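--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,11 @@
+# Code Owners - Security Protection
+# Any changes to .github folder require approval from these users
+# This enforces that workflow/action changes must be reviewed
+
+# GitHub workflows and actions - Require security team approval
+/.github/workflows/ @vibhutikumar07 @yashmeet29
+/.github/actions/ @vibhutikumar07 @yashmeet29
+
+# All other .github files
+/.github/ @vibhutikumar07 @yashmeet29
+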
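Review bot: The header comment says changes to `.github` "require approval", but a CODEOWNERS file enforces nothing by itself — approval is only required if the default branch's protection rule or ruleset has "Require review from Code Owners" enabled, and an entry whose owners lack write access is silently ignored. The comment should state that dependency so a reader does not assume the control is live, e.g. `# Effective only with "Require review from Code Owners" enabled on the protected branch`. The `/.github/workflows/` and `/.github/actions/` lines are redundant with the catch-all `/.github/` pattern (the last matching pattern wins); keeping them is harmless as long as the owner lists stay identical. Consider a team handle rather than two individual accounts so the rule survives someone leaving, and keep this file itself covered by the same owners so the approval set cannot be edited without review — the `/.github/` pattern already does that.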
10 changes: 8 additions & 2 deletions .github/workflows/cfdeploy.yml
Expand Up @@ -33,7 +33,10 @@ permissions:
jobs:
Deploy:
runs-on: ubuntu-latest
if: ${{ github.event.inputs.workflow_choice == 'Deploy' }}
# Security: Only run Deploy in original repo, not forks
if: |
github.repository == 'cap-java/sdm' &&
github.event.inputs.workflow_choice == 'Deploy'

steps:
- name: Checkout repository 📁
Expand Down Expand Up @@ -129,7 +132,10 @@ jobs:

SnapshotDeploy:
runs-on: ubuntu-latest
if: ${{ github.event.inputs.workflow_choice == 'Snapshot Deploy' }}
# Security: Only run Snapshot Deploy in original repo, not forks
if: |
github.repository == 'cap-java/sdm' &&
github.event.inputs.workflow_choice == 'Snapshot Deploy'

steps:
- name: Checkout repository 📁
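Review bot: The repository guard added to `Deploy` and `SnapshotDeploy` mainly prevents accidental runs in forked copies — a fork never receives this repository's secrets, and for a `workflow_dispatch` job the people who can actually trigger a deploy are those with write access to `cap-java/sdm`, whom this condition does not constrain. If these jobs push with deployment credentials (their step bodies continue below the hunk), the control that matters is a protected environment with required reviewers, as the Maven Central job elsewhere in this PR uses, e.g. `environment: cf-production` on both jobs with the deployment secrets moved into that environment. The hardcoded full name also silently disables deployment after a rename or transfer, which is worth saying in the comment, e.g. `# Hardcoded deliberately: update if the repository is renamed or transferred`.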
2 changes: 2 additions & 0 deletions .github/workflows/internalArticatory.yml
Expand Up @@ -14,6 +14,8 @@ on:
jobs:
build-and-deploy-artifactory:
runs-on: ubuntu-latest
# Security: Only run in original repo, not forks
if: github.repository == 'cap-java/sdm'
permissions:
contents: read
steps:
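Review bot: `github.repository` is the repository the workflow runs in, so on `pull_request` or `pull_request_target` events raised from a fork it still equals `cap-java/sdm`; the added condition only stops runs inside forked copies of the repository, not fork-originated changes. The `on:` block is above this hunk, so whether that distinction matters here cannot be seen — if it includes a PR trigger, the fork filter used elsewhere in this PR (`github.event.pull_request.head.repo.full_name == github.repository`) is the one that is needed. Either way the comment overstates the effect; suggest `# Skip runs in forked copies of this repository (does not filter fork PRs)`.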
15 changes: 15 additions & 0 deletions .github/workflows/main-build-and-deploy-oss.yml
Expand Up @@ -8,10 +8,16 @@ on:
release:
types: [ "released" ]

permissions:
contents: write
packages: write

jobs:

update-version:
runs-on: ubuntu-latest
# Security: Only run in original repo, not forks
if: github.repository == 'cap-java/sdm'
#needs: blackduck
steps:

Expand Down Expand Up @@ -87,6 +93,15 @@ jobs:
name: Deploy to Maven Central
runs-on: ubuntu-latest
needs: build
# Security: Only run in original repo, not forks
if: github.repository == 'cap-java/sdm'
# Require manual approval before deploying to Maven Central
environment:
name: maven-central-production
url: https://central.sonatype.com/
permissions:
contents: read
packages: write
steps:
- name: Download artifact
uses: actions/download-artifact@v7
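Review bot: The new workflow-level `permissions` block grants `contents: write` and `packages: write` to every job that does not override it, including the `build` job this hunk does not show; least privilege is the reverse — `permissions: contents: read` at the top and the write grants only on `update-version` at job level, as `main-build.yml` in this same PR already does. The `environment:` on the Maven Central job only enforces manual approval if `maven-central-production` is configured in repository settings with required reviewers (and ideally a deployment-branch rule), so the comment `# Require manual approval before deploying to Maven Central` should read something like `# Approval is enforced only if the maven-central-production environment has required reviewers configured`. Store the publishing credentials as environment secrets rather than repository secrets so that only this approved job can read them.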
2 changes: 2 additions & 0 deletions .github/workflows/main-build.yml
Expand Up @@ -32,6 +32,8 @@ jobs:
name: Update version
runs-on: ubuntu-latest
needs: [ build ]
# Security: Only run in original repo, not forks
if: github.repository == 'cap-java/sdm'
permissions:
contents: write
packages: write
3 changes: 3 additions & 0 deletions .github/workflows/multiTenancyDeployLocal.yml
Expand Up @@ -18,11 +18,14 @@ on:
default: ''

permissions:
contents: read
pull-requests: read
packages: read # Added permission to read packages

jobs:
deploy:
# Security: Only run in original repo, not forks
if: github.repository == 'cap-java/sdm'
runs-on: ubuntu-latest

steps:
Expand Up @@ -15,7 +15,10 @@ permissions:

jobs:
deploy:
if: github.event.pull_request.merged == true
# Security: Only run if PR merged AND not from a fork
if: |
github.event.pull_request.merged == true &&
github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest

steps:
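Review bot: With a `pull_request` `closed` trigger, the new head-repo condition means a merged PR from a fork is never deployed by this job even though the merge itself was the review gate and the code is now on the target branch; whether that is intended cannot be seen because `on:` is above this hunk. If the goal is to deploy whatever lands on the branch, triggering on `push` to that branch (which always runs with the repository's own secrets, regardless of where the PR came from) needs no fork check at all, whereas keeping this condition is the right call if the trigger is `pull_request_target`. Note also that `head.repo` is null once the fork has been deleted, so the comparison quietly skips such PRs. A comment stating the intended policy would help, e.g. `# Deploy only merged PRs whose head branch lives in this repository (fork PRs are skipped)`.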
Expand Up @@ -10,13 +10,16 @@ on:
workflow_dispatch:

permissions:
contents: read
pull-requests: read
packages: read # Added permission to read packages

jobs:
deploy:
#Run only if the triggering workflow concluded successfully
if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
# Security: Run only if workflow succeeded AND not from a fork
if: |
github.repository == 'cap-java/sdm' &&
(github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch')
runs-on: ubuntu-latest

steps:
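Review bot: For `workflow_run` events this job runs in `cap-java/sdm` with that repository's secrets even when the completed run belonged to a pull request from a fork, so `github.repository == 'cap-java/sdm'` is always true here and does not deliver the "not from a fork" the new comment claims. The origin of the triggering run is exposed as `github.event.workflow_run.head_repository.full_name` (and its trigger as `github.event.workflow_run.event`), so the `workflow_run` branch of the condition should compare that against `github.repository` while leaving the `workflow_dispatch` path as it is. The `on:` block is above this hunk, so confirm the triggering workflow can be started by a PR event before relying on this.
```yaml
    if: |
      github.repository == 'cap-java/sdm' &&
      (github.event_name == 'workflow_dispatch' ||
       (github.event.workflow_run.conclusion == 'success' &&
        github.event.workflow_run.head_repository.full_name == github.repository))
```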
Expand Up @@ -14,7 +14,10 @@ permissions:

jobs:
deploy:
if: github.event.pull_request.merged == true
# Security: Only run if PR merged AND not from a fork
if: |
github.event.pull_request.merged == true &&
github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest

steps:
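Review bot: The head-repo comparison is the correct fork test for a PR event, but its security value depends on the trigger above this hunk: on `pull_request_target` it keeps fork code away from this repository's secrets, whereas on plain `pull_request` a fork run would have had no secrets anyway, and the condition then only means merged fork contributions are never deployed by this job. If that is not intended, a `push` trigger on the target branch deploys merged code regardless of origin; if it is, say so in the comment, e.g. `# Skip PRs whose head branch is in a fork, even after merge`. `head.repo` is null for a deleted fork, which also evaluates to skip.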
Expand Up @@ -16,8 +16,10 @@ permissions:

jobs:
deploy:
# Run only if the triggering workflow concluded successfully
if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
# Security: Run only if workflow succeeded AND not from a fork
if: |
github.repository == 'cap-java/sdm' &&
(github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch')
runs-on: ubuntu-latest

steps:
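Review bot: `github.repository` is the repository in which this `workflow_run`-triggered job executes, so it equals `cap-java/sdm` regardless of whether the completed run came from a fork pull request; the added check cannot implement "not from a fork" for this trigger. The fork origin is carried in the event payload, so the success branch should read `(github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_repository.full_name == github.repository)` with the `workflow_dispatch` alternative left unchanged. The `on:` block sits above this hunk; this matters only if the upstream workflow can be started by a PR event, which should be confirmed.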
5 changes: 5 additions & 0 deletions .github/workflows/singleTenant_integration_test.yml
Expand Up @@ -11,8 +11,13 @@ on:
description: 'Specify the branch to use for integration tests'
required: true

permissions:
contents: read

jobs:
integration-test:
# Security: Only run in original repo, not forks
if: github.repository == 'cap-java/sdm'
runs-on: ubuntu-latest
strategy:
fail-fast: false
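Review bot: The new top-level `permissions: contents: read` and the repository guard are fine, but the branch input whose `description` heads the hunk (its key is above it) is free-form text supplied by whoever dispatches the workflow; if any later step interpolates it as `${{ github.event.inputs.<key> }}` directly inside a `run:` script, that is a script-injection path into a job that presumably holds integration-test credentials, and none of those steps are visible here. Pass it through an environment variable instead — `env: BRANCH: ${{ github.event.inputs.<key> }}` and then `git checkout "$BRANCH"` — so the shell sees a quoted variable rather than spliced text. Since a `workflow_dispatch` run in a fork cannot reach this repository's secrets anyway, the comment would be more precise as `# Skip when running in a forked copy of the repository`.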