diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 96fe9d7..e473ffe 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,8 +11,12 @@ updates:
 maven-plugins:
 patterns:
 - "*:*maven*plugin*"
+ cooldown:
+ default-days: 7
 - package-ecosystem: github-actions
 directory: /
 schedule:
 interval: daily
+ cooldown:
+ default-days: 7
\ No newline at end of file
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2f68085..7590c33 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -47,6 +47,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/dependabot-changesets.yml b/.github/workflows/dependabot-changesets.yml
index 413d7a5..02c69da 100644
--- a/.github/workflows/dependabot-changesets.yml
+++ b/.github/workflows/dependabot-changesets.yml
@@ -20,6 +20,8 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Set up JDK 17
 uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index cccd929..45e117e 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -23,5 +23,8 @@ jobs:
 - name: 'Checkout Repository'
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+
 - name: 'Dependency Review'
 uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..b99d503
--- /dev/null
+++ b/.github/workflows/lint.yml
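Review bot: The new `cooldown:` block in the maven update entry is inserted directly after the `maven-plugins` group's `patterns` list, and because this hunk's indentation is not recoverable here it cannot be confirmed that it sits at the same level as `groups`/`package-ecosystem` rather than inside the group; Dependabot reads `cooldown` as a key of the update entry itself, so please check the indentation in the rendered file. The github-actions entry's new side still ends with `\ No newline at end of file`; add the trailing newline so linters and the next diff stop flagging the last line. Dependabot documents the cooldown as applying to version updates, with security updates exempt — worth confirming for this configuration so that a 7-day delay never applies to a patch for a known vulnerability.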
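Review bot: With `persist-credentials: false` on the checkout in dependabot-changesets.yml, any later step in this job that pushes with git — the job name suggests it commits changeset files back to Dependabot PRs — no longer finds the token that checkout used to write into the repository's git config, and the push fails with an authentication error; such a step needs its credentials supplied explicitly (for example `token:` on the checkout step, or an `env` entry scoped to the pushing step). The same check applies to the identical hunks in maven-central-publish.yml and maven-publish.yml if a release plugin there pushes tags or commits. The remaining steps of each job are outside these hunks, so this is to be confirmed against them; where later steps only read the tree, the change is correct as written.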
@@ -0,0 +1,32 @@
+name: Lint
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - "**"
+
+permissions: {}
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: Checkout repository
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
\ No newline at end of file
diff --git a/.github/workflows/maven-central-publish.yml b/.github/workflows/maven-central-publish.yml
index a59a155..47caf52 100644
--- a/.github/workflows/maven-central-publish.yml
+++ b/.github/workflows/maven-central-publish.yml
@@ -18,6 +18,9 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+
 - name: Set up Maven Central Repository
 uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
 with:
diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml
index b80463f..c8ab292 100644
--- a/.github/workflows/maven-publish.yml
+++ b/.github/workflows/maven-publish.yml
@@ -22,6 +22,9 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+
 - name: Set up JDK 17
 uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
 with:
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 791fa2d..1492620 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
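Review bot: The checkout in the new lint job is pinned to `actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0`, while every other checkout touched by this commit stays on `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`; keep one pin across the workflows so the github-actions Dependabot entry bumps them together and a reviewer has a single hash to verify. The harden-runner step uses `egress-policy: audit`, which only records outbound calls; once the audit logs show which hosts zizmor and checkout contact, switching this job to `egress-policy: block` with an `allowed-endpoints:` list turns the step from observation into enforcement. The job-level `security-events: write` is presumably there for the SARIF upload the zizmor action performs and `contents: read` is the minimum for checkout, so the permissions themselves look right; the file is also missing its trailing newline.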
@@ -25,6 +25,9 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+
 - name: Set up JDK 17
 uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
 with: