This is an automated email from the ASF dual-hosted git repository.
ndimiduk pushed a commit to branch branch-3
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-3 by this push:
new 986eef48e20 HBASE-29893 Add zizmor for GitHub Actions workflows
security analysis (#7742)
986eef48e20 is described below
commit 986eef48e205c55e4e27b441948c9bb0d40c8d20
Author: Nick Dimiduk <[email protected]>
AuthorDate: Fri Mar 6 10:35:15 2026 +0100
HBASE-29893 Add zizmor for GitHub Actions workflows security analysis
(#7742)
Signed-off-by: Dávid Paksy <[email protected]>
Signed-off-by: Duo Zhang <[email protected]>
---
.github/workflows/yetus-general-check.yml | 44 ++++++++++++++++++----
.../yetus-jdk17-hadoop3-compile-check.yml | 9 +++--
.../workflows/yetus-jdk17-hadoop3-unit-check.yml | 9 +++--
3 files changed, 47 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/yetus-general-check.yml
b/.github/workflows/yetus-general-check.yml
index ecaf94c1942..7b81b69ca46 100644
--- a/.github/workflows/yetus-general-check.yml
+++ b/.github/workflows/yetus-general-check.yml
@@ -23,33 +23,35 @@ name: Yetus General Check
pull_request:
types: [opened, synchronize, reopened]
-permissions:
- contents: read
- statuses: write
+permissions: {}
jobs:
general-check:
runs-on: ubuntu-latest
timeout-minutes: 600
+ permissions:
+ contents: read
+ statuses: write
env:
YETUS_VERSION: '0.15.0'
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '17'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -101,8 +103,36 @@ jobs:
- name: Publish Test Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-general-check-output
path: ${{ github.workspace }}/yetus-general-check/output
retention-days: 7
+
+ zizmor:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ permissions:
+ contents: read
+
+ steps:
+ - name: Check for workflow changes
+ id: changes
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ if gh pr diff "${{ github.event.pull_request.number }}" --repo "${{
github.repository }}" --name-only | grep -q '^\.github/workflows/'; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "changed=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Checkout HBase
+ if: steps.changes.outputs.changed == 'true'
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ if: steps.changes.outputs.changed == 'true'
+ run: pipx run zizmor --min-severity=medium .github/workflows/
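Review bot: The final step, `run: pipx run zizmor --min-severity=medium .github/workflows/`, runs whatever zizmor release PyPI serves at execution time, so the scanner that now gates workflow changes is itself an unpinned dependency while every `uses:` line in this commit was pinned to a commit SHA; pin it as `run: pipx run zizmor==<ZIZMOR_VERSION> --min-severity=medium .github/workflows/` (placeholder version) and bump it deliberately, otherwise a new release with changed rules can turn the check red or green with no change to the repository. In the `Check for workflow changes` step, `${{ github.event.pull_request.number }}` and `${{ github.repository }}` are expanded into the shell script text; neither is attacker-controlled here, but routing them through `env:` the way `GH_TOKEN` already is keeps the script free of template expansion, which is the shape zizmor's own template-injection rule asks for. `github.event.pull_request.number` is also empty on any non-`pull_request` trigger, so if the `on:` block (which lies above this hunk) ever adds another event, `gh pr diff ""` fails and the job errors rather than skipping; an `if: github.event_name == 'pull_request'` on the job would make that explicit.
```yaml
      - name: Check for workflow changes
        id: changes
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          if gh pr diff "$PR_NUMBER" --repo "$REPO" --name-only | grep -q '^\.github/workflows/'; then
          # … unchanged: echo changed=true / changed=false into "$GITHUB_OUTPUT" …
```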
diff --git a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
index 8d41b86b99e..624a393d3ab 100644
--- a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
+++ b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
@@ -37,19 +37,20 @@ jobs:
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '17'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
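Review bot: The permission tightening applied to yetus-general-check.yml in this commit (workflow-level `permissions: {}` with `contents: read` / `statuses: write` moved onto the job) does not appear in this hunk or in the matching hunk of yetus-jdk17-hadoop3-unit-check.yml (@@ -56,19 +56,20 @@), so the three workflows now declare token scope differently; the top of this file, where a workflow-level `permissions` block would sit, is outside the hunk and the diffstat (9 lines changed) suggests it was not touched, so this is inferred rather than seen. If these two workflows still grant `statuses: write` at the workflow level, that scope applies to every job in the file, including any added later in the style of the new `zizmor` job; mirroring the general-check layout with `permissions: {}` at the top and the job-level grant would keep the three files consistent and give each job only what it uses. The enclosing job definition starts above this hunk.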
@@ -99,7 +100,7 @@ jobs:
- name: Publish Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk17-hadoop3-compile-check-output
path: ${{ github.workspace
}}/yetus-jdk17-hadoop3-compile-check/output
diff --git a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
index f29acabb529..35e5b976e3c 100644
--- a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
+++ b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
@@ -56,19 +56,20 @@ jobs:
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '17'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -121,7 +122,7 @@ jobs:
- name: Publish Test Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk17-hadoop3-unit-check-${{ matrix.name }}
path: ${{ github.workspace }}/yetus-jdk17-hadoop3-unit-check/output