Skip to content

[StepSecurity] Apply security best practices#481

Merged
cx-yevgeny-kuznetsov merged 1 commit into
mainfrom
chore/GHA-291953-stepsecurity-remediation
May 30, 2026
Merged

[StepSecurity] Apply security best practices#481
cx-yevgeny-kuznetsov merged 1 commit into
mainfrom
chore/GHA-291953-stepsecurity-remediation

Conversation

@stepsecurity-app

Copy link
Copy Markdown
Contributor

Summary

This pull request has been generated by StepSecurity as part of your enterprise subscription to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements.

Security Fixes

Pinned Dependencies

Pinning GitHub Actions to specific versions or commit SHAs ensures that your workflows remain consistent and secure.
Unpinned actions can lead to unexpected changes or vulnerabilities caused by upstream updates.

StepSecurity Maintained Actions

Risky GitHub Actions can expose your project to potential security risks. Risky actions have been replaced with StepSecurity maintained actions, that are secure drop-in replacements.

Feedback

For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo or contact us via our website.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@stepsecurity-app

Copy link
Copy Markdown
Contributor Author

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (stepsecurity-app[bot]) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@stepsecurity-app

Copy link
Copy Markdown
Contributor Author

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (stepsecurity-app[bot]) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@cx-yevgeny-kuznetsov
cx-yevgeny-kuznetsov merged commit 814a504 into main May 30, 2026
5 of 6 checks passed
@cx-yevgeny-kuznetsov
cx-yevgeny-kuznetsov deleted the chore/GHA-291953-stepsecurity-remediation branch May 30, 2026 01:26
cx-atish-jadhav added a commit that referenced this pull request Jul 13, 2026
commit 8e107dc
Author: Atish Jadhav <atish.jadhav@checkmarx.com>
Date:   Tue Jun 23 19:34:27 2026 +0530

    security: fix SCA vulnerability for JUnit (#488)

    Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>

commit 06dafaa
Author: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>
Date:   Mon Jun 22 12:37:18 2026 +0100

    security: harden release workflow and declare workflow_call secrets (#487)

    * security: harden release workflow and declare workflow_call secrets

    - Replace actions/checkout v4.3.1 with v6.0.3 and switch from PERSONAL_ACCESS_TOKEN to GITHUB_TOKEN
    - Fix script injection in Download CLI, Tag, Update POM, Build artifactId, and Publish steps by moving inputs to env vars
    - Replace deprecated ::set-output with $GITHUB_OUTPUT in Tag step
    - Update actions/setup-java v4.3.0 to v5.2.0
    - Add explicit secrets declaration for workflow_call (MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, OSSRH_TOKEN, OSSRH_USERNAME)
    - Fix broken shell conditional in Build artifactId property step

    * chore(gha): harden GitHub Actions workflows security

    * chore(gha): disable nightly trigger and remove pr-labeler workflow

    * chore(gha): configure echo mirror for Maven dependency resolution

commit 6661e60
Author: Atish Jadhav <141334503+cx-atish-jadhav@users.noreply.github.com>
Date:   Thu Jun 18 22:49:44 2026 +0530

    Updating ast-cli version and binaries 2.3.54 (#485)

    * Updating ast-cli version and binaries

    * Harden workflows: scope permissions, fix set-output, replace dev-drprasad, remove repository_dispatch, comment notify and spotbugs

    * Remove Maven cache from release and CI workflows

    * Add publish input to gate Maven Central deploy

    ---------

    Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>

commit 06b449c
Author: Alon Rosenhek <80337069+cx-alon-rosenhek@users.noreply.github.com>
Date:   Thu Jun 18 16:57:16 2026 +0300

    chore: remove .github/workflows/dependabot-auto-merge.yml

commit 6fb3166
Author: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Date:   Wed Jun 10 17:39:51 2026 +0300

    chore: remove Dependabot configuration

commit 814a504
Author: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date:   Fri May 29 21:25:57 2026 -0400

    [StepSecurity] Apply security best practices (#481)

    Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
    Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant