diff --git a/.github/workflows/ast-scan.yml b/.github/workflows/ast-scan.yml index 8efc927..22bd5da 100644 --- a/.github/workflows/ast-scan.yml +++ b/.github/workflows/ast-scan.yml @@ -10,7 +10,7 @@ on: jobs: cx-scan: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 365aa5c..2d6b01e 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -6,7 +6,7 @@ permissions: jobs: dependabot-merge: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 if: contains(github.head_ref, 'other/update_java_wrapper') steps: - name: Enable auto-merge for Dependabot PRs diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ed289f2..164d587 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,18 +7,18 @@ on: jobs: ui-tests: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: lfs: true - name: Checkout LFS objects run: git lfs checkout - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -34,7 +34,7 @@ jobs: Xvfb -ac :99 -screen 0 1920x1080x16 & mvn verify -Dtest.includes="**/ui/*.java" - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jacoco-coverage-report-ui path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate 
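Review bot: The new `runs-on: cx-public-ubuntu-x64` label in the `cx-scan` job of ast-scan.yml is not explained anywhere in the diff, so a reader cannot tell whether it names a GitHub-hosted larger runner or a self-hosted pool. The same switch is made in auto-merge, ci, delete-dev-releases, manual-tag, nightly, pr-label, release and update-cli. If the pool is self-hosted, jobs that build contributed code (ci.yml runs `mvn verify`) would share machines with jobs that hold secrets (release.yml, manual-tag.yml), which is only safe when every job gets a fresh, ephemeral runner. Once that is confirmed I would record it beside the label, e.g. `# org runner group: ephemeral, one job per VM`. The `cx-scan` job continues outside the hunk.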
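Review bot: In auto-merge.yml the `dependabot-merge` job is gated only by `if: contains(github.head_ref, 'other/update_java_wrapper')`, a substring match on a branch name that the pull-request author chooses. The trigger and the body of the `permissions:` block are outside the hunk, so I cannot tell whether fork pull requests reach this job. The gate would still be sturdier with an exact comparison plus an origin check, e.g. `github.head_ref == 'other/update_java_wrapper' && github.event.pull_request.head.repo.full_name == github.repository`. Adjust the comparison if the real branch name carries a suffix.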
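Review bot: ci.yml gets the new runner and SHA pins, but no workflow-level `permissions:` block, although this commit adds `permissions:` / `contents: read` to manual-tag.yml and update-cli.yml. The hunk header at `ui-tests` shows `on:` as the last top-level key before `jobs:`, which suggests no such block exists; lines 1–6 are outside the hunk, so confirm that first. Since these jobs execute the project's build and test code, I would add `permissions:` with `contents: read` above `jobs:`, after checking that the coverage-report steps need nothing more. The same applies to the `integration-tests` and `unit-tests` hunks. Separately, `actions/checkout` is now pinned at three different releases (v3.5.2 here, v4.1.1 in ast-scan.yml, v4.1.7 in update-cli.yml); converging on one would make the pins easier to audit.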
@@ -44,18 +44,18 @@ jobs: jacoco-csv-file: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate/jacoco.csv generate-summary: true integration-tests: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: lfs: true - name: Checkout LFS objects run: git lfs checkout - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -71,7 +71,7 @@ jobs: Xvfb -ac :99 -screen 0 1920x1080x16 & mvn verify -Dtest.includes="**/integration/*Test.java" - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jacoco-coverage-report-integration path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate @@ -81,18 +81,18 @@ jobs: jacoco-csv-file: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate/jacoco.csv generate-summary: true unit-tests: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: lfs: true - name: Checkout LFS objects run: git lfs checkout - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 
@@ -108,7 +108,7 @@ jobs: Xvfb -ac :99 -screen 0 1920x1080x16 & mvn clean verify -Dtest.includes="**/unit/**/*Test.java" - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jacoco-coverage-report-unit path: checkmarx-ast-eclipse-plugin-tests/target/site/jacoco-aggregate diff --git a/.github/workflows/delete-dev-releases.yml b/.github/workflows/delete-dev-releases.yml index 77d64f7..d64be7a 100644 --- a/.github/workflows/delete-dev-releases.yml +++ b/.github/workflows/delete-dev-releases.yml @@ -20,7 +20,7 @@ permissions: jobs: delete: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Delete releases and tags diff --git a/.github/workflows/manual-tag.yml b/.github/workflows/manual-tag.yml index cd27756..fb08413 100644 --- a/.github/workflows/manual-tag.yml +++ b/.github/workflows/manual-tag.yml @@ -7,12 +7,17 @@ on: description: 'Next release tag' required: true +permissions: + contents: read + jobs: tag-creation: - runs-on: ubuntu-latest + permissions: + contents: write # for Git to git push + runs-on: cx-public-ubuntu-x64 steps: - name: Checkout - uses: actions/checkout@v3.5.2 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - name: Tag diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 4335898..78956ca 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -7,7 +7,7 @@ on: jobs: set_tag: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 outputs: tag_name: ${{ steps.tagname.outputs.tag_name }} steps: diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml index 188fa9c..6c09bd3 100644 --- a/.github/workflows/pr-label.yml +++ b/.github/workflows/pr-label.yml 
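Review bot: In manual-tag.yml the new job-level `contents: write # for Git to git push` widens the GITHUB_TOKEN, yet the checkout step just below it passes `token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}`. Checkout persists that token for later git commands by default, so the push in the `Tag` step presumably authenticates with the PAT rather than GITHUB_TOKEN. If so, the write grant is unused and the job can stay on the workflow-level `contents: read`. The PAT's own scopes are not limited by `permissions:` and are the thing to keep narrow. The `Tag` step body is outside the hunk, so confirm how it pushes before dropping the grant.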
@@ -10,7 +10,7 @@ jobs: pr-labeler: permissions: pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - uses: TimonVS/pr-labeler-action@8b99f404a073744885d8021d1de4e40c6eaf38e2 # v4 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 07a13d3..c97bd1b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: secrets: inherit if: inputs.rbranch release: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 outputs: TAG_NAME: ${{ steps.generate_tag_name.outputs.TAG_NAME }} CLI_VERSION: ${{ steps.set_outputs.outputs.CLI_VERSION }} @@ -75,13 +75,13 @@ jobs: echo "TAG_NAME=$GH_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: temurin java-version: 17 - name: Cache local Maven repository - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml index 15bf280..367fc93 100644 --- a/.github/workflows/update-cli.yml +++ b/.github/workflows/update-cli.yml @@ -4,11 +4,14 @@ on: repository_dispatch: types: [java-wrapper-version-update] +permissions: + contents: read + jobs: update-checkmarx-cli: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: lfs: true
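Review bot: The `Cache local Maven repository` step in the `release` job of release.yml restores `~/.m2/repository` under `${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}`, the same key the three test jobs in ci.yml save under. Depending on which branches ci.yml runs on (its trigger is outside the diff), the release build may consume dependency artifacts that a test run wrote into the cache. For the job that produces published artifacts I would either drop the cache step or give it a release-only key, e.g. `key: release-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}`. The rest of the job is outside the hunk.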
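Review bot: The new workflow-level `permissions:` / `contents: read` in update-cli.yml leaves `update-checkmarx-cli` with a read-only GITHUB_TOKEN, and only the checkout step is visible in this hunk. If a later step pushes a branch or opens a pull request with GITHUB_TOKEN, it would now fail; auto-merge.yml looks for a branch named `other/update_java_wrapper`, which this job may be creating. In that case grant the needed scopes at job level, e.g. `contents: write` and `pull-requests: write`, following the pattern this commit uses in manual-tag.yml. If those steps authenticate with a separate token instead, a short comment next to the permissions block saying so would save the next reader the check.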