Update actions in GH build

Old actions use deprecated node 12 - cache v2 -> v3 - checkout v2 -> v3 - download-artifact v2 -> v3 - setup-java v2 -> v3 - disable access to GITHUB_TOKEN - don't store credentials with checkout - don't execute build for PR from local repository branches - we have build on push event
apache · Nov 16, 2022 · a6b1ebb · a6b1ebb
1 parent fa15fcf
commit a6b1ebb
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 9 deletions.
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -19,8 +19,15 @@ name: Java CI
 
 on: [push, pull_request]
 
+# clear all permissions for GITHUB_TOKEN
+permissions: {}
+
 jobs:
   build:
+
+    # execute on any push or pull request from forked repo
+    if: github.event_name == 'push' || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork )
+
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macOS-latest]
@@ -29,8 +36,11 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-java@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-java@v3
         with:
           java-version: 8
           distribution: 'temurin'
@@ -40,7 +50,7 @@ jobs:
         run: mvn verify -e -B -V -DdistributionFileName=apache-maven
 
       - name: Upload built Maven
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
           name: built-maven
@@ -89,28 +99,30 @@ jobs:
           echo "REPO_USER=$target_user" >> $GITHUB_ENV
 
       - name: Checkout maven-integration-testing
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: ${{ env.REPO_USER }}/maven-integration-testing
           path: maven-integration-testing/
           ref: ${{ env.REPO_BRANCH }}
+          persist-credentials: false
+
 
       - name: Set up cache for ~/.m2/repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/.m2/repository
           key: it-m2-repo-${{ matrix.os }}-${{ hashFiles('maven-integration-testing/**/pom.xml') }}
           restore-keys: |
             it-m2-repo-${{ matrix.os }}-
 
       - name: Download built Maven
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: built-maven
           path: built-maven/
 
       - name: Set up JDK
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           java-version: ${{ matrix.java }}
           distribution: 'temurin'

diff --git a/.github/workflows/maven_build_itself.yml b/.github/workflows/maven_build_itself.yml
@@ -19,8 +19,15 @@ name: Can Maven build itself
 
 on: [push, pull_request]
 
+# clear all permissions for GITHUB_TOKEN
+permissions: {}
+
 jobs:
   build:
+
+    # execute on any push or pull request from forked repo
+    if: github.event_name == 'push' || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork )
+
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest]
@@ -30,8 +37,11 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-java@v2
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-java@v3
         with:
           java-version: ${{ matrix.java }}
           distribution: 'temurin'