Merge branch 'main' into main

Author: phipag

.github/workflows/auto-merge.yml

@@ -18,6 +18,9 @@ on:
       - 'mkdocs.yml'
       - 'Makefile'
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     runs-on: ubuntu-latest

.github/workflows/build-docs.yml

@@ -7,22 +7,23 @@ on:
     - cron: '0 * * * *'
 
 permissions:
-  id-token: write
-  actions: read
-  checks: read
   contents: read
-  deployments: read
-  issues: read
-  discussions: read
-  packages: read
-  pages: read
-  pull-requests: read
-  repository-projects: read
-  security-events: read
-  statuses: read
 
 jobs:
   dispatch_token:
+    permissions:
+      id-token: write
+      actions: read
+      checks: read
+      deployments: read
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
     concurrency:
       group: analytics
     runs-on: ubuntu-latest

.github/workflows/dispatch_analytics.yml

@@ -7,14 +7,14 @@ on:
   workflow_dispatch: {}
 
 permissions:
-  id-token: write
-  contents: write
-  pages: write
+  contents: read
 
 jobs:
   docs:
     runs-on: ubuntu-latest
     environment: Docs
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Set up Python

.github/workflows/docs.yml

@@ -0,0 +1,48 @@
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  schedule:
+    - cron: "0 9 * * *"
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # environment: scorecard
+    permissions:
+      security-events: write  # update code-scanning dashboard
+      id-token: write  # confirm org+repo identity before publish results
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true  # publish to OSSF Scorecard REST API
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}  # read-only fine-grained token to read branch protection settings
+
+      - name: "Upload results"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        with:
+          sarif_file: results.sarif

.github/workflows/openssf_scorecard.yml

@@ -0,0 +1,26 @@
+name: OSV-Scanner
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+    branches: [main]
+  workflow_dispatch: {}
+
+  schedule:
+    - cron: "30 12 * * 1"
+  # Change "main" to your default branch if you use a different name, i.e. "master"
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  scan-pr:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638"

.github/workflows/osv.yml

@@ -23,6 +23,10 @@ on:
       - 'powertools-validation/**'
       - 'pom.xml'
       - '.github/workflows/pr_artifacts_size.yml'
+
+permissions:
+  contents: read
+
 jobs:
   codecheck:
     runs-on: ubuntu-latest

.github/workflows/pr_artifacts_size.yml

@@ -1,6 +1,7 @@
 name: Build
 
 on:
+  workflow_dispatch:
   pull_request:
     branches:
       - main
@@ -45,6 +46,10 @@ on:
       - 'pom.xml'
       - 'examples/pom.xml'
       - '.github/workflows/**'
+
+permissions:
+  contents: read
+
 jobs:
   build-corretto:
     runs-on: ubuntu-latest
@@ -58,7 +63,6 @@ jobs:
       AWS_REGION: eu-west-1
     permissions:
       id-token: write # needed to interact with GitHub's OIDC Token endpoint.
-      contents: read
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Setup java
@@ -69,14 +73,30 @@ jobs:
           cache: 'maven'
       - name: Build with Maven
         run: mvn -B install --file pom.xml
+      - name: Build Gradle Setup
+        if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
+        working-directory: examples/powertools-examples-core/gradle
+        run: |
+          curl -L -o gradle/wrapper/gradle.zip https:$(cat gradle/wrapper/gradle-wrapper.properties  | grep distributionUrl | cut -d ':' -f 2)
+          unzip gradle/wrapper/gradle.zip -d gradle/wrapper/gradle
+          ./gradle/wrapper/gradle/gradle-8.2.1/bin/gradle wrapper
       - name: Build Gradle Example - Java
         if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
         working-directory: examples/powertools-examples-core/gradle
         run: ./gradlew build
+
+      - name: Build Gradle Setup (Kotlin)
+        if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
+        working-directory: examples/powertools-examples-core/kotlin
+        run: |
+          curl -L -o gradle/wrapper/gradle.zip https:$(cat gradle/wrapper/gradle-wrapper.properties  | grep distributionUrl | cut -d ':' -f 2)
+          unzip gradle/wrapper/gradle.zip -d gradle/wrapper/gradle
+          ./gradle/wrapper/gradle/gradle-8.2.1/bin/gradle wrapper
       - name: Build Gradle Example - Kotlin
         if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
         working-directory: examples/powertools-examples-core/kotlin
         run: ./gradlew build
+        
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
         if: ${{ matrix.java == '11' }} # publish results once

.github/workflows/pr_build.yml

@@ -41,6 +41,10 @@ on:
       - 'pom.xml'
       - 'examples/pom.xml'
       - '.github/workflows/**'
+
+permissions:
+  contents: read
+
 jobs:
   build-corretto:
     runs-on: ubuntu-latest
@@ -54,7 +58,6 @@ jobs:
       AWS_REGION: eu-west-1
     permissions:
       id-token: write # needed to interact with GitHub's OIDC Token endpoint.
-      contents: read
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Setup java

.github/workflows/pr_build_v2.yml

@@ -11,6 +11,10 @@ on:
       - v2
     paths:
       - 'examples/**'
+
+permissions:
+  contents: read
+
 jobs:
   linter:
     runs-on: ubuntu-latest

.github/workflows/pr_iac_lint.yml

@@ -4,9 +4,18 @@ on:
     types:
       - published
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
+    environment: Release
+    permissions:
+      id-token: write
+      issues: write
+      contents: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Set up Maven Central Repository

.github/workflows/publish.yml

@@ -6,9 +6,15 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.23.0
         env:

.github/workflows/release-drafter.yml

@@ -6,9 +6,16 @@ on:
         description: 'Release number to upgrade to. For example X.X.X. Follow Semantic Versioning when deciding on next version.'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Get current date
@@ -69,12 +76,11 @@ jobs:
         uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3.14.0
         with:
           commit-message: chore:prep release ${{ github.event.inputs.targetRelease }}
-          token: ${{ secrets.RELEASE }}
           signoff: false
           branch: prep-release-${{ github.event.inputs.targetRelease }}
           delete-branch: true
           title: chore:Prep release ${{ github.event.inputs.targetRelease }}
           body: |
             This is automated release prep. Remember to update [CHANGELOG.md](https://github.com/aws-powertools/powertools-lambda-java/blob/prep-release-${{ github.event.inputs.targetRelease }}/CHANGELOG.md) to capture changes in this release. Please review changes carefully before merging.
             
-            * [ ] Updated CHANGELOG.md
+            * [ ] Updated CHANGELOG.md

.github/workflows/release-prep.yml

@@ -27,6 +27,9 @@ on:
     paths:
       - 'powertools-e2e-tests/**'
 
+permissions:
+  contents: read
+
 jobs:
   e2e:
     runs-on: ubuntu-latest