From 3a162ad8f074739c210e40e297aba3c7aa50fd37 Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Thu, 21 May 2026 16:40:56 +0200
Subject: [PATCH 1/4] fix: avoid script injection in scan-with-blackduck action

Bind inputs.version to env var instead of interpolating into run block.
---
 .github/actions/scan-with-blackduck/action.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/actions/scan-with-blackduck/action.yml b/.github/actions/scan-with-blackduck/action.yml
index c8ae0ad2..ff3675c2 100644
--- a/.github/actions/scan-with-blackduck/action.yml
+++ b/.github/actions/scan-with-blackduck/action.yml
@@ -41,9 +41,11 @@ runs:
 
 - name: Resolve Project Version
 id: resolve-version
+ env:
+ VERSION_INPUT: ${{ inputs.version }}
 run: |
- if [ -n "${{ inputs.version }}" ]; then
- VERSION="${{ inputs.version }}"
+ if [ -n "$VERSION_INPUT" ]; then
+ VERSION="$VERSION_INPUT"
 else
 REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)
 VERSION=$(echo "$REVISION" | cut -d. -f1,2)

From 99873f6107086c442221aeb0a4ba5c20c5e93495 Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Thu, 21 May 2026 17:30:42 +0200
Subject: [PATCH 2/4] fix: install @sap/cds-dk in deploy-release action

---
 .github/actions/deploy-release/action.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/actions/deploy-release/action.yml b/.github/actions/deploy-release/action.yml
index 7b900da6..07198295 100644
--- a/.github/actions/deploy-release/action.yml
+++ b/.github/actions/deploy-release/action.yml
@@ -42,6 +42,10 @@ runs:
 with:
 maven-version: ${{ inputs.maven-version }}
 
+ - name: Install @sap/cds-dk
+ run: npm i -g @sap/cds-dk@9.9.1
+ shell: bash
+
 - name: Import GPG Key
 run: |
 echo "${{ inputs.pgp-private-key }}" | gpg --batch --passphrase "$PASSPHRASE" --import
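Review bot: The else branch still has no guard for an empty result: if `mvn help:evaluate` fails or prints nothing, `REVISION` is empty and `VERSION` silently becomes an empty string that the rest of the step then uses as the project version (the `fi` and whatever consumes `VERSION` lie outside the hunk). A check after the evaluate line, `[ -n "$REVISION" ] || { echo "could not resolve project revision" >&2; exit 1; }`, fails the step instead of scanning under a blank version. The env binding of `inputs.version` itself is sound; `$VERSION_INPUT` is only ever expanded inside double quotes here, so the value can no longer alter the script.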
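Review bot: The `Import GPG Key` step just below the new step still expands `${{ inputs.pgp-private-key }}` directly inside its run block, the same interpolation pattern that patch 1 of this series moves into an env binding; `env: PGP_PRIVATE_KEY: ${{ inputs.pgp-private-key }}` on that step and `echo "$PGP_PRIVATE_KEY" | gpg --batch --passphrase "$PASSPHRASE" --import` keeps the key material out of the script text and consistent with the fix. The `@sap/cds-dk@9.9.1` pin added here is the same literal that scan-with-codeql/action.yml carries in patch 4, so the two installs will drift unless the version comes from one place, for example an input with that value as its default. The exact-version pin is good, but `npm i -g` without a lockfile still resolves transitive dependencies at run time, which is worth a one-line comment on the step if that is the accepted trade-off for a release deploy.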
@@ -54,6 +58,7 @@ runs:
 mvn -B -ntp --show-version
 -Dmaven.install.skip=true
 -Dmaven.test.skip=true
+ -Dcds.install-node.skip
 -Dgpg.passphrase="$GPG_PASSPHRASE"
 -Dgpg.keyname="$GPG_PUB_KEY"
 clean deploy -P deploy-release

From 406c6f2459cb48d571ce59ff9b94d165f039f41d Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Thu, 21 May 2026 17:49:54 +0200
Subject: [PATCH 3/4] fix: skip central publishing for coverage-report module

---
 coverage-report/pom.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/coverage-report/pom.xml b/coverage-report/pom.xml
index d8380ed8..7c8988fd 100644
--- a/coverage-report/pom.xml
+++ b/coverage-report/pom.xml
@@ -53,6 +53,14 @@
+ + org.sonatype.central + central-publishing-maven-plugin + + true + + + com.github.spotbugs

From e1c53b32fcb9b1beda4de931a2571d33a08bb3e9 Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Fri, 22 May 2026 08:46:28 +0200
Subject: [PATCH 4/4] fix: add actions language to CodeQL scan

---
 .github/actions/scan-with-codeql/action.yml | 13 ++++++++++---
 .github/workflows/pipeline.yml | 7 ++++++-
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml
index 91793350..8cedbebc 100644
--- a/.github/actions/scan-with-codeql/action.yml
+++ b/.github/actions/scan-with-codeql/action.yml
@@ -8,11 +8,15 @@ inputs:
 maven-version:
 description: The Maven version to use for the build.
 required: true
+ language:
+ description: The CodeQL language to analyze (java-kotlin or actions).
+ required: true
 
 runs:
 using: composite
 steps:
 - name: Set up Java ${{ inputs.java-version }}
+ if: inputs.language == 'java-kotlin'
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: ${{ inputs.java-version }}
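Review bot: `-Dcds.install-node.skip` only works because the `Install @sap/cds-dk` step added in the previous hunk provides the tooling globally, and nothing in the file records that coupling; a YAML comment on the deploy step such as `# cds-dk is installed globally by the "Install @sap/cds-dk" step above, so skip the plugin's own Node download` makes the dependency visible to whoever later removes or reorders either step. Put the comment on the step, not inside the run scalar: the scalar's header is outside the hunk, and if it is a folded `>` block a `#` line would be folded into the mvn command line and comment out every argument after it. The bare flag without `=true` matches the form used in scan-with-codeql/action.yml, so the two invocations are at least consistent.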
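Review bot: No plugin `<version>` is visible in this hunk for `central-publishing-maven-plugin` (the extraction dropped the XML tags, so only element text survives, which is why the hunk cannot be reflowed); unless the parent POM pins it in pluginManagement, Maven warns about the missing version and resolves the plugin at build time, which is the opposite of what a reproducible release build wants. If it is inherited, a comment on the plugin block saying so, `<!-- version managed in the parent pluginManagement -->`, saves the next reader the lookup. The `true` element is presumably `skipPublishing`, which is the plugin's documented way to exclude a module from Central publishing, so the intent of the change itself looks right.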
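Review bot: The new `language` input is declared free-form while every consumer treats it as a two-value enum: the `if:` conditions key on the exact string `java-kotlin`, and in the third hunk `build-mode` falls back to `none` and `category` interpolates the raw value for anything else, so a typo such as `java` silently produces an unbuilt, mis-categorised scan instead of an error. A first step that rejects anything but the two supported values, with the input bound through `env` rather than expanded into the script, fails fast; the description line could also say that the value is matched exactly. The steps list continues past the end of the hunk.
```yaml
      - name: Validate language input
        env:
          LANGUAGE_INPUT: ${{ inputs.language }}
        run: |
          case "$LANGUAGE_INPUT" in
            java-kotlin|actions) ;;
            *) echo "unsupported language: $LANGUAGE_INPUT" >&2; exit 1 ;;
          esac
        shell: bash
      # … unchanged: Set up Java step …
```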
@@ -20,6 +24,7 @@ runs:
 cache: maven
 
 - name: Set up Maven ${{ inputs.maven-version }}
+ if: inputs.language == 'java-kotlin'
 uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
 with:
 maven-version: ${{ inputs.maven-version }}
@@ -27,18 +32,20 @@ runs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
 with:
- languages: java-kotlin
- build-mode: manual
+ languages: ${{ inputs.language }}
+ build-mode: ${{ inputs.language == 'java-kotlin' && 'manual' || 'none' }}
 
 - name: Install @sap/cds-dk
+ if: inputs.language == 'java-kotlin'
 run: npm i -g @sap/cds-dk@9.9.1
 shell: bash
 
 - name: Build Java code
+ if: inputs.language == 'java-kotlin'
 run: mvn clean compile -B -ntp -Dcds.install-node.skip
 shell: bash
 
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
 with:
- category: "/language:java-kotlin"
+ category: "/language:${{ inputs.language }}"
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index d3d0d0e0..0f49d49e 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -128,7 +128,7 @@ jobs:
 github-token: ${{ secrets.GH_TOKEN }}
 
 codeql:
- name: CodeQL Analysis
+ name: CodeQL Analysis (${{ matrix.language }})
 runs-on: ubuntu-latest
 timeout-minutes: 30
 permissions:
@@ -136,6 +136,10 @@ jobs:
 packages: read
 actions: read
 contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [java-kotlin, actions]
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -145,3 +149,4 @@ jobs:
 with:
 java-version: 17
 maven-version: ${{ env.MAVEN_VERSION }}
+ language: ${{ matrix.language }}
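Review bot: `build-mode: ${{ inputs.language == 'java-kotlin' && 'manual' || 'none' }}` uses the `&&`/`||` idiom as a ternary, which only yields `manual` because that literal is never falsy; a comment next to it, `# expression-level ternary: 'manual' is truthy, so 'none' is reached only for non-Java languages`, records that constraint for anyone who later substitutes a value that could be empty. The same `if: inputs.language == 'java-kotlin'` predicate is now spelled out on four steps across this hunk and the two before it, so adding a third language means editing each of them; a sentence on the `language` input description that all Java build steps are gated on the exact value `java-kotlin` would at least make that coupling explicit. The `category` interpolation goes into a `with:` value rather than a run block, so it does not reintroduce the injection pattern patch 1 removes.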
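Review bot: Renaming the job to `CodeQL Analysis (${{ matrix.language }})` changes the check names GitHub reports: the single `CodeQL Analysis` check disappears and two new ones appear, so if that name is listed as a required status check in branch protection or a ruleset, merges will wait on a check that never runs until the rule is updated to the two new names. A line in the commit message or PR description flagging the rename lets whoever maintains the repository settings change the rule alongside the merge. `fail-fast: false` in the next hunk is the right choice here, since a Java build failure should not cancel the independent `actions` scan.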