diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
index fda9f4ee5..23481b545 100644
--- a/.github/workflows/_meta-build.yaml
+++ b/.github/workflows/_meta-build.yaml
@@ -17,6 +17,8 @@ on:
 registry-0-psw:
 required: true
+permissions: { }
+
 jobs:
 build-java:
 runs-on: ubuntu-latest
@@ -56,6 +58,8 @@ jobs:
 build-container:
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required to upload trivy's SARIF output
 needs:
 - build-java
 steps:
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 43874d183..2456500d9 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -16,12 +16,16 @@ on:
 - 'docs/**'
 workflow_dispatch:
+permissions: { }
+
 jobs:
 call-build:
 uses: ./.github/workflows/_meta-build.yaml
 with:
 app-version: "snapshot"
 publish-container: ${{ github.ref == 'refs/heads/main' }}
+ permissions:
+ security-events: write # Required to upload trivy's SARIF output
 secrets:
 registry-0-usr: ${{ github.repository_owner }}
 registry-0-psw: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
index a9cd65ada..89cc44f9d 100644
--- a/.github/workflows/ci-publish.yaml
+++ b/.github/workflows/ci-publish.yaml
@@ -8,6 +8,8 @@ on:
 - released
 workflow_dispatch:
+permissions: { }
+
 jobs:
 read-version:
 runs-on: ubuntu-latest
@@ -36,6 +38,8 @@ jobs:
 with:
 app-version: ${{ needs.read-version.outputs.version }}
 publish-container: true
+ permissions:
+ security-events: write # Required to upload trivy's SARIF output
 secrets:
 registry-0-usr: ${{ github.repository_owner }}
 registry-0-psw: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
index 26d826385..3ac7f2423 100644
--- a/.github/workflows/ci-release.yaml
+++ b/.github/workflows/ci-release.yaml
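Review bot: `security-events: write` is the only scope build-container keeps now that the workflow-level `permissions: { }` sets everything else to none, and the job's steps lie outside the hunk; if the image push authenticates to GHCR with the `registry-0-psw` secret that ci-build.yaml and ci-publish.yaml fill with `secrets.GITHUB_TOKEN`, that push needs `packages: write`, which no hunk in this diff grants. Because a called workflow can only narrow the scopes its caller passes, the grant has to appear both here and on the `permissions:` of the `call-build` jobs in the ci-build.yaml and ci-publish.yaml hunks, e.g. `packages: write # Required to push the image with GITHUB_TOKEN` beneath `security-events: write`. On private repositories the SARIF upload additionally needs `actions: read`, and checkout needs `contents: read`; worth confirming against the steps that follow.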
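Review bot: The inline comment on the added `security-events: write` line has a single space before `#`; yamllint's `comments` rule expects at least two, `security-events: write  # Required to upload trivy's SARIF output`. The same spacing appears on the equivalent lines in the _meta-build.yaml and ci-publish.yaml hunks and in lock.yaml's job-level block. `permissions: { }` is valid, but `permissions: {}` is the conventional spelling of an empty flow mapping and what Prettier emits, so consider normalising it across all six workflow files in one go.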
@@ -9,6 +9,8 @@ on:
 description: 'Use this to overwrite the version number to release, otherwise uses the current SNAPSHOT version (expected format x.y.z)'
 type: string
+permissions: { }
+
 jobs:
 prepare-release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
index 76a608946..a0f5e0eca 100644
--- a/.github/workflows/ci-test.yaml
+++ b/.github/workflows/ci-test.yaml
@@ -24,6 +24,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions: { }
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index ad0451732..37193f893 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -2,8 +2,7 @@ name: Dependency Review
 on:
 pull_request:
-permissions:
- contents: read
+permissions: { }
 jobs:
 dependency-review:
diff --git a/.github/workflows/lock.yaml b/.github/workflows/lock.yaml
index c097e6b20..dc348df7d 100644
--- a/.github/workflows/lock.yaml
+++ b/.github/workflows/lock.yaml
@@ -4,13 +4,14 @@ on:
 schedule:
 - cron: '0 10 * * *'
-permissions:
- issues: write
- pull-requests: write
+permissions: { }
 jobs:
 action:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write # Required to lock issues
+ pull-requests: write # Required to lock PRs
 # don't run on forks
 if: ${{ contains(github.repository, 'DependencyTrack/') }}
 steps:
diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile
index 49af4bc75..ecd86f9d9 100644
--- a/src/main/docker/Dockerfile
+++ b/src/main/docker/Dockerfile
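Review bot: `permissions: { }` leaves every job in ci-release.yaml with a token that can only read repository metadata, and since this is the commit's only hunk in the file no job-level grant is added in return; prepare-release's body lies outside the hunk, but a job that prepares a release from a `workflow_dispatch` version input presumably commits or tags with `GITHUB_TOKEN`, which would now require `permissions:` / `contents: write` on that job. The ci-test.yaml hunk and the read-version job in ci-publish.yaml are in the same position: an empty grant is fine if their steps only check out a public repository, otherwise a job-level `contents: read` is needed. Worth confirming against each job's steps before merging.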
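Review bot: Replacing `contents: read` with `permissions: { }` drops the one scope the dependency review action documents as required for reading the pull request's dependency diff, and the hunk header (8 lines to 7) shows no job-level grant added in its place; the dependency-review job's body continues outside the hunk. Unless that job already carries its own `permissions:` block, move the scope down rather than removing it: `permissions:` / `contents: read # Required to read the dependency graph diff` under `dependency-review:`, matching how the lock.yaml hunk in this same commit relocates its scopes to the job.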
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:17.0.8.1_1-jre-focal@sha256:bed33979fe79ff4448686ca4074b43b87a8ea26f80cb3d6a9873634c4098ddfb AS jre-build
+FROM eclipse-temurin:21_35-jre-jammy@sha256:82685ae01f788128caf3e0085e4fde21b9d1815dbbd3263082804d1de26f309c AS jre-build
 FROM debian:stable-slim@sha256:4255c9f8a4d6e66488adc0c2084c99df44bda22849b21b3afc0e9746e9a0be18