-
Notifications
You must be signed in to change notification settings - Fork 175
Release 4.0.0 — v4 major version #1011
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
ca5559f
a4497ea
e615cc8
b6510ab
2449ba7
69cd15a
e8cf0a6
7d7ea70
1e06c32
3d42fc9
4fa184c
78194c8
f522afc
3a031f1
ca43f5e
53d74e3
e6e2215
b974b59
b3424d5
6d8ff24
16bc8ea
57a6798
98ac9d4
13eb800
6f75ff6
2264e8e
7da0c8e
ec444ff
845f6ca
bbe752d
cfd3ba9
e6111b9
b5a495a
7aa2dbc
df9c408
222f6a2
f6446f6
b6dd38c
e2ed040
fd25e48
0267ec9
91e7b29
f424b01
220297a
962addf
b6cacb3
9afc8ef
8058fe8
8795d30
c0831d1
61e92fe
6ed2d1f
6b7675c
ad0df64
ec02d07
0886953
c84ed7a
196eca1
9f10837
d063324
ebfed96
43d43ca
5eba7ac
b01245f
21a8532
6a6c95d
9838b8b
a998e50
6c1fada
a72d467
1932fb5
cbd99ea
b8fc19e
3d72421
db48189
9d7bce4
4ff850c
59e045d
3c11cd3
6a58dbf
42b7566
c6d592c
af3389b
6a6dc69
c6eef36
b906f5d
f6e5156
76e7ce0
1470b68
5956c0c
96ecf8b
fc7d6fe
806bbf8
6a8b048
27cb5ed
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,7 +33,7 @@ jobs: | |
| echo "version=$version" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Run RL Scanner | ||
| uses: auth0/devsecops-tooling/.github/actions/rl-scan@e29f26478db18ff0bcbe4bc447a8fbd54fbeec9e # main on 2026-06-09, TODO: use a release instead | ||
| uses: auth0/devsecops-tooling/.github/actions/rl-scan@main | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Description: Check all third-party action references for unpinned tags (`@main`, `@latest`, etc.).
rg -n "uses:.*`@main`\b" .github/ --type yamlRepository: auth0/Auth0.Android Length of output: 360 🏁 Script executed: #!/bin/bash
set -euo pipefail
cat -n .github/workflows/release.yml | sed -n '1,120p'
printf '\n---\n'
cat -n .github/workflows/sca_scan.yml | sed -n '1,80p'Repository: auth0/Auth0.Android Length of output: 3389 Pin the RL Scanner action 🤖 Prompt for AI Agents |
||
| with: | ||
| artifact-name: "auth0-android" | ||
| artifact-path: "${{ github.workspace }}/auth0/build/outputs/aar/auth0-release.aar" | ||
|
|
@@ -51,7 +51,7 @@ jobs: | |
| uses: ./.github/workflows/java-release.yml | ||
| needs: rl-scanner | ||
| with: | ||
| java-version: 8.0.402-zulu | ||
| java-version: '17' | ||
| secrets: | ||
| ossr-username: ${{ secrets.OSSR_USERNAME }} | ||
| ossr-token: ${{ secrets.OSSR_TOKEN }} | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,6 +6,7 @@ on: | |
| pull_request: | ||
| branches: | ||
| - main | ||
| - v4_development | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This will be removed in a separate PR post merge |
||
| push: | ||
| branches: | ||
| - main | ||
|
|
@@ -27,6 +28,6 @@ jobs: | |
|
|
||
| - uses: ./.github/actions/setup | ||
|
|
||
| - run: ./gradlew clean test jacocoTestReport lint --continue --console=plain --max-workers=1 --no-daemon | ||
| - run: ./gradlew testReleaseUnitTest jacocoTestReleaseUnitTestReport lintRelease --continue --console=plain | ||
|
|
||
| - uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # pin@7.0.0 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -96,8 +96,4 @@ gen-external-apklibs | |
| .TemporaryItems | ||
| .Trashes | ||
|
|
||
| version.txt | ||
|
|
||
| # Internal planning docs | ||
| plans/ | ||
| docs/ | ||
| version.txt | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 3.21.0 | ||
| 4.0.0-beta.1 | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. it should be 4.0.0
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This will be updated once we raise the release PR on main |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set
persist-credentials: falseon the checkout step to prevent GITHUB_TOKEN leakage.The
actions/checkoutaction defaults topersist-credentials: true, which stores theGITHUB_TOKENin.git/config. In a CodeQL analysis workflow, this token could be exfiltrated through generated artifacts or SARIF files. No subsequent step in this job requires Git credentials, so settingpersist-credentials: falseis safe and eliminates the risk.🔒 Proposed fix
- name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 44-45: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Source: Linters/SAST tools