diff --git a/.github/dependabot.yml b/.github/dependabot.yml index daec3189..f9824423 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,8 @@ updates: directory: "/" schedule: interval: "daily" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8c6d2872..12ebe5dc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,9 +19,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: "Set up JDK ${{ matrix.java }}" - uses: actions/setup-java@v3 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 with: distribution: 'temurin' java-version: ${{ matrix.java }} @@ -35,9 +35,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: "Set up GraalVM" - uses: graalvm/setup-graalvm@v1 + uses: graalvm/setup-graalvm@b8dc5fccfbc65b21dd26e8341e7b21c86547f61b # v1.1.5.1 with: java-version: '17' distribution: 'graalvm' @@ -54,9 +54,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: "Set up JDK 17" - uses: actions/setup-java@v3 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 with: distribution: 'temurin' java-version: 17 diff --git a/.github/workflows/check-android-compatibility.yml b/.github/workflows/check-android-compatibility.yml index e71956fa..72afb932 100644 --- a/.github/workflows/check-android-compatibility.yml +++ b/.github/workflows/check-android-compatibility.yml @@ -14,10 +14,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 with: distribution: 'temurin' java-version: '11' diff --git a/.github/workflows/check-api-compatibility.yml b/.github/workflows/check-api-compatibility.yml index 79a793f5..b651f5f2 100644 --- a/.github/workflows/check-api-compatibility.yml +++ b/.github/workflows/check-api-compatibility.yml @@ -10,13 +10,13 @@ jobs: steps: - name: Checkout old version - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.pull_request.base.sha }} path: 'gson-old-japicmp' - name: Set up JDK 11 - uses: actions/setup-java@v3 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 with: distribution: 'temurin' java-version: '11' @@ -31,7 +31,7 @@ jobs: mvn --batch-mode --no-transfer-progress install -DskipTests - name: Checkout new version - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Check API compatibility id: check-compatibility @@ -39,7 +39,7 @@ jobs: mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests - name: Upload API differences artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 # Run on workflow success (in that case differences report might include added methods and classes) # or when API compatibility check failed if: success() || ( failure() && steps.check-compatibility.outcome == 'failure' ) diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 29b86b32..ad800cde 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -18,7 +18,7 @@ jobs: fuzz-seconds: 600 dry-run: false - name: Upload Crash - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0 if: failure() && steps.build.outcome == 'success' with: name: artifacts diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 76822e60..0e4b5323 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -25,24 +25,23 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Set up JDK 17 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' # Initializes the CodeQL tools for scanning - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0 with: languages: ${{ matrix.language }} # Run all security queries and maintainability and reliability queries queries: +security-and-quality - - name: Cache local Maven repository - uses: actions/cache@v3 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - # Only compile main sources, but ignore test sources because findings for them might not # be that relevant (though GitHub security view also allows filtering by source type) # Can replace this with github/codeql-action/autobuild action to run complete build @@ -51,4 +50,4 @@ jobs: mvn compile --batch-mode --no-transfer-progress - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0