prestodb · tdcmeehan · Oct 24, 2025 · Jul 16, 2025 · sourcery-ai · Sep 16, 2025
@@ -1,26 +1,30 @@
-name: 'Maven OWASP Dependency Check Scan'
-description: 'Runs OWASP dependency check Maven scan with consistent settings'
+name: Maven OWASP Dependency Check Scan
+description: Runs OWASP dependency check Maven scan with consistent settings
 inputs:
   working-directory:
-    description: 'Working directory for Maven command'
+    description: Working directory for Maven command
     required: false
-    default: '.'
+    default: .
   owasp-version:
-    description: 'OWASP dependency check plugin version'
+    description: OWASP dependency check plugin version
     required: false
-    default: '12.1.3'
+    default: 12.1.3
   data-directory:
-    description: 'OWASP data directory path'
+    description: OWASP data directory path
     required: false
-    default: '$HOME/.owasp/dependency-check-data'
+    default: /tmp/.owasp/dependency-check-data
+
 runs:
-  using: 'composite'
+  using: composite
   steps:
     - name: Run OWASP dependency check
+      env:
+        OWASP_VERSION: ${{ inputs.owasp-version }}
+        OWASP_DATA_DIRECTORY: ${{ inputs.data-directory }}
       working-directory: ${{ inputs.working-directory }}
       shell: bash
       run: |
-        mvn org.owasp:dependency-check-maven:${{ inputs.owasp-version }}:aggregate \
+        mvn org.owasp:dependency-check-maven:$OWASP_VERSION:aggregate \
           -DskipTests \
           -Dformat=JSON \
           -DprettyPrint=true \
@@ -32,4 +36,4 @@ runs:
           -DcentralAnalyzerEnabled=false \
           -DnuspecAnalyzerEnabled=false \
           -DnvdValidForHours=168 \
-          -DdataDirectory=${{ inputs.data-directory }}
+          -DdataDirectory=$OWASP_DATA_DIRECTORY
@@ -1,2 +1,2 @@
 docs:
-  - all: ['**/*.rst']
+  - all: ['**/*.rst']
@@ -2,21 +2,21 @@ staleLabel: stale
 daysUntilClose: 7
 
 pulls:
-    daysUntilStale: 180 # ~6 months
-    markComment: >
-        This pull request has been automatically marked as stale because it has not had
-        recent activity. If you'd still like this PR merged, please comment on the task,
-        make sure you've addressed reviewer comments, and rebase on the latest master.
-        Thank you for your contributions!
+  daysUntilStale: 180 # ~6 months
+  markComment: >
+    This pull request has been automatically marked as stale because it has not had
+    recent activity. If you'd still like this PR merged, please comment on the task,
+    make sure you've addressed reviewer comments, and rebase on the latest master.
+    Thank you for your contributions!
 
 issues:
-    daysUntilStale: 730 # ~2 years
-    exemptLabels:
-        - bug
-    markComment: >
-        This issue has been automatically marked as stale because it has not had
-        any activity in the last 2 years. If you feel that this issue is important,
-        just comment and the stale tag will be removed; otherwise it will be
-        closed in 7 days. This is an attempt to ensure that our open issues remain
-        valuable and relevant so that we can keep track of what needs to be done and
-        prioritize the right things.
+  daysUntilStale: 730 # ~2 years
+  exemptLabels:
+    - bug
+  markComment: >
+    This issue has been automatically marked as stale because it has not had
+    any activity in the last 2 years. If you feel that this issue is important,
+    just comment and the stale tag will be removed; otherwise it will be
+    closed in 7 days. This is an attempt to ensure that our open issues remain
+    valuable and relevant so that we can keep track of what needs to be done and
+    prioritize the right things.
@@ -3,14 +3,17 @@ name: arrow flight tests
 on:
   pull_request:
     paths-ignore:
-      - 'presto-docs/**'
+      - presto-docs/**
+
+permissions:
+  contents: read
 
 env:
   CONTINUOUS_INTEGRATION: true
-  MAVEN_OPTS: "-Xmx1024M -XX:+ExitOnOutOfMemoryError"
-  MAVEN_INSTALL_OPTS: "-Xmx2G -XX:+ExitOnOutOfMemoryError"
-  MAVEN_FAST_INSTALL: "-B -V --quiet -T 1C -DskipTests -Dair.check.skip-all --no-transfer-progress -Dmaven.javadoc.skip=true"
-  MAVEN_TEST: "-B -Dair.check.skip-all -Dmaven.javadoc.skip=true -DLogTestDurationListener.enabled=true --no-transfer-progress --fail-at-end"
+  MAVEN_OPTS: -Xmx1024M -XX:+ExitOnOutOfMemoryError
+  MAVEN_INSTALL_OPTS: -Xmx2G -XX:+ExitOnOutOfMemoryError
+  MAVEN_FAST_INSTALL: -B -V --quiet -T 1C -DskipTests -Dair.check.skip-all --no-transfer-progress -Dmaven.javadoc.skip=true
+  MAVEN_TEST: -B -Dair.check.skip-all -Dmaven.javadoc.skip=true -DLogTestDurationListener.enabled=true --no-transfer-progress --fail-at-end
   RETRY: .github/bin/retry
 
 jobs:
@@ -19,9 +22,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        java: [ 17.0.15 ]
+        java: [17.0.15]
         modules:
-          - ":presto-base-arrow-flight"  # Only run tests for the `presto-base-arrow-flight` module
+          - :presto-base-arrow-flight # Only run tests for the `presto-base-arrow-flight` module
 
     timeout-minutes: 80
     concurrency:
@@ -33,13 +36,14 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       # Set up Java and dependencies for the build environment
       - uses: actions/setup-java@v4
         with:
-          distribution: 'temurin'
+          distribution: temurin
           java-version: ${{ matrix.java }}
-          cache: 'maven'
+          cache: maven
       - name: Download nodejs to maven cache
         run: .github/bin/download_nodejs
 
