fix(ci): OSSF Changes (#1769)

* Change permissions to be more granular * update to pinned deps * remove gradle wrapper * perms * perms * fix pinned deps * add gradle download * add hashes * pin to hash * update path for props file * update build script * fix path * add setup setup * build wrapper * gradle ver inc
aws-powertools · Feb 17, 2025 · ed89b3c · ed89b3c
1 parent bf91b40
commit ed89b3c
Show file tree

Hide file tree

Showing 8 changed files with 280 additions and 10 deletions.
diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml
@@ -15,13 +15,12 @@ on:
     branches: [main]
 
 permissions:
-  # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
-  actions: read
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents
   contents: read
 
 jobs:
   scan-pr:
-    uses: "google/osv-scanner-action/.github/workflows/[email protected]"
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638"
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
@@ -72,6 +72,13 @@ jobs:
           cache: 'maven'
       - name: Build with Maven
         run: mvn -B install --file pom.xml
+      - name: Build Gradle Setup
+        if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
+        working-directory: examples/powertools-examples-core/gradle
+        run: |
+          curl -L -o gradle/wrapper/gradle.zip https:$(cat gradle/wrapper/gradle-wrapper.properties  | grep distributionUrl | cut -d ':' -f 2)
+          unzip gradle/wrapper/gradle.zip -d gradle/wrapper/gradle
+          ./gradle/wrapper/gradle/gradle-8.2.1/bin/gradle wrapper
       - name: Build Gradle Example - Java
         if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
         working-directory: examples/powertools-examples-core/gradle

diff --git a/docs/Dockerfile b/docs/Dockerfile
@@ -1,2 +1,4 @@
-FROM squidfunk/mkdocs-material
-RUN pip install mkdocs-git-revision-date-plugin mkdocs-macros-plugin
+FROM squidfunk/mkdocs-material@sha256:6ffbcd0e1438f3278341e437048ba4507e7e0af70efe700dd6d8a1d76fc071dd
+
+COPY requirements.txt /tmp/
+RUN pip install --require-hashes -r /tmp/requirements.txt
diff --git a/docs/requirements.in b/docs/requirements.in
@@ -0,0 +1,2 @@
+mkdocs-git-revision-date-plugin==0.3.2
+mkdocs-macros-plugin==1.3.7
diff --git a/docs/requirements.txt b/docs/requirements.txt
diff --git a/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.jar b/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.jar
diff --git a/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.properties b/examples/powertools-examples-core/gradle/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

diff --git a/examples/powertools-examples-core/kotlin/gradle/wrapper/gradle-wrapper.properties b/examples/powertools-examples-core/kotlin/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		mkdocs-git-revision-date-plugin==0.3.2
		mkdocs-macros-plugin==1.3.7