+ id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0"
 }