From 65cee35819acca4ba083657299b469b5f944c2e4 Mon Sep 17 00:00:00 2001
From: James Fredley
Date: Fri, 29 May 2026 13:08:34 -0400
Subject: [PATCH 1/2] ci: audit and update GitHub Actions to ASF-approved versions

Pin every external GitHub Action to a full commit SHA from the ASF approved actions allow-list, with a trailing comment naming the version it resolves to. Mirrors the grails-core audit in apache/grails-core#15690.

- actions/checkout -> de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (was v4, v5)
- actions/setup-java -> be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 (was v4, v5)
- gradle/actions/setup-gradle -> 50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 (was 0723195856401067f7a2779048b490ace7a47d7c # v5.0.2)
- actions/upload-artifact -> 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 (was 50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0)
- release-drafter/release-drafter -> e1247478eabc9f6d9cf5ec2b3547469b0e1d2767 # v7.3.1 (was 6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6.4.0)
- softprops/action-gh-release -> b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 (was 153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1)

Add cache-provider: basic to all 6 setup-gradle steps so caching stays on the MIT-licensed provider rather than the proprietary enhanced provider introduced in gradle/actions v6 (Gradle commercial Terms of Use).

First-party apache/grails-github-actions/* and local ./.github/actions/* references are intentionally left unchanged.

Assisted-by: claude-code:claude-4.8-opus
---
.github/workflows/gradle.yml | 14 ++++++------
.github/workflows/rat.yml | 9 ++++----
.github/workflows/release-notes.yml | 2 +-
.github/workflows/release.yml | 33 ++++++++++++++++-------------
4 files changed, 32 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index de7cbdb..a92f005 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -48,15 +48,16 @@ jobs: --health-retries 5 steps: - name: "📥 Checkout repository" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "☕️ Setup JDK" - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: 17 distribution: liberica - name: "🐘 Setup Gradle" - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: + cache-provider: basic # 'basic' uses the MIT-licensed, open-source cache provider; the default 'enhanced' provider (v6+) is proprietary (Gradle commercial Terms of Use) develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY }} - name: "🏃‍♂️ Run Build" id: build @@ -72,15 +73,16 @@ jobs: contents: write steps: - name: "📥 Checkout repository" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "☕️ Setup JDK" - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: 17 distribution: liberica - name: "🐘 Setup Gradle" - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: + cache-provider: basic # 'basic' uses the MIT-licensed, open-source cache provider; the default 'enhanced' provider (v6+) is proprietary (Gradle commercial Terms of Use) develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY }} - name: "📤 Publish Snapshot Artifacts" id: publish diff --git a/.github/workflows/rat.yml b/.github/workflows/rat.yml index 2a18429..0d4ab41 100644 --- a/.github/workflows/rat.yml +++ b/.github/workflows/rat.yml 
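Review bot: The inline comment on the new `cache-provider: basic` line runs well past 120 characters and is pasted verbatim on all six setup-gradle steps, so any future wording change has to be made six times; keep it to a short pointer such as `cache-provider: basic # MIT-licensed provider; the v6 default 'enhanced' provider falls under Gradle's commercial terms` and leave the full rationale in the commit message, where it already is. Separately, once every action is SHA-pinned the `# vX.Y.Z` trailers are what Dependabot/Renovate parse to propose bumps; if the repository does not already have a `github-actions` ecosystem entry in `.github/dependabot.yml` (not visible in this patch), these pins will silently go stale, which defeats the purpose of the audit. Both job definitions in this file start above the hunks.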
@@ -33,21 +33,22 @@ jobs: runs-on: ubuntu-latest steps: - name: "📥 Checkout repository" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "☕️ Setup JDK" - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: liberica java-version: 17 - name: "🐘 Setup Gradle" - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: + cache-provider: basic # 'basic' uses the MIT-licensed, open-source cache provider; the default 'enhanced' provider (v6+) is proprietary (Gradle commercial Terms of Use) develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY }} - name: "🧐 Apache License - Release Audit Tool" run: ./gradlew rat - name: Upload RAT HTML report if: always() - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: rat-report path: build/reports/rat/index.html diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml index afd0283..0510d7c 100644 --- a/.github/workflows/release-notes.yml +++ b/.github/workflows/release-notes.yml @@ -32,6 +32,6 @@ jobs: runs-on: ubuntu-latest steps: - name: "📝 Update Release Draft" - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6.4.0 + uses: release-drafter/release-drafter@e1247478eabc9f6d9cf5ec2b3547469b0e1d2767 # v7.3.1 env: GITHUB_TOKEN: ${{ secrets.GRAILS_GH_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23c1a69..09b2808 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -45,7 +45,7 @@ jobs: - name: "📝 Establish release version" run: echo "VERSION=${TAG#v}" >> "$GITHUB_ENV" - name: "📥 Checkout repository" - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.TAG }} token: ${{ secrets.GITHUB_TOKEN }} # This should not be needed as ${{ github.token }} is the default, but there have been issues with it. @@ -60,13 +60,14 @@ jobs: env: GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - name: "☕️ Setup JDK" - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: ${{ env.JAVA_DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} - name: "🐘 Setup Gradle" - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: + cache-provider: basic # 'basic' uses the MIT-licensed, open-source cache provider; the default 'enhanced' provider (v6+) is proprietary (Gradle commercial Terms of Use) develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY }} - name: "⚙️ Run pre-release" uses: apache/grails-github-actions/pre-release@asf @@ -110,7 +111,7 @@ jobs: - name: "📅 Generate build date file" run: echo "$SOURCE_DATE_EPOCH" >> build/BUILD_DATE.txt - name: "📤 Upload build date, checksums and published artifacts files" - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: tag_name: ${{ env.TAG }} files: | @@ -128,7 +129,7 @@ jobs: - name: "📝 Establish release version" run: echo "VERSION=${TAG#v}" >> "$GITHUB_ENV" - name: "📥 Checkout repository" - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: ${{ env.REPO_NAME }} ref: ${{ env.TAG }} 
@@ -196,7 +197,7 @@ jobs: > "apache-${REPO_NAME}-${VERSION}-src.zip.sha512" cat "./apache-${REPO_NAME}-${VERSION}-src.zip.sha512" - name: "🚀 Upload ZIP and Signature to GitHub Release" - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: tag_name: ${{ env.TAG }} files: | @@ -304,12 +305,12 @@ jobs: cd dev-repo svn info "$VERSION" > "DIST_SVN_REVISION.txt" - name: "📤 Upload the Distribution SVN revision file" - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: tag_name: ${{ env.TAG }} files: dev-repo/DIST_SVN_REVISION.txt - name: "📥 Checkout repository" - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: ${{ env.REPO_NAME }} ref: ${{ env.TAG }} @@ -354,7 +355,7 @@ jobs: - name: "📝 Establish release version" run: echo "VERSION=${TAG#v}" >> "$GITHUB_ENV" - name: "📥 Checkout repository" - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.TAG }} - name: "⚙️ Setup SVN and Tools" 
@@ -413,20 +414,21 @@ jobs: - name: "📝 Establish release version" run: echo "VERSION=${TAG#v}" >> "$GITHUB_ENV" - name: "📥 Checkout repository" - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.TAG }} token: ${{ secrets.GITHUB_TOKEN }} - name: "📅 Ensure Common Build Date" # to ensure a reproducible build run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV" - name: "☕️ Setup JDK" - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: ${{ env.JAVA_DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} - name: "🐘 Setup Gradle" - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: + cache-provider: basic # 'basic' uses the MIT-licensed, open-source cache provider; the default 'enhanced' provider (v6+) is proprietary (Gradle commercial Terms of Use) develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY }} - name: "🔨 Build Documentation" run: ./gradlew :grails-redis:groovydoc 
@@ -450,18 +452,19 @@ jobs: - name: "📝 Establish release version" run: echo "VERSION=${TAG#v}" >> "$GITHUB_ENV" - name: "📥 Checkout repository" - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ env.TAG }} token: ${{ secrets.GITHUB_TOKEN }} - name: "☕️ Setup JDK" - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: ${{ env.JAVA_DISTRIBUTION }} java-version: ${{ env.JAVA_VERSION }} - name: "🐘 Setup Gradle" - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 with: + cache-provider: basic # 'basic' uses the MIT-licensed, open-source cache provider; the default 'enhanced' provider (v6+) is proprietary (Gradle commercial Terms of Use) develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY }} - name: "⚙️ Run post-release" uses: apache/grails-github-actions/post-release@asf From b18dfe86b7fca200b8bfb073a93b06509937a5a0 Mon Sep 17 00:00:00 2001 From: James Fredley Date: Fri, 29 May 2026 13:30:26 -0400 Subject: [PATCH 2/2] ci: tolerate release-drafter create-release failure on pull_request runs release-drafter v7 attempts to create the release draft and hard-fails under the job's contents:read permission when triggered by pull_request (v6 was a silent no-op). The draft is still created/updated by the parallel pull_request_target run, so mark the step continue-on-error to keep the redundant pull_request run from failing CI. This matches the continue-on-error pattern used on grails-core's release-drafter step. Assisted-by: claude-code:claude-4.8-opus --- .github/workflows/release-notes.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml index 0510d7c..fcacc19 100644 --- a/.github/workflows/release-notes.yml 
+++ b/.github/workflows/release-notes.yml
@@ -33,5 +33,6 @@ jobs:
 steps:
 - name: "📝 Update Release Draft"
 uses: release-drafter/release-drafter@e1247478eabc9f6d9cf5ec2b3547469b0e1d2767 # v7.3.1
+ continue-on-error: true # this pull_request-triggered run only has contents:read; the draft is created/updated by the pull_request_target run
 env:
 GITHUB_TOKEN: ${{ secrets.GRAILS_GH_TOKEN }}
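Review bot: `continue-on-error: true` on the release-drafter step masks every failure of that step, not only the expected one on pull_request runs, so a revoked or expired GRAILS_GH_TOKEN or an action regression would pass CI silently on the push/pull_request_target runs that actually produce the draft. Scope the tolerance to the event that is expected to fail, `continue-on-error: ${{ github.event_name == 'pull_request' }}`, or skip the step with `if: github.event_name != 'pull_request'` since the commit message describes the pull_request run as redundant. Note also that the step authenticates with `secrets.GRAILS_GH_TOKEN` rather than `github.token`; if that secret is a PAT, the job-level `contents: read` permission the comment cites does not constrain it, and a more likely cause on pull_request runs from forks is that repository secrets are not exposed at all, so the comment's explanation should be confirmed before it is kept as written. The job's trigger list and permissions block lie outside the hunk.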