This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch gha/v0
in repository https://gitbox.apache.org/repos/asf/logging-parent.git
The following commit(s) were added to refs/heads/gha/v0 by this push:
new 71b09eb Remove Develocity and OSSH Scorecards (#468)
71b09eb is described below
commit 71b09eb2a1dfd4999f399ec10b75c3238613fafd
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Sat May 2 19:37:13 2026 +0200
Remove Develocity and OSSH Scorecards (#468)
---
.github/workflows/build-reusable.yaml | 44 ---------------
.github/workflows/codeql-analysis.yaml | 56 ++++++++++++++++++
.../workflows/scorecards-analysis-reusable.yaml | 66 ----------------------
3 files changed, 56 insertions(+), 110 deletions(-)
diff --git a/.github/workflows/build-reusable.yaml
b/.github/workflows/build-reusable.yaml
index d9363e8..315b9e8 100644
--- a/.github/workflows/build-reusable.yaml
+++ b/.github/workflows/build-reusable.yaml
@@ -20,10 +20,6 @@ name: build-reusable
on:
workflow_call:
inputs:
- develocity-enabled:
- description: Enable Develocity Build Scan publication
- default: false
- type: boolean
java-version:
description: The Java compiler version
default: 17
@@ -95,38 +91,6 @@ jobs:
java-version: ${{ inputs.java-version }}
cache: maven
- - name: Set up Develocity
- if: inputs.develocity-enabled
- shell: bash
- run: |
- if [ -f .mvn/develocity.xml ]; then
- DEVELOCITY_VERSION=$(./mvnw help:evaluate -q -DforceStdout
-Dexpression=develocity-maven-plugin.version)
- USER_DATA_VERSION=$(./mvnw help:evaluate -q -DforceStdout
-Dexpression=develocity-user-data-extension.version)
- cat >.mvn/extensions.xml <<EOF
- <extensions>
- <extension>
- <groupId>com.gradle</groupId>
- <artifactId>develocity-maven-extension</artifactId>
- <version>$DEVELOCITY_VERSION</version>
- </extension>
- <extension>
- <groupId>com.gradle</groupId>
-
<artifactId>common-custom-user-data-maven-extension</artifactId>
- <version>$USER_DATA_VERSION</version>
- </extension>
- </extensions>
- EOF
- # Print file for debugging purposes
- cat .mvn/extensions.xml
- fi
-
- - name: Setup Develocity Build Scan capture
- if: inputs.develocity-enabled
- # INFRA-approved GHAs:
https://github.com/apache/infrastructure-actions/blob/main/actions.yml
- uses:
gradle/develocity-actions/setup-maven@4a2aed82eea165ba2d5c494fc2a8730d7fdff229
# 2.1
- with:
- develocity-access-key: ${{ secrets.DV_ACCESS_TOKEN }}
-
# We use `install` instead of `verify`, otherwise the build website step
below fails
- name: Build
id: build
@@ -148,14 +112,6 @@ jobs:
**/target/surefire-reports
**/target/logs
- - name: Clean up Develocity
- if: inputs.develocity-enabled
- shell: bash
- run: |
- rm -f .mvn/extensions.xml
- # Clean up changes introduced by
gradle/develocity-actions/maven-setup
- echo "MAVEN_OPTS=" >> "$GITHUB_ENV"
-
# Node.js cache is needed for Antora
- name: Set up Node.js cache
if: inputs.site-enabled
diff --git a/.github/workflows/codeql-analysis.yaml
b/.github/workflows/codeql-analysis.yaml
new file mode 100644
index 0000000..138f15b
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yaml
@@ -0,0 +1,56 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Perform CodeQL analysis of GitHub Actions
+name: codeql-analysis
+
+on:
+ push:
+ branches:
+ - "gha/v0"
+ pull_request:
+ branches:
+ - "gha/v0"
+ schedule:
+ - cron: '32 12 * * 5'
+
+# Drop all permissions (and later explicitly enable ones needed)
+permissions: { }
+
+jobs:
+
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ # Permissions required to publish Security Alerts
+ permissions:
+ security-events: write
+
+ # This branch does not have a `pom.xml` file or any Java source code,
+ # therefore we can not reuse the reusable workflow.
+ steps:
+
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: actions
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
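Review bot: The `Checkout repository` step in the new `codeql-analysis.yaml` leaves credential persistence at its default, so the job token stays in the checked-out repository's git configuration while the CodeQL steps run. The Scorecards workflow deleted in this same commit set it explicitly, and the same two lines fit here under `uses: actions/checkout@v6`: `with:` followed by `persist-credentials: false`. Nothing in the job pushes or fetches after checkout, so the token is not needed on disk. Separately, all three `uses:` entries reference mutable tags (`@v6`, `@v4`), whereas the removed steps pinned their third-party actions to a full commit SHA with the version as a trailing comment. If the project's policy allows tags for `actions/*` and `github/*`, a short comment saying so would explain the difference; otherwise pin them the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v6`.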
diff --git a/.github/workflows/scorecards-analysis-reusable.yaml
b/.github/workflows/scorecards-analysis-reusable.yaml
deleted file mode 100644
index 68764c8..0000000
--- a/.github/workflows/scorecards-analysis-reusable.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: scorecards-analysis
-
-on:
- workflow_call:
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
-
- analysis:
- name: "Scorecards analysis"
- runs-on: ubuntu-latest
- # Permissions required to publish Security Alerts
- permissions:
- security-events: write
-
- steps:
-
- - name: "Checkout code"
- uses: actions/checkout@v6
- with:
- persist-credentials: false
-
- - name: "Run analysis"
- # INFRA-approved GHAs:
https://github.com/apache/infrastructure-actions/blob/main/actions.yml
- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
# 2.4.3
- with:
- results_file: results.sarif
- results_format: sarif
- # A read-only PAT token, which is sufficient for the action to
function.
- # The relevant discussion:
https://github.com/ossf/scorecard-action/issues/188
- repo_token: ${{ secrets.GITHUB_TOKEN }}
- # Publish the results for public repositories to enable scorecard
badges.
- # For more details:
https://github.com/ossf/scorecard-action#publishing-results
- publish_results: true
-
- - name: "Upload artifact"
- uses: actions/upload-artifact@v7
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
-
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v4
- with:
- sarif_file: results.sarif