Pin github actions to specific SHAs (#662)

- Pin actions to specific SHA
- Migrate to databricks hardened runners.

Sadly, this means that we will have to stop making macos and arm builds
for now

Author: stephenamar-db

.github/actions/setup-build/action.yml

@@ -0,0 +1,37 @@
+name: Setup Build Environment
+description: Sets up JDK, Node.js, and Coursier cache for building sjsonnet
+
+inputs:
+  node:
+    description: 'Whether to install Node.js'
+    required: false
+    default: 'false'
+  coursier-cache:
+    description: 'Whether to set up Coursier cache'
+    required: false
+    default: 'false'
+  sbt:
+    description: 'Whether to install sbt'
+    required: false
+    default: 'false'
+
+runs:
+  using: composite
+  steps:
+    - name: Set up JDK 21
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # 5.2.0
+      with:
+        java-version: 21
+        distribution: 'zulu'
+        cache: ${{ inputs.sbt == 'true' && 'sbt' || '' }}
+    - name: Set up sbt
+      if: inputs.sbt == 'true'
+      uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # 1.1.22
+    - name: Set up Node.js 24
+      if: inputs.node == 'true'
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      with:
+        node-version: '24'
+    - name: Cache Coursier cache
+      if: inputs.coursier-cache == 'true'
+      uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # 8.1.0

.github/dependabot.yml

@@ -6,4 +6,6 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+    cooldown:
+      default-days: 7

.github/workflows/pr-build.yaml

@@ -4,21 +4,18 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions: {}
+
 jobs:
   build-jvm:
-    runs-on: ubuntu-22.04
+    runs-on: linux-ubuntu-latest-hardened
     name: Sjsonnet jvm build
     steps:
-      - uses: actions/checkout@v6
-      - name: Set up JDK 21
-        uses: actions/setup-java@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - uses: ./.github/actions/setup-build
         with:
-          java-version: 21
-          distribution: 'zulu'
-          cache: sbt
-      - uses: sbt/setup-sbt@v1
-      - name: Cache Coursier cache
-        uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # 8.1.0
+          sbt: 'true'
+          coursier-cache: 'true'
       - name: Check Formatting
         run: ./mill "_.jvm[_].__.checkFormat"
       - name: Run mill tests
@@ -28,43 +25,30 @@ jobs:
         timeout-minutes: 15
         run: sbt test
   build-graal:
-    runs-on: ubuntu-22.04
+    runs-on: linux-ubuntu-latest-hardened
     name: Sjsonnet Graal Native build
     steps:
-      - uses: actions/checkout@v6
-      - name: Set up JDK 21
-        uses: actions/setup-java@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - uses: ./.github/actions/setup-build
         with:
-          java-version: 21
-          distribution: 'zulu'
-      - name: Cache Coursier cache
-        uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # 8.1.0
+          coursier-cache: 'true'
       - name: Run Native Image Test Suites
         timeout-minutes: 15
         run: sjsonnet/test/graalvm/run_test_suites.py
   build-other:
-    runs-on: ubuntu-22.04
+    runs-on: linux-ubuntu-latest-hardened
     strategy:
       fail-fast: false
       matrix:
         lang: ['js', 'wasm', 'native']
     name: Sjsonnet ${{ matrix.lang }} build
     steps:
-      - uses: actions/checkout@v6
-      - name: Set up JDK 21
-        uses: actions/setup-java@v5
-        with:
-          java-version: 21
-          distribution: 'zulu'
-          cache: sbt
-      - uses: sbt/setup-sbt@v1
-      - name: Set up Node.js 24
-        if: ${{ matrix.lang == 'js' || matrix.lang == 'wasm' }}
-        uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - uses: ./.github/actions/setup-build
         with:
-          node-version: '24'
-      - name: Cache Coursier cache
-        uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # 8.1.0
+          node: ${{ matrix.lang == 'js' || matrix.lang == 'wasm' }}
+          sbt: 'true'
+          coursier-cache: 'true'
       - name: Check Formatting
         run: ./mill _.${{ matrix.lang }}[_].__.checkFormat
       - name: Run mill tests for ${{ matrix.lang }}

.github/workflows/push-to-central.yaml

@@ -1,24 +1,33 @@
 name: Push To Maven Central
 
 on:
-  release:
-    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag (e.g. 0.4.14)'
+        required: true
+        type: string
+
+permissions: {}
 
 jobs:
+  validate-tag:
+    uses: ./.github/workflows/validate-tag.yaml
+    with:
+      tag: ${{ inputs.tag }}
   publish:
-    runs-on: ubuntu-22.04
+    needs: validate-tag
+    runs-on: linux-ubuntu-latest-hardened
+    permissions:
+      contents: read
+    environment: production
     steps:
-    - uses: actions/checkout@v6
-    - name: Set up JDK 21
-      uses: actions/setup-java@v5
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
       with:
-        java-version: 21
-        distribution: 'zulu'
-    - name: Set up Node.js 24
-      uses: actions/setup-node@v6
+        ref: ${{ inputs.tag }}
+    - uses: ./.github/actions/setup-build
       with:
-        node-version: '24'
-
+        node: 'true'
     - run: ./mill mill.javalib.SonatypeCentralPublishModule/
       env:
         MILL_PGP_SECRET_BASE64: ${{ secrets.MILL_PGP_SECRET_BASE64 }}

