From 4272e87ef7212d5418d2d19a8a8c6080a36bc214 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Ventuzelos?= <207163323+cx-luis-ventuzelos@users.noreply.github.com>
Date: Fri, 19 Jun 2026 15:07:57 +0100
Subject: [PATCH] security: harden release workflow and declare workflow_call secrets

- Replace actions/checkout v4.3.1 with v6.0.3 and switch from PERSONAL_ACCESS_TOKEN to GITHUB_TOKEN
- Fix script injection in Download CLI, Tag, Update POM, Build artifactId, and Publish steps by moving inputs to env vars
- Replace deprecated ::set-output with $GITHUB_OUTPUT in Tag step
- Update actions/setup-java v4.3.0 to v5.2.0
- Add explicit secrets declaration for workflow_call (MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, OSSRH_TOKEN, OSSRH_USERNAME)
- Fix broken shell conditional in Build artifactId property step
---
 .github/workflows/release.yml | 42 +++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 27a9360..2174480 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,6 +41,15 @@ on:
         required: false
         default: false
         type: boolean
+    secrets:
+      MAVEN_GPG_PASSPHRASE:
+        required: true
+      MAVEN_GPG_PRIVATE_KEY:
+        required: true
+      OSSRH_TOKEN:
+        required: true
+      OSSRH_USERNAME:
+        required: true
 
 permissions:
   contents: read
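Review bot: With the checkout token switched to GITHUB_TOKEN, the workflow-level `permissions: contents: read` kept as context at the end of this hunk is not sufficient for the `git push origin` in the Tag step, unless the release job overrides it at job level, which is not visible in this diff. I would grant write scope only on that job, `permissions:` / `  contents: write`, rather than widening the top-level block that every other job inherits. Be aware that a tag pushed with GITHUB_TOKEN does not trigger other workflows, so any tag-triggered workflow that relied on the PAT push will silently stop running after this change. The secrets declaration itself is correct for a `workflow_call` workflow; a short comment above it noting that OSSRH_USERNAME/OSSRH_TOKEN are only consumed when `publish` is true would help callers understand why they are nevertheless `required`.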
@@ -56,16 +65,18 @@ jobs:
       TAG_NAME: ${{ steps.set_tag_name.outputs.TAG_NAME }}
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           lfs: true
 
       - name: Download CLI
         if: inputs.cliTag
+        env:
+          INPUT_CLI_TAG: ${{ inputs.cliTag }}
         run: |
           chmod +x ./.github/scripts/update_cli.sh
-          ./.github/scripts/update_cli.sh ${{ inputs.cliTag }}
+          ./.github/scripts/update_cli.sh "$INPUT_CLI_TAG"
 
       - name: Extract CLI version
         id: extract_cli_version
@@ -92,19 +103,19 @@ jobs:
 
       - name: Tag
         id: set_tag_name
+        env:
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
-          echo ${{ inputs.tag }}
-          tag=${{ inputs.tag }}
-          echo "RELEASE_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV
-          message='${{ inputs.tag }}'
+          echo "$INPUT_TAG"
+          echo "RELEASE_VERSION=$INPUT_TAG" >> $GITHUB_ENV
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git tag -a "${tag}" -m "${message}"
-          git push origin "${tag}"
-          echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+          git tag -a "$INPUT_TAG" -m "$INPUT_TAG"
+          git push origin "$INPUT_TAG"
+          echo "TAG_NAME=$INPUT_TAG" >> $GITHUB_OUTPUT
 
       - name: Set up Maven Central Repository
-        uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           java-version: '11'
           distribution: 'temurin'
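Review bot: The Download CLI step now hands `inputs.cliTag` to update_cli.sh as a quoted argument, which closes the shell-injection hole, but the script (not part of this diff) still receives whatever a caller supplies, so a value such as `-x` or one containing `..` or `/` reaches whatever download or path logic lives there. Since a `workflow_call` input is only as trusted as the calling workflow, I would pin the accepted shape before invoking the script: `case "$INPUT_CLI_TAG" in ""|-*|*[!A-Za-z0-9._-]*) echo "invalid cliTag: $INPUT_CLI_TAG" >&2; exit 1;; esac`. If the script already validates its argument, a one-line comment saying so next to the call would save the next reviewer the same question.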
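Review bot: Moving `inputs.tag` into `INPUT_TAG` removes the shell injection, but the Tag step still passes an unvalidated value as a git argument and appends it unchecked to `$GITHUB_ENV`: a value starting with `-` is parsed by `git tag`/`git push` as an option, a value such as `:refs/heads/main` given to `git push origin` is a deletion refspec (blocked only if branch protection says so), and an embedded newline in the `RELEASE_VERSION=` line lets the caller define arbitrary additional environment variables for every later step. I would reject anything that is not a plain version string before the first use, `case "$INPUT_TAG" in ""|-*|*[!A-Za-z0-9._-]*) echo "invalid tag: $INPUT_TAG" >&2; exit 1;; esac`, and push an explicit refspec, `git push origin "refs/tags/$INPUT_TAG"`, so the argument can never be read as a branch or a deletion. Quoting the redirection targets, `>> "$GITHUB_ENV"` and `>> "$GITHUB_OUTPUT"`, would match the quoting discipline the rest of this commit adopts. Separately, the commit message's "::set-output" bullet does not match this hunk, whose removed line already wrote to `$GITHUB_OUTPUT`.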
@@ -115,19 +126,22 @@ jobs:
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
       - name: Update the POM version.
-        run: mvn -B versions:set -DnewVersion='${{ env.RELEASE_VERSION }}' --file pom.xml -DskipTests
+        run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" --file pom.xml -DskipTests
 
       - name: Build artifactId property
+        env:
+          INPUT_DEV: ${{ inputs.dev }}
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
           prop=''
-          if [ ${{ inputs.dev }} = true ] && ![ "${{ inputs.tag }}" = "1.0.0-SNAPSHOT" ]; then
+          if [ "$INPUT_DEV" = "true" ] && [ "$INPUT_TAG" != "1.0.0-SNAPSHOT" ]; then
             prop='-Dast.wrapper.id=ast-cli-java-wrapper-dev'
           fi
           echo "AID_PROP=${prop}" >> $GITHUB_ENV
 
       - name: Publish package
         if: inputs.publish == true
-        run: mvn --batch-mode deploy -DskipTests ${{ env.AID_PROP }}
+        run: mvn --batch-mode deploy -DskipTests $AID_PROP
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
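Review bot: In the Build artifactId step the redirection target is still unquoted, `echo "AID_PROP=${prop}" >> $GITHUB_ENV`; the path is runner-controlled so this is not a security issue, but for consistency with the quoting this commit introduces elsewhere (and shellcheck SC2086) I would write `>> "$GITHUB_ENV"`. The Publish step deliberately leaves `$AID_PROP` unquoted so that an empty value contributes no argument, which is correct given that the variable is only ever empty or a single `-D` flag, but that is easy to "fix" wrongly later; a comment such as `# AID_PROP is intentionally unquoted: it is empty or exactly one -D flag set by the Build artifactId step` would protect it. Note too that `RELEASE_VERSION` consumed by `versions:set` originates from the Tag step's `$GITHUB_ENV` write, so its trustworthiness depends entirely on validation happening in that step, which is outside this hunk.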