Security: Update sbt-github-actions plugin to v0.25.0 to fix CVE-2024-42471 (#183)

* Security: Fix CVE-2024-42471 and update all GitHub Actions to latest versions

Fixes:
- CVE-2024-42471: Updated actions/download-artifact@v2 to v4.3.0
  Eliminates arbitrary file write vulnerability during artifact extraction
  that could lead to remote code execution, secret leakage, or workflow
  manipulation

Updated all vulnerable actions to latest stable versions:
- actions/checkout: v2 → v4.2.2
- actions/setup-java: v2 → v4.7.1
- actions/cache: v2 → v4.2.3
- actions/upload-artifact: v2 → v4.6.2
- actions/download-artifact: v2 → v4.3.0

This addresses high-risk security vulnerabilities while maintaining
full workflow functionality and improving CI/CD pipeline security.

* Fix CVE-2024-42471: Update sbt-github-actions to use secure action versions

Properly configures sbt-github-actions plugin to generate workflows with
secure action versions instead of manually editing the generated ci.yml file.

Changes:
- Override githubWorkflowJobSetup with secure action versions:
  * actions/checkout: v2 → v4.2.2
  * actions/setup-java: v2 → v4.7.1
  * actions/cache: v2 → v4.2.3
- Override githubWorkflowGeneratedUploadSteps and githubWorkflowGeneratedDownloadSteps:
  * actions/upload-artifact: v2 → v4.6.2
  * actions/download-artifact: v2 → v4.3.0 (fixes CVE-2024-42471)

This approach ensures the security fixes persist through future workflow
regeneration and prevents the workflow check from failing.

* Update sbt-github-actions to v0.25.0 to fix CVE-2024-42471

- Updated plugin from v0.14.2 to v0.25.0 which uses secure action versions by default
- Removed custom security overrides since new plugin has secure defaults
- Now uses actions/download-artifact@v4 which fixes CVE-2024-42471
- Also updated to latest versions: checkout@v4, setup-java@v4, upload-artifact@v4

Fixes: CVE-2024-42471 (arbitrary file write vulnerability)

* Update Java version to temurin@11

- Changed from zulu@8 to temurin@11 as requested
- Updated build.sbt with explicit Java version specification
- Regenerated workflows with new Java version

Author: amitksingh1490

.github/workflows/ci.yml

@@ -28,40 +28,32 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout current branch (full)
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Java (temurin@11)
         if: matrix.java == 'temurin@11'
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           distribution: temurin
           java-version: 11
+          cache: sbt
 
-      - name: Cache sbt
-        uses: actions/cache@v2
-        with:
-          path: |
-            ~/.sbt
-            ~/.ivy2/cache
-            ~/.coursier/cache/v1
-            ~/.cache/coursier/v1
-            ~/AppData/Local/Coursier/Cache/v1
-            ~/Library/Caches/Coursier/v1
-          key: ${{ runner.os }}-sbt-cache-v2-${{ hashFiles('**/*.sbt') }}-${{ hashFiles('project/build.properties') }}
+      - name: Setup sbt
+        uses: sbt/setup-sbt@v1
 
       - name: Check that workflows are up to date
-        run: sbt ++${{ matrix.scala }} githubWorkflowCheck
+        run: sbt '++ ${{ matrix.scala }}' githubWorkflowCheck
 
       - name: Build project
-        run: sbt ++${{ matrix.scala }} test
+        run: sbt '++ ${{ matrix.scala }}' test
 
       - name: Compress target directories
         run: tar cf targets.tar target compose-examples/target compose/target compose-macros/target compose-graphql/target project/target
 
       - name: Upload target directories
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: target-${{ matrix.os }}-${{ matrix.scala }}-${{ matrix.java }}
           path: targets.tar
@@ -78,31 +70,23 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout current branch (full)
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Java (temurin@11)
         if: matrix.java == 'temurin@11'
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           distribution: temurin
           java-version: 11
+          cache: sbt
 
-      - name: Cache sbt
-        uses: actions/cache@v2
-        with:
-          path: |
-            ~/.sbt
-            ~/.ivy2/cache
-            ~/.coursier/cache/v1
-            ~/.cache/coursier/v1
-            ~/AppData/Local/Coursier/Cache/v1
-            ~/Library/Caches/Coursier/v1
-          key: ${{ runner.os }}-sbt-cache-v2-${{ hashFiles('**/*.sbt') }}-${{ hashFiles('project/build.properties') }}
+      - name: Setup sbt
+        uses: sbt/setup-sbt@v1
 
       - name: Download target directories (2.13.8)
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: target-${{ matrix.os }}-2.13.8-${{ matrix.java }}
 
@@ -116,4 +100,4 @@ jobs:
           PGP_SECRET: ${{ secrets.PGP_SECRET }}
           SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
           SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
-        run: sbt ++${{ matrix.scala }} ci-release
+        run: sbt ci-release

.github/workflows/clean.yml

@@ -17,6 +17,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Delete artifacts
+        shell: bash {0}
         run: |
           # Customize those three lines with your repository and credentials:
           REPO=${GITHUB_API_URL}/repos/${{ github.repository }}
@@ -25,7 +26,7 @@ jobs:
           ghapi() { curl --silent --location --user _:$GITHUB_TOKEN "$@"; }
 
           # A temporary file which receives HTTP response headers.
-          TMPFILE=/tmp/tmp.$$
+          TMPFILE=$(mktemp)
 
           # An associative array, key: artifact name, value: number of artifacts of that name.
           declare -A ARTCOUNT

build.sbt

@@ -13,9 +13,10 @@ Global / scalacOptions            := Seq(
 Global / scalaVersion             := "2.13.8"
 ThisBuild / versionScheme         := Some("early-semver")
 ThisBuild / testFrameworks += new TestFramework("zio.test.sbt.ZTestFramework")
+ThisBuild / githubWorkflowJavaVersions := Seq(JavaSpec.temurin("11"))
 ThisBuild / githubWorkflowTargetTags ++= Seq("v*")
 ThisBuild / githubWorkflowPublishTargetBranches += RefPredicate.StartsWith(Ref.Tag("v"))
-ThisBuild / githubWorkflowPublish := Seq(WorkflowStep.Sbt(List("ci-release")))
+
 ThisBuild / githubWorkflowPublish := Seq(WorkflowStep.Sbt(
   List("ci-release"),
   env = Map(

forge.yaml

@@ -0,0 +1 @@
+model: anthropic/claude-sonnet-4

project/plugins.sbt

@@ -1,4 +1,4 @@
 addSbtPlugin("ch.epfl.scala"  % "sbt-scalafix"       % "0.10.4")
 addSbtPlugin("org.scalameta"  % "sbt-scalafmt"       % "2.5.0")
-addSbtPlugin("com.codecommit" % "sbt-github-actions" % "0.14.2")
+addSbtPlugin("com.github.sbt" % "sbt-github-actions" % "0.25.0")
 addSbtPlugin("com.github.sbt" % "sbt-ci-release"     % "1.5.11")