-
Notifications
You must be signed in to change notification settings - Fork 193
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[StepSecurity] ci: Harden GitHub Actions
resolve: #2466 Signed-off-by: StepSecurity Bot <[email protected]>
- Loading branch information
1 parent
f70e161
commit 820049f
Showing
6 changed files
with
32 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,6 +2,9 @@ on: | |
| pull_request_target: | ||
| types: ["labeled", "closed"] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| backport: | ||
| name: Backport PR | ||
|
|
@@ -18,7 +21,7 @@ jobs: | |
| contents: write | ||
| steps: | ||
| - name: Backport Action | ||
| uses: sqren/[email protected] | ||
| uses: sqren/backport-github-action@e325a2d70df7264afa24c92b1d5feb2278ff63af # v8.9.7 | ||
| with: | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| auto_backport_label_prefix: backport-to- | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -23,9 +23,9 @@ jobs: | |
| matrix: | ||
| os: [ubuntu-latest, windows-latest, macos-latest] | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| - name: Set up Java | ||
| uses: actions/setup-java@v3 | ||
| uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0 | ||
| with: | ||
| java-version: | | ||
| 8 | ||
|
|
@@ -34,14 +34,14 @@ jobs: | |
| 17 | ||
| distribution: 'temurin' | ||
| - name: Cache local Maven repository | ||
| uses: actions/cache@v3 | ||
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | ||
| with: | ||
| path: ~/.m2/repository | ||
| key: ${{ runner.os }}-tycho4m39-${{ matrix.os }}-${{ hashFiles('**/pom.xml', '**/*.target') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-tycho4m39-${{ matrix.os }}- | ||
| - name: Set up Maven | ||
| uses: stCarolas/[email protected] | ||
| uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5 | ||
| with: | ||
| maven-version: 3.9.2 | ||
| - name: Build Tycho | ||
|
|
@@ -51,7 +51,7 @@ jobs: | |
| cp .github/toolchains.xml ~/.m2/toolchains.xml | ||
| mvn -U -V -e -B -ntp clean install --file pom.xml -DtrimStackTrace=false -Pits -fae | ||
| - name: Upload Test Results | ||
| uses: actions/upload-artifact@v3 | ||
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
| if: always() | ||
| with: | ||
| name: test-results-${{ matrix.os }} | ||
|
|
@@ -63,7 +63,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Upload | ||
| uses: actions/upload-artifact@v3 | ||
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
| with: | ||
| name: Event File | ||
| path: ${{ github.event_path }} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,6 +7,9 @@ on: | |
| branches: | ||
| - 'master' | ||
| - 'tycho-*' | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Publish site-docs | ||
|
|
@@ -18,31 +21,31 @@ jobs: | |
| repository-projects: write | ||
| steps: | ||
| - name: Inject slug/short variables | ||
| uses: rlespinasse/[email protected] | ||
| uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # v4.4.1 | ||
| - name: Checkout tycho code | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| with: | ||
| path: 'tycho' | ||
| - name: Checkout page | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| with: | ||
| path: 'page' | ||
| token: ${{ secrets.TYCHO_SITE_PAT }} | ||
| repository: 'eclipse-tycho/eclipse-tycho.github.io' | ||
| - name: Set up Java | ||
| uses: actions/setup-java@v3 | ||
| uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0 | ||
| with: | ||
| java-version: 17 | ||
| distribution: 'temurin' | ||
| - name: Cache local Maven repository | ||
| uses: actions/cache@v3 | ||
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | ||
| with: | ||
| path: ~/.m2/repository | ||
| key: ${{ runner.os }}-maven-site-${{ hashFiles('**/pom.xml', '**/*.target') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-maven-site- | ||
| - name: Set up Maven | ||
| uses: stCarolas/[email protected] | ||
| uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5 | ||
| with: | ||
| maven-version: 3.9.2 | ||
| - name: Build site-doc | ||
|
|
@@ -51,7 +54,7 @@ jobs: | |
| run: | | ||
| mvn -U -V -e -B -ntp clean install site site:stage --file tycho/pom.xml -T1C -DskipTests | ||
| - name: Upload site-doc | ||
| uses: actions/upload-artifact@v3 | ||
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
| with: | ||
| name: site-docs-${{ env.GITHUB_REF_NAME }} | ||
| if-no-files-found: error | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,19 +15,19 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout tycho code | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| with: | ||
| path: 'tycho' | ||
| - name: Checkout platform code | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| with: | ||
| path: 'platform' | ||
| submodules: 'recursive' | ||
| lfs: true | ||
| repository: 'eclipse-platform/eclipse.platform.releng.aggregator' | ||
| fetch-depth: 0 | ||
| - name: Set up Java | ||
| uses: actions/setup-java@v3 | ||
| uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0 | ||
| with: | ||
| java-version: | | ||
| 8 | ||
|
|
@@ -36,14 +36,14 @@ jobs: | |
| 17 | ||
| distribution: 'temurin' | ||
| - name: Cache local Maven repository | ||
| uses: actions/cache@v3 | ||
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | ||
| with: | ||
| path: ~/.m2/repository | ||
| key: ${{ runner.os }}-maven-verify-platform-${{ hashFiles('**/pom.xml', '**/*.target') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-maven-verify-platform- | ||
| - name: Set up Maven | ||
| uses: stCarolas/[email protected] | ||
| uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5 | ||
| with: | ||
| maven-version: 3.9.2 | ||
| - name: Build Tycho | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,19 +15,19 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout tycho code | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| with: | ||
| path: 'tycho' | ||
| - name: Checkout platform code | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| with: | ||
| path: 'platform' | ||
| submodules: 'recursive' | ||
| lfs: true | ||
| repository: 'eclipse-platform/eclipse.platform' | ||
| fetch-depth: 0 | ||
| - name: Set up Java | ||
| uses: actions/setup-java@v3 | ||
| uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0 | ||
| with: | ||
| java-version: | | ||
| 8 | ||
|
|
@@ -36,14 +36,14 @@ jobs: | |
| 17 | ||
| distribution: 'temurin' | ||
| - name: Cache local Maven repository | ||
| uses: actions/cache@v3 | ||
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | ||
| with: | ||
| path: ~/.m2/repository | ||
| key: ${{ runner.os }}-maven-verify-platform-individual-${{ hashFiles('**/pom.xml', '**/*.target') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-maven-verify-platform-individual- | ||
| - name: Set up Maven | ||
| uses: stCarolas/[email protected] | ||
| uses: stCarolas/setup-maven@07fbbe97d97ef44336b7382563d66743297e442f # v4.5 | ||
| with: | ||
| maven-version: 3.9.2 | ||
| - name: Build Tycho | ||
|
|
@@ -58,7 +58,7 @@ jobs: | |
| --global-toolchains ${{ github.workspace }}/tycho/.github/toolchains.xml | ||
| clean install | ||
| - name: Run Platform Build | ||
| uses: GabrielBB/xvfb-action@v1 | ||
| uses: GabrielBB/xvfb-action@86d97bde4a65fe9b290c0b3fb92c2c4ed0e5302d # v1.6 | ||
| env: | ||
| JAVA_HOME: ${{ env.JAVA_HOME_17_X64 }} | ||
| with: | ||
|
|
||