diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d0e021d2..93e5b9aa 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -25,8 +25,7 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     permissions:
-      actions: read
-      contents: read
+      # Only allow write for security, then all others default to read only
       security-events: write
     strategy:
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 7e501105..aaca51fd 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -21,7 +21,8 @@ jobs:
     # Environment image - always use the newest OS
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      # With at least one permission given, all default to read
+      contents: read
 
     # Run steps
     steps:
@@ -42,6 +43,25 @@ jobs:
         # ignore snapshot updates, because they are likely to have breaking changes, enforce checksums
         run: mvn test --batch-mode --threads 2.0C --no-snapshot-updates --strict-checksums --file pom.xml
 
-      - name: Update dependency graph
+  dependency:
+    runs-on: ubuntu-latest
+    permissions:
+      # Write only necessary for dependency submission all others then default to read
+      contents: write
+
+    # Run steps
+    steps:
+      # Pull changes
+      - uses: actions/checkout@v4
+
+      # Setup Java
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version-file: '.java-version'
+          cache: 'maven'
+
+      - name: Submit Dependency Snapshot
         if: ${{ github.event_name == 'push' }}
         uses: advanced-security/maven-dependency-submission-action@v4.0.3
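Review bot: The new comment in the codeql-analysis.yml hunk states that unspecified scopes "default to read only", but once a job sets any `permissions` key, every scope not listed is set to `none` (only `metadata` stays read), so dropping `actions: read` and `contents: read` actually removes those rights rather than leaving them at read. The CodeQL action documents `contents: read` as required and `actions: read` as required for private repositories; on a private repo the checkout and the `workflow_run`-triggered upload will fail, while on a public repo they may still succeed and mask the mistake. Restore the two lines and correct the comment: `# Unlisted scopes become none, not read; checkout needs contents: read, CodeQL on private repos needs actions: read`. The same incorrect "all default to read" wording is added in both maven.yml hunks (`contents: read` in the build job, `contents: write` in the new dependency job); there the listed scope happens to be the only one the job needs, but the comment should say "none" in all three places so nobody later relies on it. The enclosing `analyze` job starts and ends outside this hunk.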
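Review bot: In the second maven.yml hunk the new `dependency` job gates only the `Submit Dependency Snapshot` step on `github.event_name == 'push'`, so on every other event the job still claims a runner, checks out the repository and restores the Maven cache before skipping its only real step; moving the condition to the job (`if: ${{ github.event_name == 'push' }}` directly under `dependency:`) avoids that and keeps the `contents: write` token from being minted for pull-request runs at all. Because this view is whitespace-collapsed I cannot confirm it, but the retained context lines `if:` and `uses:` keep the old build job's step indentation, so `- name: Submit Dependency Snapshot` must sit at exactly the indent the removed `- name: Update dependency graph` had, or the step breaks apart when the patch is applied. As a hardening point for a job that holds a write scope, the three actions are referenced by mutable tags (`@v4`, `@v4.0.3`); pinning each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, removes the tag-retargeting risk. The hunk ends inside the `dependency` job.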