diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2516374c..0af25b61 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,20 @@ on:
 branches: ['**', '!update/**', '!pr/**']
 tags: [v*]
+permissions:
+ actions: none
+ checks: none
+ contents: read
+ deployments: none
+ id-token: none
+ issues: none
+ packages: read
+ pages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -101,6 +115,7 @@ jobs:
 with:
 name: target-${{ matrix.os }}-${{ matrix.java }}-${{ matrix.scala }}-${{ matrix.project }}
 path: targets.tar
+ retention-days: 1
 publish:
 name: Publish Artifacts
@@ -225,6 +240,19 @@ jobs:
 os: [ubuntu-22.04]
 java: [temurin@11]
 runs-on: ${{ matrix.os }}
+ permissions:
+ actions: none
+ checks: none
+ contents: write
+ deployments: none
+ id-token: none
+ issues: none
+ packages: read
+ pages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
 steps:
 - name: Checkout current branch (full)
 uses: actions/checkout@v6
@@ -296,6 +324,19 @@ jobs:
 os: [ubuntu-22.04]
 java: [temurin@11]
 runs-on: ${{ matrix.os }}
+ permissions:
+ actions: none
+ checks: none
+ contents: write
+ deployments: none
+ id-token: none
+ issues: none
+ packages: read
+ pages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
 steps:
 - name: Checkout current branch (full)
 uses: actions/checkout@v6
diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml
deleted file mode 100644
index 547aaa43..00000000
--- a/.github/workflows/clean.yml
+++ /dev/null
@@ -1,59 +0,0 @@ -# This file was automatically generated by sbt-github-actions using the -# githubWorkflowGenerate task. You should add and commit this file to -# your git repository. It goes without saying that you shouldn't edit -# this file by hand! Instead, if you wish to make changes, you should -# change your sbt build configuration to revise the workflow description -# to meet your needs, then regenerate this file. - -name: Clean - -on: push - -jobs: - delete-artifacts: - name: Delete Artifacts - runs-on: ubuntu-latest - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - name: Delete artifacts - run: | - # Customize those three lines with your repository and credentials: - REPO=${GITHUB_API_URL}/repos/${{ github.repository }} - - # A shortcut to call GitHub API. - ghapi() { curl --silent --location --user _:$GITHUB_TOKEN "$@"; } - - # A temporary file which receives HTTP response headers. - TMPFILE=/tmp/tmp.$$ - - # An associative array, key: artifact name, value: number of artifacts of that name. - declare -A ARTCOUNT - - # Process all artifacts on this repository, loop on returned "pages". - URL=$REPO/actions/artifacts - while [[ -n "$URL" ]]; do - - # Get current page, get response headers in a temporary file. - JSON=$(ghapi --dump-header $TMPFILE "$URL") - - # Get URL of next page. Will be empty if we are at the last page. - URL=$(grep '^Link:' "$TMPFILE" | tr ',' '\n' | grep 'rel="next"' | head -1 | sed -e 's/.*.*//') - rm -f $TMPFILE - - # Number of artifacts on this page: - COUNT=$(( $(jq <<<$JSON -r '.artifacts | length') )) - - # Loop on all artifacts on this page. - for ((i=0; $i < $COUNT; i++)); do - - # Get name of artifact and count instances of this name. 
- name=$(jq <<<$JSON -r ".artifacts[$i].name?")
- ARTCOUNT[$name]=$(( $(( ${ARTCOUNT[$name]} )) + 1))
-
- id=$(jq <<<$JSON -r ".artifacts[$i].id?")
- size=$(( $(jq <<<$JSON -r ".artifacts[$i].size_in_bytes?") ))
- printf "Deleting '%s' #%d, %'d bytes\n" $name ${ARTCOUNT[$name]} $size
- ghapi -X DELETE $REPO/actions/artifacts/$id
- done
- done
diff --git a/build.sbt b/build.sbt
index 668816a8..6367018a 100644
--- a/build.sbt
+++ b/build.sbt
@@ -2,6 +2,7 @@ import scala.concurrent.duration.DurationInt
 import scala.sys.process._
 import nl.zolotko.sbt.jfr.{JfrRecorderOptions, JfrRecording}
+import org.typelevel.sbt.gha.{Permissions, PermissionValue}
 import spray.revolver.Actions._
 val catsVersion = "2.13.0"
@@ -21,6 +22,7 @@ val munitVersion = "1.3.3"
 val munitCatsEffectVersion = "2.2.0"
 val munitScalaCheckVersion = "1.3.0"
 val oracleDriverVersion = "23.26.2.0.0"
+val postgresVersion = "42.7.11"
 val skunkVersion = "1.0.0"
 val shapeless2Version = "2.3.13"
 val shapeless3Version = "3.6.0"
@@ -62,6 +64,24 @@ ThisBuild / githubWorkflowBuild ~= { steps =>
 }
 ThisBuild / githubWorkflowJavaVersions := Seq(JavaSpec.temurin("11"))
 ThisBuild / tlBspCrossProjectPlatforms := Set(JVMPlatform)
+ThisBuild / githubWorkflowPermissions := Some(Permissions.Specify.defaultRestrictive)
+ThisBuild / githubWorkflowIncludeClean := false
+
+ThisBuild / githubWorkflowGeneratedCI ~= {
+ _.map { job =>
+ if (Set("dependency-submission", "site")(job.id))
+ job.withPermissions(
+ Some(Permissions.Specify.defaultRestrictive.withContents(PermissionValue.Write)))
+ else if (job.id == "build")
+ job.withSteps(job.steps.map {
+ case use: WorkflowStep.Use
+ if use.ref == UseRef.Public("actions", "upload-artifact", "v5") =>
+ use.concatParams(List("retention-days" -> "1"))
+ case step => step
+ })
+ else job
+ }
+}
 ThisBuild / githubWorkflowAddedJobs += WorkflowJob(
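Review bot: `val postgresVersion = "42.7.11"` is declared without any indication that it is a security floor rather than an ordinary version constant; the rationale lives only in the two comments at the use sites in `doobiepg` and `demo`, so whoever next edits this line (or reverts it while tidying versions) will not see the constraint. Put the reason where the value is defined, e.g. `// Minimum Postgres JDBC driver: >= 42.7.11 fixes CVE-2026-42198 / GHSA-98qh-xjc8-98pq (do not lower)` above the `val`, and shorten the use-site comments to a pointer such as `// see postgresVersion`. The advisory identifiers here are as quoted in the use-site comments of this diff; re-check them against the advisory before relying on the comment.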
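Review bot: The guard `use.ref == UseRef.Public("actions", "upload-artifact", "v5")` matches one exact tag, so when sbt-github-actions moves the upload step to another ref (a tag bump or a SHA pin) the `retention-days` override silently stops applying and the generated workflow falls back to the default retention with no build error. The generated ci.yml in this same diff does gain `retention-days: 1`, so the match hits today; matching on owner and repository only keeps the override in place across action bumps (this assumes `UseRef.Public` is a case class, as its use as a value here suggests). Separately, the same hunk grants `contents: write` to `dependency-submission` and `site`, and the generated workflow still exports `GITHUB_TOKEN` at workflow level (visible as context in the ci.yml hunk), so every step of those two jobs, third-party actions included, holds a write-capable token; worth keeping in mind when steps are added to them. The `githubWorkflowAddedJobs` definition opened on the hunk's last line continues past it.
```scala
    else if (job.id == "build")
      job.withSteps(job.steps.map {
        // Match any ref of actions/upload-artifact so a tag bump cannot silently drop the override.
        case use: WorkflowStep.Use
            if PartialFunction.cond(use.ref) {
              case UseRef.Public("actions", "upload-artifact", _) => true
            } =>
          use.concatParams(List("retention-days" -> "1"))
        case step => step
      })
    // … unchanged: permissions branch for dependency-submission/site and `else job` …
```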
@@ -278,7 +298,9 @@ lazy val doobiepg = project
 Test / testOptions += Tests
 .Setup(_ => runDocker("docker compose up -d --wait --quiet-pull postgres")),
 libraryDependencies ++= Seq(
- "org.typelevel" %% "doobie-postgres-circe" % doobieVersion
+ "org.typelevel" %% "doobie-postgres-circe" % doobieVersion,
+ // Pin transitive Postgres JDBC driver to >= 42.7.11 (CVE-2026-42198 / GHSA-98qh-xjc8-98pq)
+ "org.postgresql" % "postgresql" % postgresVersion
 )
 )
@@ -374,6 +396,8 @@ lazy val demo = project
 "ch.qos.logback" % "logback-classic" % logbackVersion,
 "org.typelevel" %% "doobie-core" % doobieVersion,
 "org.typelevel" %% "doobie-postgres" % doobieVersion,
+ // Pin transitive Postgres JDBC driver to >= 42.7.11 (CVE-2026-42198 / GHSA-98qh-xjc8-98pq)
+ "org.postgresql" % "postgresql" % postgresVersion,
 "org.typelevel" %% "doobie-hikari" % doobieVersion,
 "org.http4s" %% "http4s-ember-server" % http4sVersion,
 "org.http4s" %% "http4s-ember-client" % http4sVersion,
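Review bot: Adding `"org.postgresql" % "postgresql" % postgresVersion` as a direct dependency raises the driver floor only for `doobiepg` (and, in the next hunk, `demo`); any other module that pulls `doobie-postgres` transitively — not visible in this diff, if one exists — still resolves whatever version doobie declares, and the comment has to be copied into each place. A single build-wide declaration such as `ThisBuild / dependencyOverrides += "org.postgresql" % "postgresql" % postgresVersion` covers every module in one line, but note the semantic difference: a direct dependency is a minimum (sbt's default conflict resolution keeps the highest version, so a newer driver from doobie wins), whereas `dependencyOverrides` forces exactly `postgresVersion` and would hold back a later, safer driver until the constant is bumped. Either is defensible; pick one deliberately and apply it once rather than per module. The `lazy val doobiepg` definition starts before this hunk.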