From 01b98dcdde7f96f159908271fe40a55f787c0b6a Mon Sep 17 00:00:00 2001 From: Justin Abrahms Date: Fri, 30 Sep 2022 13:23:07 -0700 Subject: [PATCH 1/3] Add a dependabot file to keep deps up to date Signed-off-by: Justin Abrahms --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..fb167d170 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,14 @@ +version: 2 +updates: + + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + + # Maintain dependencies for npm + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" From 90bf877eca8872c3c70c32ef2d2d5d70bc6b658b Mon Sep 17 00:00:00 2001 From: Justin Abrahms Date: Sun, 2 Oct 2022 23:12:13 -0700 Subject: [PATCH 2/3] Move write permissions to the specific job, rather than globally Signed-off-by: Justin Abrahms --- .github/workflows/merge.yml | 3 ++- .github/workflows/pullrequest.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index ed30bdbfc..302f788cf 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -12,13 +12,14 @@ on: branches: [ master, main ] permissions: - packages: write contents: read jobs: build: runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: actions/checkout@v3 diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml index 3b7430a0a..bbe1d8ddd 100644 --- a/.github/workflows/pullrequest.yml +++ b/.github/workflows/pullrequest.yml @@ -3,7 +3,6 @@ on: pull_request: branches: [ master, main ] permissions: - packages: write contents: read jobs: @@ -15,6 +14,8 @@ jobs: ports: - 8013:8013 + permissions: + packages: write steps: - name: Check out the code uses: actions/checkout@v3 From 64bf2a3b23164a43de6f36c77ee4cd044daab85f Mon Sep 17 00:00:00 2001 From: Justin Abrahms Date: Mon, 3 Oct 2022 09:04:32 -0700 Subject: [PATCH 3/3] Run code scanning (slow auto-build) weekly Signed-off-by: Justin Abrahms --- .github/workflows/static-code-scanning.yaml | 41 +++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/static-code-scanning.yaml diff --git a/.github/workflows/static-code-scanning.yaml b/.github/workflows/static-code-scanning.yaml new file mode 100644 index 000000000..4cc4b6b35 --- /dev/null +++ b/.github/workflows/static-code-scanning.yaml @@ -0,0 +1,41 @@ +name: "Code Scanning - Action" + +# Docs for this at https://github.com/github/codeql-action#usage + +on: + schedule: + # ┌───────────── minute (0 - 59) + # │ ┌───────────── hour (0 - 23) + # │ │ ┌───────────── day of the month (1 - 31) + # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC) + # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT) + # │ │ │ │ │ + # │ │ │ │ │ + # │ │ │ │ │ + # * * * * * + - cron: '30 1 * * 1' + +jobs: + CodeQL-Build: + # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest + runs-on: ubuntu-latest + + permissions: + # required for all workflows + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: java + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2