diff --git a/.github/workflows/continuous-monitoring.yml b/.github/workflows/continuous-monitoring.yml
index 88ac9148..0ddab705 100644
--- a/.github/workflows/continuous-monitoring.yml
+++ b/.github/workflows/continuous-monitoring.yml
@@ -14,21 +14,21 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v1
+ uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e #v1.2.0
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
 with:
 role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
 aws-region: us-east-1
 - name: Setup java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde #v1.4.4
 with:
 java-version: 11
 - name: Cache Gradle Wrapper
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/wrapper
 key: gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
diff --git a/.github/workflows/master-build.yml b/.github/workflows/master-build.yml
index 77b7207c..98fb9824 100644
--- a/.github/workflows/master-build.yml
+++ b/.github/workflows/master-build.yml
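Review bot: In `continuous-monitoring.yml`, the pins for `actions/checkout` (`#v1.2.0`) and `actions/setup-java` (`#v1.4.4`) lock the job to the old v1 lines of both actions, in a job that also assumes an AWS role from `secrets.AWS_INTEG_TEST_ROLE_ARN`. A SHA pin stops a tag from being moved, but it also stops fixes from arriving, so I would pin the SHA of a currently maintained major instead, e.g. `uses: actions/checkout@<full-commit-sha-of-current-release> # vX.Y.Z` (placeholder, not a real SHA). Nothing visible here checks the trailing version comment, so each SHA should be confirmed against the upstream tag before merging, and a Dependabot `github-actions` entry (if not already configured) would keep the pins moving. The same applies to the `actions/checkout` and `actions/setup-java` pins in the `master-build.yml`, `pr-build.yml` and `release-build.yml` hunks. The job definition starts above this hunk.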
@@ -25,21 +25,21 @@ jobs:
 coverage: true
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v1
+ uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e #v1.2.0
 - name: Setup java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde #v1.4.4
 with:
 java-version: ${{ matrix.java }}
 - name: Cache Gradle Modules
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/caches
 key: gradle-caches-${{ hashFiles('**/*.gradle.kts') }}
 - name: Cache Gradle Wrapper
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/wrapper
 key: gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
@@ -50,12 +50,12 @@ jobs:
 env:
 CI: true
- - uses: codecov/codecov-action@v1
+ - uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 #v1.5.2
 if: ${{ matrix.coverage }}
 with:
 files: ./jacoco/build/reports/jacoco/codeCoverageReport/codeCoverageReport.xml
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 if: ${{ matrix.coverage }}
 with:
 name: coverage-report
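Review bot: The `codecov/codecov-action` pin at `#v1.5.2` in the second `master-build.yml` hunk fixes the wrapper action but, as far as I know, the v1 line fetches Codecov's deprecated bash uploader at run time, so the SHA does not cover the code that actually executes in the job. That would leave open part of the supply-chain exposure this commit is trying to close, and Codecov may no longer accept the v1 uploader at all, which is worth confirming against a recent run. I would move to a current major and pin that, `- uses: codecov/codecov-action@<full-commit-sha-of-current-release> # vX.Y.Z` (placeholder, not a real SHA), reviewing the step's inputs at the same time. The same pin appears in the second `pr-build.yml` hunk.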
@@ -67,18 +67,18 @@ jobs:
 needs: build
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v1
+ uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e #v1.2.0
 - name: Setup java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde #v1.4.4
 with:
 java-version: 11
 - name: Cache Gradle Modules
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/caches
 key: gradle-caches-${{ hashFiles('**/*.gradle.kts') }}
 - name: Cache Gradle Wrapper
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/wrapper
 key: gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 3f2e4732..4a81f31d 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -26,21 +26,21 @@ jobs:
 coverage: true
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2.7.0
 - name: Setup java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde #v1.4.4
 with:
 java-version: ${{ matrix.java }}
 - name: Cache Gradle Modules
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/caches
 key: gradle-caches-${{ hashFiles('**/*.gradle.kts') }}
 - name: Cache Gradle Wrapper
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/wrapper
 key: gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
@@ -51,13 +51,38 @@ jobs:
 env:
 CI: true
- - uses: codecov/codecov-action@v1
+ - uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 #v1.5.2
 if: ${{ matrix.coverage }}
 with:
 files: ./jacoco/build/reports/jacoco/codeCoverageReport/codeCoverageReport.xml
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 if: ${{ matrix.coverage }}
 with:
 name: coverage-report
 path: jacoco/build/reports/jacoco/codeCoverageReport/html
+
+ static-code-checks:
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+ with:
+ fetch-depth: 0
+ - name: Check for versioned GitHub actions
+ if: always()
+ run: |
+ # Get changed GitHub workflow/action files
+ CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+
+ if [ -n "$CHANGED_FILES" ]; then
+ # Check for any versioned actions, excluding comments and this validation script
+ VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+ if [ -n "$VIOLATIONS" ]; then
+ echo "Found versioned GitHub actions. Use commit SHAs instead:"
+ echo "$VIOLATIONS"
+ exit 1
+ fi
+ fi
+
+ echo "No versioned actions found in changed files"
\ No newline at end of file
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index b4930d40..4f388be7 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
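Review bot: The new `static-code-checks` job in `pr-build.yml` only matches `uses:.*@v`, so a reference to a branch or to a tag without a `v` prefix (`@main`, `@1.2.3`) passes, and `grep -v "#.*@v"` also drops any real `uses:` line whose trailing comment happens to contain `@v`. Requiring every remote `uses:` ref to be a 40-character hex SHA would match the policy the error message states. Separately, `${{ github.base_ref }}` is expanded into the script text before the shell runs; passing it through the environment keeps a branch name from being parsed as shell: add `env:` with `BASE_REF: ${{ github.base_ref }}` to the step and use `git diff --name-only "origin/$BASE_REF..HEAD"`. `$CHANGED_FILES` is also unquoted in the `grep -Hn` call, so a changed workflow path containing whitespace would be split into separate arguments. The workflow's triggers and any `permissions` block are outside this hunk.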
@@ -12,17 +12,17 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-java@v1
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2.7.0
+ - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde #v1.4.4
 with:
 java-version: 11
 - name: Cache Gradle Modules
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/caches
 key: gradle-caches-${{ hashFiles('**/*.gradle.kts') }}
 - name: Cache Gradle Wrapper
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
 with:
 path: ~/.gradle/wrapper
 key: gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
@@ -51,7 +51,7 @@ jobs:
 GRGIT_PASS: ${{ secrets.GITHUB_TOKEN }}
 - name: Create Release
 id: create_release
- uses: actions/create-release@v1
+ uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e #v1.1.4
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
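Review bot: In the second `release-build.yml` hunk, `actions/create-release` is pinned at `#v1.1.4`, and as far as I know that repository is archived upstream, so the pin freezes an action that will not receive fixes while it is handed `secrets.GITHUB_TOKEN`. I would scope the token for this job if the workflow does not already do so, e.g. a job-level `permissions:` with `contents: write`, and plan a replacement for the action. The step's `with:` inputs and the workflow-level settings continue outside the hunk, so the current token scope cannot be confirmed from here.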