IBM · dnwe · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -25,3 +25,63 @@ updates:
       golang-org-x:
         patterns:
           - "golang.org/x/*"
+
+  - package-ecosystem: gomod
+    directory: /examples/consumergroup
+    schedule:
+      interval: daily
+      time: "23:00"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: chore
+      include: "scope"
+    groups:
+      golang-org-x:
+        patterns:
+          - "golang.org/x/*"
+
+  - package-ecosystem: gomod
+    directory: /examples/exactly_once
+    schedule:
+      interval: daily
+      time: "23:00"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: chore
+      include: "scope"
+    groups:
+      golang-org-x:
+        patterns:
+          - "golang.org/x/*"
+
+  - package-ecosystem: gomod
+    directory: /examples/interceptors
+    schedule:
+      interval: daily
+      time: "23:00"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: chore
+      include: "scope"
+    groups:
+      golang-org-x:
+        patterns:
+          - "golang.org/x/*"
+
+  - package-ecosystem: gomod
+    directory: /examples/txn_producer
+    schedule:
+      interval: daily
+      time: "23:00"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: chore
+      include: "scope"
+    groups:
+      golang-org-x:
+        patterns:
+          - "golang.org/x/*"
diff --git a/.github/workflows/apidiff.yml b/.github/workflows/apidiff.yml
@@ -11,29 +11,33 @@ on:
     - "**"
     paths-ignore:
     - '**/*.md'
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   apidiff:
     runs-on: ubuntu-latest
     if: github.base_ref
     steps:
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: 1.21.x
     - name: Add GOBIN to PATH
       run: echo "$(go env GOPATH)/bin" >>$GITHUB_PATH
     - name: Install apidiff cmd
       run: go install golang.org/x/exp/cmd/apidiff@latest
     - name: Checkout base code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         ref: ${{ github.base_ref }}
         path: "base"
     - name: Capture apidiff baseline
       run: apidiff -m -w ../baseline.bin .
       working-directory: "base"
     - name: Checkout updated code
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         path: "updated"
     - name: Run apidiff check

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,25 +11,32 @@ on:
     - "**"
     paths-ignore:
     - '**/*.md'
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   lint:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Linting with Go ${{ matrix.go-version }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         go-version: [1.21.x]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         cache: false # golangci-lint-action has its own cache
         go-version: ${{ matrix.go-version }}
     - name: golangci-lint
       env:
         GOFLAGS: -tags=functional
-      uses: golangci/golangci-lint-action@v3
+      uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
       with:
         version: v1.54.2
   test:
@@ -43,9 +50,9 @@ jobs:
       DEBUG: true
       GOFLAGS: -trimpath
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ matrix.go-version }}
     - name: Test (Unit)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -13,30 +13,34 @@ on:
     - '**/*.md'
   schedule:
   - cron: "39 12 * * 1"
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
-      security-events: write
+      actions: read  # for github/codeql-action to list actions
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action to report security issues
     strategy:
       fail-fast: false
       matrix:
         language: ["go"]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
       with:
         languages: ${{ matrix.language }}
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: 1.21.x
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -11,16 +11,20 @@ on:
     - "**"
     paths-ignore:
     - '**/*.md'
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   test:
     name: Fuzz
     runs-on: ubuntu-latest
     env:
       GOFLAGS: -trimpath
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: 1.21.x
     - name: Run any fuzzing tests

diff --git a/.github/workflows/fvt-main.yml b/.github/workflows/fvt-main.yml
@@ -6,6 +6,10 @@ on:
     - main
     paths-ignore:
     - '**/*.md'
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   fvt:
     name: Test with Kafka ${{ matrix.kafka-version }}

diff --git a/.github/workflows/fvt-pr.yml b/.github/workflows/fvt-pr.yml
@@ -5,6 +5,10 @@ on:
     - "**"
     paths-ignore:
     - '**/*.md'
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   fvt:
     name: Test with Kafka ${{ matrix.kafka-version }}

diff --git a/.github/workflows/fvt.yml b/.github/workflows/fvt.yml
@@ -14,6 +14,10 @@ on:
         required: false
         type: string
         default: 2.13
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   fvt:
     name: Test with Kafka ${{ inputs.kafka-version }}
@@ -24,12 +28,12 @@ jobs:
       KAFKA_VERSION: ${{ inputs.kafka-version }}
       SCALA_VERSION: ${{ inputs.scala-version }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Docker
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       id: buildx
     - name: Build FVT Docker Image
-      uses: docker/bake-action@master
+      uses: docker/bake-action@cff93986225aa60b529e85c83a08f7df996a8d48 # master
       with:
         builder: ${{ steps.buildx.outputs.name }}
         files: docker-compose.yml
@@ -38,7 +42,7 @@ jobs:
           *.cache-from=type=gha,scope=${{ github.workflow }}
           *.cache-to=type=gha,scope=${{ github.workflow }},mode=max
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ inputs.go-version }}
     - name: Setup Docker Compose
@@ -59,7 +63,7 @@ jobs:
         if [ -f "fvt-kafka-${{ inputs.kafka-version }}.pcap" ]; then sudo chmod a+r "fvt-kafka-${{ inputs.kafka-version }}.pcap"; fi
     - name: Upload pcap file
       if: always()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: fvt-kafka-${{ inputs.kafka-version }}.pcap
         path: fvt-kafka-${{ inputs.kafka-version }}.pcap

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,11 +4,19 @@ on:
   schedule:
   - cron: "0 */2 * * *"
   workflow_dispatch:
+
+permissions:
+  contents: read  # for actions/checkout to fetch code
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@main # make use of https://github.com/actions/stale/pull/1033
+      # pinned to main commit to make use of https://github.com/actions/stale/pull/1033
+    - uses: actions/stale@b69b346013879cedbf50c69f572cd85439a41936 # main
       with:
         ascending: true
         days-before-stale: 90

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -31,3 +31,11 @@ repos:
         language: golang
         files: \.go$
         args: []
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.3
+    hooks:
+      - id: gitleaks
+  - repo: https://github.com/golangci/golangci-lint
+    rev: v1.52.2
+    hooks:
+      - id: golangci-lint