From f6006bda1f3647b5d61915a8ea35625aafedbd65 Mon Sep 17 00:00:00 2001 From: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com> Date: Tue, 16 Jun 2026 17:53:30 -0700 Subject: [PATCH 1/3] fix(actions): declare secrets used by reusable workflows Adds explicit on.workflow_call.secrets declarations for all secrets referenced in the workflow body, replacing implicit reliance on callers using secrets: inherit. --- .github/workflows/release.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 947aa9a..6edb4e8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,6 +31,17 @@ on: description: 'Version of the CLI to bundle' required: false type: string + secrets: + MAVEN_GPG_PASSPHRASE: + required: true + MAVEN_GPG_PRIVATE_KEY: + required: true + OSSRH_TOKEN: + required: true + OSSRH_USERNAME: + required: true + PERSONAL_ACCESS_TOKEN: + required: true jobs: release: From c854db19d405b17103203a2895c5d7d2c6f49756 Mon Sep 17 00:00:00 2001 From: Alon Rosenhek <80337069+cx-alon-rosenhek@users.noreply.github.com> Date: Thu, 18 Jun 2026 16:57:16 +0300 Subject: [PATCH 2/3] chore: remove .github/workflows/dependabot-auto-merge.yml --- .github/workflows/dependabot-auto-merge.yml | 25 --------------------- 1 file changed, 25 deletions(-) delete mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml deleted file mode 100644 index 2ee75e7..0000000 --- a/.github/workflows/dependabot-auto-merge.yml +++ /dev/null 
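Review bot: Declaring all five secrets `required: true` means every `workflow_call` caller must now pass each one explicitly (or use `secrets: inherit`) or the run is rejected at validation, and the nightly caller later in this series (`nightly.yml`, `uses: ...release.yml@main`) shows no `secrets:` block in its visible hunk — confirm it supplies them beyond the hunk, otherwise the nightly run fails before any job starts. The declarations would also be easier to audit with a one-line `description:` under each secret stating which step consumes it, e.g. `OSSRH_TOKEN:` / `  required: true` / `  description: 'Sonatype credential used by mvn deploy'`; `PERSONAL_ACCESS_TOKEN` in particular has no visible consumer in this hunk, so its description should say what the PAT is for.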
@@ -1,25 +0,0 @@ -name: Dependabot auto-merge -on: pull_request - -permissions: - contents: write - -jobs: - dependabot-merge: - runs-on: cx-public-ubuntu-x64 - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Dependabot metadata - id: metadata - uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0 - with: - github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}" - - name: Enable auto-merge for Dependabot PRs - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }} - run: gh pr merge --auto --squash "$PR_URL" - - name: Auto approve dependabot PRs - uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0 - with: - github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} From 9d0785ddc5dc3431dbd694d6852e53f67e81cc08 Mon Sep 17 00:00:00 2001 From: Atish Jadhav <141334503+cx-atish-jadhav@users.noreply.github.com> Date: Thu, 18 Jun 2026 22:49:44 +0530 Subject: [PATCH 3/3] Updating ast-cli version and binaries 2.3.54 (#485) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Updating ast-cli version and binaries * Harden workflows: scope permissions, fix set-output, replace dev-drprasad, remove repository_dispatch, comment notify and spotbugs * Remove Maven cache from release and CI workflows * Add publish input to gate Maven Central deploy --------- Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com> --- .github/workflows/ci.yml | 18 +++----- .github/workflows/nightly.yml | 18 +++++--- .github/workflows/release.yml | 73 ++++++++++++++++++-------------- .github/workflows/update-cli.yml | 6 +-- checkmarx-ast-cli.version | 2 +- src/main/resources/cx-linux | 4 +- src/main/resources/cx-linux-arm | 4 +- src/main/resources/cx-mac | 4 +- src/main/resources/cx.exe | 4 +- 9 files changed, 68 insertions(+), 65 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 145ea6f..26ea6e1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,14 +21,6 @@ jobs: - name: Checkout LFS objects run: git lfs checkout - - name: Cache local Maven repository - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - name: Set up JDK 11 uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0 with: @@ -82,8 +74,8 @@ jobs: - name: Build with Maven run: mvn -B verify -DskipTests -Dgpg.skip --file pom.xml - - name: Run SpotBugs Analysis - if: ${{ github.actor != 'dependabot[bot]' }} - uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2 - with: - path: '**/spotbugsXml.xml' + # - name: Run SpotBugs Analysis + # if: ${{ github.actor != 'dependabot[bot]' }} + # uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2 + # with: + # path: '**/spotbugsXml.xml' diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 73efdc6..b52b877 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
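Review bot: Commenting out the SpotBugs step drops the only static-analysis gate visible in ci.yml without recording why, so the disabled check is easy to forget. If it is off because the third-party action is being replaced, say so in a comment above the block with a tracking reference, e.g. `# SpotBugs reporting disabled pending replacement of jwgmeligmeyling/spotbugs-github-action — see <issue>`; if it is gone for good, delete the dead lines rather than keeping a commented copy. The `mvn -B verify` step above is unchanged, so if the spotbugs plugin is bound in pom.xml the report is presumably still generated but no longer surfaced or enforced.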
@@ -5,20 +5,24 @@ on: branches: - main +permissions: + contents: read + jobs: delete_tag: + permissions: + contents: write runs-on: cx-public-ubuntu-x64 steps: - - name: Delete release - uses: dev-drprasad/delete-tag-and-release@8cd619d00037e4aeb781909c9a6b03940507d0da # v1.0.1 + - name: Delete release and tag env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - delete_release: true - tag_name: 1.0.0-SNAPSHOT + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh release delete "1.0.0-SNAPSHOT" --yes --cleanup-tag --repo ${{ github.repository }} || true + nightly: needs: delete_tag - uses: CheckmarxDev/ast-cli-java-wrapper/.github/workflows/release.yml@main + uses: Checkmarx/ast-cli-java-wrapper/.github/workflows/release.yml@main with: tag: "1.0.0-SNAPSHOT" dev: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6edb4e8..edd29fc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,11 @@ on: description: 'Version of the CLI to bundle' required: false type: string + publish: + description: 'Publish package to Maven Central' + required: false + default: false + type: boolean workflow_call: inputs: tag: @@ -31,6 +36,14 @@ on: description: 'Version of the CLI to bundle' required: false type: string + publish: + description: 'Publish package to Maven Central' + required: false + default: false + type: boolean + +permissions: + contents: read secrets: MAVEN_GPG_PASSPHRASE: required: true @@ -45,6 +58,9 @@ on: jobs: release: + permissions: + id-token: write + contents: write runs-on: cx-public-ubuntu-x64 outputs: CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }} 
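Review bot: The new top-level `permissions: contents: read` in nightly.yml also caps the GITHUB_TOKEN handed to the reusable `release.yml`, whose `release` job asks for `contents: write` and `id-token: write`; a called workflow can only downgrade the caller's grant, so the tag push and release creation will fail unless the `nightly` job itself grants them, e.g. `nightly:` / `  permissions: {contents: write, id-token: write}`. Separately, `uses: Checkmarx/ast-cli-java-wrapper/.github/workflows/release.yml@main` references this repository's own workflow through a mutable branch; `uses: ./.github/workflows/release.yml` runs the copy at the same commit as the caller and cannot drift. The `|| true` on `gh release delete` also hides auth and permission failures, not just a missing release; consider `gh release view "1.0.0-SNAPSHOT" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1 && gh release delete ...` so only the absent-release case is tolerated.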
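Review bot: The new top-level `permissions:` block is inserted between `workflow_call.inputs` and `workflow_call.secrets`, so the `secrets:` mapping that follows it is no longer nested under `on.workflow_call` — depending on how it is indented (lost in this rendering) the file either fails to parse or silently drops the required-secret declarations the first patch in this series added. Move `permissions:` / `  contents: read` below the entire `on:` block, after the last `required: true`, and keep `secrets:` directly under `workflow_call:`. Running `actionlint` on the result would catch this before merge.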
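Review bot: `id-token: write` on the `release` job has no visible consumer in this workflow — publishing authenticates with `OSSRH_USERNAME`/`OSSRH_TOKEN` from secrets and the tag push uses the default token — so it lets the job mint OIDC tokens for cloud or trusted-publishing federation that nothing here redeems. The job body continues outside the hunk; unless a later step performs OIDC federation, drop it and keep only `contents: write`, and if it is needed, document the consumer in place, e.g. `id-token: write  # required by <step> for OIDC`.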
@@ -68,7 +84,7 @@ jobs: CLI_VERSION=$(./src/main/resources/cx-linux version | grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+') echo "CLI version being packed is $CLI_VERSION" echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_ENV - echo "::set-output name=CLI_VERSION::$CLI_VERSION" + echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_OUTPUT - name: Check if CLI version is latest if: ${{ github.event.inputs.dev == 'false' && !github.event.inputs.cliTag && github.ref == 'refs/heads/main' }} @@ -96,15 +112,7 @@ jobs: git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" git tag -a "${tag}" -m "${message}" git push origin "${tag}" - echo "::set-output name=TAG_NAME::${{ inputs.tag }}" - - - name: Cache local Maven repository - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- + echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT - name: Set up Maven Central Repository uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0 @@ -129,6 +137,7 @@ jobs: echo "AID_PROP=${prop}" >> $GITHUB_ENV - name: Publish package + if: inputs.publish == true run: mvn --batch-mode deploy -DskipTests ${{ env.AID_PROP }} env: MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} 
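Review bot: `echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT` expands a workflow input straight into the shell script, which is the script-injection pattern GitHub's hardening guide warns about; the same step already tags with `"${tag}"`, so `echo "TAG_NAME=${tag}" >> "$GITHUB_OUTPUT"` (or passing the input via `env:`) keeps the value out of the template-to-shell path. The start of this step is outside the hunk, so confirm `tag` is the variable holding `inputs.tag`. Because `workflow_dispatch`/`workflow_call` inputs are set by users with write access this is lower severity than an issue-title injection, but it is the same class and free to avoid.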
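Review bot: Gating `Publish package` on `inputs.publish == true` means the nightly caller, which in its visible hunk passes only `tag` and `dev`, no longer runs `mvn deploy` for the `1.0.0-SNAPSHOT` build — if snapshot publication was meant to continue, nightly.yml needs `publish: true`; if not, the commit message should say that nightly output changed. Also, `${{ env.AID_PROP }}` on the `mvn` line is an expression expansion of a value the previous step wrote to `$GITHUB_ENV`; since it is already in the environment, `$AID_PROP` in the script avoids splicing it into the command text. The step setting `AID_PROP` begins outside the hunk, so its provenance is not visible here.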
@@ -142,26 +151,26 @@ jobs: tag_name: ${{ inputs.tag }} prerelease: ${{ inputs.dev }} - notify: - if: inputs.dev == false - needs: release - uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main - with: - product_name: Java Wrapper - release_version: ${{ needs.release.outputs.TAG_NAME }} - cli_release_version: ${{ needs.release.outputs.CLI_VERSION }} - release_author: "Sypher Team" - release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }} - jira_product_name: JAVA_WRAPPER - secrets: inherit + # notify: + # if: inputs.dev == false + # needs: release + # uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main + # with: + # product_name: Java Wrapper + # release_version: ${{ needs.release.outputs.TAG_NAME }} + # cli_release_version: ${{ needs.release.outputs.CLI_VERSION }} + # release_author: "Sypher Team" + # release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }} + # jira_product_name: JAVA_WRAPPER + # secrets: inherit - dispatch_auto_release: - name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version - if: inputs.dev == false - needs: notify - uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main - with: - cli_version: ${{ needs.release.outputs.CLI_VERSION }} - is_cli_release: false - is_java_release: true - secrets: inherit + # dispatch_auto_release: + # name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version + # if: inputs.dev == false + # needs: notify + # uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main + # with: + # cli_version: ${{ needs.release.outputs.CLI_VERSION }} + # is_cli_release: false + # is_java_release: true + # secrets: inherit diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml index 947b7b8..04fa5c7 100644 --- a/.github/workflows/update-cli.yml 
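Review bot: The `notify` and `dispatch_auto_release` jobs are kept as commented text rather than removed, and both still carry `secrets: inherit`, the very pattern the first patch in this series replaces with explicit declarations — if they are re-enabled verbatim, every repository secret is again forwarded to `Checkmarx/plugins-release-workflow@main`. Either delete the dead blocks (history keeps them) or add a comment above them stating why they are disabled and what re-enabling requires, e.g. `# notify/dispatch disabled: re-enable only with an explicit secrets: list, not secrets: inherit`. The `TAG_NAME` and `CLI_VERSION` outputs of `release` appear to have no remaining consumer in this file, so they can go too if nothing external reads them.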
+++ b/.github/workflows/update-cli.yml @@ -2,8 +2,6 @@ name: Update checkmarx ast cli on: workflow_dispatch: - repository_dispatch: - types: [cli-version-update] permissions: contents: read @@ -31,8 +29,8 @@ jobs: - name: Get Latest Checkmarx API version id: checkmarx-ast-cli run: | - echo ::set-output name=release_tag::$(curl -sL https://api.github.com/repos/checkmarx/ast-cli/releases/latest | jq -r ".tag_name") - echo ::set-output name=current_tag::$(> $GITHUB_OUTPUT + echo "current_tag=$(> $GITHUB_OUTPUT - name: Update Checkmarx cli version if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag diff --git a/checkmarx-ast-cli.version b/checkmarx-ast-cli.version index aadd7fd..fae1739 100644 --- a/checkmarx-ast-cli.version +++ b/checkmarx-ast-cli.version @@ -1 +1 @@ -2.3.48 +2.3.54 diff --git a/src/main/resources/cx-linux b/src/main/resources/cx-linux index 1322d95..85f008e 100755 --- a/src/main/resources/cx-linux +++ b/src/main/resources/cx-linux @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:f73e555c94ea77a10d31e37de49e40d3468ec2787e4e6d917539409210a8fe8d -size 81281208 +oid sha256:776d9864c0104e1d0023641ef931bd1c58478cf56768ce77f2bfbfd6e9e64493 +size 80568482 diff --git a/src/main/resources/cx-linux-arm b/src/main/resources/cx-linux-arm index 5b533e6..1062917 100755 --- a/src/main/resources/cx-linux-arm +++ b/src/main/resources/cx-linux-arm @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:101acdd3d54073d9964986e279da786e527d0e649f5ae5473a79481bbb8389ef -size 76415160 +oid sha256:d40b3cfb9f930e96a9d6b494d4c7b9cd98e3bb857e55a0f55c92d764bb8c3c1a +size 75235490 diff --git a/src/main/resources/cx-mac b/src/main/resources/cx-mac index d016514..e137bc6 100755 --- a/src/main/resources/cx-mac +++ b/src/main/resources/cx-mac 
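Review bot: `release_tag` is taken from an unauthenticated `curl -sL https://api.github.com/...` with no `--fail` and no validation, so a rate-limited or failed response (a JSON error body with no `tag_name`) makes `jq -r` print `null`, the `!=` comparison in the next step sees a change, and the update runs with tag `null`. Add `--fail` to curl and reject anything that does not look like a version before writing it, e.g. `[[ "$release_tag" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1`. The `current_tag` command substitution appears garbled in this rendering (`$(> $GITHUB_OUTPUT`), presumably `$(<checkmarx-ast-cli.version)` with the redirect lost, so the committed file is worth a second look. Quote `"$GITHUB_OUTPUT"` while there.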
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:71a744df366cddf2312b2e4a51f1174ab785d06b48506e08c3c8ee9cde8f82cf -size 162260464 +oid sha256:df4a2d6b72936afa65df8730f0ee491f6d518286421063f50df2e48d3d5b56f9 +size 160422432 diff --git a/src/main/resources/cx.exe b/src/main/resources/cx.exe index 4d61a0c..f2f6b69 100644 --- a/src/main/resources/cx.exe +++ b/src/main/resources/cx.exe @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:489659950e778b01bf66ba126cd52a1acf8f124db62407b190516c12648baf6b -size 83262400 +oid sha256:c7227ac9dd89f344c12629d367774a2428595b3daff0a2e710981d924f13dbf4 +size 82488128