From 0a10d755bf88f36e767d8a6d41da56c5580fd68b Mon Sep 17 00:00:00 2001 From: black-sliver <59490463+black-sliver@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:21:33 +0200 Subject: [PATCH 1/4] CI: use cooldown for dependabot if supported; 3 days is hopefully good enough to catch bad stuff. Actions currently do not support cooldown, but hopefully this will be added in the future. --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 178d985..6768255 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,7 +9,11 @@ updates: directory: "/" # Location of package manifests schedule: interval: "weekly" + cooldown: + default-days: 3 - package-ecosystem: "github-actions" # See documentation for possible values directory: "/" # Location of package manifests schedule: interval: "weekly" + cooldown: + default-days: 3 From 55d5cc0b33d1f9d0fde8c80587487b8f5fd3c737 Mon Sep 17 00:00:00 2001 From: black-sliver <59490463+black-sliver@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:28:06 +0200 Subject: [PATCH 2/4] CI: drop all but required permissions --- .github/workflows/build.yml | 2 ++ .github/workflows/release.yml | 2 ++ .github/workflows/snapshot.yml | 2 ++ .github/workflows/update-dependancy-graph.yml | 3 +++ 4 files changed, 9 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e5eee58..8a99507 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,6 +4,8 @@ name: Java CI with Maven on: [pull_request] +permissions: {} + jobs: build: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4937dbf..739dd79 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,8 @@ on: tags: - '[0-9]+.[0-9]+.[0-9]+' +permissions: {} + jobs: build: if: github diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index 8b10626..7015d38 100644 
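Review bot: The two new `cooldown` blocks carry no comment saying what the 3-day delay is for, and the rationale in the commit message ("catch bad stuff") will not survive into the file, so the next person to see a stale dependency has no reason not to drop it. A cooldown only helps against a compromised release if the window is long enough for that release to be reported and yanked, which makes the number a tuning knob worth a note; I'd put `# Delay adoption of new releases so a compromised version has time to be reported and yanked; raise if 3 days proves too short` above each block. Two things to confirm against the Dependabot docs rather than assume: whether security updates bypass the cooldown (otherwise a known-vulnerable version is held back for three days as well), and whether an unsupported `cooldown` key under `github-actions` is silently ignored or fails config validation, since the commit message itself says Actions does not support it yet.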
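Review bot: `permissions: {}` strips every scope from GITHUB_TOKEN, including `contents: read`, and the job body that could re-grant scopes at job level is outside this hunk, so I cannot see whether the checkout step still has what it needs. On a public repository `actions/checkout` generally clones fine without any scope, but if this repository is private the clone will fail; in that case `permissions:` / `  contents: read` is the minimal workflow-level grant. Either way a short comment such as `# no GITHUB_TOKEN scopes: the PR build only reads the repository` would record that the empty map is deliberate rather than a placeholder.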
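Review bot: With `permissions: {}` at workflow level the release job that starts on the following lines gets a GITHUB_TOKEN with no scopes at all, so if jreleaser or any later step creates a GitHub release, uploads assets or pushes tags it now needs an explicit job-level `permissions:` block (for example `contents: write` on that job only); the job body is outside this hunk, so I cannot confirm whether that is the case. Publishing to Maven Central with repository secrets is unaffected by this change. Separately, the trailing context line reads `if: github`, which as shown evaluates the bare `github` context object rather than a repository or actor check; if that is not an extraction artifact of this view, the condition does not gate the job on anything.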
--- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -6,6 +6,8 @@ on: branches: - 'main' +permissions: {} + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/update-dependancy-graph.yml b/.github/workflows/update-dependancy-graph.yml index f7d4e09..789dcb7 100644 --- a/.github/workflows/update-dependancy-graph.yml +++ b/.github/workflows/update-dependancy-graph.yml @@ -4,6 +4,9 @@ on: push: branches: [ main ] +permissions: + contents: write + jobs: dependency-graph: From 11c00703d5f84a5c6d66f2b9f54eb084e5bc5d1a Mon Sep 17 00:00:00 2001 From: black-sliver <59490463+black-sliver@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:31:42 +0200 Subject: [PATCH 3/4] CI: disable cache in release workflow --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 739dd79..f390497 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,6 @@ jobs: with: java-version: '17' distribution: 'temurin' - cache: gradle - name: Build with Gradle # This just publishes to the local file system; jreleaser is responsible for uploading to maven central run: ./gradlew publish From 24044e176655b941e29d3c23ad46756f3b55c7d7 Mon Sep 17 00:00:00 2001 From: black-sliver <59490463+black-sliver@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:39:46 +0200 Subject: [PATCH 4/4] CI: update and pin actions actions/* are pinned to version. Those should use immutable actions preview. gradle/* is pinned by commit hash. --- .github/workflows/build.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- .github/workflows/snapshot.yml | 4 ++-- .github/workflows/update-dependancy-graph.yml | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8a99507..88771f0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
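Review bot: `contents: write` is granted at workflow scope with nothing saying which step needs it, so the next reader cannot tell whether it can be narrowed or why `read` is not enough. From the step list for this file in patch 4/4, the only consumer that plausibly needs write access is the `gradle/actions/dependency-submission` step (submitting a dependency snapshot requires it); checkout and setup-java do not, and they run under the same token. I'd record that with `permissions:` / `  contents: write  # required by gradle/actions/dependency-submission to upload the snapshot`, and since this is a write-capable token on a push-to-main workflow, treat it as the one place where a compromised step could push to the repository.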
@@ -12,9 +12,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6.0.2 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5.2.0 with: java-version: '17' distribution: 'temurin' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f390497..ef3e81c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,9 +13,9 @@ jobs: if: github runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6.0.2 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5.2.0 with: java-version: '17' distribution: 'temurin' diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index 7015d38..8e3584b 100644 --- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -12,9 +12,9 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6.0.2 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5.2.0 with: java-version: '17' distribution: 'temurin' diff --git a/.github/workflows/update-dependancy-graph.yml b/.github/workflows/update-dependancy-graph.yml index 789dcb7..1f9f256 100644 --- a/.github/workflows/update-dependancy-graph.yml +++ b/.github/workflows/update-dependancy-graph.yml @@ -13,12 +13,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6.0.2 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5.2.0 with: java-version: '17' distribution: 'temurin' cache: gradle - name: Submit Dependency Snapshot - uses: gradle/actions/dependency-submission@v4 + uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
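Review bot: `actions/checkout@v6.0.2` and `actions/setup-java@v5.2.0` are pinned to tags, and a tag is only immutable if the publishing repository has opted into GitHub's immutable releases, which nothing in this diff shows; until that is confirmed these pins are weaker than the commit-hash pin used for `gradle/actions` later in the same series. I'd pin by the full commit SHA the tag resolves to and keep the version in a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v6.0.2`, which Dependabot keeps in sync when it bumps the version. The same applies to the identical edits in release.yml and snapshot.yml below, and it matters most in release.yml since that workflow holds the publishing credentials.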
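Review bot: The `# v6.1.0` comment after the `gradle/actions/dependency-submission` hash is the only thing tying `50e97c2cd7a37755bbfafc9c5b7cafaece252f6e` to a release, and nothing in this diff verifies that the hash is what the v6.1.0 tag points at; whoever merges should resolve the tag in the gradle/actions repository once, because a wrong or stale comment is exactly what a tag-swap would hide behind. The move from `@v4` to v6.1.0 crosses two major versions of the action, so its changelog is worth checking for changed inputs or defaults. This workflow also still restores the Gradle cache (`cache: gradle`, context line above) while running with a `contents: write` token, whereas patch 3/4 dropped the cache from the release workflow; if that asymmetry is deliberate, a one-line comment on the cache line would save the next reviewer the question.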