.github/workflows/release-build.yaml

@@ -1,28 +1,34 @@
 name: Release Build
 
 on:
-  push:
-    tags:
-      - "*.*.*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag (e.g. 0.4.14)'
+        required: true
+        type: string
+
+permissions: {}
 
 jobs:
+  validate-tag:
+    uses: ./.github/workflows/validate-tag.yaml
+    with:
+      tag: ${{ inputs.tag }}
   release:
+    needs: validate-tag
     permissions:
-      contents: write
-    runs-on: ubuntu-22.04
+      contents: read
+    runs-on: linux-ubuntu-latest-hardened
     env:
       LANG: C
     steps:
-      - uses: actions/checkout@v6
-      - name: Set up JDK 21
-        uses: actions/setup-java@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
         with:
-          java-version: 21
-          distribution: 'zulu'
-      - name: Set up Node.js 24
-        uses: actions/setup-node@v6
+          ref: ${{ inputs.tag }}
+      - uses: ./.github/actions/setup-build
         with:
-          node-version: '24'
+          node: 'true'
       - name: Set up environment variables
         run: |
           echo "VERSION=$(cat sjsonnet/version)" >> $GITHUB_ENV
@@ -48,71 +54,26 @@ jobs:
           cp ./out/sjsonnet/jvm/$SCALA_VERSION/client/assembly.dest/out.jar ./release/sjsonnet-client-$VERSION.jar
           cp ./out/sjsonnet/jvm/$SCALA_VERSION/server/assembly.dest/out.jar ./release/sjsonnet-server-$VERSION.jar
           cp ./out/playground/bundle.dest/index.html ./release/sjsonnet-playground-$VERSION.html
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         name: Upload Artifacts
         with:
           name: sjsonnet-${{ env.VERSION }}-jvmjswasm
           path: release/*
           retention-days: 1
           if-no-files-found: error
-  release-native:
-    permissions:
-      contents: write
-    strategy:
-      matrix:
-        platform:
-          - name: linux-x86_64
-            os: ubuntu-22.04
-          - name: linux-arm64
-            os: ubuntu-22.04-arm
-          - name: darwin-x86_64
-            os: macos-15-intel
-          - name: darwin-arm64
-            os: macos-15
-    runs-on: ${{ matrix.platform.os }}
-    env:
-      LANG: C
-    steps:
-      - uses: actions/checkout@v6
-      - name: Set up JDK 21
-        uses: actions/setup-java@v5
-        with:
-          java-version: 21
-          distribution: 'zulu'
-      - name: Set up environment variables
-        run: |
-          echo "VERSION=$(cat sjsonnet/version)" >> $GITHUB_ENV
-          echo "SCALA_VERSION=3.3.7" >> $GITHUB_ENV
-      - name: Native Binary Build
-        run: ./mill "sjsonnet.native[$SCALA_VERSION].nativeLink"
-      - name: GraalVM Binary Build
-        run: ./mill "sjsonnet.graal.nativeImage"
-      - name: Rename Artifacts
-        run: |
-          mkdir release
-          cp ./out/sjsonnet/native/$SCALA_VERSION/nativeLink.dest/out ./release/sjsonnet-$VERSION-${{ matrix.platform.name }}
-          cp ./out/sjsonnet/graal/nativeImage.dest/native-executable ./release/sjsonnet-graalvm-$VERSION-${{ matrix.platform.name }}
-      - uses: actions/upload-artifact@v7
-        name: Upload Native Binary
-        with:
-          name: sjsonnet-${{ env.VERSION }}-${{ matrix.platform.name }}
-          path: release/*
-          retention-days: 1
-          if-no-files-found: error
   create-release-package:
     permissions:
-      contents: write
+      contents: read
     needs:
       - release
-      - release-native
-    runs-on: ubuntu-22.04
+    runs-on: linux-ubuntu-latest-hardened
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
       - name: Set up environment variables
         run: |
           echo "VERSION=$(cat sjsonnet/version)" >> $GITHUB_ENV
           mkdir -p release
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         name: Download Artifacts
         with:
           path: release
@@ -123,7 +84,7 @@ jobs:
           ls -la
           sha256sum sjsonnet-* > sums.sha256
           popd
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         name: Upload Package
         with:
           name: sjsonnet-${{ env.VERSION }}-release

.github/workflows/validate-tag.yaml

@@ -0,0 +1,27 @@
+name: Validate Tag
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: 'Tag to validate'
+        required: true
+        type: string
+
+permissions: {}
+
+jobs:
+  validate-tag:
+    runs-on: linux-ubuntu-latest-hardened
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+        with:
+          fetch-depth: 0
+      - name: Validate tag exists
+        run: |
+          if ! git tag --list | grep -qx '${{ inputs.tag }}'; then
+            echo "::error::Tag '${{ inputs.tag }}' does not exist"
+            exit 1
+          fi