Skip to content

ci: Address all code scan reports #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rodrigo-sobral merged 9 commits into from
Apr 29, 2026
Merged

ci: Address all code scan reports #54

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
50e5c33
ci: Address code scan reports (unpinned action reference)
rodrigo-sobral Apr 27, 2026
a96e978
ci: Address code scan reports (overly broad permissions)
rodrigo-sobral Apr 27, 2026
24a5b6c
ci: Address code scan reports (insufficient job-level concurrency lim…
rodrigo-sobral Apr 27, 2026
4d81a05
ci: Address code scan reports (secrets referenced without a dedicated…
rodrigo-sobral Apr 27, 2026
8c3592f
ci: Address code scan reports (code injection via template expansion)
rodrigo-sobral Apr 27, 2026
d0ba157
ci: Address code scan reports (credential persistence through GitHub …
rodrigo-sobral Apr 27, 2026
98982c4
ci: Address code scan reports (runtime artifacts potentially vulnerab…
rodrigo-sobral Apr 27, 2026
c6392de
ci: Push using command line instead of an action
rodrigo-sobral Apr 29, 2026
7bb865b
ci: Address code scan report (code injection via template expansion)
rodrigo-sobral Apr 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 13 additions & 5 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,21 @@ on:
branches: [ master ]
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {} # Deny all permissions by default at workflow level

jobs:
test-build:
runs-on: ubuntu-latest

steps:
# 1 – Check out the code
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

# 2 – Expose the version tag as $PACKAGE_VERSION (only if this is a v* tag ref)
- name: Set environment package version from tag
Expand All @@ -25,28 +33,28 @@ jobs:
fi

# 3 – Set up Python
- uses: actions/setup-python@v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.13'
cache: 'pip'

# 4 – Set up Node.js
- uses: actions/setup-node@v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24.x'
cache: 'npm'

# 5 – Set up JDK 17 and enable sbt cache
- name: Set up JDK 17
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin'
java-version: '17'
cache: 'sbt'

# 6 – Install sbt 1.12.4
- name: Set up sbt
uses: sbt/setup-sbt@v1
uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
with:
sbt-runner-version: '1.12.4'

Expand Down
14 changes: 11 additions & 3 deletions .github/workflows/checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,21 +11,29 @@ on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {} # Deny all permissions by default at workflow level

jobs:
check-code:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Setup Node.js environment
uses: actions/setup-node@v6
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24.x
cache: yarn
cache-dependency-path: yarn.lock

- name: Setup Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.13'

Expand Down
24 changes: 15 additions & 9 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,12 @@ on:
tags:
- 'v*' # runs only when you push tags like v1.2.3

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {} # Deny all permissions by default at workflow level

jobs:
build-publish:
runs-on: ubuntu-latest
Expand All @@ -14,7 +20,9 @@ jobs:

steps:
# 1 – Check out the repo
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

# 2 – Expose the tag (e.g. 1.2.3) as $PACKAGE_VERSION
- name: Set environment package version from tag
Expand All @@ -24,28 +32,26 @@ jobs:
echo "PACKAGE_VERSION=${ref#v}" >> "$GITHUB_ENV"

# 3 – Set up Python
- uses: actions/setup-python@v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.13'
cache: 'pip'

# 4 – Set up Node.js
- uses: actions/setup-node@v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24.x'
cache: 'npm'
package-manager-cache: false

# 5 – Set up JDK 17 and enable sbt cache
- name: Set up JDK 17
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin'
java-version: '17'
cache: 'sbt'

# 6 – Install sbt 1.12.4
- name: Set up sbt
uses: sbt/setup-sbt@v1
uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
with:
sbt-runner-version: '1.12.4'

Expand All @@ -59,4 +65,4 @@ jobs:

# 9 – Publish to PyPI (Trusted Publishing)
- name: Publish distribution to PyPI 🚀
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
25 changes: 18 additions & 7 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,25 +8,36 @@ on:
required: true
default: "patch"

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {} # Deny all permissions by default at workflow level

jobs:
bump-version:
runs-on: ubuntu-latest
environment: tag-release
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-python@v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.13'
- name: Install release tooling
run: python -m pip install bump2version
- name: Bump and tag
env:
BUMP: ${{ github.event.inputs.bump }}
run: |
git config --local user.email "swan-admins@cern.ch"
git config --local user.name "swan-admins[bot]"
bump2version ${{ github.event.inputs.bump }}
bump2version ${BUMP}
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.WORKFLOW_ACCESS_TOKEN }}
tags: true
env:
WORKFLOW_ACCESS_TOKEN: ${{ secrets.WORKFLOW_ACCESS_TOKEN }}
REF_NAME: ${{ github.ref_name }}
run: |
git remote set-url origin "https://x-access-token:${WORKFLOW_ACCESS_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
git push origin "${REF_NAME}" --tags --atomic