From f2fa4af705ae55c3aa6d06d44c5b5da28926607b Mon Sep 17 00:00:00 2001 From: I569192 Date: Mon, 4 May 2026 12:47:17 +0200 Subject: [PATCH 1/8] . --- .github/dependabot.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..9d529cf7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + groups: + github-actions: + patterns: + - "*" + cooldown: + default-days: 7 From 2b07c0a024e73cef18d119966967bdea55253c54 Mon Sep 17 00:00:00 2001 From: I569192 Date: Mon, 4 May 2026 12:54:07 +0200 Subject: [PATCH 2/8] update workflow config --- .github/actions/integration-tests/action.yml | 14 +++++++++++--- .github/workflows/check-changelog.yml | 6 +++++- .github/workflows/issue.yml | 6 +++++- .github/workflows/lint.yml | 16 ++++++++++++---- .github/workflows/prevent-issue-labeling.yml | 4 ++++ .github/workflows/release.yml | 12 ++++++++---- .github/workflows/test.yml | 20 ++++++++++++++++---- 7 files changed, 61 insertions(+), 17 deletions(-) diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml index 738d4c38..7cf258c5 100644 --- a/.github/actions/integration-tests/action.yml +++ b/.github/actions/integration-tests/action.yml 
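Review bot: The `github-actions` entry in the new dependabot.yml uses `directory: "/"`, which as far as I know makes Dependabot scan `.github/workflows` and a root-level `action.yml` only, so the composite action in `.github/actions/integration-tests/action.yml` would not be covered. That file gets SHA-pinned `uses:` lines in the next patch of this series, and those pins would then go stale without update PRs. Consider replacing the single directory with `directories: ["/", "/.github/actions/integration-tests"]` in that entry.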
@@ -41,10 +41,18 @@ runs: - name: Authenticate with Cloud Foundry shell: bash + env: + CF_API: ${{ inputs.CF_API }} + CF_USERNAME: ${{ inputs.CF_USERNAME }} + CF_PASSWORD: ${{ inputs.CF_PASSWORD }} + CF_ORG: ${{ inputs.CF_ORG }} + CF_SPACE: ${{ inputs.CF_SPACE }} run: | echo "::debug::CF_API=${{ inputs.CF_API }}" for i in {1..5}; do - cf login -a ${{ inputs.CF_API }} -u ${{ inputs.CF_USERNAME }} -p ${{ inputs.CF_PASSWORD }} -o ${{ inputs.CF_ORG }} -s ${{ inputs.CF_SPACE }} && break + cf api "$CF_API" && \ + cf auth && \ + cf target -o "$CF_ORG" -s "$CF_SPACE" && break echo "cf login failed, retrying ($i/5)..." sleep 10 if [ "$i" -eq 5 ]; then @@ -53,11 +61,11 @@ runs: fi done - - uses: actions/checkout@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Use Node.js ${{ inputs.NODE_VERSION}} - uses: actions/setup-node@v6 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ inputs.NODE_VERSION }} - run: npm i -g @sap/cds-dk diff --git a/.github/workflows/check-changelog.yml b/.github/workflows/check-changelog.yml index fb1569e0..7e6b57c7 100644 --- a/.github/workflows/check-changelog.yml +++ b/.github/workflows/check-changelog.yml @@ -13,6 +13,10 @@ jobs: name: Check Changelog Action runs-on: ubuntu-latest steps: - - uses: tarides/changelog-check-action@v3 + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + - uses: tarides/changelog-check-action@0189fc7eedec3ef3e9648c713908f6f2a6e99057 # v3 with: changelog: CHANGELOG.md diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml index 42b2d675..438f698e 100644 --- a/.github/workflows/issue.yml +++ b/.github/workflows/issue.yml 
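Review bot: `CF_USERNAME` and `CF_PASSWORD` are exported in the new `env:` block of the "Authenticate with Cloud Foundry" step but never referenced in the script, which reads as dead configuration unless the reader knows that `cf auth` without arguments takes its credentials from exactly those two variables. A comment above the call would record that, for example `# cf auth reads CF_USERNAME / CF_PASSWORD from the environment, keeping the password off the command line`. The retry message still says `cf login failed` although the loop now runs `cf api`, `cf auth` and `cf target`; something like `echo "cf authentication failed, retrying ($i/5)..."` would match. The step's `run:` block continues outside the hunk.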
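Review bot: The pins for `actions/checkout` and `actions/setup-node` in the second action.yml hunk are labelled `# v4`, while the lines they replace used `@v5` and `@v6`, so pinning also moves both actions back a major version. If that downgrade is not intended, pin the commit of the release that was already in use, e.g. `uses: actions/checkout@<full-sha-of-v5-release> # <exact v5 tag>`. The same happens in the lint.yml hunk (`@v6` to `# v4` for both actions) and in the test.yml hunks (`checkout@v5` to `# v4`). Writing the exact release tag in the trailing comment instead of the major alone also makes it possible to check each SHA against its tag during review.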
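Review bot: `egress-policy: audit` in the Harden Runner step added to check-changelog.yml only records outbound connections and blocks none, so the step gives visibility but no enforcement. Once a few runs have produced a baseline, consider `egress-policy: block` together with an `allowed-endpoints:` list, starting with the jobs that hold credentials (release.yml and the integration-test job in test.yml). The same step with the same policy is added in issue.yml, lint.yml, prevent-issue-labeling.yml, release.yml and test.yml.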
@@ -12,6 +12,10 @@ jobs: label-issues: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit - run: gh issue edit "$NUMBER" --add-label "$LABELS" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -19,7 +23,7 @@ jobs: NUMBER: ${{ github.event.issue.number }} LABELS: New - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | github.rest.issues.createComment({ diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index cebfdf35..123e9096 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -17,14 +17,22 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/setup-node@v6 - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 - run: npm i - run: npm run lint prettier: runs-on: ubuntu-latest steps: - - uses: actions/setup-node@v6 - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 - run: npx prettier . --check diff --git a/.github/workflows/prevent-issue-labeling.yml b/.github/workflows/prevent-issue-labeling.yml index dac7a41b..dfbf07b0 100644 --- a/.github/workflows/prevent-issue-labeling.yml +++ b/.github/workflows/prevent-issue-labeling.yml 
@@ -11,6 +11,10 @@ jobs: remove_new_label: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit - name: Remove "New" label if applied by non-bot user if: > contains(github.event.issue.labels.*.name, 'New') && diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e3ffffe..364bf997 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,8 +22,12 @@ jobs: runs-on: ubuntu-latest environment: npm steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24 registry-url: https://registry.npmjs.org/ @@ -41,11 +45,11 @@ jobs: uses: martinbeentjes/npm-get-version-action@v1.2.3 - name: Parse changelog id: parse-changelog - uses: schwma/parse-changelog-action@v1.0.0 + uses: schwma/parse-changelog-action@69a9f9ab4cf2f2e736108ab41396fc3c55f65e40 # v1.0.0 with: version: "${{ steps.package-version.outputs.current-version }}" - name: Create a GitHub release - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0 with: tag: "v${{ steps.package-version.outputs.current-version }}" body: "${{ steps.parse-changelog.outputs.body }}" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6738ead4..57c7242a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
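Review bot: `martinbeentjes/npm-get-version-action@v1.2.3`, visible as context in the second release.yml hunk, is still referenced by a mutable tag while the two actions after it are now pinned to commits. This job runs in the `npm` environment, so it is the place where an unpinned third-party action matters most; pin it like its neighbours with `uses: martinbeentjes/npm-get-version-action@<full-commit-sha> # v1.2.3`. The step list continues outside the hunk, so other tag-based references may remain there.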
@@ -29,11 +29,15 @@ jobs: matrix: node-version: [20.x, 22.x] steps: - - uses: actions/checkout@v5 + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - run: npm i -g @sap/cds-dk @@ -53,6 +57,10 @@ jobs: hyperscaler: [AWS, AZURE, GCP] scanner-auth: [basic, mtls] steps: + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@v5 with: @@ -92,11 +100,15 @@ jobs: --health-timeout 5s --health-retries 5 steps: - - uses: actions/checkout@v5 + - name: Harden Runner + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 + with: + egress-policy: audit + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix['node-version'] }} - run: npm i -g @sap/cds-dk From 854e630c862752c2d8e5a9f4e7c8af2d9a171142 Mon Sep 17 00:00:00 2001 From: I569192 Date: Mon, 4 May 2026 12:57:58 +0200 Subject: [PATCH 3/8] remove debug --- .github/actions/integration-tests/action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml index 7cf258c5..09ca847e 100644 --- a/.github/actions/integration-tests/action.yml +++ b/.github/actions/integration-tests/action.yml 
@@ -48,7 +48,6 @@ runs: CF_ORG: ${{ inputs.CF_ORG }} CF_SPACE: ${{ inputs.CF_SPACE }} run: | - echo "::debug::CF_API=${{ inputs.CF_API }}" for i in {1..5}; do cf api "$CF_API" && \ cf auth && \ From 5d333819a913a4a86cbb575dc48d5396c9c0aeda Mon Sep 17 00:00:00 2001 From: I569192 Date: Mon, 4 May 2026 12:59:05 +0200 Subject: [PATCH 4/8] update checkout sha --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 57c7242a..49e56ac7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -62,7 +62,7 @@ jobs: with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Integration tests (HANA) From 658cb4b4759e657b1a7d0c88db382b03760f7901 Mon Sep 17 00:00:00 2001 From: Simon Kobler <32038731+KoblerS@users.noreply.github.com> Date: Tue, 5 May 2026 10:08:44 +0200 Subject: [PATCH 5/8] Update test.yml --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 49e56ac7..8fcb8cbe 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -62,11 +62,11 @@ jobs: with: egress-policy: audit - name: Checkout repository - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Integration tests (HANA) - uses: ./.github/actions/integration-tests + uses: ./.github/actions/integration-tests@main with: CF_API: ${{ secrets[format('CF_API_{0}', matrix.hyperscaler)] }} CF_USERNAME: ${{ secrets['CF_USERNAME'] }} From b13188aa4f943fc8d8346958ea6e38c108700c8c Mon Sep 17 00:00:00 2001 
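Review bot: `uses: ./.github/actions/integration-tests@main` in the PATCH 5/8 hunk of test.yml is not a valid reference: a `uses:` value that starts with `./` is a path inside the checked-out workspace and takes no `@ref`, so the runner is expected to look for a directory literally named `integration-tests@main` and fail the step. Keep `uses: ./.github/actions/integration-tests` to run the action from the commit that was checked out. If the aim is to run the action definition from `main` rather than from the pull-request head selected by the checkout step just above, the repository-qualified form is needed, `uses: <owner>/<repo>/.github/actions/integration-tests@main`. None of the later patches in this series touch this line again.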
From: I569192 Date: Tue, 5 May 2026 13:04:01 +0200 Subject: [PATCH 6/8] test something out, revert later --- .github/actions/integration-tests/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml index 09ca847e..830b77b8 100644 --- a/.github/actions/integration-tests/action.yml +++ b/.github/actions/integration-tests/action.yml @@ -28,6 +28,7 @@ inputs: runs: using: "composite" steps: + - run: echo "Hello World" - name: Install dependencies and Cloud Foundry CLI (v8.9.0) shell: bash run: | From 6283a33e39b0cd379a60ba155c57572fffd30a8b Mon Sep 17 00:00:00 2001 From: I569192 Date: Tue, 5 May 2026 13:42:37 +0200 Subject: [PATCH 7/8] amend for last --- .github/actions/integration-tests/action.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml index 830b77b8..091fe6a5 100644 --- a/.github/actions/integration-tests/action.yml +++ b/.github/actions/integration-tests/action.yml @@ -28,7 +28,9 @@ inputs: runs: using: "composite" steps: - - run: echo "Hello World" + - name: Hello world step + shell: bash + run: echo "Hello World" - name: Install dependencies and Cloud Foundry CLI (v8.9.0) shell: bash run: | From e51919572975b86613636f4b4df57bae042dcfcf Mon Sep 17 00:00:00 2001 From: I569192 Date: Tue, 5 May 2026 14:19:12 +0200 Subject: [PATCH 8/8] revert try --- .github/actions/integration-tests/action.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml index 091fe6a5..09ca847e 100644 --- a/.github/actions/integration-tests/action.yml +++ b/.github/actions/integration-tests/action.yml 
@@ -28,9 +28,6 @@ inputs: runs: using: "composite" steps: - - name: Hello world step - shell: bash - run: echo "Hello World" - name: Install dependencies and Cloud Foundry CLI (v8.9.0) shell: bash run: |