Skip to content

build(deps): update jni requirement from 0.21.1 to 0.22.4 #225

build(deps): update jni requirement from 0.21.1 to 0.22.4

build(deps): update jni requirement from 0.21.1 to 0.22.4 #225

Workflow file for this run

name: Security
on:
schedule:
- cron: '0 8 * * 1' # Every Monday at 8 AM UTC
push:
branches: [master]
pull_request:
branches: [master]
workflow_dispatch:
permissions:
security-events: write
contents: read
jobs:
# Rust dependency audit
cargo-audit:
name: Cargo Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: Install cargo-audit
run: cargo install cargo-audit
- name: Audit Rust dependencies
run: |
# All ignored advisories are transitive rustls-webpki 0.102.8 issues
# pinned by wasmtime-wasi-http 43.0.1 via rustls 0.22.4. Fix requires
# an upstream wasmtime release bumping rustls.
# RUSTSEC-2026-0049: rustls-webpki CRL matching bug
# RUSTSEC-2026-0098: name constraints accepted for URI names
# RUSTSEC-2026-0099: name constraints accepted for wildcard names
cargo audit \
--ignore RUSTSEC-2026-0049 \
--ignore RUSTSEC-2026-0098 \
--ignore RUSTSEC-2026-0099
# Maven dependency vulnerability check
dependency-check:
name: OWASP Dependency Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'temurin'
- name: Cache Maven
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: m2-security-${{ hashFiles('**/pom.xml') }}
restore-keys: m2-security-
- name: Run OWASP dependency check
continue-on-error: true
run: |
./mvnw org.owasp:dependency-check-maven:check \
-DfailBuildOnCVSS=7 \
-P skip-native \
-B
- name: Upload report
if: always()
uses: actions/upload-artifact@v4
with:
name: dependency-check-report
path: '**/target/dependency-check-report.html'
retention-days: 30
# CodeQL analysis
codeql:
name: CodeQL
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
java-version: '23'
distribution: 'temurin'
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java
- name: Build for CodeQL
run: |
COMMON_ARGS="-B -P skip-native -DskipTests -DskipQuality -Dmaven.javadoc.skip=true -Dgpg.skip=true -Dcheckstyle.skip=true -Dspotless.check.skip=true"
./mvnw install $COMMON_ARGS -Dmaven.test.skip=true -pl '!:wasmtime4j-tests-stress' -q
./mvnw compile $COMMON_ARGS -pl wasmtime4j,wasmtime4j-jni,wasmtime4j-native-loader
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
# Secret scanning
secret-scan:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run TruffleHog
uses: trufflesecurity/trufflehog@v3.88.0
with:
path: ./
base: ${{ github.event.pull_request.base.sha || 'HEAD~1' }}
head: HEAD
# SBOM generation
sbom:
name: SBOM
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'temurin'
- name: Generate SBOM
run: ./mvnw org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -B -P skip-native
- uses: actions/upload-artifact@v4
with:
name: sbom
path: target/bom.xml
retention-days: 90