This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit f15d3c31e20f3295e4d0b5dd05f6df91851ad849
Author: Robert Lazarski <[email protected]>
AuthorDate: Wed Jul 1 08:37:42 2026 -1000
ci: least-privilege permissions + SHA-pin actions
Security hardening brought over from axis-axis2-c-core's CI review:
- Add top-level `permissions: contents: read`. The workflow had no permissions block, so it inherited the default GITHUB_TOKEN scope. All three jobs only read the repo and build with Maven; the deploy job's Nexus credentials come from secrets, not GITHUB_TOKEN (verified: no github.token usage anywhere), so read is sufficient.
- Pin actions to immutable commit SHAs (checkout v7.0.0, cache v6.1.0, setup-java v5.4.0) so a hijacked tag can't inject code into CI. The existing daily github-actions Dependabot keeps the SHAs (and their # vX.Y.Z comments) current.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
.github/workflows/ci.yml | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e6f0904fa7..ffa98b4c57 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,6 +24,11 @@ env:
   MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 -Dmaven.wagon.http.retryHandler.count=3
   BASE_JAVA_VERSION: 17
   DEFAULT_JAVA_DISTRIBUTION: 'temurin'
+# Least privilege: all jobs only read the repo and build with Maven. Nexus
+# deploy credentials come from secrets, not GITHUB_TOKEN, so no write scope is
+# needed. Deny everything the default token would otherwise grant.
+permissions:
+  contents: read
 jobs:
   build:
     strategy:
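Review bot: The new comment above `permissions:` explains why read is enough today but not what to do when a job later needs more, which is exactly the moment a maintainer is tempted to widen this top-level block; add a line such as `# A job that later needs a write scope should declare its own job-level permissions: rather than widening this block.` so the least-privilege default survives future edits. Note also that `contents: read` has no bearing on the Nexus credentials the comment mentions — those are repository secrets, so their exposure is governed by which events trigger the deploy job, not by this key; the trigger block is outside the hunk, and the commit message's "no github.token usage anywhere" claim cannot be checked from here. Stylistically, if the file separates its other top-level stanzas with a blank line, one before the comment would match.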
@@ -34,9 +39,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Cache Maven Repository
-        uses: actions/cache@v6
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         with:
           path: ~/.m2/repository
           key: maven-java-${{ matrix.java }}-${{ hashFiles('**/pom.xml') }}
@@ -44,7 +49,7 @@ jobs:
             maven-java-${{ matrix.java }}-
             maven-
       - name: Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
         with:
           java-version: ${{ matrix.java }}
           distribution: ${{ env.DEFAULT_JAVA_DISTRIBUTION }}
@@ -57,9 +62,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Cache Maven Repository
-        uses: actions/cache@v6
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         with:
           path: ~/.m2/repository
           key: maven-site-${{ hashFiles('**/pom.xml') }}
@@ -67,7 +72,7 @@ jobs:
             maven-site-
             maven-
       - name: Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
         with:
           java-version: ${{ env.BASE_JAVA_VERSION }}
           distribution: ${{ env.DEFAULT_JAVA_DISTRIBUTION }}
@@ -84,9 +89,9 @@ jobs:
       - site
     steps:
       - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
       - name: Cache Maven Repository
-        uses: actions/cache@v6
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
         with:
           path: ~/.m2/repository
           key: maven-deploy-${{ hashFiles('**/pom.xml') }}
@@ -94,7 +99,7 @@ jobs:
             maven-deploy-
             maven-
       - name: Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
         with:
           java-version: ${{ env.BASE_JAVA_VERSION }}
           distribution: ${{ env.DEFAULT_JAVA_DISTRIBUTION }}
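Review bot: The three pinned checkout steps (this hunk, `@@ -57,9 +62,9 @@`, and `@@ -84,9 +89,9 @@`) still rely on actions/checkout's default of persisting the GITHUB_TOKEN into the checked-out repository's git config, where every later step in the job — the Maven build and its plugins here — can read it; the token is now read-only, which limits the damage, but the credential is only needed if a later step fetches or pushes with it. If nothing does, add `with:` and `persist-credentials: false` under each checkout `uses:` line; the remaining steps of each job are outside these hunks, so that has to be confirmed against the full file. Separately, the `# vX.Y.Z` suffixes document intent but are not enforced by the runner: each SHA should be confirmed to resolve to the named tag before merging, since the Dependabot sync described in the commit message only keeps comment and SHA aligned from the next update onward.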
