From 5475b83fed5f4adf39cc4c4d2451ead9c41332d1 Mon Sep 17 00:00:00 2001
From: Josep Prat <josep.prat@klaw-project.io>
Date: Fri, 21 Oct 2022 18:01:26 +0200
Subject: [PATCH] fix: Harden workflow

Signed-off-by: Josep Prat <josep.prat@klaw-project.io>
---
 .github/workflows/maven.yml | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 54f8f3e38f..20cc2de82f 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -5,25 +5,29 @@ name: Java CI with Maven
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
+
+permissions:
+  contents: read
 
 jobs:
   build:
     strategy:
       matrix:
-        java-version: [ 11, 17 ]
-        runs-on: [ ubuntu-latest ]
+        java-version: [11, 17]
+        runs-on: [ubuntu-latest]
     name: Jdk ${{ matrix.java-version }}, os ${{ matrix.runs-on }}
     runs-on: ${{ matrix.runs-on }}
     steps:
-    - uses: actions/checkout@v3
-    - name: Set up JDK ${{ matrix.java-version }}
-      uses: actions/setup-java@v3
-      with:
-        java-version: ${{ matrix.java-version }}
-        distribution: 'temurin'
-        cache: maven
-    - name: Build and run tests with Maven
-      run: mvn --batch-mode --update-snapshots verify
+      - uses: actions/checkout@v3
+      - name: Set up JDK ${{ matrix.java-version }}
+        uses: actions/setup-java@v3
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: "temurin"
+          cache: maven
+          persist-credentials: false
+      - name: Build and run tests with Maven
+        run: mvn --batch-mode --update-snapshots verify