ci: harden CI pipeline for external/fork PRs (GTI-846)#27
Merged
Conversation
- Add least-privilege permissions (contents: read) to build.yml - Add concurrency groups to cancel superseded runs in build, early-access, and release workflows - Pin all third-party actions to immutable commit SHAs - Remove styfle/cancel-workflow-action in favour of native concurrency blocks - Use jreleaser/release-action 2.5.0 tag SHA instead of mutable v2 branch ref Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
🛡️ Jit Security Scan Results
✅ No security findings were detected in this PR
Security scan by Jit
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
- Add actions: write to build, early-access, and release workflows so actions/upload-artifact can write artifacts when permissions are explicit - Pin jreleaser/release-action to 2.5.0 tag SHA (90ac653) in release.yml, matching early-access.yml (was still pointing at mutable v2 branch ref) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- style: spotlessCheck only — fast (~30s), no Docker, runs independently - compile: assemble only — fast fail gate before heavier jobs - test: :core:test — unit tests (testcontainers/Redis), gated on compile - spotbugs: :core:spotbugsMain — static analysis, runs in parallel with test Mirrors the multi-job structure already used in redis-om-spring. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 7fc85a4. Configure here.
langchain4j-vcr and spring-ai-vcr tests use PLAYBACK mode with pre-recorded cassettes — no API key needed, safe to run in CI. rag-multimodal tests are excluded as they require live API keys (OpenAI, LangCache etc). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
permissions: contents: readonbuild.yml— explicit least-privilege for fork PR runs; no secrets are accessible to untrusted codebuild.yml,early-access.yml, andrelease.yml— superseded runs are cancelled automatically (cancel-in-progress: falseon release to avoid mid-publish interruption)@v4/@v2tags with immutable commit SHAs across all four workflows; a compromised tag can no longer silently swap action codestyfle/cancel-workflow-actioninearly-access.ymlandrelease.yml— replaced with nativeconcurrencyblocks; eliminates an extra third-party dependency and the PAT it requiredjreleaser/release-actionpinned to2.5.0tag SHA (90ac653) instead of the mutablev2branch refAcceptance criteria (GTI-846)
Manual step required (cannot be done via YAML)
Enable Settings → Actions → General → Fork pull request workflows → "Require approval for first-time contributors" to gate workflow runs from first-time external contributors behind maintainer approval.
🤖 Generated with Claude Code
Note
Medium Risk
PR validation scope changed from full
buildto explicit Gradle targets, so coverage gaps are possible if modules were previously picked up only by the monolithic task.Overview
Hardens GitHub Actions for fork/untrusted PRs and supply-chain risk:
build.ymlnow declares least-privilegepermissions(contents: read,actions: writefor artifacts), concurrency that cancels superseded PR runs, and commit-SHA–pinned third-party actions instead of mutable@v4/@v2tags.The PR build is no longer one
./gradlew buildjob—it’s split intostyle(Spotless),compile(assemble),test(after compile::core:testplus demo VCR modules), andspotbugsin parallel after compile; failed-test artifact paths point at those module report dirs.early-access.ymlandrelease.ymldropstyfle/cancel-workflow-action(and its PAT) in favor of native concurrency; release keepscancel-in-progress: falseso publishes aren’t interrupted.docs.yml(and release/early-access) get the same SHA pinning; JReleaser is pinned to the 2.5.0 action SHA.Maintainers still need the repo setting to require approval for first-time contributors on fork workflows—that’s called out as outside YAML.
Reviewed by Cursor Bugbot for commit e0b57ae. Bugbot is set up for automated code reviews on this repo. Configure here.