From 2f16d9f66dbcda3a9ee4a54c7210a11bd0a34b76 Mon Sep 17 00:00:00 2001
From: Husam
Date: Wed, 1 Jul 2026 01:40:42 +0000
Subject: [PATCH 1/2] chore(actions): address zizmor findings

This PR is an auto-generated attempt to address zizmor findings. It may not catch everything, and should be reviewed by repository owners. If it is unhelpful, feel free to close the PR and address separately. This PR was generated by running `zizmor --fix=all --gh-token=$(gh auth token) ./.github/workflows`. See go/github-zizmor-help for instructions to install and run. If this PR is helpful, feel free to approve and merge, or edit/modify as needed to get it to the right state. Repository owners must ultimately ensure compliance by 2026-07-13. The purpose of this PR is to provide some assistance with achieving that as a first pass. This will become a blocking check for new changes to github workflows on 2026-07-13 within the `googleapis` org. There may be some ignored findings (with the comment `# zizmor: ignore[...]`), which you may fix if feasible.

---
 .github/workflows/approve-readme.yaml | 5 +-
 .github/workflows/auto-release.yaml | 5 +-
 .github/workflows/ci.yaml | 49 +++++++++++++-------
 .github/workflows/downstream.yaml | 9 +++-
 .github/workflows/renovate_config_check.yaml | 9 +++-
 5 files changed, 55 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/approve-readme.yaml b/.github/workflows/approve-readme.yaml
index 59f00b8eb..f5f952076 100644
--- a/.github/workflows/approve-readme.yaml
+++ b/.github/workflows/approve-readme.yaml
@@ -13,6 +13,9 @@
 # limitations under the License.
 # Github action job to test core java library features on
 # downstream client libraries before they are released.
+permissions:
+ contents: read
+
 on:
 pull_request:
 name: auto-merge-readme
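Review bot: The new workflow-level `permissions: contents: read` scopes only the automatic GITHUB_TOKEN; the approval step in the next hunk hands `secrets.YOSHI_APPROVER_TOKEN` to github-script, and that token's reach is unchanged by this block. A reader skimming the top of the file will take the grant as the job's privilege ceiling, so document the split next to it: `# Scopes GITHUB_TOKEN only; the approve step below authenticates with YOSHI_APPROVER_TOKEN`. The identical block added to auto-release.yaml has the same caveat, since that job also runs github-script with the same secret.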
@@ -21,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository_owner == 'googleapis' && github.head_ref == 'autosynth-readme'
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{secrets.YOSHI_APPROVER_TOKEN}}
 script: |
diff --git a/.github/workflows/auto-release.yaml b/.github/workflows/auto-release.yaml
index 18d92e5a2..71179de7f 100644
--- a/.github/workflows/auto-release.yaml
+++ b/.github/workflows/auto-release.yaml
@@ -13,6 +13,9 @@
 # limitations under the License.
 # Github action job to test core java library features on
 # downstream client libraries before they are released.
+permissions:
+ contents: read
+
 on:
 pull_request:
 name: auto-release
@@ -21,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 if: contains(github.head_ref, 'release-please')
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{secrets.YOSHI_APPROVER_TOKEN}}
 debug: true
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c1a809fe1..d785cebde 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 on:
 push:
 branches:
@@ -11,8 +14,10 @@ jobs:
 matrix:
 java: [8, 11]
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/setup-java@v1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
 with:
 java-version: ${{matrix.java}}
 - run: java -version
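Review bot: `actions/setup-java` is pinned to `b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1` in this hunk while the `units (21)` and `units (25)` jobs lower in the same file pin v3 (`17f84c3641ba7b8f6deff6309fc4c864478f5d62`); freezing the v1 digest keeps four steps two majors behind the rest of the file, and the `# v1` label means Renovate will only ever bump them within v1. The checkout pin is split the same way: here `11bd71901bbe5b1630ceea73d27597364c9af683` is labelled `# v4.2.2`, but the units jobs and renovate_config_check.yaml use `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` for the same major, so two different commits of one action now travel under one label across the repo. Settle on a single checkout digest and label, and move the v1 steps in this hunk and in `@@ -34`, `@@ -62`, `@@ -72` and `@@ -84` to the v3 digest already in use, `- uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3`, adding the `distribution:` input the existing v3 steps in this file supply.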
@@ -34,8 +39,10 @@ jobs:
 run: |
 git config --global core.autocrlf false
 git config --global core.eol lf
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/setup-java@v1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
 with:
 java-version: 8
 - run: java -version
@@ -62,8 +69,10 @@ jobs:
 matrix:
 java: [8, 11]
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/setup-java@v1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
 with:
 java-version: ${{matrix.java}}
 - run: java -version
@@ -72,8 +81,10 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/setup-java@v1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
 with:
 java-version: 11
 - run: java -version
@@ -84,8 +95,10 @@ jobs:
 clirr:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/setup-java@v1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
 with:
 java-version: 8
 - run: java -version
@@ -99,8 +112,10 @@ jobs:
 name: "units (21)"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-java@v3
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 java-version: 21
 distribution: temurin
@@ -109,7 +124,7 @@ jobs:
 # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm
 run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java" >> $GITHUB_ENV
 shell: bash
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 java-version: 8
 distribution: temurin
@@ -122,8 +137,10 @@ jobs:
 name: "units (25)"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-java@v3
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 java-version: 25
 distribution: temurin
@@ -132,7 +149,7 @@ jobs:
 # https://maven.apache.org/surefire/maven-surefire-plugin/test-mojo.html#jvm
 run: echo "SUREFIRE_JVM_OPT=-Djvm=${JAVA_HOME}/bin/java" >> $GITHUB_ENV
 shell: bash
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 java-version: 8
 distribution: temurin
diff --git a/.github/workflows/downstream.yaml b/.github/workflows/downstream.yaml
index 910e73a59..c0c0a624a 100644
--- a/.github/workflows/downstream.yaml
+++ b/.github/workflows/downstream.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 on:
 pull_request:
 types: [ labeled ]
@@ -132,8 +135,10 @@ jobs:
 - workflow-executions
 - workflows
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/setup-java@v3
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: zulu
 java-version: ${{matrix.java}}
diff --git a/.github/workflows/renovate_config_check.yaml b/.github/workflows/renovate_config_check.yaml
index d3467e9d2..329b7e2f0 100644
--- a/.github/workflows/renovate_config_check.yaml
+++ b/.github/workflows/renovate_config_check.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 name: Renovate Bot Config Validation
 on:
@@ -12,10 +15,12 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20'
From fd2bc49494f3e64cb84c82e9bce6d4fa402811bb Mon Sep 17 00:00:00 2001
From: Husam
Date: Wed, 1 Jul 2026 02:44:12 +0000
Subject: [PATCH 2/2] chore(renovate): replace config:base/recommended with best-practices

---
 renovate.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index a9dbc8a02..28d377173 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,6 @@
 {
 "extends": [
- "config:recommended"
+ "config:best-practices"
 ],
 "ignorePaths": [
 ".kokoro/requirements.txt"
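Review bot: `persist-credentials: false` on the downstream checkout means later steps of this job no longer find GITHUB_TOKEN in `.git/config`; the job iterates a matrix of downstream repositories (`workflow-executions`, `workflows`, …) and the steps that act on them are outside the hunk, so confirm none of them fetches or pushes through that persisted token, otherwise they will start failing with an auth error after this change. If one does, give that step its own credential (for example the `token:` input on a dedicated checkout step) rather than re-enabling persistence for the whole job, and add `# token is not persisted; steps needing git auth must supply their own` above the new `with:` so the next reader knows it is deliberate.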
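Review bot: The `permissions` block in `@@ -1,3 +1,6 @@` of renovate_config_check.yaml lands above `name: Renovate Bot Config Validation`, so this file now opens with a token grant before the workflow's name, while the other four workflows in this patch place the block directly before `on:`. Move the three added lines below `name:` so every workflow in the repo reads the same way from the top: `name: Renovate Bot Config Validation`, a blank line, then `permissions:` / `  contents: read`, then `on:`. The two blank context lines of the original file are not visible in the collapsed hunk, so re-check spacing after the move.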
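Review bot: `config:best-practices` does more than keep the action digests from the first patch current: it extends `config:recommended` with `docker:pinDigests`, `helpers:pinGitHubActionDigests` and `:pinDevDependencies`, so Renovate will also start pinning Docker image digests and dev-dependency ranges wherever it finds them in this repository, and `ignorePaths` still lists only `.kokoro/requirements.txt` (the rest of the object is outside the hunk). If only the workflow digests are wanted, extend `config:recommended` together with `helpers:pinGitHubActionDigests` instead of the whole preset. Either way the trailing `# v7` / `# v4.2.2` comments on the pinned `uses:` lines are what Renovate rewrites alongside each digest, so they need to stay accurate for the digest updates to be reviewable.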