
chore(ci): CI/release hygiene batch (Dependabot, CODEOWNERS, SECURITY.md, concurrency, action pinning)#350

Open
hampsterx wants to merge 6 commits into floci-io:main from hampsterx:chore/ci-hygiene

Conversation

@hampsterx
Contributor

Summary

Batch of low-risk CI/release hygiene improvements surfaced during a second-opinion scan with Codex and Gemini. Each commit stands alone and can be cherry-picked if any item draws pushback.

Stacked on #348. This branch includes the semver-restore commit from that PR. Once #348 merges, the diff here reduces to just the 5 hygiene commits. Review can happen in parallel.

Changes (5 commits)

1. Dependabot config (.github/dependabot.yml)

Weekly updates for Maven and GitHub Actions ecosystems. Patch/minor updates grouped per ecosystem to reduce PR noise, majors still land individually so breaking changes get surfaced on their own. No Docker base image scanning (can be added later).

2. CODEOWNERS (.github/CODEOWNERS)

Scopes .github/**, .releaserc.json, /pom.xml, and the Dockerfiles to @hectorvent so any change to CI, release automation, or the container build surface always pings the maintainer for review. No global owner, so the rest of the tree falls through to normal review rules. Expand with more owners as the maintainer roster grows.

3. SECURITY.md (root)

Surfaces the existing "Reporting Security Issues" section from CONTRIBUTING.md at the repo root so GitHub's Security tab exposes the policy UI and private vulnerability reporting flow. Supported-versions wording is deliberately unpinned ("current stable release line") so it doesn't drift as new minors land.

4. Concurrency groups and timeouts (all workflows)

Adds concurrency blocks to every workflow and timeout-minutes to every job. Currently only the compatibility matrix has a timeout, so a stuck job in ci/edge/release/semver could burn up to 6h of runner time before GitHub kills it.

  • ci, compatibility, docs, edge: per-workflow+ref group with cancel-in-progress: true, so pushing a new commit to a branch cancels the prior PR run instead of letting both finish.
  • release: per-tag group (workflow+ref), so back-to-back tag pushes (e.g. 1.5.3 and 1.6.0 landing minutes apart) run in parallel rather than cancelling each other. Re-runs of the same tag still supersede.
  • semver: semver-${ref} static-prefixed group on the ref, so racing version bumps on main serialize rather than both trying to tag and push back.

Timeouts sized above current observed runtimes (native builds ~15min, JVM builds ~3min) with headroom for transient slowdowns.

5. Pin third-party actions to SHAs

Pins every third-party GitHub Action to an immutable commit SHA with the original version tag preserved as a trailing comment:

  • cycjimmy/semantic-release-action@16ca923e6ccbb50770c415a0ccd43709a8c5f7a4 (v4.2.2)
  • docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 (v6)
  • docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 (v3)
  • docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f (v3)
  • test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 (v2)
  • graalvm/setup-graalvm@60c26726de13f8b90771df4bc1641a52a3159994 (v1)

actions/* (checkout, setup-java, setup-python, upload-artifact, download-artifact) are intentionally left on version tags. They are maintained by GitHub itself, have a much smaller attack surface than third-party marketplace actions, and the dependabot github-actions ecosystem will keep SHA-pinned third-party actions current automatically. Happy to pin them too if the maintainer prefers consistent hygiene.

Not included

These came up in the scan but are M-effort tool/policy choices the maintainer should decide on rather than having forced on them in a drive-by PR:

  • JaCoCo + Codecov coverage integration
  • SpotBugs / Checkstyle / PMD static analysis
  • Trivy / Grype image scanning
  • cyclonedx-maven-plugin SBOM generation
  • SLSA provenance attestations

Happy to open these as separate issues if there's interest.

Review passes done locally

  • Codex (agentic review vs fix/restore-semantic-release): flagged SECURITY.md email fallback (no address) and hardcoded 1.5.x version. Both addressed before opening this PR. Confirmed release-tag concurrency semantics correct.
  • Gemini (agentic review vs fix/restore-semantic-release): flagged missing pom.xml in CODEOWNERS and missing SECURITY.md email address. Both addressed. Verified all six pinned SHAs against upstream tags and confirmed they match.

Test plan

  • CI runs on the PR itself (ci.yml path filter excludes this PR since only .github/workflows/ci.yml is touched, so this may no-op, which is expected)
  • Dependabot schedule picks up the new config on the next Monday run after merge
  • After fix(ci): restore semantic-release workflow and enable on main #348 lands and a merge to main triggers semver.yml, verify the new concurrency group serializes correctly and the pinned cycjimmy/semantic-release-action SHA is picked up
  • SECURITY.md shows up in the GitHub Security tab and private reporting flow works
  • CODEOWNERS: touching any scoped path in a subsequent PR auto-requests review from @hectorvent
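
As an added example (not code from this PR or the floci-io project), a stdlib-only checker that applies items 4 and 5 of the description to a workflow file: it reports a missing top-level concurrency block, third-party actions left on mutable tags, and SHA pins that dropped the trailing version comment, with actions/* exempt as the description states. The sample workflow and the check_workflow function are constructed for this example; the two SHAs in it are the docker/build-push-action and graalvm/setup-graalvm pins listed above.

```python
import re

# Matches `uses: owner/repo[/path]@ref` with an optional trailing "# vX" comment.
_USES = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)(?:\s*#\s*(\S+))?")
_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> list:
    """Return hygiene findings for one workflow file's text: a top-level
    `concurrency:` block must exist, and third-party actions must be pinned
    to a full commit SHA with the version tag in a trailing comment
    (actions/* are exempt, matching the PR's policy)."""
    findings = []
    if not re.search(r"^concurrency:", text, re.MULTILINE):
        findings.append("workflow: no top-level concurrency block")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _USES.match(line)
        if not m:
            continue  # not a `uses:` line, or a local ./path action
        action, ref, comment = m.groups()
        if _SHA.match(ref):
            if comment is None:
                findings.append(f"line {lineno}: {action} pinned without version comment")
        elif not action.startswith("actions/"):  # GitHub-maintained actions stay on tags
            findings.append(f"line {lineno}: {action}@{ref} is a mutable tag, not a SHA")
    return findings


# Constructed sample workflow (not a file from the repository); two of the
# SHAs are the ones listed in the PR description.
SAMPLE = """\
name: release
on:
  push:
    tags: ['*']
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
      - uses: graalvm/setup-graalvm@60c26726de13f8b90771df4bc1641a52a3159994
"""

if __name__ == "__main__":
    for finding in check_workflow(SAMPLE):
        print(finding)
```

Run against the sample it reports three findings; after adding a concurrency block and fixing the two `uses:` lines it reports none.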

Commit 494cff2 ("chore: release 1.5.2") moved .github/workflows/semver.yml
to .github/semver.yml as part of a manual version bump, which silently
disabled semantic-release. GitHub Actions only picks up workflow files
under .github/workflows/. Every merge to main since 1.5.2 has lacked
CHANGELOG.md coverage because no bot ran.

Also add `main` to the branches list in .releaserc.json and the workflow
push trigger so semantic-release actually runs on main going forward.
Work has been landing directly on main and needs a corresponding release
path.

The next run will generate CHANGELOG entries for everything merged since
1.5.2 and emit a new tag (likely 1.6.0, driven by the `feat:` appconfig
commit in the backlog).

Weekly Dependabot updates for the Maven and GitHub Actions ecosystems.
Minor/patch updates are grouped into a single PR per ecosystem to keep
review noise low, majors still land as individual PRs so breaking
changes get surfaced on their own.

Scopes .github/, .releaserc.json, and the Dockerfiles to @hectorvent so
any change to CI, release automation, or the container build surface
always pings the maintainer for review. Other paths are left unscoped
and fall through to the repo's normal review rules.

Adds a root-level security policy so GitHub's Security tab exposes the
private vulnerability reporting flow and supported-versions UI. The
content mirrors the existing "Reporting Security Issues" section in
CONTRIBUTING.md and links back to it to avoid drift.

Adds a concurrency block to every workflow and a timeout-minutes to every
job. Previously only the compatibility matrix had a timeout, so a stuck
job in ci/edge/release/semver could burn the full 6h runner budget
before GitHub killed it.

- ci, compatibility, docs, edge: cancel-in-progress on
  workflow+ref, so pushing a new commit to a branch cancels the prior
  PR run instead of letting both finish.
- release: per-tag group (workflow+ref), so back-to-back tag pushes
  (e.g. 1.5.3 and 1.6.0 landing minutes apart) run in parallel rather
  than cancelling each other. Re-runs of the same tag still supersede.
- semver: semver-${ref} group, so racing version bumps on main
  serialize rather than both trying to tag and push back.

Timeouts are sized above current observed runtimes (native builds
~15min, JVM builds ~3min) with headroom for transient slowdowns.

Pins every third-party GitHub Action to a full commit SHA with the
original version tag preserved in a trailing comment. Actions maintained
by GitHub itself (actions/checkout, actions/setup-java, actions/setup-python,
actions/upload-artifact, actions/download-artifact) are intentionally
left on version tags because the risk/effort trade-off is different.

Pins:
- cycjimmy/semantic-release-action v4.2.2 (semver.yml)
- docker/build-push-action v6 (compatibility, edge, release)
- docker/login-action v3 (edge, release)
- docker/setup-buildx-action v3 (compatibility, edge, release)
- test-summary/action v2 (compatibility)
- graalvm/setup-graalvm v1 (release)

Closes a supply-chain risk where a compromised or retagged third-party
action could silently execute new code in a privileged workflow (release
and semver both hold secrets). Dependabot's github-actions ecosystem
updates SHA-pinned actions automatically, so this doesn't create manual
upgrade work.

on:
  push:
    branches:
      - 'main'

Collaborator


@hampsterx please check comment on PR #348
