ci: Updated for GHA best practices (#196)

* Updated for GHA best practices Signed-off-by: Roger Barker <[email protected]> * Updated code owners file to scope lock root level codeowners file Signed-off-by: Roger Barker <[email protected]> --------- Signed-off-by: Roger Barker <[email protected]>
hashgraph · Jun 6, 2024 · 6e3d988 · 6e3d988
1 parent 5d48335
commit 6e3d988
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 10 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,34 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below
+*                                              @hashgraph/developer-advocates
+
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/                             @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/developer-advocates
+**/LICENSE                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Gradle project files and inline plugins
+/gradle/                                        @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+gradlew                                         @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+gradlew.bat                                     @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/build-logic/                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/gradle.*                                     @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/*.gradle.*                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/developer-advocates
+**/.gitignore.*                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/developer-advocates
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -11,11 +11,18 @@ on:
       - v*
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   # Push image to GitHub Packages.
   # See also https://docs.docker.com/docker-hub/builds/
   build_docker_images:
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
       - name: Set version
         run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV
@@ -33,7 +40,7 @@ jobs:
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
       - name: Build java node image
         run: docker build . --file Dockerfile --tag ghcr.io/${{ github.repository }}/hedera_nft_auction_java_node:latest --tag ghcr.io/${{ github.repository }}/hedera_nft_auction_java_node:$VERSION --tag ghcr.io/${{ github.repository }}/hedera_nft_auction_java_node:$DATETIME --label "runnumber=${GITHUB_RUN_ID}"

diff --git a/.github/workflows/system-test.yml b/.github/workflows/system-test.yml
@@ -8,14 +8,21 @@ on:
     branches: [ master ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   build:
 
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
 
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             ~/hedera-nft-auction-demo-java-node/.gradle/caches
@@ -24,7 +31,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gradle-`
       - name: Set up JDK 14
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           java-version: '14'
           distribution: 'adopt'

diff --git a/.github/workflows/unit-integration-test.yml b/.github/workflows/unit-integration-test.yml
@@ -8,15 +8,22 @@ on:
   pull_request:
      branches: [ master ]
 
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   build:
 
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
-    - uses: actions/cache@v2
+    - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         path: |
           ~/hedera-nft-auction-demo-java-node/.gradle/caches
@@ -26,7 +33,7 @@ jobs:
           ${{ runner.os }}-gradle-`
 
     - name: Set up JDK 14
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
       with:
         java-version: '14'
         distribution: 'adopt'