diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 0ae15c491..054a81eb0 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -10,13 +10,17 @@ on: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + with: + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - run: ./gradlew checkWithCodenarc checkstyleMain checkstyleTest runUnitTests runLiveObjectUnitTests diff --git a/.github/workflows/emulate.yml b/.github/workflows/emulate.yml index eca63a3eb..a95d1386c 100644 --- a/.github/workflows/emulate.yml +++ b/.github/workflows/emulate.yml @@ -9,6 +9,8 @@ on: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false matrix: @@ -16,16 +18,18 @@ jobs: steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v5 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5 timeout-minutes: 5 # API 30+ emulators only have x86_64 system images. 
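Review bot: In `.github/workflows/check.yml` the new pins carry only a floating major tag in the trailing comment (`# v3`), so a reader cannot tell which release each SHA was taken from or check it against the upstream tag. Record the exact release instead, e.g. `uses: actions/checkout@<sha> # v3.x.y` (placeholder; use the tag the SHA actually resolves to). The same applies to the `setup-java` and `setup-gradle` pins here and to the pins in the other workflow files this commit touches. SHA pins do not move on their own, and no update mechanism for them is visible in this diff, so one should be confirmed or added.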
@@ -38,7 +42,7 @@ jobs: sudo udevadm control --reload-rules sudo udevadm trigger --name-match=kvm - - uses: reactivecircus/android-emulator-runner@v2 + - uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2 with: api-level: ${{ matrix.android-api-level }} emulator-options: -no-snapshot-save -no-window -gpu swiftshader_indirect -noaudio -no-boot-anim -camera-back none @@ -48,7 +52,7 @@ jobs: # Print emulator logs if tests fail script: ./gradlew :android:connectedAndroidTest ${{ matrix.android-api-level == 19 && '-PhttpURLConnection' || '' }} || (adb logcat -d System.out:I && exit 1) - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: always() with: name: android-build-reports-${{ matrix.android-api-level }} diff --git a/.github/workflows/example-app.yml b/.github/workflows/example-app.yml index 454594810..414ebe05d 100644 --- a/.github/workflows/example-app.yml +++ b/.github/workflows/example-app.yml @@ -9,6 +9,8 @@ on: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false matrix: @@ -16,16 +18,18 @@ jobs: steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - name: Enable KVM run: | 
@@ -33,7 +37,7 @@ jobs: sudo udevadm control --reload-rules sudo udevadm trigger --name-match=kvm - - uses: reactivecircus/android-emulator-runner@v2 + - uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2 with: api-level: ${{ matrix.android-api-level }} emulator-options: -no-snapshot-save -no-window -gpu swiftshader_indirect -noaudio -no-boot-anim -camera-back none diff --git a/.github/workflows/features.yml b/.github/workflows/features.yml index bf45ed810..804458d17 100644 --- a/.github/workflows/features.yml +++ b/.github/workflows/features.yml @@ -8,7 +8,12 @@ on: jobs: build: - uses: ably/features/.github/workflows/sdk-features.yml@main + permissions: + contents: read + id-token: write + deployments: write + uses: ably/features/.github/workflows/sdk-features.yml@6b3fc7a8ede2ebdd7a6325314f3a96c6466f1453 # main with: repository-name: ably-java - secrets: inherit + secrets: + ABLY_AWS_ACCOUNT_ID_SDK: ${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }} diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml index 373926f2d..1c59f771a 100644 --- a/.github/workflows/integration-test.yml +++ b/.github/workflows/integration-test.yml 
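Review bot: In `.github/workflows/features.yml`, replacing `secrets: inherit` with a single named secret only works if the called workflow declares `ABLY_AWS_ACCOUNT_ID_SDK` under `on.workflow_call.secrets` at the pinned commit. The callee is not part of this diff, so confirm that before merge. The pin comment `# main` names a moving branch rather than a release, so the SHA cannot be tied to a version; a comment such as `# pinned from main on <date>` (placeholder) would make the pin auditable. The SHA fixes the reusable workflow file itself, but any actions it references by tag would still float, and that job now holds `id-token: write` and `deployments: write`.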
@@ -10,23 +10,26 @@ on: jobs: check-rest-httpurlconnection: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: submodules: 'recursive' + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - run: ./gradlew :java:testRestSuite -PhttpURLConnection - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: always() with: name: java-build-reports-rest 
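Review bot: The same `permissions:` / `contents: read` pair is added separately to every job in `.github/workflows/integration-test.yml` (this hunk and the four jobs in the following hunk), so a job added later without it would fall back to the repository's default token permissions. Declaring the pair once at workflow level, above `jobs:`, gives every current and future job the read-only default, and a job that needs more can still override it. The top of the file is outside these hunks, so check that no workflow-level `permissions` key already exists. The same restructuring applies to `check.yml`, `emulate.yml` and `example-app.yml`.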
@@ -34,77 +37,89 @@ jobs: check-realtime-httpurlconnection: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: submodules: 'recursive' + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - run: ./gradlew :java:testRealtimeSuite -PhttpURLConnection - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: always() with: name: java-build-reports-realtime path: java/build/reports/ check-rest-okhttp: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: submodules: 'recursive' + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - run: ./gradlew :java:testRestSuite check-realtime-okhttp: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: submodules: 'recursive' + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: 
gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - run: ./gradlew :java:testRealtimeSuite check-liveobjects: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: submodules: 'recursive' + persist-credentials: false - name: Set up the JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - run: ./gradlew runLiveObjectIntegrationTests diff --git a/.github/workflows/javadoc.yml b/.github/workflows/javadoc.yml index 504c014b4..8876dbb11 100644 --- a/.github/workflows/javadoc.yml +++ b/.github/workflows/javadoc.yml 
@@ -13,29 +13,31 @@ jobs: id-token: write deployments: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1 with: aws-region: eu-west-2 role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-ably-java role-session-name: "${{ github.run_id }}-${{ github.run_number }}" - name: Set up the JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: '17' distribution: 'temurin' - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - name: Build docs run: ./gradlew javadoc - name: Upload Documentation - uses: ably/sdk-upload-action@v2 + uses: ably/sdk-upload-action@4e694297f208b72b5a9f6b1248a1556f19f821d6 # v2 with: sourcePath: java/build/docs/javadoc githubToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 44a6814fe..c55cc27a9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -7,9 +7,13 @@ jobs: run-on-release: runs-on: ubuntu-latest if: github.repository == 'ably/ably-java' + permissions: + contents: read steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Extract tag id: tag 
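Review bot: In `.github/workflows/javadoc.yml` the pin on `aws-actions/configure-aws-credentials` freezes the `v1` line, which appears to be several major versions behind what upstream ships, in the step that exchanges the job's OIDC token for AWS role credentials. The SHA pin is sound, but this step will receive no upstream fixes until it is bumped, so plan a follow-up that moves it to a current major and re-pins. The job's `permissions` block starts above this hunk and only `id-token: write` and `deployments: write` are visible. Check that `contents: read` is listed there too, since scopes left out of an explicit block are set to none.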
@@ -34,13 +38,13 @@ jobs: TAG: ${{ steps.tag.outputs.tag }} - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: java-version: 17 distribution: temurin - name: Set up Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3 - name: Publish and release to Maven Central run: ./gradlew publishAndReleaseToMavenCentral
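Review bot: In `.github/workflows/release.yaml` the `Set up Gradle` step belongs to the job that runs `publishAndReleaseToMavenCentral`, and `setup-gradle` restores a shared Gradle cache by default. Content written to that cache by a less trusted workflow run could therefore reach the published build. Consider turning caching off for this job by adding `with:` and `cache-disabled: true` under the step. The hunk shows no `with:` block on that step, and the job's trigger and publishing credentials are outside the visible lines, so weigh this against how the cache is populated in this repository.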