From 095952af05683139fcf4745c4ae763aef9296b74 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 7 Mar 2024 19:18:20 -0800 Subject: [PATCH 01/10] chore(ci): apply hardening to ci jobs - chore: apply 'Harden Runner' auditing to all ci tasks - chore: apply `persist-credentials: false` to checkout tasks - chore: publish dependency graph and add dependency review check - chore: add codeql scan job (temp) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.6.0...b4ffde65f46336ab88eb53be808477a3936bae11) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 4.1.3. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/0efb1d1d84fc9633afcdaad14c485cbbc90ef46c...9129d7d40b8c12c1ed0f60400d00c92d437adcce) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: StepSecurity Bot Signed-off-by: Sam Gammon Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 15 +++- .github/workflows/codeql.yml | 68 +++++++++++++++++++ .github/workflows/dependency-review.yml | 33 +++++++++ .../workflows/gradle-wrapper-validation.yml | 14 +++- .github/workflows/scorecard.yml | 4 ++ 5 files changed, 132 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0fc561fbcd75..b92bcd7a9648 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,6 +30,10 @@ jobs: env: ROOT_POM: ${{ matrix.root-pom }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit # Cancel any previous runs for the same branch that are still running. - name: 'Cancel previous runs' uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 @@ -37,9 +41,10 @@ jobs: access_token: ${{ github.token }} - name: 'Check out repository' uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + persist-credentials: false - name: 'Set up JDK ${{ matrix.java }}' uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 - with: java-version: ${{ matrix.java }} distribution: 'zulu' @@ -66,6 +71,10 @@ jobs: if: github.event_name == 'push' && github.repository == 'google/guava' runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - name: 'Check out repository' uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - name: 'Set up JDK 21' @@ -91,6 +100,10 @@ jobs: if: github.event_name == 'push' && github.repository == 'google/guava' runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - name: 'Check out repository' uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - name: 'Set up JDK 21' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000000..df4d4495e2d7 --- /dev/null +++ b/.github/workflows/codeql.yml 
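Review bot: `persist-credentials: false` is added only to the test job's checkout in the second hunk; the checkouts in the `publish_snapshot` and `generate_docs` hunks (`@@ -66,6 +71,10 @@` and `@@ -91,6 +100,10 @@`) keep the default, which leaves the job token in the checked-out repository's git config for the rest of those jobs, even though the commit message says the setting was applied to all checkout tasks. If `util/update_snapshot_docs.sh` needs the persisted credential to push, a comment on that checkout should say so; otherwise add `with:` / `persist-credentials: false` to both. The checkout in the new dependency-review.yml has the same omission.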
@@ -0,0 +1,68 @@ +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["java"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
+ + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000000..8b419a6a39ad --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,33 @@ +name: 'Dependency Graph' +on: + pull_request: {} + push: + branches: + - master + +permissions: + contents: read + +jobs: + dependency-review: + name: 'Dependency Graph' + runs-on: ubuntu-latest + permissions: + contents: read # needed to check out the repository + id-token: write # needed to exchange the graph publish token for an access token + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: 'Checkout Repository' + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Maven Dependency Tree Dependency Submission + uses: advanced-security/maven-dependency-submission-action@bfd2106013da0957cdede0b6c39fb5ca25ae375e # v4.0.2 + with: + token: ${{ secrets.GH_GRAPH_PUBLISH_TOKEN }} + - name: 'Dependency Review' + uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 + continue-on-error: true + with: + retry-on-snapshot-warnings: true diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index d08048c14e64..356be8d5dbf1 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -1,5 +1,11 @@ name: "Validate Gradle Wrapper" -on: [push, pull_request] +on: + push: + branches: + - master + pull_request: + branches: + - master permissions: contents: read 
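Review bot: The comment `# CodeQL supports [ $supported-codeql-languages ]` under the matrix is an unsubstituted template placeholder and should be replaced with a plain sentence or dropped. Within the same commit, this file and dependency-review.yml pin `actions/checkout` at `b4ffde65… # v4.1.1` while ci.yml, gradle-wrapper-validation.yml and scorecard.yml use `9bb56186… # v4.1.2`; one SHA per action across the workflows keeps the audit surface to a single pin and lets automated bumps land in one pass. The checkout here does carry `persist-credentials: false`, which is the pattern the other new file should follow.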
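Review bot: The `Maven Dependency Tree Dependency Submission` step runs the project's Maven build with `GH_GRAPH_PUBLISH_TOKEN` on every `pull_request`, so for same-repository PRs a publishing secret is present in a job whose build configuration comes from the branch under review (fork PRs receive no secrets, so there the step simply fails), and the checkout above it lacks `persist-credentials: false`. Restrict submission to the trusted branch, e.g. `if: github.event_name == 'push'` on that step, and let PR runs execute only the `Dependency Review` step, which needs no secret. `continue-on-error: true` on the review step also means a failing review never blocks a PR; if that is deliberate while the check is bedded in, a comment saying so would help.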
@@ -9,5 +15,11 @@ jobs: name: "Validation" runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + persist-credentials: false - uses: gradle/wrapper-validation-action@699bb18358f12c5b78b37bb0111d3a0e2276e0e2 # v2.1.1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 034a76f0ae08..993b06893eae 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,10 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - name: "Checkout code" uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: From a5826e65696d4804bcfd61922d8d817fd82815e0 Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Thu, 7 Mar 2024 20:29:57 -0800 Subject: [PATCH 02/10] chore(ci): refactor into reusable workflows This change refactors the main CI workflow into two new workflows, `on.pr.yml` and `on.push.yml`, which each call into the exiting CI job as a reusable workflow. This has the nice benefit of putting all tests, checks, builds, etc., on one screen during development on GitHub, allows customization of the PR vs. push flow, and yet keeps behavior fully consistent between the two. - chore: move ci jobs to `workflow_call` trigger - chore: add entrypoint jobs for PR and Push events - chore: cleanup permissions and dispatch checks/tests 
Signed-off-by: Sam Gammon --- .github/workflows/ci.yml | 17 ++++--- .github/workflows/codeql.yml | 15 +++--- .github/workflows/dependency-review.yml | 23 ++++++---- .../workflows/gradle-wrapper-validation.yml | 10 ++-- .github/workflows/on.pr.yml | 46 +++++++++++++++++++ .github/workflows/on.push.yml | 35 ++++++++++++++ 6 files changed, 113 insertions(+), 33 deletions(-) create mode 100644 .github/workflows/on.pr.yml create mode 100644 .github/workflows/on.push.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b92bcd7a9648..134b8c0f86c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,12 +1,8 @@ name: CI on: - push: - branches: - - master - pull_request: - branches: - - master + workflow_call: {} + workflow_dispatch: {} permissions: contents: read @@ -21,14 +17,17 @@ jobs: matrix: os: [ ubuntu-latest ] java: [ 8, 11, 17, 21 ] - root-pom: [ 'pom.xml', 'android/pom.xml' ] + mode: [ 'JRE', 'Android' ] include: - os: windows-latest java: 21 - root-pom: pom.xml + mode: JRE + - os: windows-latest + java: 21 + mode: Android runs-on: ${{ matrix.os }} env: - ROOT_POM: ${{ matrix.root-pom }} + ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }} steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index df4d4495e2d7..15d155c0e0f7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,11 +1,10 @@ name: "CodeQL" on: + workflow_call: {} + workflow_dispatch: {} push: branches: ["master"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["master"] schedule: - cron: "0 0 * * 1" @@ -14,7 +13,7 @@ permissions: jobs: analyze: - name: Analyze + name: CodeQL Analysis runs-on: ubuntu-latest permissions: actions: read 
@@ -37,10 +36,8 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6 + uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -50,7 +47,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6 + uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -63,6 +60,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6 + uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 8b419a6a39ad..ea5d4df36afa 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,9 +1,17 @@ name: 'Dependency Graph' on: - pull_request: {} - push: - branches: - - master + workflow_call: + inputs: + review: + type: boolean + description: "Dependency Review" + default: false + workflow_dispatch: + inputs: + review: + type: boolean + description: "Dependency Review" + default: false permissions: contents: read 
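Review bot: The `review` input declared for both `workflow_call` and `workflow_dispatch` in the dependency-review.yml hunk `@@ -1,9 +1,17 @@` is never read: no visible step in the file references `inputs.review`, and the `Dependency Review` step has no `if:`, so the `review: true` passed from on.pr.yml behaves exactly like the `false` default. Gate the step with `if: ${{ inputs.review }}` (or drop the input) so the dispatch surface matches what the workflow actually does.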
@@ -13,8 +21,8 @@ jobs: name: 'Dependency Graph' runs-on: ubuntu-latest permissions: - contents: read # needed to check out the repository - id-token: write # needed to exchange the graph publish token for an access token + contents: write # needed to post a dependency graph + id-token: write # needed to exchange the graph publish token for an access token steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -23,9 +31,8 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Maven Dependency Tree Dependency Submission + continue-on-error: true uses: advanced-security/maven-dependency-submission-action@bfd2106013da0957cdede0b6c39fb5ca25ae375e # v4.0.2 - with: - token: ${{ secrets.GH_GRAPH_PUBLISH_TOKEN }} - name: 'Dependency Review' uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 continue-on-error: true diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index 356be8d5dbf1..94205f3cb664 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -1,18 +1,14 @@ name: "Validate Gradle Wrapper" on: - push: - branches: - - master - pull_request: - branches: - - master + workflow_call: {} + workflow_dispatch: {} permissions: contents: read jobs: validation: - name: "Validation" + name: "Gradle Wrapper Validate" runs-on: ubuntu-latest steps: - name: Harden Runner diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml new file mode 100644 index 000000000000..a530d42a17a6 --- /dev/null +++ b/.github/workflows/on.pr.yml 
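Review bot: `contents: write` is now granted to a job that on.pr.yml runs on `pull_request`, and with the `token:` input removed the submission action presumably falls back to `GITHUB_TOKEN`; on fork PRs that token is read-only, so the step fails and the new `continue-on-error: true` hides it, while on same-repository PRs the job runs the PR's Maven build under a write token. Submitting only on push (`if: github.event_name == 'push'` on the submission step) and keeping PR invocations at `contents: read` with just the review step avoids both outcomes. The checkout in this job still lacks `persist-credentials: false`, and the `id-token: write` line with its "exchange the graph publish token" comment looks stale now that no token is exchanged — confirm the remaining steps need OIDC and drop it otherwise.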
@@ -0,0 +1,46 @@ +name: PR + +on: + pull_request: + branches: + - master + +concurrency: + group: guava-pr-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + ## Run main CI build and tests. + run-ci: + name: "Build & Test" + uses: ./.github/workflows/ci.yml + permissions: + actions: write + contents: write + + ## Validate the Gradle Wrapper binary + checks-gradle-wrapper: + name: "Checks" + uses: ./.github/workflows/gradle-wrapper-validation.yml + + ## Publish and check the dependency graph. + checks-dependency-graph: + name: "Checks" + uses: ./.github/workflows/dependency-review.yml + permissions: + contents: write + id-token: write + with: + review: true + + ## Run CodeQL checks + checks-codeql: + name: "Checks" + uses: ./.github/workflows/codeql.yml + permissions: + actions: read + contents: read + security-events: write diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml new file mode 100644 index 000000000000..08706b14f87c --- /dev/null +++ b/.github/workflows/on.push.yml @@ -0,0 +1,35 @@ +name: Push + +on: + push: + branches: + - master + +concurrency: + group: guava-push-${{ github.sha }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + ## Run main CI build and tests. + run-ci: + name: "Build & Test" + uses: ./.github/workflows/ci.yml + permissions: + actions: write + contents: write + + ## Publish and check the dependency graph. + checks-dependency-graph: + name: "Checks" + uses: ./.github/workflows/dependency-review.yml + permissions: + contents: write + id-token: write + + ## Validate the Gradle Wrapper binary + checks-gradle-wrapper: + name: "Checks" + uses: ./.github/workflows/gradle-wrapper-validation.yml From 7faf45debd85cf8348b67b62fe94fc02fdc43292 Mon Sep 17 00:00:00 2001 
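Review bot: `run-ci` is granted `contents: write` on a `pull_request` trigger, but the called ci.yml `test` job itself declares `contents: read` (its only write need is `actions: write` for the cancel step), and a called job can only narrow what the caller grants, so the extra scope is dead privilege; `contents: read` suffices here and in the matching `run-ci` job of on.push.yml. Three jobs all named `"Checks"` will be indistinguishable in the checks UI and in branch-protection rules; distinct names such as `"Checks: Gradle Wrapper"`, `"Checks: Dependency Graph"` and `"Checks: CodeQL"` would make required-check configuration unambiguous.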
From: Sam Gammon Date: Thu, 7 Mar 2024 20:52:41 -0800 Subject: [PATCH 03/10] chore(ci): switch to enforced hardening mode This changeset switches the StepSecurity hardening action to enforced mode, where previously it was running in `audit` mode. Now, audit logs have been gathered and it is time to seal off the list of accessible network endpoints for a given job. - chore: gather and apply network endpoints for each job - chore: move to `block` mode for `egress-policy` in `step-security/harden-runner` Signed-off-by: Sam Gammon --- .github/workflows/ci.yml | 23 +++++--- .github/workflows/codeql.yml | 53 ++++++++++++------- .github/workflows/dependency-review.yml | 8 ++- .../workflows/gradle-wrapper-validation.yml | 5 +- 4 files changed, 59 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 134b8c0f86c8..1df15ecfcf8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,9 +10,8 @@ permissions: jobs: test: permissions: - actions: write # for styfle/cancel-workflow-action to cancel/stop running workflows contents: read # for actions/checkout to fetch code - name: "${{ matrix.root-pom }} on JDK ${{ matrix.java }} on ${{ matrix.os }}" + name: "JDK ${{ matrix.java }} / ${{ matrix.mode }} (${{ matrix.os }})" strategy: matrix: os: [ ubuntu-latest ] 
@@ -32,12 +31,20 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit - # Cancel any previous runs for the same branch that are still running. - - name: 'Cancel previous runs' - uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - with: - access_token: ${{ github.token }} + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.azul.com:443 + api.github.com:443 + cdn.azul.com:443 + dl.google.com:443 + docs.oracle.com:443 + errorprone.info:443 + github.com:443 + objects.githubusercontent.com:443 + oss.sonatype.org:443 + repo.maven.apache.org:443 + services.gradle.org:443 - name: 'Check out repository' uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 15d155c0e0f7..621e59148d6c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
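Review bot: The `block` egress policy and `disable-sudo: true` only take effect on the Linux legs of this matrix; as far as I know harden-runner v2 is a no-op on Windows runners, so the two `windows-latest` entries added in the previous commit run with no network restriction at all. Either record that explicitly above the step, `# harden-runner is Linux-only; the windows-latest legs run unrestricted`, or keep Windows out of the hardened job. The same allow-list is duplicated verbatim in the codeql.yml hunk of this commit; a one-line comment recording that it was derived from the audit runs, and that new endpoints must be added here when dependencies change, would save the next maintainer from guessing why a build suddenly fails.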
@@ -31,35 +31,48 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.azul.com:443 + api.github.com:443 + cdn.azul.com:443 + dl.google.com:443 + docs.oracle.com:443 + errorprone.info:443 + github.com:443 + objects.githubusercontent.com:443 + oss.sonatype.org:443 + repo.maven.apache.org:443 + services.gradle.org:443 - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false + - name: 'Set up JDK 21' + uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 + with: + java-version: 21 + distribution: 'zulu' + cache: 'maven' - name: Initialize CodeQL uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 + continue-on-error: true with: languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
- - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - + - name: Build Package + run: | + ./mvnw \ + --strict-checksums \ + -B \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ + install \ + -U \ + -DskipTests=true \ + -Dmaven.javadoc.skip=true \ + -f pom.xml - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 + continue-on-error: true with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ea5d4df36afa..f302b07d983b 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -27,7 +27,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + oss.sonatype.org:443 + repo.maven.apache.org:443 - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Maven Dependency Tree Dependency Submission diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index 94205f3cb664..e9d096538eac 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -14,7 +14,10 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: persist-credentials: false From 9417e1cda7264388663553c02d500c02cdd4d86d Mon Sep 17 00:00:00 2001 
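Review bot: `continue-on-error: true` on both `Initialize CodeQL` and `Perform CodeQL Analysis` makes the job green whether or not analysis ran or results were uploaded, so a broken database build or a failed SARIF upload will go unnoticed. If the motivation is runs without `security-events: write` (fork PRs), gate the upload rather than every error — the analyze step's `upload` input or an `if:` on repository/event — and let genuine analysis failures fail the job. Replacing Autobuild with an explicit `Set up JDK 21` plus `Build Package` step is sound, and `--strict-checksums` there is a good supply-chain default worth applying to the other Maven invocations in these workflows.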
From: Sam Gammon Date: Thu, 7 Mar 2024 21:08:32 -0800 Subject: [PATCH 04/10] feat(ci): slsa provenance support This changeset adds SLSA 3+ provenance support to the workflow. The main CI run has now been split into two: `ci.build.yml`, which only builds the library and is provenance-capable, and `ci.test.yml`, which is the previous CI logic. The regular build logic is applied only on push, and can be applied on PRs too, with publish of provenance material turned off. The test suite is invoked from PRs. The workflows have been split into build/test phases to avoid publishing provenance data and GitHub artifacts for build matrix outputs. JARs are uniform across OS targets, so there is no need to gather and publish for more than Ubuntu. - feat: add slsa support to build workflow - chore: split `test` into `build` and `test` workflows - chore: use new workflows (build/test) from push/pr triggers Signed-off-by: Sam Gammon --- .github/workflows/ci.build.yml | 183 ++++++++++++++++++++++ .github/workflows/{ci.yml => ci.test.yml} | 57 +------ .github/workflows/codeql.yml | 8 +- .github/workflows/on.pr.yml | 22 ++- .github/workflows/on.push.yml | 8 +- 5 files changed, 219 insertions(+), 59 deletions(-) create mode 100644 .github/workflows/ci.build.yml rename .github/workflows/{ci.yml => ci.test.yml} (53%) diff --git a/.github/workflows/ci.build.yml b/.github/workflows/ci.build.yml new file mode 100644 index 000000000000..79448d235219 --- /dev/null +++ b/.github/workflows/ci.build.yml 
@@ -0,0 +1,183 @@ +name: Build + +on: + workflow_call: + inputs: + provenance: + type: boolean + description: "Provenance" + default: false + provenance_publish: + type: boolean + description: "Publish: Provenance" + default: true + snapshot: + type: boolean + description: "Publish: Snapshot" + default: false + repository: + type: string + description: "Publish Repository" + default: "sonatype-nexus-snapshots" + + workflow_dispatch: + inputs: + provenance: + type: boolean + description: "Provenance" + default: false + provenance_publish: + type: boolean + description: "Publish: Provenance" + default: false + snapshot: + type: boolean + description: "Publish: Snapshot" + default: true + repository: + type: string + description: "Publish Repository" + default: "sonatype-nexus-snapshots" + +permissions: + contents: read + +jobs: + build: + strategy: + fail-fast: false + matrix: + mode: ["JRE", "Android"] + name: "Build Guava (${{ matrix.mode }})" + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + env: + ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.azul.com:443 + api.github.com:443 + cdn.azul.com:443 + dl.google.com:443 + docs.oracle.com:443 + errorprone.info:443 + github.com:443 + objects.githubusercontent.com:443 + oss.sonatype.org:443 + repo.maven.apache.org:443 + services.gradle.org:443 + - name: 'Check out repository' + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: 'Set up JDK 11' + uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 + with: + java-version: 11 + distribution: 'zulu' + cache: 'maven' + - name: 'Install' + shell: bash + run: 
./mvnw -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM + - name: Generate hashes + shell: bash + id: hash + if: matrix.mode == 'JRE' + run: | + echo "Building SLSA provenance material..." + ls guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar + echo "hashes=$(sha256sum guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar | base64 -w0)" >> ./provenance-hashes.txt + cat ./provenance-hashes.txt >> "$GITHUB_OUTPUT" + echo "Gathered provenance hashes:" + cat ./provenance-hashes.txt + - name: 'Upload artifacts' + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + if: matrix.mode == 'JRE' + with: + name: guava-artifacts-${{ matrix.mode == 'Android' && 'android' || 'jre' }}-${{ github.sha }} + path: | + guava/target/*.jar + guava-gwt/target/*.jar + guava-testlib/target/*.jar + ./provenance-hashes.txt + if-no-files-found: warn + retention-days: 7 + + # Generate SLSA provenance + provenance: + needs: [build] + if: inputs.provenance + name: "SLSA Provenance" + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + permissions: + actions: read + id-token: write + contents: write + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: ${{ inputs.provenance_publish }} + + # Publish snapshot JAR + publish_snapshot: + name: 'Publish Snapshot' + needs: [build, provenance] + if: inputs.snapshot + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: 'Check out repository' + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: 'Set up JDK 11' + uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 + with: + java-version: 11 + distribution: 'zulu' + server-id: ${{ inputs.repository }} + 
server-username: CI_DEPLOY_USERNAME + server-password: CI_DEPLOY_PASSWORD + cache: 'maven' + - name: "Download artifacts" + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: guava-artifacts-jre-${{ github.sha }} + - name: 'Publish' + env: + CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }} + CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }} + run: ./util/deploy_snapshot.sh + + generate_docs: + permissions: + contents: write + name: 'Generate Docs' + needs: build + if: github.event_name == 'push' && github.repository == 'google/guava' + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: 'Check out repository' + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: 'Set up JDK 11' + uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 + with: + java-version: 11 + distribution: 'zulu' + cache: 'maven' + - name: 'Generate latest docs' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: ./util/update_snapshot_docs.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.test.yml similarity index 53% rename from .github/workflows/ci.yml rename to .github/workflows/ci.test.yml index 1df15ecfcf8e..a3ea325b1dc3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.test.yml @@ -1,4 +1,4 @@ -name: CI +name: Tests on: workflow_call: {} @@ -11,7 +11,7 @@ jobs: test: permissions: contents: read # for actions/checkout to fetch code - name: "JDK ${{ matrix.java }} / ${{ matrix.mode }} (${{ matrix.os }})" + name: "JDK ${{ matrix.java }} ${{ matrix.mode }} (${{ matrix.os }})" strategy: matrix: os: [ ubuntu-latest ] 
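Review bot: `publish_snapshot` declares `needs: [build, provenance]` with `if: inputs.snapshot`, but `provenance` is itself conditional on `inputs.provenance`; when provenance is off (the `workflow_dispatch` defaults are `provenance: false`, `snapshot: true`) the skipped dependency causes `publish_snapshot` to be skipped as well, so a manual dispatch with defaults never publishes. Either drop `provenance` from `needs` or tolerate the skip, e.g. `if: ${{ !cancelled() && inputs.snapshot && needs.build.result == 'success' && needs.provenance.result != 'failure' }}`. The `build` job runs with `egress-policy: block`, `disable-sudo: true` and `persist-credentials: false`, while `publish_snapshot` and `generate_docs` — the jobs that actually hold deploy credentials and a write token — stay at `egress-policy: audit` with persisted checkout credentials; if the docs push needs the persisted credential a comment should say so, otherwise bring both to the same baseline. The `hashes` output is set only on the JRE leg of a two-leg matrix; I believe an empty output from the Android leg does not overwrite the JRE value, but it is worth confirming, since an empty `base64-subjects` would break the provenance job. The `Install` step could also take `--strict-checksums`, which the CodeQL build already uses.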
@@ -25,6 +25,8 @@ jobs: java: 21 mode: Android runs-on: ${{ matrix.os }} + outputs: + hashes: ${{ steps.hash.outputs.hashes }} env: ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }} steps: @@ -71,54 +73,3 @@ jobs: shell: bash run: util/gradle_integration_tests.sh - publish_snapshot: - name: 'Publish snapshot' - needs: test - if: github.event_name == 'push' && github.repository == 'google/guava' - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - name: 'Check out repository' - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: 'Set up JDK 21' - uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 - with: - java-version: 21 - distribution: 'zulu' - server-id: sonatype-nexus-snapshots - server-username: CI_DEPLOY_USERNAME - server-password: CI_DEPLOY_PASSWORD - cache: 'maven' - - name: 'Publish' - env: - CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }} - CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }} - run: ./util/deploy_snapshot.sh - - generate_docs: - permissions: - contents: write - name: 'Generate latest docs' - needs: test - if: github.event_name == 'push' && github.repository == 'google/guava' - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - name: 'Check out repository' - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: 'Set up JDK 21' - uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 - with: - java-version: 21 - distribution: 'zulu' - cache: 'maven' - - name: 'Generate latest docs' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: ./util/update_snapshot_docs.sh 
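Review bot: The `outputs: hashes: ${{ steps.hash.outputs.hashes }}` added to the `test` job in the `@@ -25,6 +25,8 @@` hunk references a step with `id: hash`, but nothing in this series adds such a step to ci.test.yml — the `Generate hashes` step carrying `id: hash` is in the new ci.build.yml. Unless a `hash` step already exists in the unchanged part of the test job, GitHub resolves the missing step to an empty string and the job output is silently blank, so any consumer reading `needs.test.outputs.hashes` would feed an empty subject list to provenance generation without an error. Either add the hashing step to this job or drop the `outputs:` block; the `test` job body continues outside the hunk.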
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 621e59148d6c..d2d37a273117 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,7 +1,13 @@ name: "CodeQL" on: - workflow_call: {} + workflow_call: + inputs: + publish: + type: boolean + description: "Publish SARIF" + default: true + workflow_dispatch: {} push: branches: ["master"] diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml index a530d42a17a6..7c8f965fd95c 100644 --- a/.github/workflows/on.pr.yml +++ b/.github/workflows/on.pr.yml @@ -13,13 +13,27 @@ permissions: contents: read jobs: + ## Build the library and provenance material, but don't publish + build: + name: "Build" + uses: ./.github/workflows/ci.build.yml + permissions: + actions: write + contents: write + id-token: write + with: + provenance: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }} + provenance_publish: false + snapshot: false + ## Run main CI build and tests. - run-ci: - name: "Build & Test" - uses: ./.github/workflows/ci.yml + test: + name: "Tests" + uses: ./.github/workflows/ci.test.yml permissions: actions: write contents: write + id-token: write ## Validate the Gradle Wrapper binary checks-gradle-wrapper: @@ -44,3 +58,5 @@ jobs: actions: read contents: read security-events: write + with: + publish: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }} diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml index 08706b14f87c..f6aedfa8ea1c 100644 --- a/.github/workflows/on.push.yml +++ b/.github/workflows/on.push.yml 
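Review bot: In the on.pr.yml hunk `@@ -13,13 +13,27 @@`, the renamed `test` job gains `id-token: write`, yet the workflow it calls (ci.test.yml) has no job in this series that requests an OIDC token — the SLSA `provenance` job that does is in ci.build.yml, which the new `build` job already calls. A called reusable workflow inherits at most the caller job's permissions, so the extra grant only widens what a compromised test step could mint; remove `id-token: write` from the `test` job. The `contents: write` on the PR `build` job appears to be there only because the called `provenance` job declares `contents: write` and would otherwise fail validation even with `provenance_publish: false`; a comment saying so, e.g. `# contents: write is required by the called provenance job's declared permissions, not used on PRs`, would stop the next reader from treating it as a mistake.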
@@ -15,11 +15,15 @@ permissions: jobs: ## Run main CI build and tests. run-ci: - name: "Build & Test" - uses: ./.github/workflows/ci.yml + name: "Build" + uses: ./.github/workflows/ci.build.yml permissions: actions: write contents: write + id-token: write + with: + snapshot: github.repository == 'google/guava' + provenance: true ## Publish and check the dependency graph. checks-dependency-graph: From 3403c87a6f7eb4ec453c00c1d02f9ba43f38c298 Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Thu, 7 Mar 2024 22:56:44 -0800 Subject: [PATCH 05/10] chore(ci): build with `--strict-checksums` Fails the build if any downloaded dependencies fail their checksum verification. - chore: add `--strict-checksums` flag to `mvnw` calls in ci --- .github/workflows/ci.build.yml | 2 +- .github/workflows/ci.test.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.build.yml b/.github/workflows/ci.build.yml index 79448d235219..7a13f13c9caa 100644 --- a/.github/workflows/ci.build.yml +++ b/.github/workflows/ci.build.yml @@ -86,7 +86,7 @@ jobs: cache: 'maven' - name: 'Install' shell: bash - run: ./mvnw -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM + run: ./mvnw --strict-checksums -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM - name: Generate hashes shell: bash id: hash diff --git a/.github/workflows/ci.test.yml b/.github/workflows/ci.test.yml index a3ea325b1dc3..3085c4784035 100644 --- a/.github/workflows/ci.test.yml +++ b/.github/workflows/ci.test.yml 
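Review bot: `snapshot: github.repository == 'google/guava'` in the `with:` block of the on.push.yml hunk is a literal string, not an expression — only `if:` keys evaluate bare expressions, so the `snapshot` input receives the text `github.repository == 'google/guava'`. If ci.build.yml declares the input as `type: boolean` the call fails validation; if it is a string, `if: inputs.snapshot` on the `publish_snapshot` job is truthy for any non-empty value and a snapshot deploy would be attempted on every push where this workflow runs, not only in the upstream repository. Wrap it as the sibling on.pr.yml hunk does: `snapshot: ${{ github.repository == 'google/guava' }}`.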
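Review bot: `--strict-checksums` on the `Install` line compares each download against the checksum file served by the same repository, so it catches corrupted or truncated transfers but not a repository or mirror that serves a tampered artifact together with a matching checksum. The commit message reads as if this verified dependencies; a comment on the step such as `# --strict-checksums fails on transfer corruption only; it does not pin dependencies to known digests` sets the right expectation, and actual pinning would need a lock or digest-verification mechanism outside this hunk. The same applies to the ci.test.yml hunk `@@ -59,10 +59,10 @@` that follows.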
@@ -59,10 +59,10 @@ jobs: cache: 'maven' - name: 'Install' shell: bash - run: ./mvnw -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM + run: ./mvnw --strict-checksums -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM - name: 'Test' shell: bash - run: ./mvnw -B -P!standard-with-extra-repos verify -U -Dmaven.javadoc.skip=true -f $ROOT_POM + run: ./mvnw --strict-checksums -B -P!standard-with-extra-repos verify -U -Dmaven.javadoc.skip=true -f $ROOT_POM - name: 'Print Surefire reports' # Note: Normally a step won't run if the job has failed, but this causes it to if: ${{ failure() }} From 0d6f994e1c709abc913367c74161fd17afdb67d5 Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Fri, 8 Mar 2024 13:50:30 -0800 Subject: [PATCH 06/10] chore(ci): build avoidance (javadoc, gpg) - chore: don't rebuild javadoc during tests in ci - chore: don't run with gpg enabled in ci Signed-off-by: Sam Gammon --- .github/workflows/ci.build.yml | 24 +++++++++++++++++------- .github/workflows/ci.test.yml | 22 ++++++++++++++++++++-- .github/workflows/codeql.yml | 1 + 3 files changed, 38 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.build.yml b/.github/workflows/ci.build.yml index 7a13f13c9caa..52690da38308 100644 --- a/.github/workflows/ci.build.yml +++ b/.github/workflows/ci.build.yml 
@@ -78,15 +78,25 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - - name: 'Set up JDK 11' + - name: 'Set up JDK 21' uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 with: - java-version: 11 + java-version: 21 distribution: 'zulu' cache: 'maven' - name: 'Install' shell: bash - run: ./mvnw --strict-checksums -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM + run: | + ./mvnw \ + --strict-checksums \ + -B \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ + install \ + -U \ + -DskipTests=true \ + -Dmaven.javadoc.skip=false \ + -Dgpg.skip \ + -f $ROOT_POM - name: Generate hashes shell: bash id: hash @@ -138,10 +148,10 @@ jobs: egress-policy: audit - name: 'Check out repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: 'Set up JDK 11' + - name: 'Set up JDK 21' uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 with: - java-version: 11 + java-version: 21 distribution: 'zulu' server-id: ${{ inputs.repository }} server-username: CI_DEPLOY_USERNAME @@ -171,10 +181,10 @@ jobs: egress-policy: audit - name: 'Check out repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: 'Set up JDK 11' + - name: 'Set up JDK 21' uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 with: - java-version: 11 + java-version: 21 distribution: 'zulu' cache: 'maven' - name: 'Generate latest docs' diff --git a/.github/workflows/ci.test.yml b/.github/workflows/ci.test.yml index 3085c4784035..3f63c05378a1 100644 --- a/.github/workflows/ci.test.yml +++ b/.github/workflows/ci.test.yml 
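Review bot: The `Install` step of the `build` job now passes `-Dgpg.skip`, and the JARs it produces appear to be the ones uploaded as artifacts and later deployed by `publish_snapshot` through `./util/deploy_snapshot.sh` (per the ci.build.yml hunk earlier in this series), so unless that script signs at deploy time the published snapshots carry no GPG signatures. That may well be intended for snapshots, but nothing in the hunk records the decision; add a comment on that line, e.g. `# GPG is skipped here: snapshot JARs are signed, if at all, by util/deploy_snapshot.sh`. The `@@ -138,10 +148,10 @@` and `@@ -171,10 +181,10 @@` hunks in this file are JDK bumps only.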
@@ -59,10 +59,28 @@ jobs: cache: 'maven' - name: 'Install' shell: bash - run: ./mvnw --strict-checksums -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn install -U -DskipTests=true -f $ROOT_POM + run: | + ./mvnw \ + --strict-checksums \ + -B \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ + install \ + -U \ + -DskipTests=true \ + -Dgpg.skip \ + -Dmaven.javadoc.skip=true \ + -f $ROOT_POM - name: 'Test' shell: bash - run: ./mvnw --strict-checksums -B -P!standard-with-extra-repos verify -U -Dmaven.javadoc.skip=true -f $ROOT_POM + run: | + ./mvnw \ + --strict-checksums \ + -B \ + -P!standard-with-extra-repos \ + verify \ + -U \ + -Dmaven.javadoc.skip=true \ + -f $ROOT_POM - name: 'Print Surefire reports' # Note: Normally a step won't run if the job has failed, but this causes it to if: ${{ failure() }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d2d37a273117..bdc2e9cd1d09 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -76,6 +76,7 @@ jobs: -U \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ + -Dgpg.skip \ -f pom.xml - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 From 9c03223e42f336385c7b68ca9e43b1bfe4766aca Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Thu, 7 Mar 2024 22:05:03 -0800 Subject: [PATCH 07/10] chore(build): parameterize deploy repositories Adds two build parameters - `publishing.repository.snapshots`: Snapshot repo to deploy to - `publishing.repository.releases`: Releases repo to deploy to Both default to their current values, Sonatype. This small inert change allows a fork to easily publish to a different repository without resorting to a code change. Signed-off-by: Sam Gammon --- pom.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index f92855fb4ef8..a7704a6e6e31 100644 
--- a/pom.xml +++ b/pom.xml @@ -32,6 +32,8 @@ HEAD-android-SNAPSHOT android android + https://oss.sonatype.org/content/repositories/snapshots/ + https://oss.sonatype.org/service/local/staging/deploy/maven2/ GitHub Issues @@ -279,12 +281,12 @@ sonatype-nexus-snapshots Sonatype Nexus Snapshots - https://oss.sonatype.org/content/repositories/snapshots/ + ${publishing.repository.snapshots} sonatype-nexus-staging Nexus Release Repository - https://oss.sonatype.org/service/local/staging/deploy/maven2/ + ${publishing.repository.releases} guava-site From 5a3edfe567ac690b521448b57f0362cc8b32b156 Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Thu, 7 Mar 2024 22:10:45 -0800 Subject: [PATCH 08/10] feat(build): sigstore publishing plugin This changeset adds the Maven Sigstore plugin for use during publishing to Sonatype and other public repositories. - chore: add sigstore plugin to build Signed-off-by: Sam Gammon --- pom.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pom.xml b/pom.xml index a7704a6e6e31..6df3c36166e0 100644 --- a/pom.xml +++ b/pom.xml @@ -328,6 +328,19 @@ sonatype-oss-release + + dev.sigstore + sigstore-maven-plugin + 0.4.0 + + + sign + + sign + + + + maven-gpg-plugin 3.0.1 From 36538cc8738e606b4e5c4255296eaeadbd72859f Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Thu, 7 Mar 2024 23:17:57 -0800 Subject: [PATCH 09/10] chore(ci): document gha workflows Signed-off-by: Sam Gammon --- .github/workflows/ci.build.yml | 21 +++++++++++++++++++++ .github/workflows/ci.test.yml | 21 +++++++++++++++++++++ .github/workflows/dependency-review.yml | 13 +++++++++++++ .github/workflows/on.pr.yml | 8 ++++++++ .github/workflows/on.push.yml | 8 ++++++++ 5 files changed, 71 insertions(+) diff --git a/.github/workflows/ci.build.yml b/.github/workflows/ci.build.yml index 52690da38308..86c378599e2e 100644 --- a/.github/workflows/ci.build.yml +++ b/.github/workflows/ci.build.yml 
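Review bot: In the `@@ -279,12 +281,12 @@` hunk the `sonatype-nexus-snapshots` and `sonatype-nexus-staging` repository ids stay fixed while their URLs become `${publishing.repository.snapshots}` and `${publishing.repository.releases}`. Maven selects `<server>` credentials by id, so a `-D` override or a settings.xml profile that points either property at another host sends the credentials bound to those ids (in CI, `CI_DEPLOY_USERNAME`/`CI_DEPLOY_PASSWORD`) to that host. That is the fork use case the message describes, but it deserves a comment beside the new properties, e.g. `<!-- Overriding these URLs redirects the credentials configured for the sonatype-nexus-* server ids; forks must supply their own server entries -->`, and the deploy step should log the resolved URL before publishing.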
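Review bot: The `sigstore-maven-plugin` `sign` execution added in `@@ -328,6 +328,19 @@` signs keylessly with the OIDC identity of the workload running the build, so the signature is only as useful as the identity consumers are told to expect, and neither the hunk nor the commit message records which workflow identity will sign or how downstream users verify it. Add a comment beside the execution naming the expected signing identity (the release workflow ref) and the verification command, and confirm that the job running this profile holds `id-token: write` — the `publish_snapshot` job in ci.build.yml declares no `permissions:` block in the hunks visible here, so it relies entirely on what the caller grants.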
@@ -1,3 +1,24 @@ +# Guava GitHub CI +# --------------------------------------------------------------------------------------------------------------------- +# This is the main CI build on GitHub for the Google Guava project. This workflow is not invoked directly; instead, the +# `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a +# Reusable Workflow. +# +# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a +# button within the UI of the GitHub repository. You can trigger the workflow from here: +# +# https://github.com/google/guava/actions/workflows/ci.build.yml +# +# ## Inputs +# +# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow +# can be controlled when called. +# +# ## SLSA Provenance +# +# After building Guava in both JRE and Android variants, this workflow will (if enabled) generate provenance material +# and upload it to an associated release. Learn more about SLSA here: https://slsa.dev. + name: Build on: diff --git a/.github/workflows/ci.test.yml b/.github/workflows/ci.test.yml index 3f63c05378a1..b642288a455c 100644 --- a/.github/workflows/ci.test.yml +++ b/.github/workflows/ci.test.yml 
@@ -1,3 +1,24 @@ +# Guava GitHub CI +# --------------------------------------------------------------------------------------------------------------------- +# This is the main CI testsuite on GitHub for the Google Guava project. This workflow is not invoked directly; instead, +# the `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a +# Reusable Workflow. +# +# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a +# button within the UI of the GitHub repository. You can trigger the workflow from here: +# +# https://github.com/google/guava/actions/workflows/ci.test.yml +# +# ## Inputs +# +# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow +# can be controlled when called. +# +# ## Multi-OS and Multi-JVM Testing +# +# Guava is tested against each LTS release at JDK 8 through JDK 21, on Linux and on Windows (starting at JDK 17), and +# in Android and JRE flavors. + name: Tests on: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f302b07d983b..abc802dae2ac 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -1,3 +1,16 @@ +# Guava GitHub CI +# --------------------------------------------------------------------------------------------------------------------- +# This workflow is called from `on.push.yml` and `on.pr.yml` to operate on Guava's dependency graph: +# +# - The dependency graph is calculated from pom.xml files +# - The graph is then published to GitHub, and associated with the Guava repository +# - When operating on a PR, Dependency Review can be invoked to check dependency changes +# +# ## Inputs +# +# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow +# can be controlled when called. + name: 'Dependency Graph' on: workflow_call: diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml index 7c8f965fd95c..df88ff841bd9 100644 --- a/.github/workflows/on.pr.yml +++ b/.github/workflows/on.pr.yml @@ -1,3 +1,11 @@ +# Guava GitHub CI +# --------------------------------------------------------------------------------------------------------------------- +# This is an entrypoint workflow which operates on pull requests; this workflow doesn't do much on its own. Its job is +# to dispatch `on.build.yml` and check workflows, which can be found in this same directory. +# +# PR workflows are slightly different from push workflows (for example, they do not publish snapshots). See the +# `on.push.yml` workflow. PR and push flows are designed to be invoked separately. + name: PR on: diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml index f6aedfa8ea1c..91e567b6d569 100644 --- a/.github/workflows/on.push.yml +++ b/.github/workflows/on.push.yml 
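Review bot: The new header comment in the on.pr.yml hunk says the workflow dispatches `on.build.yml`, but no file of that name exists in this series; the build job calls `./.github/workflows/ci.build.yml` (on.pr.yml hunk `@@ -13,13 +13,27 @@` in PATCH 04). Replace `on.build.yml` with `ci.build.yml` in that sentence. The on.push.yml hunk that follows repeats the same reference and needs the same fix.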
@@ -1,3 +1,11 @@ +# Guava GitHub CI +# --------------------------------------------------------------------------------------------------------------------- +# This is an entrypoint workflow which operates on pushed revisions to Guava; this workflow doesn't do much on its own. +# Its job is to dispatch `on.build.yml` and check workflows, which can be found in this same directory. +# +# PR workflows are slightly different from push workflows (for example, the push workflow publishes snapshots). See the +# `on.pr.yml` workflow. PR and push flows are designed to be invoked separately. + name: Push on: From c5846e10b994ea2580006091dd26c5fe0126d8a6 Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Fri, 8 Mar 2024 00:05:11 -0800 Subject: [PATCH 10/10] chore(ci): add spdx plugin Signed-off-by: Sam Gammon --- guava/pom.xml | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++- pom.xml | 16 ++++++++-- 2 files changed, 97 insertions(+), 3 deletions(-) diff --git a/guava/pom.xml b/guava/pom.xml index be0bab174e16..f0e50c58bb00 100644 --- a/guava/pom.xml +++ b/guava/pom.xml @@ -9,7 +9,7 @@ HEAD-jre-SNAPSHOT guava - bundle + jar Guava: Google Core Libraries for Java https://github.com/google/guava @@ -222,4 +222,86 @@ + + + spdx + + [11, + + + + + + org.spdx + spdx-maven-plugin + + + build-spdx + install + + createSPDX + + + + + true + true + Organization: Google, LLC + Copyright (c) 2012-2024, The Guava Authors + Copyright (c) 2012-2024, The Guava Authors + Apache-2.0 + Organization: Google, LLC + + SHA256 + + + + + + org.apache.maven.plugins + maven-antrun-plugin + + + repack-spdx + install + + run + + + + + + + + + + + + + + + + + + maven-gpg-plugin + + + default-gpg + install + + sign + + + + + + + + diff --git a/pom.xml b/pom.xml index 6df3c36166e0..e22e87011064 100644 --- a/pom.xml +++ b/pom.xml @@ -274,6 +274,20 @@ build-helper-maven-plugin 3.4.0 + + maven-gpg-plugin + 3.0.1 + + + dev.sigstore + sigstore-maven-plugin + 0.4.0 + + + org.spdx + spdx-maven-plugin + 0.7.3 + 
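Review bot: The `@@ -9,7 +9,7 @@` hunk of guava/pom.xml changes the module packaging from `bundle` to `jar`, which is unrelated to the "add spdx plugin" subject and is not mentioned in the message. `bundle` packaging is what drives OSGi manifest generation for the published Guava JAR; unless the bundle plugin's manifest goal is bound elsewhere, artifacts built from this change lose their OSGi metadata, and consumers cannot tell that from the version number. Either revert this line or split it into its own commit with the reasoning and a check that the generated MANIFEST.MF still carries the Bundle-* headers.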
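Review bot: In the `@@ -222,4 +222,86 @@` hunk the new `spdx` profile binds `createSPDX`, the antrun `repack-spdx` execution and a `default-gpg` `sign` execution all to the `install` phase; executions in the same phase run in POM order, so if `repack-spdx` rewrites the JAR after `createSPDX` has recorded its `SHA256`, the checksum in the SPDX document no longer describes the artifact that is then signed and shipped. The antrun task body is not visible here (the XML was stripped on this page), so this needs confirming; if the repack does modify the JAR, run `createSPDX` after it or bind the repack to `package`. The profile also activates on JDK `[11,` alone, so every local `mvn install` on a current JDK now attempts GPG signing unless `-Dgpg.skip` is passed — an explicit activation property would make that opt-in.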
@@ -331,7 +345,6 @@ dev.sigstore sigstore-maven-plugin - 0.4.0 sign @@ -343,7 +356,6 @@ maven-gpg-plugin - 3.0.1 sign-artifacts