fix(ci): OSSF Changes (#1769)

sthulb · web-flow · commit ed89b3cf02c6 · 2025-02-17T13:19:02.000+01:00
* Change permissions to be more granular

* update to pinned deps

* remove gradle wrapper

* perms

* perms

* fix pinned deps

* add gradle download

* add hashes

* pin to hash

* update path for props file

* update build script

* fix path

* add setup setup

* build wrapper

* gradle ver inc
diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml
@@ -15,13 +15,12 @@ on:
     branches: [main]
 
 permissions:
-  # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
-  actions: read
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents
   contents: read
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.1"
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638"
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
@@ -72,6 +72,13 @@ jobs:
           cache: 'maven'
       - name: Build with Maven
         run: mvn -B install --file pom.xml
+      - name: Build Gradle Setup
+        if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
+        working-directory: examples/powertools-examples-core/gradle
+        run: |
+          curl -L -o gradle/wrapper/gradle.zip https:$(cat gradle/wrapper/gradle-wrapper.properties  | grep distributionUrl | cut -d ':' -f 2)
+          unzip gradle/wrapper/gradle.zip -d gradle/wrapper/gradle
+          ./gradle/wrapper/gradle/gradle-8.2.1/bin/gradle wrapper
       - name: Build Gradle Example - Java
         if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
         working-directory: examples/powertools-examples-core/gradle
diff --git a/docs/Dockerfile b/docs/Dockerfile
@@ -1,2 +1,4 @@
-FROM squidfunk/mkdocs-material
-RUN pip install mkdocs-git-revision-date-plugin mkdocs-macros-plugin
+FROM squidfunk/mkdocs-material@sha256:6ffbcd0e1438f3278341e437048ba4507e7e0af70efe700dd6d8a1d76fc071dd
+
+COPY requirements.txt /tmp/
+RUN pip install --require-hashes -r /tmp/requirements.txt
diff --git a/docs/requirements.in b/docs/requirements.in
@@ -0,0 +1,2 @@
+mkdocs-git-revision-date-plugin==0.3.2
+mkdocs-macros-plugin==1.3.7
diff --git a/docs/requirements.txt b/docs/requirements.txt
diff --git a/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.jar b/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.jar
diff --git a/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.properties b/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/examples/powertools-examples-core/kotlin/gradle/wrapper/gradle-wrapper.properties b/examples/powertools-examples-core/kotlin/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+mkdocs-git-revision-date-plugin==0.3.2`
	`2`	`+mkdocs-macros-plugin==1.3.7`