Upgrade GitHub actions & pin to commit hash (#2598)
* Upgrade GitHub actions & pin to commit hash The only exception is `google/oss-fuzz` which does not seem to have releases or Git tags, so pinning might not make sense there. Also adds `actions/setup-java` to the `codeql-analysis` workflow to explicitly specify the JDK version to use (and to use the caching of that action) instead of relying on the default JDK of the runner image. * Enable Dependabot for GitHub actions --------- Co-authored-by: Éamonn McManus <emcmanus@google.com>
This commit is contained in:
parent
46ab704221
commit
87a391363e
|
@ -4,3 +4,8 @@ updates:
|
|||
directory: "/"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
|
|
@ -19,9 +19,9 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: "Set up JDK ${{ matrix.java }}"
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||
with:
|
||||
distribution: 'temurin'
|
||||
java-version: ${{ matrix.java }}
|
||||
|
@ -35,9 +35,9 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: "Set up GraalVM"
|
||||
uses: graalvm/setup-graalvm@v1
|
||||
uses: graalvm/setup-graalvm@b8dc5fccfbc65b21dd26e8341e7b21c86547f61b # v1.1.5.1
|
||||
with:
|
||||
java-version: '17'
|
||||
distribution: 'graalvm'
|
||||
|
@ -54,9 +54,9 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: "Set up JDK 17"
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||
with:
|
||||
distribution: 'temurin'
|
||||
java-version: 17
|
||||
|
|
|
@ -14,10 +14,10 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||
with:
|
||||
distribution: 'temurin'
|
||||
java-version: '11'
|
||||
|
|
|
@ -10,13 +10,13 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Checkout old version
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.base.sha }}
|
||||
path: 'gson-old-japicmp'
|
||||
|
||||
- name: Set up JDK 11
|
||||
uses: actions/setup-java@v3
|
||||
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||
with:
|
||||
distribution: 'temurin'
|
||||
java-version: '11'
|
||||
|
@ -31,7 +31,7 @@ jobs:
|
|||
mvn --batch-mode --no-transfer-progress install -DskipTests
|
||||
|
||||
- name: Checkout new version
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
|
||||
- name: Check API compatibility
|
||||
id: check-compatibility
|
||||
|
@ -39,7 +39,7 @@ jobs:
|
|||
mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests
|
||||
|
||||
- name: Upload API differences artifacts
|
||||
uses: actions/upload-artifact@v3
|
||||
uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
|
||||
# Run on workflow success (in that case differences report might include added methods and classes)
|
||||
# or when API compatibility check failed
|
||||
if: success() || ( failure() && steps.check-compatibility.outcome == 'failure' )
|
||||
|
|
|
@ -18,7 +18,7 @@ jobs:
|
|||
fuzz-seconds: 600
|
||||
dry-run: false
|
||||
- name: Upload Crash
|
||||
uses: actions/upload-artifact@v1
|
||||
uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
|
||||
if: failure() && steps.build.outcome == 'success'
|
||||
with:
|
||||
name: artifacts
|
||||
|
|
|
@ -25,24 +25,23 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
|
||||
- name: Set up JDK 17
|
||||
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||
with:
|
||||
distribution: 'temurin'
|
||||
java-version: '17'
|
||||
cache: 'maven'
|
||||
|
||||
# Initializes the CodeQL tools for scanning
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v2
|
||||
uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
# Run all security queries and maintainability and reliability queries
|
||||
queries: +security-and-quality
|
||||
|
||||
- name: Cache local Maven repository
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: ~/.m2/repository
|
||||
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-maven-
|
||||
|
||||
# Only compile main sources, but ignore test sources because findings for them might not
|
||||
# be that relevant (though GitHub security view also allows filtering by source type)
|
||||
# Can replace this with github/codeql-action/autobuild action to run complete build
|
||||
|
@ -51,4 +50,4 @@ jobs:
|
|||
mvn compile --batch-mode --no-transfer-progress
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
|
||||
|
|
Loading…
Reference in New Issue