Pipeline Security Hardening

.github/actions/build/action.yml

@@ -8,33 +8,22 @@ inputs:
   maven-version:
     description: The Maven version the build will run with.
     required: true
-  mutation-testing:
-    description: Whether to run mutation testing or not.
-    default: 'true'
-    required: false
 
 runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 
-    - name: Piper Maven build
-      uses: SAP/project-piper-action@main
-      with:
-        step-name: mavenBuild
-        docker-image: ''
-
-    - name: Mutation Testing
-      if: ${{ inputs.mutation-testing == 'true' }}
-      run: mvn org.pitest:pitest-maven:mutationCoverage -f cds-feature-attachments/pom.xml -ntp -B
+    - name: Maven Build
+      run: mvn clean install -DskipTests -B -ntp
       shell: bash

.github/actions/deploy-release/action.yml

@@ -27,14 +27,8 @@ inputs:
 runs:
   using: composite
   steps:
-    - name: Echo Inputs
-      run: |
-        echo "user: ${{ inputs.user }}"
-        echo "revision: ${{ inputs.revision }}"
-      shell: bash
-
     - name: Set up Java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: sapmachine
         java-version: '17'
@@ -44,7 +38,7 @@ runs:
         server-password: MAVEN_CENTRAL_PASSWORD
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 

.github/actions/integration-tests/action.yml

@@ -11,19 +11,22 @@ inputs:
   test-type:
     description: 'Which integration test to run: build-version, latest-version, or oss'
     required: true
+  auth-method:
+    description: 'Authentication method: basic or mtls'
+    required: true
 
 runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Setup Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 

.github/actions/newrelease/action.yml

@@ -13,14 +13,14 @@ runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 

.github/actions/scan-with-blackduck/action.yml

@@ -24,35 +24,40 @@ runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 
-    - name: Get Major Version
-      id: get-major-version
+    - name: Get Revision
+      id: get-revision
       run: |
         echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
       shell: bash
 
-    - name: Print Version Number
-      run: echo "${{ steps.get-major-version.outputs.REVISION }}"
+    - name: BlackDuck Detect Scan
+      run: |
+        bash <(curl -s -L https://detect.synopsys.com/detect9.sh) \
+          --blackduck.url=https://sap.blackducksoftware.com/ \
+          --blackduck.api.token="${BLACKDUCK_TOKEN}" \
+          --detect.project.name=com.sap.cds.feature.attachments \
+          --detect.project.version.name="${REVISION}" \
+          --detect.included.detector.types=MAVEN \
+          --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/**' \
+          --detect.maven.excluded.modules=integration-tests,integration-tests/db,integration-tests/generic,integration-tests/mtx-local/srv \
+          --detect.maven.build.command='-pl com.sap.cds:cds-feature-attachments' \
+          --detect.tools=DETECTOR,BINARY_SCAN \
+          --detect.blackduck.scan.mode="${SCAN_MODE}" \
+          --detect.risk.report.pdf=false \
+          --logging.level.detect=INFO
       shell: bash
-
-    - name: BlackDuck Scan
-      uses: SAP/project-piper-action@main
-      with:
-        step-name: detectExecuteScan
-        flags: \
-          --githubToken=$GITHUB_token \
-          --version=${{ steps.get-major-version.outputs.REVISION }}
       env:
-        PIPER_token: ${{ inputs.blackduck_token }}
-        GITHUB_token: ${{ inputs.github_token }}
+        BLACKDUCK_TOKEN: ${{ inputs.blackduck_token }}
         SCAN_MODE: ${{ inputs.scan_mode }}
+        REVISION: ${{ steps.get-revision.outputs.REVISION }}

.github/actions/scan-with-codeql/action.yml

@@ -0,0 +1,40 @@
+name: CodeQL Analysis
+description: Runs CodeQL security analysis on the project.
+
+inputs:
+  java-version:
+    description: The Java version to use for the build.
+    required: true
+  maven-version:
+    description: The Maven version to use for the build.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Java ${{ inputs.java-version }}
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+      with:
+        java-version: ${{ inputs.java-version }}
+        distribution: sapmachine
+        cache: maven
+
+    - name: Set up Maven ${{ inputs.maven-version }}
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
+      with:
+        maven-version: ${{ inputs.maven-version }}
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
+      with:
+        languages: java-kotlin
+        build-mode: manual
+
+    - name: Build Java code
+      run: mvn clean compile -B -ntp
+      shell: bash
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
+      with:
+        category: "/language:java-kotlin"

