From 54ff67f16b23ff1b0ab846b6080c0fbb3dbf9569 Mon Sep 17 00:00:00 2001
From: Sascha Peilicke
Date: Thu, 30 Jan 2025 10:04:47 +0100
Subject: [PATCH 1/5] Github Actions: Add GitHub Actions to Dependabot configuration
This commit updates the Dependabot config to include GitHub Actions monitoring alongside Gradle. Both ecosystems are now set to update on a weekly schedule. Minor formatting adjustments were also made for consistency.
---
 .github/dependabot.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e025e5b..0d04011 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 version: 2
 updates:
- - package-ecosystem: "gradle"
- directory: "/" # Location of package manifests
+ - package-ecosystem: gradle
+ directory: "/"
 schedule:
- interval: "weekly"
+ interval: weekly
+ - package-ecosystem: github-actions
+ directory: ".github/"
+ schedule:
+ interval: weekly
From 4dca98c2b34dd7c00a442db3c6d78ccc5db78d23 Mon Sep 17 00:00:00 2001
From: Sascha Peilicke
Date: Thu, 30 Jan 2025 10:07:08 +0100
Subject: [PATCH 2/5] Add GitHub funding configuration
Configure FUNDING.yml to link the repository to the GitHub sponsor account "saschpe". This enables users to support the project financially directly via GitHub Sponsors.
---
 .github/FUNDING.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/FUNDING.yml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..55a61b1
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: saschpe
From 747d526c871aa1bb6f7386542a9519804ca0d5f7 Mon Sep 17 00:00:00 2001
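Review bot: The new `github-actions` entry uses `directory: ".github/"`, while Dependabot's documented directory for this ecosystem is `"/"` (it then scans `.github/workflows` itself); a different path may result in the entry silently matching no workflow files. Suggest `directory: "/"` with a comment such as `# Dependabot scans .github/workflows for this ecosystem`, and confirm from the repository's Dependabot logs that the workflow actions are actually discovered. Dropping the `# Location of package manifests` comment from the gradle entry is harmless, but if the two directories are meant to differ, a one-line note saying why would help the next reader.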
From: Sascha Peilicke
Date: Thu, 30 Jan 2025 10:15:10 +0100
Subject: [PATCH 3/5] GitHub Actions: Update CI trigger conditions for push and pull requests
The workflow now triggers only for pushes to 'main' and ignores changes to specific files like .gitignore, LICENSE, and README.md. Additionally, it triggers on pull requests targeting the 'main' branch, enhancing clarity and efficiency in pipeline execution.
---
 .github/workflows/main.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 991fd49..8d4d089 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,16 @@
 name: Main CI
-on: [ push ]
+
+ on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - .gitignore
+ - LICENSE
+ - README.md
+ pull_request:
+ branches:
+ - main
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
From 31c6ef4d217095364a55bca17544bc0f0ac8f533 Mon Sep 17 00:00:00 2001
From: Sascha Peilicke
Date: Thu, 30 Jan 2025 16:16:32 +0100
Subject: [PATCH 4/5] GitHub Actions: Update workflow dependencies to specific commit hashes
Pin GitHub Actions dependencies to specific commit hashes for improved stability and security. Also, upgrade Python version to 3.13, update MobSF/mobsfscan to v0.4.5, and adjust MobSF and CodeQL actions for consistency. These changes ensure reproducibility and align with the latest recommended practices.
---
 .github/workflows/main.yml | 14 +++++++-------
 .github/workflows/scorecard.yml | 10 +++++-----
 .github/workflows/security.yml | 14 +++++++-------
 3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8d4d089..1028b3d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
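Review bot: `paths-ignore` is applied only under `push`, so a docs-only pull request still runs the full pipeline while the same commit pushed to `main` does not; if that asymmetry is intended, a comment above `pull_request:` such as `# PRs always run the full pipeline; the docs-only skip applies to pushes` would spare the next reader a question. Note also that a push touching only the three listed files produces no check run on `main`, which matters if a required status check is configured on that branch.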
@@ -23,9 +23,9 @@ jobs:
 spotless:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
 with:
 distribution: temurin
 java-version: 21
@@ -35,9 +35,9 @@ jobs:
 build:
 runs-on: macos-14
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up JDK 21
- uses: actions/setup-java@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 distribution: temurin
 java-version: 21
@@ -45,7 +45,7 @@ jobs:
 run: ./gradlew build
 - name: Archive build artifacts
 if: github.ref == 'refs/heads/main'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
 with:
 name: log4k_build
 path: |
@@ -65,12 +65,12 @@ jobs:
 SONATYPE_GPG_KEY: ${{ secrets.SONATYPE_GPG_KEY }}
 SONATYPE_GPG_KEY_PASSWORD: ${{ secrets.SONATYPE_GPG_KEY_PASSWORD }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: refs/heads/main
 fetch-depth: 0
 - name: Set up JDK 21
- uses: actions/setup-java@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 distribution: temurin
 java-version: 21
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 21ee262..f3677e7 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
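Review bot: In the `build` hunk (`@@ -35`) and in the `@@ -65` hunk (the job carrying the SONATYPE env), the `Set up JDK 21` step now reads `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` in place of `actions/setup-java@v4`, so those jobs no longer install a JDK and hand `distribution`/`java-version` to an action that has no such inputs. The `spotless` job in the first hunk shows the intended replacement; both lines should be `uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0`. The job in the `@@ -65` hunk begins before the hunk and its step list continues past it.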
@@ -3,8 +3,8 @@ on:
 # For Branch-Protection check. Only the default branch is supported. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
 branch_protection_rule:
- # To guarantee Maintained check is occasionally updated. See
- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ # To guarantee, Maintained check is occasionally updated.
+ # See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 schedule:
 - cron: '30 14 * * 6'
 push:
@@ -22,17 +22,17 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@ #
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
 - name: "Upload artifact"
- uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
 with:
 name: SARIF file
 path: results.sarif
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index c42d1a4..386b655 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
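Review bot: `uses: ossf/scorecard-action@ #` in the "Run analysis" step has an empty ref and an empty version comment, so the workflow cannot resolve the action and the job fails; the removed line was `uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1`. Either keep that pin or fill in the full commit SHA of the intended newer release with its tag in the trailing comment, as the other pinned steps in this hunk do: `uses: ossf/scorecard-action@<full-commit-sha> # vX.Y.Z`. In the first hunk the reworded comment `# To guarantee, Maintained check is occasionally updated.` gains a stray comma; the original wording without it reads correctly.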
@@ -15,22 +15,22 @@ jobs:
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- name: Setup Python 3.10
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Setup Python 3.13
 uses: actions/setup-python@v4
 with:
- python-version: '3.11'
+ python-version: '3.13'
 - name: Run mobsfscan
- uses: MobSF/mobsfscan@0.3.4
+ uses: MobSF/mobsfscan@0.4.5
 with:
 args: . --sarif --output results.sarif || true
 - name: Upload mobsfscan report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: results.sarif
 gradle-validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: gradle/wrapper-validation-action@v1
\ No newline at end of file
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: gradle/actions/wrapper-validation@v4
From 556bb403a41bc822d82d4c97bf6998457cc6af41 Mon Sep 17 00:00:00 2001
From: Sascha Peilicke
Date: Thu, 30 Jan 2025 16:16:44 +0100
Subject: [PATCH 5/5] Update Kotlin version to 2.1.10
Upgraded the Kotlin version from 2.1.0 to 2.1.10 in the dependencies file. This ensures compatibility with the latest features and fixes in the Kotlin release.
---
 gradle/libs.versions.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 3fe4095..2863bd0 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -6,7 +6,7 @@ compose = "1.7.3"
 gradle-android = "8.7.3"
 jacoco = "0.8.11"
 java = "21"
-kotlin = "2.1.0"
+kotlin = "2.1.10"
 ktlint = "1.3.1"
 log4k-demo = "1.0.0"
 mockk = "1.13.16"
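Review bot: Only `actions/checkout` is pinned to a commit SHA in this file; `actions/setup-python@v4`, `MobSF/mobsfscan@0.4.5`, `github/codeql-action/upload-sarif@v3` and `gradle/actions/wrapper-validation@v4` stay on mutable tags, which is at odds with the commit's stated goal, and the unpinned upload step is the one that runs with `security-events: write`. Pin each to its release commit in the same style, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3.x.y`, and let the new Dependabot `github-actions` entry keep the version comments current. The enclosing job begins before this hunk, and a blank line between the two jobs appears to be lost in this view.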