Align GitHub Actions setup on Hibernate Search

.github/workflows/build.yml → .github/workflows/ci.yml

@@ -9,7 +9,7 @@
 # See https://docs.github.com/en/actions
 # for more information about GitHub actions.
 
-name: GitHub Actions Build
+name: GH Actions CI
 
 on:
   push:
@@ -24,9 +24,7 @@ on:
       - '!dependabot/**'
     tags:
       - '**'
-  # WARNING: Using pull_request_target to access secrets, but we check out the merge commit.
-  # See checkout action for details.
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
     branches:
       # Pattern order matters: the last matching inclusion/exclusion wins
@@ -43,14 +41,14 @@ on:
 
 concurrency:
   group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
-  cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-validator' }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-validator' }}
 
 defaults:
   run:
     shell: bash
 
 env:
-  MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end"
+  MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end -Pci-build --no-transfer-progress"
   TESTCONTAINERS_REUSE_ENABLE: true
 
 jobs:
@@ -68,7 +66,7 @@ jobs:
               version: 17
             },
             maven: {
-              args: '-Pci-build --no-transfer-progress'
+              args: ''
             }
           }
           - {
@@ -78,27 +76,16 @@ jobs:
               version: 17
             },
             maven: {
-              args: '-Pci-build --no-transfer-progress'
+              args: ''
             }
           }
     steps:
       - name: Support longpaths on Windows
         if: "startsWith(matrix.os.runs-on, 'windows')"
         run: git config --global core.longpaths true
-      - name: Check out commit already pushed to branch
-        if: "! github.event.pull_request.number"
-        uses: actions/checkout@v4
-      - name: Check out PR head
-        uses: actions/checkout@v4
-        if: github.event.pull_request.number
+      - uses: actions/checkout@v4
         with:
-          # WARNING: This is potentially dangerous since we're checking out unreviewed code,
-          # and since we're using the pull_request_target event we can use secrets.
-          # Thus, we must be extra careful to never expose secrets to steps that execute this code,
-          # and to strictly limit our set of secrets to those that only pose minor security threats.
-          # This means in particular we won't expose Develocity credentials to the main maven executions,
-          # but instead will execute maven a third time just to push build scans to Develocity; (once we have scans enabled)
-          ref: "refs/pull/${{ github.event.pull_request.number }}/head"
+          persist-credentials: false
       - name: Set up Java ${{ matrix.os.java.version }}
         uses: actions/setup-java@v4
         with:
@@ -109,9 +96,10 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          # use a different key than workflows running in trusted mode
+          key: ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
-            ${{ runner.os }}-maven-
+            ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven-
       - name: Set up Maven
         run: ./mvnw -v
 
@@ -144,3 +132,6 @@ jobs:
           name: ${{ format('build-reports-{0}', matrix.os.name ) }}
           path: ${{ env.buildReportPaths }}
           retention-days: 7
+
+      - name: Omit produced artifacts from build cache
+        run: rm -r ~/.m2/repository/org/hibernate/validator