Skip to content

build(deps): bump the maven-plugins group across 1 directory with 3 updates #251

build(deps): bump the maven-plugins group across 1 directory with 3 updates

build(deps): bump the maven-plugins group across 1 directory with 3 updates #251

Workflow file for this run

name: CI Guardrails
on:
push:
branches:
- 'main'
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
zizmor:
name: Analyze (Zizmor)
runs-on: ubuntu-latest
permissions:
security-events: write # Required to create code scanning alerts
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: false # needed for Zizmor's use of Docker
egress-policy: block
allowed-endpoints: >
api.github.com:443
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
poutine:
name: Analyze (Poutine)
runs-on: ubuntu-latest
permissions:
security-events: write # Required to create code scanning alerts
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
release-assets.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Load pinned tool versions
id: versions
run: |
poutine="$(jq -r '.poutine' tools/github-workflow-tools/versions.json)"
echo "poutine=${poutine}" >> "$GITHUB_OUTPUT"
- name: Install poutine
env:
VERSION: ${{ steps.versions.outputs.poutine }}
run: |
curl -sSfL "https://github.com/boostsecurityio/poutine/releases/download/v${VERSION}/poutine_Linux_x86_64.tar.gz" \
| tar -xzf - -C /usr/local/bin poutine
- name: Generate poutine SARIF
run: |
# poutine emits an all-zero GUID that fails GitHub's UUID validation;
# replace it with a valid RFC-4122 nil-equivalent.
poutine analyze_local "${GITHUB_WORKSPACE}" -f sarif \
| jq '(.runs[].tool.driver.supportedTaxonomies[] | select(.guid == "00000000-0000-0000-0000-000000000000")).guid = "00000000-0000-1000-8000-000000000000"' \
> poutine_results.sarif
- name: Upload poutine SARIF file
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
sarif_file: poutine_results.sarif
trufflehog:
name: Analyze (TruffleHog)
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: false # needed for TruffleHog's use of Docker
egress-policy: block
allowed-endpoints: >
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Load pinned tool versions
id: versions
run: |
trufflehog="$(jq -r '.trufflehog' tools/github-workflow-tools/versions.json)"
echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT"
- name: Run TruffleHog
uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
with:
extra_args: --results=verified,unknown
version: ${{ steps.versions.outputs.trufflehog }}
pom-consistency:
name: Analyze (POM Consistency)
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
raw.githubusercontent.com:443
api.github.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
release-assets.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Check plugin version consistency
run: uv run --project tools/github-workflow-tools --group python-common python3 .github/scripts/check-pom-consistency.py
hook-coverage:
name: Validate Hook Coverage Mapping
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Validate hook coverage mapping
run: python3 .github/scripts/check-hook-coverage.py
hook-revisions-frozen:
name: Validate Hook Revisions Are Frozen
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Validate hook revisions are frozen
run: python3 .github/scripts/check-hook-revisions-frozen.py