Djaytan · Djaytan · Jan 6, 2024 · Jan 6, 2024
@@ -1,14 +1,15 @@
-name: Maven - CI
+name: CI
 
 on:
   workflow_dispatch:
   push:
-    # Re-execute the CI on default branch only for status while ensuring it remains stable in any circumstances
     branches:
       - 'main'
   pull_request:
     branches:
       - 'main'
+  schedule:
+    - cron: '28 14 * * *' # At 14:28 every day
 
 permissions: {}
 
@@ -18,7 +19,9 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
+      actions: read
       contents: read
+      security-events: write
 
     steps:
       - name: Harden runner
@@ -28,6 +31,9 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             github.com:443
+            api.github.com:443
+            uploads.github.com:443
+            objects.githubusercontent.com:443
             repo.maven.apache.org:443
             jitpack.io:443
             repo.papermc.io:443
@@ -43,8 +49,15 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
-          # SonarQube - Shallow clones should be disabled for a better relevancy of analysis
+          # Required by SonarCloud & Cocogitto
           fetch-depth: 0
+          # Pick the PR HEAD instead of the merge commit (required by Cocogitto)
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Conventional commits check
+        uses: cocogitto/cocogitto-action@ac6260150ee57e3164cd95b47fc84cdee9e3444c # v3.5
+        with:
+          check-latest-tag-only: true
 
       - name: Set up JDK 17
         uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
@@ -63,6 +76,11 @@ jobs:
           key: sonar
           restore-keys: sonar
 
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          languages: java
+
       - name: Maven build & SonarCloud quality scan
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -76,3 +94,8 @@ jobs:
             -Dsonar.host.url="${SONAR_HOST_URL}" \
             -Dsonar.organization="${SONAR_ORGANIZATION}" \
             -Dsonar.projectKey="${SONAR_PROJECT_KEY}"
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          category: /language:java
@@ -1,4 +1,4 @@
-name: Security Scan - Scorecard
+name: OpenSSF Scorecard - Scan
 
 on:
   workflow_dispatch: