From dae59ec100cfa488211e8ef5912c3a13acf91720 Mon Sep 17 00:00:00 2001
From: Kichura <68134602+Kichura@users.noreply.github.com>
Date: Sat, 29 Nov 2025 22:52:42 +0100
Subject: [PATCH] Mitigate security vulnerabilities in CI.

---
 .github/dependabot.yml                      |  2 ++
 .github/workflows/build.yml                 | 16 ++++++++--------
 .github/workflows/publish.yml               | 11 +++++++----
 .github/workflows/update-gradle-wrapper.yml |  9 +++++++--
 4 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ace4600a..6b6ee1292 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,8 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions"
+    cooldown:
+      default-days: 7
     directory: "/"
     schedule:
       interval: "weekly"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bdee3e337..7a7905a00 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,22 +1,22 @@
-name: Java CI with Gradle
-
-on: [push, pull_request]
+name: Build
+on: [pull_request, push, workflow_dispatch]
+permissions:
+  contents: read
 
 jobs:
   build:
+    # Only run on PRs if the source branch is on a different repo. We do not need to run everything twice.
     if: ${{ github.event_name != 'pull_request' || github.repository != github.event.pull_request.head.repo.full_name }}
-
     runs-on: ubuntu-24.04
-
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           persist-credentials: false
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v5
+        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # 5.0.0
       - name: Set up JDK 17
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0
         with:
           distribution: 'temurin'
           java-version: 17
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3448ffe68..43ee46f08 100644
--- a/.github/workflows/publish.yml
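Review bot: The version trailers on the new SHA pins in build.yml (`# 6.0.0`, `# 5.0.0`) are the only human-readable record of what each commit should resolve to, and they drop the `v` that the replaced references carried (`@v6`, `@v5`), so a reviewer verifying a pin has to guess the tag name (presumably `v6.0.0`). Writing the trailer as the tag, e.g. `uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0`, keeps `git ls-remote <repo> <tag>` a one-step check; the trailer is advisory only, so whichever form is chosen must be kept in sync with the SHA on every bump. The added `if:` comment could also say why same-repo PRs are skipped — the unfiltered `push` trigger already builds that branch, while pushes to a fork never reach this workflow — e.g. `# Skip same-repo PRs: the push trigger already builds that branch; fork PRs have no push event here.` The build job continues past the end of this hunk (the Gradle build step is not shown).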
+++ b/.github/workflows/publish.yml
@@ -6,24 +6,27 @@ on:
       - dev
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     if: github.repository_owner == 'ViaVersion'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           persist-credentials: false
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v5
+        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # 5.0.0
       - name: Set up JDK 17
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0
         with:
           distribution: 'temurin'
           java-version: 17
           check-latest: true
-      - name: Build
+      - name: Build with Gradle
         run: ./gradlew build --refresh-dependencies
       - name: Publish to Hangar
         env:
diff --git a/.github/workflows/update-gradle-wrapper.yml b/.github/workflows/update-gradle-wrapper.yml
index 18610063c..d2f62010f 100644
--- a/.github/workflows/update-gradle-wrapper.yml
+++ b/.github/workflows/update-gradle-wrapper.yml
@@ -4,13 +4,18 @@ on:
   schedule:
     - cron: "0 0 * * 0"
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   update-gradle-wrapper:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
+          fetch-depth: 0
           persist-credentials: false
       - name: Update Gradle Wrapper
-        uses: gradle-update/update-gradle-wrapper-action@v2
+        uses: gradle-update/update-gradle-wrapper-action@512b1875f3b6270828abfe77b247d5895a2da1e5 # 2.1.0
\ No newline at end of file
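Review bot: With the actions now pinned by SHA, `run: ./gradlew build --refresh-dependencies` in publish.yml is the step that still resolves code by mutable version: every Gradle plugin and dependency is re-fetched at publish time, so unless dependency verification is enabled in the repository (a `gradle/verification-metadata.xml`, not visible here) the artifact handed to the `Publish to Hangar` step is only as trustworthy as the Maven repositories at that moment. `check-latest: true` on setup-java likewise floats the JDK build rather than pinning it. A comment on the build step would make the intended control explicit, e.g. `# --refresh-dependencies re-resolves every dependency/plugin; integrity rests on Gradle dependency verification being enabled`, or the flag could be dropped if a lockfile/verification is in place. The `env:` block of the publish step and the rest of the job continue outside this hunk.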
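Review bot: The new last line of update-gradle-wrapper.yml (`uses: gradle-update/update-gradle-wrapper-action@512b1875…`) has no trailing newline — the `\ No newline at end of file` marker — which yamllint flags and which turns the next append into a noisy diff; end the file with a newline. The added `fetch-depth: 0` carries no why-comment although nothing else in the hunk needs a full clone, so annotate it, e.g. `fetch-depth: 0  # full history; presumably required by the wrapper action to branch and diff — confirm`. Note also that `contents: write` and `pull-requests: write` are granted to the default `GITHUB_TOKEN`; if the action opens its PR with that token (its default, as far as I recall), GitHub will not fire the `pull_request` Build workflow on that PR, so the wrapper bump is not CI-validated unless a separate token or a manual re-trigger is used. Whether `on:` lists anything beyond `schedule` is outside the hunk.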