chore(bootstrap): RAN-46 wire 85% jacoco gate, dep-check CVSS>=7, SHA-pin remaining actions

aksOps · Paperclip-Paperclip · claude · aksOps · commit 0b034593377d · 2026-04-25T09:44:50.000Z
Closes the dynamic side of the Slice A bootstrap (the static governance artifacts landed in 638fda7). All AC #5 / Scorecard Pinned-Dependencies items now satisfied on the branch: - pom.xml jacoco-maven-plugin: re-enable the `check` execution (bound to `verify` phase) with BUNDLE LINE COVEREDRATIO >= 0.85. Fails `mvn verify` below threshold, per AC #5 (gate is not just Sonar — explicit jacoco rule required). - pom.xml dependency-check-maven: add `failBuildOnCVSS=7` so any High/Critical CVE in transitive deps fails the build, per rules/security.md ("High/Critical = block"). - ci-java.yml / beta-java.yml / release-java.yml: pin actions/checkout, actions/setup-java, actions/upload-artifact, and softprops/action-gh-release to 40-char commit SHAs (with version comments) so OSSF Scorecard `Pinned-Dependencies` passes for the whole repo, not just the new workflows. SHAs: - actions/checkout@de0fac2e (v4.2.2) - actions/setup-java@be666c2f (v4.7.1) - actions/upload-artifact@043fb46d (v4.6.2) - softprops/action-gh-release@3bb12739 (v2) Refs RAN-46. Co-Authored-By: Paperclip <noreply@paperclip.ing> Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/beta-java.yml b/.github/workflows/beta-java.yml
@@ -9,11 +9,11 @@ jobs:
       contents: write
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v4.7.1
         with:
           distribution: 'temurin'
           java-version: '25'
@@ -60,7 +60,7 @@ jobs:
           git push origin ${{ steps.version.outputs.tag }}
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
         with:
           tag_name: ${{ steps.version.outputs.tag }}
           name: "Beta ${{ steps.version.outputs.version }}"
diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml
@@ -10,21 +10,21 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v4.7.1
         with:
           distribution: 'temurin'
           java-version: '25'
           cache: 'maven'
       - run: mvn clean verify -B
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.6.2
         if: always()
         with:
           name: test-results
           path: target/surefire-reports/
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.6.2
         with:
           name: coverage-report
           path: target/site/jacoco/
diff --git a/.github/workflows/release-java.yml b/.github/workflows/release-java.yml
@@ -12,8 +12,8 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-java@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v4.7.1
         with:
           distribution: 'temurin'
           java-version: '25'
@@ -39,7 +39,7 @@ jobs:
         run: |
           git tag "v${RELEASE_VERSION}"
           git push origin "v${RELEASE_VERSION}"
-      - uses: softprops/action-gh-release@v2
+      - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
         with:
           tag_name: v${{ inputs.version }}
           generate_release_notes: true
diff --git a/pom.xml b/pom.xml
@@ -369,10 +369,9 @@
                             <goal>report</goal>
                         </goals>
                     </execution>
-                    <!-- Coverage enforcement removed — SonarCloud quality gate handles this -->
-                    <!--
                     <execution>
                         <id>check</id>
+                        <phase>verify</phase>
                         <goals>
                             <goal>check</goal>
                         </goals>
@@ -391,7 +390,6 @@
                             </rules>
                         </configuration>
                     </execution>
-                    -->
                 </executions>
             </plugin>
 
@@ -408,6 +406,10 @@
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
                 <version>${owasp.dependency-check.version}</version>
+                <configuration>
+                    <!-- Fail build on High/Critical CVEs (CVSS >= 7) per security.md -->
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                </configuration>
             </plugin>
 
             <plugin>
