This is an automated email from the ASF dual-hosted git repository.

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git

commit f15d3c31e20f3295e4d0b5dd05f6df91851ad849
Author: Robert Lazarski <[email protected]>
AuthorDate: Wed Jul 1 08:37:42 2026 -1000

    ci: least-privilege permissions + SHA-pin actions
    
    Security hardening brought over from axis-axis2-c-core's CI review:
    
    - Add top-level `permissions: contents: read`. The workflow had no
      permissions block, so it inherited the default GITHUB_TOKEN scope. All
      three jobs only read the repo and build with Maven; the deploy job's Nexus
      credentials come from secrets, not GITHUB_TOKEN (verified: no github.token
      usage anywhere), so read is sufficient.
    - Pin actions to immutable commit SHAs (checkout v7.0.0, cache v6.1.0,
      setup-java v5.4.0) so a hijacked tag can't inject code into CI. The
      existing daily github-actions Dependabot update keeps the SHAs (and their
      `# vX.Y.Z` comments) current.
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .github/workflows/ci.yml | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e6f0904fa7..ffa98b4c57 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,6 +24,11 @@ env:
   MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 
-Dmaven.wagon.http.retryHandler.count=3
   BASE_JAVA_VERSION: 17
   DEFAULT_JAVA_DISTRIBUTION: 'temurin'
+# Least privilege: all jobs only read the repo and build with Maven. Nexus
+# deploy credentials come from secrets, not GITHUB_TOKEN, so no write scope is
+# needed. Deny everything the default token would otherwise grant.
+permissions:
+  contents: read
 jobs:
   build:
     strategy:
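Review bot: The comment on the new `permissions:` block asserts that the deploy job's Nexus credentials come from secrets rather than GITHUB_TOKEN, but the deploy steps that consume those credentials lie outside every hunk of this diff, so the read-only justification cannot be checked from here. Having the comment name the secret entries the deploy step reads keeps that assumption verifiable for the next maintainer, e.g. `# deploy reads secrets.<NEXUS_CREDENTIAL_SECRET> (placeholder), never GITHUB_TOKEN`. Listing only `contents: read` at the top level sets every unlisted scope to none for all three jobs, so a job that later needs more should add its own job-level `permissions:` rather than widening this block; one comment line saying so would discourage loosening the default.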
@@ -34,9 +39,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - name: Checkout
-      uses: actions/checkout@v7
+      uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Cache Maven Repository
-      uses: actions/cache@v6
+      uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
       with:
         path: ~/.m2/repository
         key: maven-java-${{ matrix.java }}-${{ hashFiles('**/pom.xml') }}
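Review bot: The `# v7.0.0` and `# v6.1.0` comments after the new SHA pins are the only human-readable handle on what was pinned, and nothing in the diff shows that each SHA resolves to that tag in the upstream repository; a comment that drifts from its SHA gives false assurance, and Dependabot's tracking of the pin relies on it. Confirming the SHA-to-tag mapping against the upstream repositories before merge is the check this hunk needs. The same checkout and cache pins recur identically in the site and deploy job hunks (`@@ -57,9 +62,9 @@` and `@@ -84,9 +89,9 @@`), so one verification covers all three.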
@@ -44,7 +49,7 @@ jobs:
           maven-java-${{ matrix.java }}-
           maven-
     - name: Set up Java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # 
v5.4.0
       with:
         java-version: ${{ matrix.java }}
         distribution: ${{ env.DEFAULT_JAVA_DISTRIBUTION }}
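Review bot: The added `setup-java` line appears to end with a bare `# ` and its `v5.4.0` comment continues on an unindented line of its own; if that reflects the committed file rather than mail-client wrapping, the stray `v5.4.0` scalar would break the workflow parse and Dependabot would lose the version hint it uses to bump the pin. Confirm in the repository that the line reads `uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0` as a single line. The same split appears in the hunks at `@@ -67,7 +72,7 @@` and `@@ -94,7 +99,7 @@`.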
@@ -57,9 +62,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - name: Checkout
-      uses: actions/checkout@v7
+      uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Cache Maven Repository
-      uses: actions/cache@v6
+      uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
       with:
         path: ~/.m2/repository
         key: maven-site-${{ hashFiles('**/pom.xml') }}
@@ -67,7 +72,7 @@ jobs:
           maven-site-
           maven-
     - name: Set up Java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # 
v5.4.0
       with:
         java-version: ${{ env.BASE_JAVA_VERSION }}
         distribution: ${{ env.DEFAULT_JAVA_DISTRIBUTION }}
@@ -84,9 +89,9 @@ jobs:
       - site
     steps:
     - name: Checkout
-      uses: actions/checkout@v7
+      uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Cache Maven Repository
-      uses: actions/cache@v6
+      uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
       with:
         path: ~/.m2/repository
         key: maven-deploy-${{ hashFiles('**/pom.xml') }}
@@ -94,7 +99,7 @@ jobs:
           maven-deploy-
           maven-
     - name: Set up Java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # 
v5.4.0
       with:
         java-version: ${{ env.BASE_JAVA_VERSION }}
         distribution: ${{ env.DEFAULT_JAVA_DISTRIBUTION }}
