diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml
index 2675c8b..5b50d06 100644
--- a/.github/workflows/broken-links.yml
+++ b/.github/workflows/broken-links.yml
@@ -19,7 +19,7 @@ jobs:
- name: Link Checker
id: lychee
- uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2
+ uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
with:
fail: false # Don't fail on broken links, create an issue instead
diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml
index b1a6d66..daae7b2 100644
--- a/.github/workflows/check-build.yml
+++ b/.github/workflows/check-build.yml
@@ -69,7 +69,7 @@ jobs:
fi
- name: Upload demo files
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: demo-files-java-${{ matrix.java }}
path: ${{ env.DEMO_MAVEN_MODULE }}/target/${{ env.DEMO_MAVEN_MODULE }}.jar
@@ -151,8 +151,8 @@ jobs:
run: ./mvnw -B pmd:aggregate-cpd pmd:cpd-check -P pmd -DskipTests -T2C
- name: Upload report
- if: always()
- uses: actions/upload-artifact@v6
+ if: ${{ !cancelled() }}
+ uses: actions/upload-artifact@v7
with:
name: pmd-report
if-no-files-found: ignore
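Review bot: `actions/upload-artifact@v7` in the `Upload report` step (and in `Upload demo files` in the previous hunk) is referenced by a mutable major tag, while this same commit pins `lycheeverse/lychee-action` and `peter-evans/create-issue-from-file` to full commit SHAs. A moved tag would change what runs in this job without any change in the repository. If SHA pinning is the policy, the line would become `uses: actions/upload-artifact@<full-commit-sha-of-v7> # v7` (placeholder, to be resolved from the release). If tag pins for first-party `actions/*` are deliberate, a short comment saying so would keep the two styles from looking accidental.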
diff --git a/.github/workflows/report-gha-workflow-security-problems.yml b/.github/workflows/report-gha-workflow-security-problems.yml
new file mode 100644
index 0000000..b17aa53
--- /dev/null
+++ b/.github/workflows/report-gha-workflow-security-problems.yml
@@ -0,0 +1,61 @@
+name: Report workflow security problems
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ develop ]
+ paths:
+ - '.github/workflows/**'
+
+permissions:
+ issues: write
+
+jobs:
+ prt:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ # Only run this in our repos (Prevent notification spam by forks)
+ if: ${{ github.repository_owner == 'xdev-software' }}
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Check
+ id: check
+ run: |
+ grep -l 'pull_request_target:' --exclude report-gha-workflow-security-problems.yml *.yml > reported.txt && exit 1 || exit 0
+ working-directory: .github/workflows
+
+ - name: Find already existing issue
+ id: find-issue
+ if: ${{ !cancelled() }}
+ run: |
+ echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Incorrectly configure GHA workflow (prt)"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Close issue if everything is fine
+ if: ${{ success() && steps.find-issue.outputs.number != '' }}
+ run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Create report
+ if: ${{ failure() && steps.check.conclusion == 'failure' }}
+ run: |
+ echo 'Detected usage of `pull_request_target`. This event is dangerous and MUST NOT BE USED AT ALL COST!' > reported.md
+ echo '' >> reported.md
+ echo '/cc @xdev-software/gha-workflow-security' >> reported.md
+ echo '' >> reported.md
+ echo '```' >> reported.md
+ cat .github/workflows/reported.txt >> reported.md
+ echo '```' >> reported.md
+ cat reported.md
+
+ - name: Create Issue From File
+ if: ${{ failure() && steps.check.conclusion == 'failure' }}
+ uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
+ with:
+ issue-number: ${{ steps.find-issue.outputs.number }}
+ title: 'Incorrectly configure GHA workflow (prt)'
+ content-filepath: ./reported.md
+ labels: bug, automated
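Review bot: The `Check` step can miss the trigger it is meant to catch. The pattern `'pull_request_target:'` matches only the mapping form, so `on: pull_request_target` and `on: [push, pull_request_target]` pass unnoticed, and the `*.yml` glob skips `.yaml` files even though the `paths` filter `.github/workflows/**` fires for them. The `&& exit 1 || exit 0` chain also turns a grep error (exit status 2) into a clean result, which would then let the "Close issue if everything is fine" step close an open report. I would match the bare word across both extensions and handle the three grep statuses separately, as below, so that a grep error fails the step instead of passing. Word matching also flags comments that mention the event, which seems an acceptable cost for this check.

```yaml
      - name: Check
        id: check
        run: |
          # Match mapping, scalar and list forms of the trigger in .yml and .yaml files
          status=0
          grep -rlw --include='*.yml' --include='*.yaml' \
            --exclude='report-gha-workflow-security-problems.yml' \
            'pull_request_target' . > reported.txt || status=$?
          case "$status" in
            0) exit 1 ;;  # trigger found: fail so the report steps run
            1) exit 0 ;;  # nothing found
            *) echo "grep failed with status $status" >&2; exit "$status" ;;
          esac
        # … unchanged: working-directory …
```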
diff --git a/pom.xml b/pom.xml
index 8d5b582..eeca093 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,7 +45,7 @@
com.puppycrawl.tools
checkstyle
- 13.2.0
+ 13.3.0
@@ -83,12 +83,12 @@
net.sourceforge.pmd
pmd-core
- 7.21.0
+ 7.22.0
net.sourceforge.pmd
pmd-java
- 7.21.0
+ 7.22.0
diff --git a/sessionize-java-client/pom.xml b/sessionize-java-client/pom.xml
index 8c46a1a..4148f63 100644
--- a/sessionize-java-client/pom.xml
+++ b/sessionize-java-client/pom.xml
@@ -56,7 +56,7 @@
com.fasterxml.jackson
jackson-bom
- 2.21.0
+ 2.21.1
pom
import
@@ -91,7 +91,7 @@
org.openapitools
jackson-databind-nullable
- 0.2.8
+ 0.2.9
@@ -319,7 +319,7 @@
org.openapitools
openapi-generator-maven-plugin
- 7.18.0
+ 7.20.0
@@ -377,7 +377,7 @@
software.xdev
find-and-replace-maven-plugin
- 1.0.4
+ 1.0.5
@@ -444,7 +444,7 @@
com.puppycrawl.tools
checkstyle
- 13.2.0
+ 13.3.0
@@ -486,12 +486,12 @@
net.sourceforge.pmd
pmd-core
- 7.21.0
+ 7.22.0
net.sourceforge.pmd
pmd-java
- 7.21.0
+ 7.22.0