From 18d9dd77ec0e51029add22fbf8e93c68cc9f2f1a Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:27:17 -0700
Subject: [PATCH 1/6] Use SHA Hashes for spring-security-release-tools Workflows
Issue gh-18648
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .github/workflows/continuous-integration-workflow.yml | 10 +++++-----
 .github/workflows/milestone-spring-releasetrain.yml | 2 +-
 .github/workflows/pr-build-workflow.yml | 2 +-
 .github/workflows/update-scheduled-release-version.yml | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml
index 97fd44d85a..7b2261a4ee 100644
--- a/.github/workflows/continuous-integration-workflow.yml
+++ b/.github/workflows/continuous-integration-workflow.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
 build:
 name: Build
- uses: spring-io/spring-security-release-tools/.github/workflows/build.yml@v1
+ uses: spring-io/spring-security-release-tools/.github/workflows/build.yml@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 strategy:
 matrix:
 os: [ ubuntu-latest, windows-latest ]
@@ -67,21 +67,21 @@ jobs:
 deploy-artifacts:
 name: Deploy Artifacts
 needs: [ build, test, check-samples ]
- uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
+ uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 with:
 should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
 secrets: inherit
 deploy-schema:
 name: Deploy Schema
 needs: [ build, test, check-samples ]
- uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
+ uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 with:
 should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
 secrets: inherit
 perform-release:
 name: Perform Release
 needs: [ deploy-artifacts, deploy-schema ]
- uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
+ uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 with:
 should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
 project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
@@ -97,6 +97,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Send Notification
- uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+ uses: spring-io/spring-security-release-tools/.github/actions/send-notification@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 with:
 webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
diff --git a/.github/workflows/milestone-spring-releasetrain.yml b/.github/workflows/milestone-spring-releasetrain.yml
index 0602ae8e73..6d373fb15a 100644
--- a/.github/workflows/milestone-spring-releasetrain.yml
+++ b/.github/workflows/milestone-spring-releasetrain.yml
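Review bot: Pinning the `deploy-artifacts`, `deploy-schema` and `perform-release` calls in the `@@ -67,21` hunk to a commit SHA fixes only the reusable workflow files themselves; any `uses:` references inside those files at that commit are still resolved when the job runs, and this diff cannot show whether they are tags or SHAs. That matters most here because `deploy-artifacts` and `deploy-schema` pass `secrets: inherit`, so every caller secret is available to whatever those nested references resolve to. I would confirm that the workflows at `7d42d82298553f123a9dad622e0eac725aaf52ef` pin their own actions, and consider replacing `secrets: inherit` with an explicit `secrets:` map naming only what each called workflow needs. The same applies to the `update-scheduled-release-version.yml` call later in this patch, which also inherits secrets.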
@@ -30,6 +30,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Send Notification
- uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+ uses: spring-io/spring-security-release-tools/.github/actions/send-notification@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 with:
 webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
diff --git a/.github/workflows/pr-build-workflow.yml b/.github/workflows/pr-build-workflow.yml
index 2ebf86c76b..170efd070d 100644
--- a/.github/workflows/pr-build-workflow.yml
+++ b/.github/workflows/pr-build-workflow.yml
@@ -46,6 +46,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Send Notification
- uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+ uses: spring-io/spring-security-release-tools/.github/actions/send-notification@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 with:
 webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
diff --git a/.github/workflows/update-scheduled-release-version.yml b/.github/workflows/update-scheduled-release-version.yml
index 665b1b50b6..25328ff331 100644
--- a/.github/workflows/update-scheduled-release-version.yml
+++ b/.github/workflows/update-scheduled-release-version.yml
@@ -9,7 +9,7 @@ permissions:
 jobs:
 update-scheduled-release-version:
 name: Update Scheduled Release Version
- uses: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml@v1
+ uses: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 secrets: inherit
 send-notification:
 name: Send Notification
@@ -18,6 +18,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Send Notification
- uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+ uses: spring-io/spring-security-release-tools/.github/actions/send-notification@7d42d82298553f123a9dad622e0eac725aaf52ef # v1.0.13
 with:
 webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
\ No newline at end of file
From d276c943fc8ec816554ddc9229840b988c471850 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:29:49 -0700
Subject: [PATCH 2/6] Update actions/checkout to 6.0.2
Issue gh-18648
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .github/workflows/deploy-docs.yml | 2 +-
 .github/workflows/gradle-wrapper-upgrade-execution.yml | 2 +-
 .github/workflows/pr-build-workflow.yml | 4 ++--
 .github/workflows/release-scheduler.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 25381d0f82..05912c63fd 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -17,7 +17,7 @@ jobs:
 if: github.repository_owner == 'spring-projects'
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: docs-build
 fetch-depth: 1
diff --git a/.github/workflows/gradle-wrapper-upgrade-execution.yml b/.github/workflows/gradle-wrapper-upgrade-execution.yml
index 8207edddef..11d193afdc 100644
--- a/.github/workflows/gradle-wrapper-upgrade-execution.yml
+++ b/.github/workflows/gradle-wrapper-upgrade-execution.yml
@@ -19,7 +19,7 @@ jobs:
 git config --global user.name 'github-actions[bot]'
 git config --global user.email 'github-actions[bot]@users.noreply.github.com'
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up JDK 17
 uses: actions/setup-java@v4
 with:
diff --git a/.github/workflows/pr-build-workflow.yml b/.github/workflows/pr-build-workflow.yml
index 170efd070d..dd771a9dd2 100644
--- a/.github/workflows/pr-build-workflow.yml
+++ b/.github/workflows/pr-build-workflow.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.repository == 'spring-projects/spring-security' }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up gradle
 uses: spring-io/spring-gradle-build-action@v2
 with:
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.repository == 'spring-projects/spring-security' }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up gradle
 uses: spring-io/spring-gradle-build-action@v2
 with:
diff --git a/.github/workflows/release-scheduler.yml b/.github/workflows/release-scheduler.yml
index 8b2f0f1eac..cfd1ca3ad7 100644
--- a/.github/workflows/release-scheduler.yml
+++ b/.github/workflows/release-scheduler.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
 - name: Dispatch
From 5c3b8c513b8705f3b21a2d8248a6e41be9d754f2 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:32:19 -0700
Subject: [PATCH 3/6] Update spring-gradle-build-action to 2.0.5
Issue gh-18648
---
 .github/workflows/pr-build-workflow.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
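Review bot: Both `actions/checkout` steps in `pr-build-workflow.yml` (the `@@ -11,7` and `@@ -24,7` hunks) are followed directly by `- name: Set up gradle` with no `with:` block, so the action's default of keeping the job token available to later git commands stays in effect for the Gradle steps. If this workflow builds pull-request code, as its file name suggests, those later steps run build scripts supplied by the contributor, and I would add `with:` and `persist-credentials: false` under each checkout while these lines are being touched. The workflow's trigger and `permissions:` block are outside the hunks, so the token's scope should be checked there as well. The checkout in `gradle-wrapper-upgrade-execution.yml` may genuinely need the credentials to push, so I would not change that one without checking.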
diff --git a/.github/workflows/pr-build-workflow.yml b/.github/workflows/pr-build-workflow.yml
index dd771a9dd2..807d6d1ef6 100644
--- a/.github/workflows/pr-build-workflow.yml
+++ b/.github/workflows/pr-build-workflow.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up gradle
- uses: spring-io/spring-gradle-build-action@v2
+ uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
 with:
 java-version: '17'
 distribution: 'temurin'
@@ -26,7 +26,7 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up gradle
- uses: spring-io/spring-gradle-build-action@v2
+ uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
 with:
 java-version: '17'
 distribution: 'temurin'
From 63162eb5f162e13c50c37141fb251ceac4d5ce1e Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:34:27 -0700
Subject: [PATCH 4/6] Update to setup-java 5.2.0
Issue gh-18648
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .github/workflows/gradle-wrapper-upgrade-execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gradle-wrapper-upgrade-execution.yml b/.github/workflows/gradle-wrapper-upgrade-execution.yml
index 11d193afdc..30e7b539a9 100644
--- a/.github/workflows/gradle-wrapper-upgrade-execution.yml
+++ b/.github/workflows/gradle-wrapper-upgrade-execution.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: '17'
 distribution: 'temurin'
From 8432df498e31ce176bc90ba3a783160165d4ef18 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:36:03 -0700
Subject: [PATCH 5/6] Update upload-artifact to 6.0.0
Issue gh-18648
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .github/workflows/pr-build-workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-build-workflow.yml b/.github/workflows/pr-build-workflow.yml
index 807d6d1ef6..b419967a44 100644
--- a/.github/workflows/pr-build-workflow.yml
+++ b/.github/workflows/pr-build-workflow.yml
@@ -34,7 +34,7 @@ jobs:
 run: ./gradlew -PbuildSrc.skipTests=true :spring-security-docs:antora
 - name: Upload Docs
 id: upload
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: docs
 path: docs/build/site
From 46a95144201eb2a2f7bdfa674a8076c78d0f79cf Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:39:02 -0700
Subject: [PATCH 6/6] Update to setup-gradle 5.0.1 note that gradle/gradle-build-action is superceded by setup-gradle.
Issue gh-18648
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .github/workflows/gradle-wrapper-upgrade-execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gradle-wrapper-upgrade-execution.yml b/.github/workflows/gradle-wrapper-upgrade-execution.yml
index 30e7b539a9..d5e9d084b6 100644
--- a/.github/workflows/gradle-wrapper-upgrade-execution.yml
+++ b/.github/workflows/gradle-wrapper-upgrade-execution.yml
@@ -26,7 +26,7 @@ jobs:
 java-version: '17'
 distribution: 'temurin'
 - name: Set up Gradle
- uses: gradle/gradle-build-action@v2
+ uses: gradle/setup-gradle@f29f5a9d7b09a7c6b29859002d29d24e1674c884 # v5.0.1
 - name: Upgrade Wrappers
 run: ./gradlew clean upgradeGradleWrapperAll --continue -Porg.gradle.java.installations.auto-download=false
 env:
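Review bot: The `Set up Gradle` step in the `@@ -26,7` hunk of `gradle-wrapper-upgrade-execution.yml` is left without a `with:` block even though it now calls a different action, so caching and wrapper validation follow `gradle/setup-gradle` defaults rather than anything stated in the workflow. The next step executes the checked-in `./gradlew`, so I would make the intent explicit with `with:` and `validate-wrappers: true`, and decide deliberately whether this job should write to the Gradle cache (`cache-read-only: true` if not). As far as I know recent setup-gradle releases already validate wrappers by default, which would make the first setting documentation rather than a behaviour change. The job's trigger, its `permissions:` and the contents of the `env:` block are outside this hunk.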