Merge pull request #6338 from planetf1/issue6337

Update CodeQL scan & add permissions

.github/workflows/merge-gradle.yml

@@ -21,7 +21,7 @@ jobs:
         uses: actions/setup-java@v2
         with:
           java-version: '11'
-          distribution: 'adopt'
+          distribution: 'temurin'
       # Build first - lombok & other pre-processing may be needed. safer...
       - name: build
         if: ${{ github.repository == 'odpi/egeria' && github.ref == 'refs/heads/master'}}

.github/workflows/merge-maven.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           # Java 11 is used for merge builds (PRs do check Java latest)
           java-version: '11'
-          distribution: 'adopt'
+          distribution: 'temurin'
           # Publishing attributes for maven central (this step adds to setting.xml)
           server-id: ossrh
           server-username: MAVEN_USERNAME

.github/workflows/pr-codeql.yml

@@ -19,8 +19,13 @@ on:
 
 jobs:
   analyze:
+    if: ${{ github.repository == 'odpi/egeria'}}
     name: CodeQL Build
     runs-on: ubuntu-latest
+    permissions:
+       actions: read
+       contents: read
+       security-events: write
 
     strategy:
       fail-fast: false
@@ -32,13 +37,13 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
       - name: Setup Java JDK
         uses: actions/setup-java@v2
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '11'
-      - name: Checkout repository
-        uses: actions/checkout@v2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/pr-gradle.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up JDK 11
         uses: actions/setup-java@v2
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '11'
       - name: Cache Gradle packages
         uses: actions/cache@v2.1.7

.github/workflows/pr-maven-latest.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '17'
       - name: Cache Maven packages
         uses: actions/cache@v2.1.7

.github/workflows/pr-maven-prod.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Set up JDK 11
         uses: actions/setup-java@v2
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '11'
       - name: Cache Maven packages
         uses: actions/cache@v2.1.7

.github/workflows/release.yml

@@ -37,7 +37,7 @@ jobs:
       - name: Set up JDK 11
         uses: actions/setup-java@v2
         with:
-          distribution: 'adopt'
+          distribution: 'temurin'
           java-version: '11'
           # Publishing attributes for maven central (this step adds to setting.xml)
           server-id: ossrh