From c3a40c7de7155418ab84fb08e59c236a632f601e Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 22 Dec 2025 16:54:35 +0100
Subject: [PATCH 1/3] #404: addressing Aquasec findings
---
 .github/workflows/assign_issue_to_project.yml | 2 +-
 .github/workflows/build.yml | 12 ++++++------
 .github/workflows/dependent_items.yml | 2 +-
 .github/workflows/format_check.yml | 4 ++--
 .github/workflows/jacoco_report.yml | 12 ++++++------
 .github/workflows/license_check.yml | 4 ++--
 .../workflows/release-notes-presence-check.yml | 4 ++--
 .github/workflows/release_draft.yml | 15 ++++++++-------
 .github/workflows/release_publish.yml | 12 ++++++------
 .github/workflows/test_filenames_check.yml | 4 ++--
 10 files changed, 36 insertions(+), 35 deletions(-)
diff --git a/.github/workflows/assign_issue_to_project.yml b/.github/workflows/assign_issue_to_project.yml
index 2010447c0..ef278192e 100644
--- a/.github/workflows/assign_issue_to_project.yml
+++ b/.github/workflows/assign_issue_to_project.yml
@@ -24,7 +24,7 @@ jobs:
 name: Add issue to project
 runs-on: ubuntu-latest
 steps:
- - uses: actions/add-to-project@v0.5.0
+ - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e
 with:
 project-url: https://github.com/orgs/AbsaOSS/projects/7
 github-token: ${{ secrets.PAT_REPO_PROJECT_DISCUSS }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fc228eca3..eef73dc63 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,14 +28,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 fetch-depth: 1
 persist-credentials: false
- - uses: coursier/cache-action@v6
+ - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
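Review bot: The new pin `- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e` carries a bare commit hash with no comment naming the tag it was resolved from, so a reader can no longer tell which release is in use without a lookup; the same applies to every pin in this series (build.yml, dependent_items.yml, format_check.yml, jacoco_report.yml, license_check.yml, release-notes-presence-check.yml, release_draft.yml, release_publish.yml, test_filenames_check.yml). The usual convention is a trailing comment with the resolved tag, `- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # <resolved tag>`, which Dependabot (added later in this series) keeps in sync when it bumps the hash. It is also worth recording in the commit message how each hash was resolved (from which tag, on which date), since a hash pin is only as trustworthy as that resolution step. The enclosing job definition continues outside the hunk.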
@@ -63,14 +63,14 @@ jobs:
 - 5432:5432
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 fetch-depth: 1
 persist-credentials: false
- - uses: coursier/cache-action@v6
+ - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.11.0-11"
diff --git a/.github/workflows/dependent_items.yml b/.github/workflows/dependent_items.yml
index bb35a2e95..c19a751d1 100644
--- a/.github/workflows/dependent_items.yml
+++ b/.github/workflows/dependent_items.yml
@@ -44,7 +44,7 @@ jobs:
 name: Dependent Items Check
 runs-on: ubuntu-latest
 steps:
- - uses: z0al/dependent-issues@v1.5.2
+ - uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43
 env:
 # (Required) The token to use to make API calls to GitHub.
 GITHUB_TOKEN: ${{ secrets.PAT_REPO_PROJECT_DISCUSS }}
diff --git a/.github/workflows/format_check.yml b/.github/workflows/format_check.yml
index 12090ccfe..03e433f20 100644
--- a/.github/workflows/format_check.yml
+++ b/.github/workflows/format_check.yml
@@ -27,14 +27,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 persist-credentials: false
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.ref }}
 - name: Setup Scala
- uses: olafurpg/setup-scala@v10
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
diff --git a/.github/workflows/jacoco_report.yml b/.github/workflows/jacoco_report.yml
index 6c8893d93..abc316820 100644
--- a/.github/workflows/jacoco_report.yml
+++ b/.github/workflows/jacoco_report.yml
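Review bot: In the format_check.yml hunk the `olafurpg/setup-scala` pin moves from `@v10` to `32ffa16635ff8f19cc21ea253a987f0fdf29844c`, which is the same hash build.yml and jacoco_report.yml use in place of `@v14`, so this is a major-version upgrade of the action and not merely a pin; the license_check.yml hunk makes the same `@v10` → hash change. The commit message only describes Aquasec pinning, so either mention the upgrade there or confirm a green run of both workflows, since the `adopt@1.8` setup path is what changed underneath them. Separately, olafurpg/setup-scala appears to be no longer maintained upstream (please confirm); if so, a hash pin freezes it but does not address that, and a maintained setup action would be the longer-term fix. The job definitions continue outside these hunks.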
@@ -46,12 +46,12 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 persist-credentials: false
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: 'adopt@1.8'
@@ -62,7 +62,7 @@ jobs:
 - name: Check coverage thresholds and add reports in PR comments
 id: jacoco
- uses: MoranaApps/jacoco-report@v2
+ uses: MoranaApps/jacoco-report@54bfe284d1119dc917dddba80517c54c5bcf3627
 with:
 token: '${{ secrets.GITHUB_TOKEN }}'
 paths: |
@@ -99,12 +99,12 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 persist-credentials: false
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.11.0-11"
@@ -118,7 +118,7 @@ jobs:
 - name: Check coverage thresholds and add reports in PR comments
 id: jacoco
- uses: MoranaApps/jacoco-report@v2
+ uses: MoranaApps/jacoco-report@54bfe284d1119dc917dddba80517c54c5bcf3627
 with:
 token: '${{ secrets.GITHUB_TOKEN }}'
 paths: |
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index 3113d4886..8749ca4ba 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -27,11 +27,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 persist-credentials: false
 - name: Setup Scala
- uses: olafurpg/setup-scala@v10
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
 - run: sbt headerCheck
diff --git a/.github/workflows/release-notes-presence-check.yml b/.github/workflows/release-notes-presence-check.yml
index 4b9452e0c..0ff5065f3 100644
--- a/.github/workflows/release-notes-presence-check.yml
+++ b/.github/workflows/release-notes-presence-check.yml
@@ -31,12 +31,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-python@v5.1.1
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
 with:
 python-version: '3.11'
 - name: Check presence of release notes in PR description
- uses: AbsaOSS/release-notes-presence-check@v0.2.1
+ uses: AbsaOSS/release-notes-presence-check@8e586b26a5e27f899ee8590a5d988fd4780a3dbf
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/release_draft.yml b/.github/workflows/release_draft.yml
index 8d41c32af..9232f8bb6 100644
--- a/.github/workflows/release_draft.yml
+++ b/.github/workflows/release_draft.yml
@@ -29,18 +29,19 @@ jobs:
 release-draft:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 fetch-depth: 0
 persist-credentials: false
- - uses: actions/setup-python@v5.1.1
+ - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
 with:
 python-version: '3.11'
 - name: Check format of received tag
 id: check-version-tag
- uses: AbsaOSS/version-tag-check@v0.3.0
+ uses: AbsaOSS/version-tag-check@36496be76eab24e1f14d45d3b8292311a2aebaaa
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -50,7 +51,7 @@ jobs:
 - name: Check format of received from tag
 if: ${{ github.event.inputs.from-tag-name }}
 id: check-version-from-tag
- uses: AbsaOSS/version-tag-check@v0.3.0
+ uses: AbsaOSS/version-tag-check@36496be76eab24e1f14d45d3b8292311a2aebaaa
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -60,7 +61,7 @@ jobs:
 - name: Generate release notes
 id: generate_release_notes
- uses: AbsaOSS/generate-release-notes@v1
+ uses: AbsaOSS/generate-release-notes@b90223510d1704301a36a36f0d86a72a0e72f0cf
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -90,7 +91,7 @@ jobs:
 hierarchy: true
 - name: Create and Push Tag
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 with:
 script: |
 const tag = core.getInput('tag-name')
@@ -109,7 +110,7 @@ jobs:
 tag-name: ${{ github.event.inputs.tag-name }}
 - name: Create draft release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/release_publish.yml b/.github/workflows/release_publish.yml
index 9319cbc09..810dbf686 100644
--- a/.github/workflows/release_publish.yml
+++ b/.github/workflows/release_publish.yml
@@ -25,14 +25,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 persist-credentials: false
 fetch-depth: 0
- - uses: coursier/cache-action@v6
+ - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
@@ -50,14 +50,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 persist-credentials: false
 fetch-depth: 0
- - uses: coursier/cache-action@v6
+ - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.11.0-11"
 - name: Run sbt assembly (produces jar)
diff --git a/.github/workflows/test_filenames_check.yml b/.github/workflows/test_filenames_check.yml
index b5c805c55..bfc937196 100644
--- a/.github/workflows/test_filenames_check.yml
+++ b/.github/workflows/test_filenames_check.yml
@@ -27,13 +27,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 persist-credentials: false
 - name: Filename Inspector
 id: scan-test-files
- uses: AbsaOSS/filename-inspector@v0.1.0
+ uses: AbsaOSS/filename-inspector@355108975e656fac9faaa04209b6df3f9997c8fa
 with:
 name-patterns: '*UnitTests.*,*IntegrationTests.*,*CompatibilityTests.*'
 paths: '**/src/test/scala/**'
From 1ce879cacf94940a88b9b881ec99159ff5324755 Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 29 Dec 2025 11:36:18 +0100
Subject: [PATCH 2/3] Aquasec related automation we implement in each repo as our standard (just PR generation, not auto merge, frequency: each Sunday)
---
 .github/workflows/dependabot.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/dependabot.yml
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
new file mode 100644
index 000000000..dc34bf2c0
--- /dev/null
+++ b/.github/workflows/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ target-branch: "master"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "auto update"
+ - "infrastructure"
+ - "no RN"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+
+ - package-ecosystem: "sbt"
+ directory: "/"
+ target-branch: "master"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "auto update"
+ - "dependencies"
+ - "no RN"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore"
+ include: "scope"
From 715a70544ebac44060ae050d2e1a723b86ad788b Mon Sep 17 00:00:00 2001
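Review bot: In the new dependabot.yml, `target-branch: "master"` on both entries deserves a second look: if `master` is the repository's default branch the key is redundant, and if it is not, Dependabot's documented behaviour is to stop raising security-update pull requests for that ecosystem on the default branch, which would undercut the Aquasec goal this series is pursuing. Please also verify that `"sbt"` is an accepted `package-ecosystem` value — I do not recall it in Dependabot's supported-ecosystems list (Scala projects usually rely on Scala Steward for library bumps), and an unrecognised value is likely to fail validation of the whole file, silently taking the `github-actions` entry down with it. Finally, the listed `labels` (`auto update`, `infrastructure`, `dependencies`, `no RN`) must already exist in the repository, as I believe missing labels are simply dropped rather than created.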
From: Ladislav Sulak
Date: Mon, 29 Dec 2025 12:53:03 +0100
Subject: [PATCH 3/3] fixing the location for Dependabot - this is the standard, it's not a workflow per se but something GH runs internally
---
 .github/{workflows => }/dependabot.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{workflows => }/dependabot.yml (100%)
diff --git a/.github/workflows/dependabot.yml b/.github/dependabot.yml
similarity index 100%
rename from .github/workflows/dependabot.yml
rename to .github/dependabot.yml