Add permission

.github/workflows/comment-pr.yml

@@ -0,0 +1,58 @@
+# Description: This workflow is triggered when the `receive-pr` workflow completes to post suggestions on the PR.
+# Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code.
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+---
+name: comment-pr
+
+on:
+  workflow_run:
+    workflows: ["receive-pr"]
+    types:
+      - completed
+permissions:
+  actions: read
+
+jobs:
+  post-suggestions:
+    # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    env:
+      # https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
+      ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{github.event.workflow_run.head_branch}}
+          repository: ${{github.event.workflow_run.head_repository.full_name}}
+
+      - name: Download the patch.
+        uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
+        with:
+          name: patch
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+      - name: Apply patch
+        run: |
+          git apply git-diff.patch --allow-empty
+          rm git-diff.patch
+
+      - name: Download the PR number.
+        uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4
+        with:
+          name: pr_number
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+      - name: Read pr_number.txt
+        run: |
+          PR_NUMBER=$(cat pr_number.txt)
+          echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+          rm pr_number.txt
+
+      - name: Post suggestions as a comment on the PR.
+        uses: googleapis/code-suggester@589b3ac11ac2575fd561afa45034907f301a375b # v3.4.4
+        with:
+          command: review
+          pull_number: ${{ env.PR_NUMBER }}
+          git_dir: '.'

.github/workflows/receive-pr.yml

@@ -0,0 +1,56 @@
+# Description: This workflow runs OpenRewrite recipes against opened pull request and upload the patch.
+# Since this pull request receives untrusted code, we should **NOT** have any secrets in the environment.
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+---
+name: receive-pr
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - master
+permissions:
+  actions: read
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  upload-patch:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: XXX add name.
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{github.event.pull_request.head.ref}}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+      - name: Check out code and set up JDK and Maven
+        uses: s4u/setup-maven-action@489441643219d2b93ee2a127b2402eb640a1b947 # v1.13.0
+        with:
+          java-version: 17.0.10
+          java-distribution: temurin
+          maven-version: 3.9.9
+
+      # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
+      - name: Capture the PR number.
+        run: echo "${{ github.event.number }}" > pr_number.txt
+      - name: Upload `pr_number.txt`.
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: pr_number
+          path: pr_number.txt
+      - name: Remove pr_number.txt
+        run: rm -f pr_number.txt
+
+      - name: Run Error Prone and Error Prone Support.
+        run: ./apply-error-prone-suggestions.sh
+
+      - name: Capture the diff and create the patch.
+        run: |
+          git diff | tee git-diff.patch
+      - name: Upload the diff.
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: patch
+          path: git-diff.patch

error-prone-contrib/src/main/java/tech/picnic/errorprone/refasterrules/PreconditionsRules.java

@@ -9,6 +9,7 @@ import static com.google.errorprone.refaster.ImportPolicy.STATIC_IMPORT_ALWAYS;
 import static java.util.Objects.requireNonNull;
 
 import com.google.common.base.Preconditions;
+import com.google.errorprone.refaster.ImportPolicy;
 import com.google.errorprone.refaster.annotation.AfterTemplate;
 import com.google.errorprone.refaster.annotation.BeforeTemplate;
 import com.google.errorprone.refaster.annotation.UseImportPolicy;
@@ -30,7 +31,7 @@ final class PreconditionsRules {
     }
 
     @AfterTemplate
-    @UseImportPolicy(STATIC_IMPORT_ALWAYS)
+    @UseImportPolicy(ImportPolicy.STATIC_IMPORT_ALWAYS)
     void after(boolean condition) {
       checkArgument(!condition);
     }