.github/actions/scan-with-sonar/action.yml

@@ -20,14 +20,14 @@ runs:
 
   steps:
     - name: Set up Java ${{inputs.java-version}}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{inputs.java-version}}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{inputs.maven-version}}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{inputs.maven-version}}
 
@@ -37,10 +37,6 @@ runs:
         echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
       shell: bash
 
-    - name: Print Revision
-      run: echo "${{steps.get-revision.outputs.REVISION}}"
-      shell: bash
-
     - name: Build project for SonarQube scan
       run: |
         mvn clean verify -ntp -B
@@ -66,12 +62,18 @@ runs:
       shell: bash
 
     - name: SonarQube Scan
-      uses: SAP/project-piper-action@main
-      with:
-        step-name: sonarExecuteScan
-        flags: >
-          --token=${{ inputs.sonarq-token }}
-          --githubToken=${{ inputs.github-token }}
-          --version=${{ steps.get-revision.outputs.REVISION }}
-          --inferJavaBinaries=true
-          --options=-Dsonar.exclusions=**/samples/**,-Dsonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml
+      run: >
+        mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+        -Dsonar.host.url=https://sonar.tools.sap
+        -Dsonar.token=${{ inputs.sonarq-token }}
+        -Dsonar.projectKey=cds-feature-attachments
+        -Dsonar.projectVersion=${{ steps.get-revision.outputs.REVISION }}
+        -Dsonar.qualitygate.wait=true
+        -Dsonar.java.source=17
+        -Dsonar.exclusions=**/samples/**
+        -Dsonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml
+        -Dsonar.coverage.exclusions=cds-feature-attachments/src/test/**,cds-feature-attachments/src/gen/**,storage-targets/cds-feature-attachments-fs/src/test/**,storage-targets/cds-feature-attachments-oss/src/test/**
+        -B -ntp
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}

.github/actions/test-sample/action.yml

@@ -1,18 +1,26 @@
 name: 'Test Sample'
 description: 'Compile sample and run tests'
 
+inputs:
+  java-version:
+    description: The Java version the build shall run with.
+    required: true
+  maven-version:
+    description: The Maven version the build shall run with.
+    required: true
+
 runs:
   using: 'composite'
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 
@@ -29,4 +37,4 @@ runs:
     - name: Run tests
       shell: bash
       working-directory: samples/bookshop
-      run: mvn test
+      run: mvn test

.github/dependabot.yml

@@ -5,10 +5,8 @@ updates:
       - "/"
     schedule:
       interval: weekly
-    ignore:
-      - dependency-name: "com.sap.cds:*"
-        versions:
-          - ">=4"
+    cooldown:
+      default-days: 7
     groups:
       minor-patch:
         patterns:
@@ -21,6 +19,8 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
     groups:
       minor-patch:
         patterns:

.github/workflows/issue.yml

@@ -1,7 +1,6 @@
 name: Label issues
 
-permissions:
-  issues: write
+permissions: {}
 
 on:
   issues:
@@ -11,6 +10,8 @@ on:
 jobs:
   label_issues:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - run: gh issue edit "$NUMBER" --add-label "$LABELS"
         env:
@@ -19,12 +20,12 @@ jobs:
           NUMBER: ${{ github.event.issue.number }}
           LABELS: New
 
-      - uses: actions/github-script@v9
+      - uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
         with:
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: `👋 Hello @${context.payload.issue.user.login}, thank you for submitting this issue. Our team is reviewing your report and will follow up with you as soon as possible.`
-            })
+            })

.github/workflows/main.yml

@@ -1,5 +1,11 @@
 name: CI - MAIN
 
+permissions:
+  actions: read
+  contents: read
+  packages: read
+  security-events: write
+
 env:
   MAVEN_VERSION: '3.9.12'
 
@@ -15,7 +21,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Scan With Black Duck
         uses: ./.github/actions/scan-with-blackduck
@@ -27,6 +33,4 @@ jobs:
 
   build-and-test:
     uses: ./.github/workflows/pipeline.yml
-    with:
-      deploy-snapshot: true
-    secrets: inherit
+    secrets: inherit