@@ -61,8 +65,12 @@ jobs:
       CCACHE_DIR: "${{ github.workspace }}/ccache"
       DEPENDENCY_DIR: "${{ github.workspace }}/adapter-deps/download"
       INSTALL_PREFIX: "${{ github.workspace }}/adapter-deps/install"
+    permissions:
+      actions: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Fix git permissions
         # Usually actions/checkout does this but as we run in a container
@@ -150,7 +158,7 @@ jobs:
       fail-fast: false
       matrix:
         modules:
-          - ":presto-base-arrow-flight"  # Only run tests for the `presto-base-arrow-flight` module
+          - :presto-base-arrow-flight # Only run tests for the `presto-base-arrow-flight` module
 
     timeout-minutes: 80
     concurrency:
@@ -159,6 +167,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Fix git permissions
         # Usually actions/checkout does this but as we run in a container
@@ -187,16 +197,16 @@ jobs:
       - name: Install OpenJDK8
         uses: actions/setup-java@v4
         with:
-          distribution: 'temurin'
+          distribution: temurin
           java-version: 17.0.15
-          cache: 'maven'
+          cache: maven
       - name: Download nodejs to maven cache
         run: .github/bin/download_nodejs
 
       - name: Maven install
         env:
           # Use different Maven options to install.
-          MAVEN_OPTS: "-Xmx2G -XX:+ExitOnOutOfMemoryError"
+          MAVEN_OPTS: -Xmx2G -XX:+ExitOnOutOfMemoryError
         run: |
           export MAVEN_OPTS="${MAVEN_INSTALL_OPTS}"
           ./mvnw install ${MAVEN_FAST_INSTALL} -am -pl ${{ matrix.modules }}

@@ -9,15 +9,19 @@ on:
 jobs:
   codenotify:
     runs-on: ubuntu-latest
-    name: "Label and notify"
+    name: Label and notify
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           show-progress: false
-      - uses: sourcegraph/codenotify@v0.6.4
+          persist-credentials: false
+      - uses: sourcegraph/codenotify@54e4320f0d93f162a371d8d9dc1fb11018199746 # v0.6.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - uses: actions/labeler@v4.3.0
         with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -1,5 +1,5 @@
-name: 'Dependency Review'
-on: [pull_request]
+name: Dependency Review
+on: pull_request
 
 permissions:
   contents: read
@@ -9,15 +9,17 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: 'Checkout Repository'
+      - name: Checkout Repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-      - name: 'Dependency Review'
+      - name: Dependency Review
         uses: actions/dependency-review-action@v4
         with:
           fail-on-severity: high
           fail-on-scopes: runtime, unknown, development
           comment-summary-in-pr: always
           show-openssf-scorecard: true
           warn-on-openssf-scorecard-level: 5
-          retry-on-snapshot-warnings: true
+          retry-on-snapshot-warnings: true
@@ -3,25 +3,27 @@ name: docs
 on:
   pull_request:
     paths:
-      - 'presto-docs/**'
+      - presto-docs/**
 
 env:
   # An envar that signals to tests we are executing in the CI environment
   CONTINUOUS_INTEGRATION: true
-  MAVEN_OPTS: "-Xmx1024M -XX:+ExitOnOutOfMemoryError"
-  MAVEN_INSTALL_OPTS: "-Xmx2G -XX:+ExitOnOutOfMemoryError"
-  MAVEN_FAST_INSTALL: "-B -V --quiet -T 1C -DskipTests -Dair.check.skip-all --no-transfer-progress -Dmaven.javadoc.skip=true"
-  MAVEN_TEST: "-B -Dair.check.skip-all -Dmaven.javadoc.skip=true -DLogTestDurationListener.enabled=true --no-transfer-progress --fail-at-end"
+  MAVEN_OPTS: -Xmx1024M -XX:+ExitOnOutOfMemoryError
+  MAVEN_INSTALL_OPTS: -Xmx2G -XX:+ExitOnOutOfMemoryError
+  MAVEN_FAST_INSTALL: -B -V --quiet -T 1C -DskipTests -Dair.check.skip-all --no-transfer-progress -Dmaven.javadoc.skip=true
+  MAVEN_TEST: -B -Dair.check.skip-all -Dmaven.javadoc.skip=true -DLogTestDurationListener.enabled=true --no-transfer-progress --fail-at-end
   RETRY: .github/bin/retry
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         modules:
-          - ":presto-docs"
+          - :presto-docs
     timeout-minutes: 80
     concurrency:
       group: ${{ github.workflow }}-test-${{ matrix.modules }}-${{ github.event.pull_request.number }}
@@ -30,15 +32,16 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Install LaTeX dependencies
         run: |
           sudo apt-get update
           sudo apt-get install -y texlive-fonts-recommended texlive-latex-recommended texlive-latex-extra latexmk tex-gyre texlive-xetex fonts-freefont-otf xindy
       - uses: actions/setup-java@v4
         with:
-          distribution: 'temurin'
+          distribution: temurin
           java-version: 17.0.15
-          cache: 'maven'
+          cache: maven
       - name: Maven Install
         run: |
           export MAVEN_OPTS="${MAVEN_INSTALL_OPTS}"