Upgrade GitHub actions & pin to commit hash (#2598)
* Upgrade GitHub actions & pin to commit hash The only exception is `google/oss-fuzz` which does not seem to have releases or Git tags, so pinning might not make sense there. Also adds `actions/setup-java` to the `codeql-analysis` workflow to explicitly specify the JDK version to use (and to use the caching of that action) instead of relying on the default JDK of the runner image. * Enable Dependabot for GitHub actions --------- Co-authored-by: Éamonn McManus <emcmanus@google.com>
parent
46ab704221
commit
87a391363e
|
@ -4,3 +4,8 @@ updates:
|
||||||
directory: "/"
|
directory: "/"
|
||||||
schedule:
|
schedule:
|
||||||
interval: "daily"
|
interval: "daily"
|
||||||
|
|
||||||
|
- package-ecosystem: "github-actions"
|
||||||
|
directory: "/"
|
||||||
|
schedule:
|
||||||
|
interval: "weekly"
|
||||||
|
|
|
@ -19,9 +19,9 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
- name: "Set up JDK ${{ matrix.java }}"
|
- name: "Set up JDK ${{ matrix.java }}"
|
||||||
uses: actions/setup-java@v3
|
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||||
with:
|
with:
|
||||||
distribution: 'temurin'
|
distribution: 'temurin'
|
||||||
java-version: ${{ matrix.java }}
|
java-version: ${{ matrix.java }}
|
||||||
|
@ -35,9 +35,9 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
- name: "Set up GraalVM"
|
- name: "Set up GraalVM"
|
||||||
uses: graalvm/setup-graalvm@v1
|
uses: graalvm/setup-graalvm@b8dc5fccfbc65b21dd26e8341e7b21c86547f61b # v1.1.5.1
|
||||||
with:
|
with:
|
||||||
java-version: '17'
|
java-version: '17'
|
||||||
distribution: 'graalvm'
|
distribution: 'graalvm'
|
||||||
|
@ -54,9 +54,9 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
- name: "Set up JDK 17"
|
- name: "Set up JDK 17"
|
||||||
uses: actions/setup-java@v3
|
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||||
with:
|
with:
|
||||||
distribution: 'temurin'
|
distribution: 'temurin'
|
||||||
java-version: 17
|
java-version: 17
|
||||||
|
|
|
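Review bot: The `# v4.1.1`, `# v4.0.0` and `# v1.1.5.1` trailers after the new `actions/checkout`, `actions/setup-java` and `graalvm/setup-graalvm` pins are only comments: nothing in the workflow ties the 40-character hash to that tag, so the pin is only as good as the lookup that produced it. Each hash is worth confirming against the upstream tag once at review time, and the comment should stay in exactly the `# vX.Y.Z` form, since Dependabot reads it to know the current version when it proposes the next SHA bump. The same applies to the setup-java, upload-artifact and codeql-action pins in the other sections of this commit. As a style aside, the third hunk's `java-version: 17` is a bare integer while the other steps use `'17'` / `'11'`; quoting it here as well keeps the file consistent and avoids a float reading for values like `1.8`.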
@ -14,10 +14,10 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
|
|
||||||
- name: Set up JDK 11
|
- name: Set up JDK 11
|
||||||
uses: actions/setup-java@v3
|
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||||
with:
|
with:
|
||||||
distribution: 'temurin'
|
distribution: 'temurin'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
|
|
|
@ -10,13 +10,13 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout old version
|
- name: Checkout old version
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
with:
|
with:
|
||||||
ref: ${{ github.event.pull_request.base.sha }}
|
ref: ${{ github.event.pull_request.base.sha }}
|
||||||
path: 'gson-old-japicmp'
|
path: 'gson-old-japicmp'
|
||||||
|
|
||||||
- name: Set up JDK 11
|
- name: Set up JDK 11
|
||||||
uses: actions/setup-java@v3
|
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||||
with:
|
with:
|
||||||
distribution: 'temurin'
|
distribution: 'temurin'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
|
@ -31,7 +31,7 @@ jobs:
|
||||||
mvn --batch-mode --no-transfer-progress install -DskipTests
|
mvn --batch-mode --no-transfer-progress install -DskipTests
|
||||||
|
|
||||||
- name: Checkout new version
|
- name: Checkout new version
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
|
|
||||||
- name: Check API compatibility
|
- name: Check API compatibility
|
||||||
id: check-compatibility
|
id: check-compatibility
|
||||||
|
@ -39,7 +39,7 @@ jobs:
|
||||||
mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests
|
mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests
|
||||||
|
|
||||||
- name: Upload API differences artifacts
|
- name: Upload API differences artifacts
|
||||||
uses: actions/upload-artifact@v3
|
uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
|
||||||
# Run on workflow success (in that case differences report might include added methods and classes)
|
# Run on workflow success (in that case differences report might include added methods and classes)
|
||||||
# or when API compatibility check failed
|
# or when API compatibility check failed
|
||||||
if: success() || ( failure() && steps.check-compatibility.outcome == 'failure' )
|
if: success() || ( failure() && steps.check-compatibility.outcome == 'failure' )
|
||||||
|
|
|
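Review bot: `actions/upload-artifact` moves from v3 to v4.1.0 in the last hunk, and v4 artifacts cannot be fetched by `actions/download-artifact@v3` or older, nor can the same artifact name be uploaded twice in one run; if the API-differences artifact is consumed by another job or workflow through the older download action, that consumer has to move in lockstep, which this commit does not show. The step's `with:` block (artifact `name` / `path`) lies outside the hunk, so whether the name is unique per run cannot be checked here. The unchanged `if:` keeps the upload on `success()` or on a failed compatibility check, which is unaffected by the bump.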
@ -18,7 +18,7 @@ jobs:
|
||||||
fuzz-seconds: 600
|
fuzz-seconds: 600
|
||||||
dry-run: false
|
dry-run: false
|
||||||
- name: Upload Crash
|
- name: Upload Crash
|
||||||
uses: actions/upload-artifact@v1
|
uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
|
||||||
if: failure() && steps.build.outcome == 'success'
|
if: failure() && steps.build.outcome == 'success'
|
||||||
with:
|
with:
|
||||||
name: artifacts
|
name: artifacts
|
||||||
|
|
|
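Review bot: The `Upload Crash` step jumps `actions/upload-artifact` three major versions (v1 to v4.1.0), and v4 rejects a second upload with the same `name` within one run; if this job runs as a matrix (as CIFuzz jobs often do for several sanitizers), every entry after the first that uploads `name: artifacts` would fail. The job header and any matrix definition are above the hunk, so confirm it is a single run or make the name unique per matrix entry (for example by suffixing it with the matrix value). The unpinned `google/oss-fuzz` steps the description mentions are also outside the hunk; a short comment on those `uses:` lines recording why they stay on a branch ref (no releases or tags upstream) would stop future reviewers and Dependabot triage from re-raising it.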
@ -25,24 +25,23 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||||
|
|
||||||
|
- name: Set up JDK 17
|
||||||
|
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
|
||||||
|
with:
|
||||||
|
distribution: 'temurin'
|
||||||
|
java-version: '17'
|
||||||
|
cache: 'maven'
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning
|
# Initializes the CodeQL tools for scanning
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
uses: github/codeql-action/init@v2
|
uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
|
||||||
with:
|
with:
|
||||||
languages: ${{ matrix.language }}
|
languages: ${{ matrix.language }}
|
||||||
# Run all security queries and maintainability and reliability queries
|
# Run all security queries and maintainability and reliability queries
|
||||||
queries: +security-and-quality
|
queries: +security-and-quality
|
||||||
|
|
||||||
- name: Cache local Maven repository
|
|
||||||
uses: actions/cache@v3
|
|
||||||
with:
|
|
||||||
path: ~/.m2/repository
|
|
||||||
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
|
|
||||||
restore-keys: |
|
|
||||||
${{ runner.os }}-maven-
|
|
||||||
|
|
||||||
# Only compile main sources, but ignore test sources because findings for them might not
|
# Only compile main sources, but ignore test sources because findings for them might not
|
||||||
# be that relevant (though GitHub security view also allows filtering by source type)
|
# be that relevant (though GitHub security view also allows filtering by source type)
|
||||||
# Can replace this with github/codeql-action/autobuild action to run complete build
|
# Can replace this with github/codeql-action/autobuild action to run complete build
|
||||||
|
@ -51,4 +50,4 @@ jobs:
|
||||||
mvn compile --batch-mode --no-transfer-progress
|
mvn compile --batch-mode --no-transfer-progress
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
- name: Perform CodeQL Analysis
|
||||||
uses: github/codeql-action/analyze@v2
|
uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
|
||||||
|
|
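Review bot: The new `Set up JDK 17` step's `cache: 'maven'` silently takes over from the removed `Cache local Maven repository` step, but nothing in the file says so; a comment on the step such as `# Maven cache is handled by setup-java (cache: 'maven'); no separate actions/cache step is needed` would keep someone from re-adding the old step. The cache key scheme presumably changes too (the old `${{ runner.os }}-maven-` prefix is no longer used), so the first run after merge is likely a cold cache — harmless, but worth knowing if CI looks slower. Also, `github/codeql-action/init` and `analyze` are now pinned to the same `e5f05b81…` SHA (`# v3.23.0`), and they must stay on the same SHA; Dependabot bumps them together, but a manual update of only one of them would mismatch the two steps.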