Pipeline Security Hardening

[Schmarvinius]

Pipeline Security Hardening: Pin GitHub Actions to Commit SHAs and Remove Piper Dependencies

Chore

🔒 Security Hardening: Pins all GitHub Actions to specific commit SHAs instead of mutable version tags, removes the SAP/project-piper-action dependency, replaces it with direct tool invocations, and enforces minimal permissions across all workflows.

Changes

• .github/actions/build/action.yml: Pins actions/setup-java and stCarolas/setup-maven to commit SHAs. Replaces the SAP/project-piper-action Maven build step with a direct mvn clean install command.

• .github/actions/deploy-release/action.yml: Pins actions/setup-java and stCarolas/setup-maven to commit SHAs. Removes the debug "Echo Inputs" step that printed sensitive values.

• .github/actions/integration-tests/action.yml: Pins actions/setup-java and stCarolas/setup-maven to commit SHAs.

• .github/actions/newrelease/action.yml: Pins actions/setup-java and stCarolas/setup-maven to commit SHAs.

• .github/actions/scan-with-blackduck/action.yml: Pins action dependencies to SHAs. Replaces the SAP/project-piper-action BlackDuck step with a direct detect9.sh script invocation using explicit, scoped environment variables instead of secrets: inherit.

• .github/actions/scan-with-sonar/action.yml: Pins action dependencies to SHAs. Replaces the SAP/project-piper-action SonarQube step with a direct mvn sonar-maven-plugin:sonar invocation. Removes debug Print Revision step.

• .github/actions/test-sample/action.yml: Adds java-version and maven-version inputs. Pins actions/setup-java (upgraded from v4 to v5 SHA) and stCarolas/setup-maven to commit SHAs.

• .github/dependabot.yml: Adds open-pull-requests-limit: 5 for GitHub Actions updates.

• .github/workflows/issue.yml, prevent-issue-labeling.yml, stale.yml: Moves permissions from workflow level to job level (permissions: {} at top, specific grants per job).

• .github/workflows/main.yml, pipeline.yml, pr.yml, release.yml: Adds permissions: read-all at the workflow level. Pins all actions/checkout, actions/upload-artifact, actions/download-artifact, and github/codeql-action steps to commit SHAs. Replaces secrets: inherit with explicit, enumerated secret passing. Removes the deploy-snapshot job/input from the reusable pipeline.

• .pipeline/config.yml: Removed entirely as the Piper configuration is no longer needed.

• 🔄 Regenerate and Update Summary

PR Bot Information

Version: 1.20.37

• Correlation ID: 682ae9d7-451b-4e5a-a603-5f1617ab08a3
• Event Trigger: pull_request.opened
• Output Template: Default Template
• LLM: anthropic--claude-4.6-sonnet
• Summary Prompt: Default Prompt
• File Content Strategy: Full file content

[hyperspace-insights]

This PR makes good security improvements — pinning all GitHub Actions to full commit SHAs, moving permissions to the job level with least-privilege defaults, and replacing the Piper abstraction layer with direct tool invocations. The main issues to address are: the SonarQube token being interpolated directly into the shell command line (a secret exposure risk), the removal of include-hidden-files: true from the release artifact uploads (which may break downstream jobs), and the unauthenticated remote script execution in the BlackDuck step.

PR Bot Information

Version: 1.20.37

• Correlation ID: 682ae9d7-451b-4e5a-a603-5f1617ab08a3
• Event Trigger: pull_request.opened
• LLM: anthropic--claude-4.6-sonnet
• File Content Strategy: Full file content
• Agent Instructions:
  • CLAUDE.md