diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml
index 738d4c38b..09ca847e3 100644
--- a/.github/actions/integration-tests/action.yml
+++ b/.github/actions/integration-tests/action.yml
@@ -41,10 +41,17 @@ runs:
 - name: Authenticate with Cloud Foundry
 shell: bash
+ env:
+ CF_API: ${{ inputs.CF_API }}
+ CF_USERNAME: ${{ inputs.CF_USERNAME }}
+ CF_PASSWORD: ${{ inputs.CF_PASSWORD }}
+ CF_ORG: ${{ inputs.CF_ORG }}
+ CF_SPACE: ${{ inputs.CF_SPACE }}
 run: |
- echo "::debug::CF_API=${{ inputs.CF_API }}"
 for i in {1..5}; do
- cf login -a ${{ inputs.CF_API }} -u ${{ inputs.CF_USERNAME }} -p ${{ inputs.CF_PASSWORD }} -o ${{ inputs.CF_ORG }} -s ${{ inputs.CF_SPACE }} && break
+ cf api "$CF_API" && \
+ cf auth && \
+ cf target -o "$CF_ORG" -s "$CF_SPACE" && break
 echo "cf login failed, retrying ($i/5)..."
 sleep 10
 if [ "$i" -eq 5 ]; then
@@ -53,11 +60,11 @@ runs:
 fi
 done
- - uses: actions/checkout@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: Use Node.js ${{ inputs.NODE_VERSION}}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ inputs.NODE_VERSION }}
 - run: npm i -g @sap/cds-dk
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..9d529cf70
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,18 @@
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/check-changelog.yml b/.github/workflows/check-changelog.yml
index fb1569e05..7e6b57c70 100644
--- a/.github/workflows/check-changelog.yml
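Review bot: `cf auth` with no arguments depends on the cf CLI reading `CF_USERNAME`/`CF_PASSWORD` from the environment, which is what makes moving the secrets out of the command line worthwhile (they no longer appear in process listings or in the removed `::debug::` echo), and that is not obvious from the `run:` block; a comment above the call, `# cf auth reads CF_USERNAME/CF_PASSWORD from env; keeps the password off the command line`, would record it. The retry loop re-runs `cf auth` on every failure, so a wrong or rotated password is tried five times in a row and, depending on the lockout policy configured for the CI user, could lock the account; consider retrying only `cf api` and failing fast when `cf auth` itself fails. An empty `CF_API` (for example a matrix-derived secret name that does not exist) is not detected either; `: "${CF_API:?CF_API input is empty}"` before the loop would surface it. The loop body continues past the end of the hunk.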
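Review bot: The new pins are annotated `# v4`, but the refs they replace were `actions/checkout@v5` and `actions/setup-node@v6`, so either this pinning change silently drops one or two major versions or the annotation is wrong; both need resolving before merge, because the trailing comment is what readers and pin-maintenance tooling use to tell which release a SHA corresponds to. The same v5/v6 → `# v4` swap appears in the lint.yml and test.yml hunks (release.yml was already on v4). If the downgrade is intended, say so in the commit message; otherwise pin to the SHAs of the v5/v6 releases and keep the comment in step with them.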
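Review bot: The `github-actions` entry only names `directory: "/"`, so verify that Dependabot also visits `.github/actions/integration-tests/action.yml`, where `checkout` and `setup-node` are pinned by this same commit; if it does not, the composite action's SHAs will go stale while the workflows are kept current, and a second entry with `directory: "/.github/actions/integration-tests"` would be needed. The `npm` entry has no `groups`, so each weekly npm update arrives as its own pull request while actions updates are grouped; that may be intended, but it reads as an inconsistency worth a one-line comment.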
+++ b/.github/workflows/check-changelog.yml
@@ -13,6 +13,10 @@ jobs:
 name: Check Changelog Action
 runs-on: ubuntu-latest
 steps:
- - uses: tarides/changelog-check-action@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+ - uses: tarides/changelog-check-action@0189fc7eedec3ef3e9648c713908f6f2a6e99057 # v3
 with:
 changelog: CHANGELOG.md
diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml
index 42b2d6752..438f698e6 100644
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
@@ -12,6 +12,10 @@ jobs:
 label-issues:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
 - run: gh issue edit "$NUMBER" --add-label "$LABELS"
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -19,7 +23,7 @@ jobs:
 NUMBER: ${{ github.event.issue.number }}
 LABELS: New
- - uses: actions/github-script@v8
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 script: |
 github.rest.issues.createComment({
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cebfdf35e..123e90960 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
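Review bot: `egress-policy: audit` only records outbound connections and blocks nothing, so the Harden Runner step added here (and in the issue.yml, lint.yml, prevent-issue-labeling.yml, release.yml and test.yml hunks) changes no behaviour on its own. That is a reasonable first step, but a follow-up should move to `egress-policy: block` with an `allowed-endpoints` list once the audit reports have established a baseline, starting with release.yml, whose job holds the npm publish credentials. A short comment above the step, `# audit mode only logs egress; tighten to block once a baseline exists`, would record that intent for the next reader.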
@@ -17,14 +17,22 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-node@v6
- - uses: actions/checkout@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 - run: npm i
 - run: npm run lint
 prettier:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-node@v6
- - uses: actions/checkout@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 - run: npx prettier . --check
diff --git a/.github/workflows/prevent-issue-labeling.yml b/.github/workflows/prevent-issue-labeling.yml
index dac7a41b3..dfbf07b0a 100644
--- a/.github/workflows/prevent-issue-labeling.yml
+++ b/.github/workflows/prevent-issue-labeling.yml
@@ -11,6 +11,10 @@ jobs:
 remove_new_label:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
 - name: Remove "New" label if applied by non-bot user
 if: >
 contains(github.event.issue.labels.*.name, 'New') &&
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9e3ffffe9..364bf9977 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,8 +22,12 @@ jobs:
 runs-on: ubuntu-latest
 environment: npm
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 24
 registry-url: https://registry.npmjs.org/
@@ -41,11 +45,11 @@ jobs:
 uses: martinbeentjes/npm-get-version-action@v1.2.3
 - name: Parse changelog
 id: parse-changelog
- uses: schwma/parse-changelog-action@v1.0.0
+ uses: schwma/parse-changelog-action@69a9f9ab4cf2f2e736108ab41396fc3c55f65e40 # v1.0.0
 with:
 version: "${{ steps.package-version.outputs.current-version }}"
 - name: Create a GitHub release
- uses: ncipollo/release-action@v1
+ uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
 with:
 tag: "v${{ steps.package-version.outputs.current-version }}"
 body: "${{ steps.parse-changelog.outputs.body }}"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6738ead4a..8fcb8cbe8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,11 +29,15 @@ jobs:
 matrix:
 node-version: [20.x, 22.x]
 steps:
- - uses: actions/checkout@v5
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ matrix.node-version }}
 - run: npm i -g @sap/cds-dk
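Review bot: `martinbeentjes/npm-get-version-action@v1.2.3`, the first context line of the second release.yml hunk, is left on a mutable tag while the two `uses:` lines below it are pinned to commit SHAs; a tag can be moved, so the publishing job is only as pinned as its least-pinned step. Pin it the same way, `uses: martinbeentjes/npm-get-version-action@<sha-of-v1.2.3> # v1.2.3`, with the SHA resolved from that tag. The rest of the job's steps sit outside the hunk.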
@@ -53,12 +57,16 @@ jobs:
 hyperscaler: [AWS, AZURE, GCP]
 scanner-auth: [basic, mtls]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: Integration tests (HANA)
- uses: ./.github/actions/integration-tests
+ uses: ./.github/actions/integration-tests@main
 with:
 CF_API: ${{ secrets[format('CF_API_{0}', matrix.hyperscaler)] }}
 CF_USERNAME: ${{ secrets['CF_USERNAME'] }}
@@ -92,11 +100,15 @@ jobs:
 --health-timeout 5s
 --health-retries 5
 steps:
- - uses: actions/checkout@v5
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ matrix['node-version'] }}
 - run: npm i -g @sap/cds-dk
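Review bot: `uses: ./.github/actions/integration-tests@main` appends a ref to a local-path action, and `./` references do not take a ref, so the job will most likely fail to resolve the action; the previous `uses: ./.github/actions/integration-tests` was the correct form. Even if it did resolve, `@main` would run the action as found on main rather than the copy checked out from `github.event.pull_request.head.sha` a few lines above, so pull requests could never exercise changes to the action itself. Drop the `@main`; if a pinning linter flagged the bare local path, exempt local actions from that rule instead of satisfying it this way.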