From b9cbdacb7761160531e7d347c32016fc29efae2f Mon Sep 17 00:00:00 2001 From: sebastianMindee <130448732+sebastianMindee@users.noreply.github.com> Date: Wed, 17 Jun 2026 10:29:50 +0200 Subject: [PATCH 1/7] :wrench: add CI workflow checker --- .github/workflows/_workflow_lint.yml | 20 ++++++++++++++++++++ .github/workflows/pull-request.yml | 3 +++ 2 files changed, 23 insertions(+) create mode 100644 .github/workflows/_workflow_lint.yml diff --git a/.github/workflows/_workflow_lint.yml b/.github/workflows/_workflow_lint.yml new file mode 100644 index 000000000..8eb219046 --- /dev/null +++ b/.github/workflows/_workflow_lint.yml @@ -0,0 +1,20 @@ +name: Lint workflows + +on: + workflow_call: + +permissions: + contents: read + +jobs: + actionlint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Download actionlint + id: get_actionlint + run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) + shell: bash + - name: Run actionlint + run: ${{ steps.get_actionlint.outputs.executable }} -color + shell: bash diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index e2a94165d..d3942bf94 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -8,8 +8,11 @@ permissions: pull-requests: read jobs: + workflow-lint: + uses: ./.github/workflows/_workflow_lint.yml static_analysis: uses: ./.github/workflows/_static-analysis.yml + needs: workflow-lint build: uses: ./.github/workflows/_build.yml needs: static_analysis From 305ba4879935e58f131ae91c82052cd20e56ab97 Mon Sep 17 00:00:00 2001 From: sebastianMindee <130448732+sebastianMindee@users.noreply.github.com> Date: Wed, 17 Jun 2026 10:37:44 +0200 Subject: [PATCH 2/7] fix workflows --- .github/workflows/_codeql.yml | 64 ++++++++++++----------------- .github/workflows/_publish-code.yml | 2 +- .github/workflows/_publish-docs.yml | 2 +- 3 files changed, 28 insertions(+), 40 deletions(-) 
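Review bot: The `Download actionlint` step executes a script fetched from the `main` branch of a third-party repository with no pin and no integrity check, and `curl` runs without `-f`, so an HTTP error body would be handed to bash as well. Pin the script to a release tag or commit and fail on HTTP errors, e.g. `run: bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/<PINNED_TAG_OR_SHA>/scripts/download-actionlint.bash)`, or vendor the script into the repository. The checkout step uses `actions/checkout@v4` while `_codeql.yml` in this series uses `@v5`; aligning them keeps the pin policy uniform.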
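Review bot: `needs: workflow-lint` on `static_analysis` serializes two independent jobs, so every pull request now waits for the lint job to finish before static analysis starts. If the intent is only to fail the run when a workflow file is broken, both jobs can run in parallel and `build` can gate on both with `needs: [static_analysis, workflow-lint]`.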
diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml index e52a09168..de42ba65a 100644 --- a/.github/workflows/_codeql.yml +++ b/.github/workflows/_codeql.yml @@ -1,14 +1,3 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# name: "CodeQL" on: 
@@ -28,38 +17,37 @@ jobs: fail-fast: false steps: - - name: Checkout repository - uses: actions/checkout@v5 + - name: Checkout repository + uses: actions/checkout@v5 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v4 + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v4 - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:java" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:java" diff --git a/.github/workflows/_publish-code.yml b/.github/workflows/_publish-code.yml index bd481ce15..ebbd255dd 100644 --- a/.github/workflows/_publish-code.yml +++ b/.github/workflows/_publish-code.yml @@ -16,7 +16,7 @@ jobs: - id: install-secret-key name: Install GPG secret key run: | - cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import + echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | gpg --batch --import gpg --list-secret-keys --keyid-format LONG - name: Set up JDK diff --git a/.github/workflows/_publish-docs.yml b/.github/workflows/_publish-docs.yml index f03886cab..3471292eb 100644 
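Review bot: The `Initialize CodeQL` step loses its `languages:` input in this hunk (the old `languages: ${{ matrix.language }}` line is removed and the new `with:` block holds only commented-out `queries`), so the job now depends on CodeQL's language autodetection; the following patch in this series hard-codes `languages: java` instead. The job's `strategy` with `fail-fast: false` is still visible above the steps, so if it still defines a `language` matrix that matrix is no longer consumed; keep `languages: ${{ matrix.language }}` or drop the matrix. The `strategy` block starts outside the hunk.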
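Review bot: `echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}"` substitutes the secret into the script text before bash runs, so the key material is written into the generated script and is subject to shell expansion; the recommended form is to pass it through the step's `env:` and read the variable at runtime. Add `env:` with `OSSRH_GPG_SECRET_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }}` to the step and change the line to `echo -e "$OSSRH_GPG_SECRET_KEY" | gpg --batch --import`. The same pattern is in the `_build.yml` hunk of patch 4 and in the `_build.yml` and second `_publish-code.yml` hunks of patch 7.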
--- a/.github/workflows/_publish-docs.yml +++ b/.github/workflows/_publish-docs.yml @@ -26,7 +26,7 @@ jobs: - name: Delombok run: | LOMBOK_VERSION=$(mvn help:evaluate -Dexpression=org.projectlombok.version -q -DforceStdout) - java -jar ./target/dependency/lombok-$LOMBOK_VERSION.jar delombok src -d src-delomboked + java -jar ./target/dependency/lombok-"$LOMBOK_VERSION".jar delombok src -d src-delomboked mv src src-lomboked mv src-delomboked src From 067d91392342c747768f68a488760221f243996b Mon Sep 17 00:00:00 2001 From: sebastianMindee <130448732+sebastianMindee@users.noreply.github.com> Date: Wed, 17 Jun 2026 10:39:15 +0200 Subject: [PATCH 3/7] fix codeql workflow --- .github/workflows/_codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml index de42ba65a..95881ab0b 100644 --- a/.github/workflows/_codeql.yml +++ b/.github/workflows/_codeql.yml @@ -24,6 +24,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: + languages: java # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. From 427cd25e9245a393aed0d9b0f8a1a63d65e396f1 Mon Sep 17 00:00:00 2001 From: sebastianMindee <130448732+sebastianMindee@users.noreply.github.com> Date: Wed, 17 Jun 2026 10:41:13 +0200 Subject: [PATCH 4/7] fix build action --- .github/workflows/_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index ab99c49d1..949bf8939 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml 
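Review bot: Quoting `"$LOMBOK_VERSION"` is right, but the assignment on the previous line still has no check that `mvn help:evaluate` actually resolved `org.projectlombok.version`; with `-q -DforceStdout` an unresolved property may yield empty or placeholder output, and the `java -jar` line then fails with an unhelpful missing-jar error. Add a guard before the `java -jar` line: `[ -n "$LOMBOK_VERSION" ] && [ -f "./target/dependency/lombok-$LOMBOK_VERSION.jar" ] || { echo "lombok jar not found for version '$LOMBOK_VERSION'" >&2; exit 1; }`. The `run:` block continues outside the hunk.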
@@ -27,7 +27,7 @@ jobs: - id: install-secret-key name: Install GPG secret key run: | - cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import + echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | gpg --batch --import gpg --list-secret-keys --keyid-format LONG - name: Set up JDK ${{ matrix.java-version }} From 16022e62a80c77f91cc122c47d1dda5cb58b72a0 Mon Sep 17 00:00:00 2001 From: sebastianMindee <130448732+sebastianMindee@users.noreply.github.com> Date: Wed, 17 Jun 2026 10:45:49 +0200 Subject: [PATCH 5/7] fix cron --- .github/workflows/cron.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index c9adc5804..0d87b069f 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml @@ -6,6 +6,8 @@ on: permissions: contents: read + actions: read + security-events: write jobs: codeql: From c268ec25ce18e589e81df7b0c8f01dd82f28d206 Mon Sep 17 00:00:00 2001 From: sebastianMindee <130448732+sebastianMindee@users.noreply.github.com> Date: Wed, 17 Jun 2026 10:53:13 +0200 Subject: [PATCH 6/7] restore & fix codeql --- .github/workflows/_codeql.yml | 65 ++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml index 95881ab0b..00bdb7365 100644 --- a/.github/workflows/_codeql.yml +++ b/.github/workflows/_codeql.yml @@ -1,3 +1,14 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# name: "CodeQL" on: 
@@ -17,38 +28,38 @@ jobs: fail-fast: false steps: - - name: Checkout repository - uses: actions/checkout@v5 + - name: Checkout repository + uses: actions/checkout@v5 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: java - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: java + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v4 + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v4 - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:java" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:java" From 33aa3e6e1b8134be9eddf5eee6cd61c072f5caf2 Mon Sep 17 00:00:00 2001 From: sebastianMindee <130448732+sebastianMindee@users.noreply.github.com> Date: Wed, 17 Jun 2026 10:57:34 +0200 Subject: [PATCH 7/7] fix again --- .github/workflows/_build.yml | 2 +- .github/workflows/_publish-code.yml | 5 ++++- .github/workflows/cron.yml | 1 - 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 949bf8939..6e4110d60 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml 
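Review bot: `languages: java` and `category: "/language:java"` are hard-coded in the `Initialize CodeQL` and `Perform CodeQL Analysis` steps while the job keeps a `strategy` with `fail-fast: false`, whose matrix starts outside the hunk. If that matrix still enumerates `language`, every matrix entry scans Java and any other listed language is silently skipped; either remove the matrix or restore `languages: ${{ matrix.language }}` and `category: "/language:${{ matrix.language }}"`. The restored template header comment tells readers the `language` matrix defines the analyzed set, which no longer matches the hard-coded values.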
@@ -27,7 +27,7 @@ jobs: - id: install-secret-key name: Install GPG secret key run: | - echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | gpg --batch --import + printf '%s' "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | gpg --batch --import gpg --list-secret-keys --keyid-format LONG - name: Set up JDK ${{ matrix.java-version }} diff --git a/.github/workflows/_publish-code.yml b/.github/workflows/_publish-code.yml index ebbd255dd..20ee708f5 100644 --- a/.github/workflows/_publish-code.yml +++ b/.github/workflows/_publish-code.yml @@ -4,6 +4,9 @@ on: workflow_call: workflow_dispatch: +permissions: + security-events: write + jobs: publish: runs-on: ubuntu-latest @@ -16,7 +19,7 @@ jobs: - id: install-secret-key name: Install GPG secret key run: | - echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | gpg --batch --import + printf '%s' "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | gpg --batch --import gpg --list-secret-keys --keyid-format LONG - name: Set up JDK diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml index 0d87b069f..22cbcad05 100644 --- a/.github/workflows/cron.yml +++ b/.github/workflows/cron.yml @@ -7,7 +7,6 @@ on: permissions: contents: read actions: read - security-events: write jobs: codeql:
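Review bot: Replacing `echo -e` with `printf '%s'` stops decoding backslash escapes and drops the trailing newline, so if `OSSRH_GPG_SECRET_KEY` is stored as one line with literal `\n` sequences (which the earlier `echo -e` suggests) gpg now receives a single-line blob and the import fails. Confirm the secret holds real newlines; if it does not, `printf '%b'` instead of `printf '%s'` keeps the previous decoding. The second `_publish-code.yml` hunk in this patch has the same change.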
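Review bot: `security-events: write` is granted to `_publish-code.yml`, whose job imports a GPG key and publishes, and removed from `cron.yml`, whose `codeql` job (visible as context) presumably calls `_codeql.yml`; CodeQL's analyze step needs `security-events: write` to upload results, and a called workflow cannot hold a scope its caller does not grant, so the scheduled scan is likely to fail while the publish workflow holds a scope it does not use. An explicit `permissions` block also sets every unlisted scope to none, so `_publish-code.yml` loses `contents: read`, which `actions/checkout` needs if the job checks out (its steps start outside the hunk). Keep `security-events: write` in `cron.yml`, and in `_publish-code.yml` replace the new block with `permissions:` / `contents: read` plus only the scopes the publish step actually needs.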