This is an automated email from the ASF dual-hosted git repository.
ndimiduk pushed a commit to branch branch-2.5
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.5 by this push:
new aafb5b875cc HBASE-29893 Add zizmor for GitHub Actions workflows
security analysis (#7742)
aafb5b875cc is described below
commit aafb5b875cc3d923e03ef1d7bd64c464d48680d4
Author: Nick Dimiduk <[email protected]>
AuthorDate: Fri Mar 6 13:12:09 2026 +0100
HBASE-29893 Add zizmor for GitHub Actions workflows security analysis
(#7742)
* HBASE-29893 Add zizmor for GitHub Actions workflows security analysis
(#7742)
Signed-off-by: Dávid Paksy <[email protected]>
Signed-off-by: Duo Zhang <[email protected]>
* Apply zizmor fixes to branch-2 specific workflows
Pin action SHAs, add persist-credentials: false, and move
permissions to job-level for the jdk8-hadoop2 and jdk11-hadoop3
workflows that don't exist on master.
---------
Signed-off-by: Dávid Paksy <[email protected]>
Signed-off-by: Duo Zhang <[email protected]>
---
.github/workflows/yetus-general-check.yml | 44 ++++++++++++++++++----
.../yetus-jdk11-hadoop3-compile-check.yml | 16 ++++----
.../workflows/yetus-jdk11-hadoop3-unit-check.yml | 16 ++++----
.../yetus-jdk17-hadoop3-compile-check.yml | 9 +++--
.../workflows/yetus-jdk17-hadoop3-unit-check.yml | 9 +++--
.../workflows/yetus-jdk8-hadoop2-compile-check.yml | 16 ++++----
.../workflows/yetus-jdk8-hadoop2-unit-check.yml | 16 ++++----
7 files changed, 83 insertions(+), 43 deletions(-)
diff --git a/.github/workflows/yetus-general-check.yml
b/.github/workflows/yetus-general-check.yml
index b343b4d6656..eef591ed43d 100644
--- a/.github/workflows/yetus-general-check.yml
+++ b/.github/workflows/yetus-general-check.yml
@@ -23,33 +23,35 @@ name: Yetus General Check
pull_request:
types: [opened, synchronize, reopened]
-permissions:
- contents: read
- statuses: write
+permissions: {}
jobs:
general-check:
runs-on: ubuntu-latest
timeout-minutes: 600
+ permissions:
+ contents: read
+ statuses: write
env:
YETUS_VERSION: '0.15.0'
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 11
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '11'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -104,8 +106,36 @@ jobs:
- name: Publish Test Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-general-check-output
path: ${{ github.workspace }}/yetus-general-check/output
retention-days: 7
+
+ zizmor:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ permissions:
+ contents: read
+
+ steps:
+ - name: Check for workflow changes
+ id: changes
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ if gh pr diff "${{ github.event.pull_request.number }}" --repo "${{
github.repository }}" --name-only | grep -q '^\.github/workflows/'; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "changed=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Checkout HBase
+ if: steps.changes.outputs.changed == 'true'
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ if: steps.changes.outputs.changed == 'true'
+ run: pipx run zizmor --min-severity=medium .github/workflows/
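Review bot: In the `Check for workflow changes` step a failure of `gh pr diff` (auth error, API error, empty PR number) is indistinguishable from "no workflow files changed": the `if` condition takes grep's status, so the `else` branch writes `changed=false` and the zizmor scan is silently skipped. Capturing the file list into a variable first lets the runner's default `bash -e` abort the step on a failed `gh` call, and while touching the script the two `${{ }}` expressions are better passed through `env:` (`PR_NUMBER`, plus the predefined `GITHUB_REPOSITORY`) than interpolated into the shell text, which is the pattern zizmor's own template-injection audit steers toward (I believe it treats these two contexts as low-risk, so this is a style point). Separately, `pipx run zizmor` resolves the newest release on every run, so both the tool and its ruleset are unpinned; `pipx run zizmor==<PINNED_VERSION>` (placeholder) keeps the check reproducible, consistent with the action SHA pinning done elsewhere in this commit.
```yaml
      - name: Check for workflow changes
        id: changes
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          # A failed gh call now aborts the step instead of reading as "no changes".
          files="$(gh pr diff "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --name-only)"
          if printf '%s\n' "$files" | grep -q '^\.github/workflows/'; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: checkout step …
      - name: Run zizmor
        if: steps.changes.outputs.changed == 'true'
        run: pipx run zizmor==<PINNED_VERSION> --min-severity=medium .github/workflows/
```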
diff --git a/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml
b/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml
index ee71740ff57..1539280bcb7 100644
--- a/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml
+++ b/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml
@@ -23,33 +23,35 @@ name: Yetus JDK11 Hadoop3 Compile Check
pull_request:
types: [opened, synchronize, reopened]
-permissions:
- contents: read
- statuses: write
+permissions: {}
jobs:
jdk11-hadoop3-compile-check:
runs-on: ubuntu-latest
timeout-minutes: 60
+ permissions:
+ contents: read
+ statuses: write
env:
YETUS_VERSION: '0.15.0'
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 11
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '11'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -102,7 +104,7 @@ jobs:
- name: Publish Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk11-hadoop3-compile-check-output
path: ${{ github.workspace
}}/yetus-jdk11-hadoop3-compile-check/output
diff --git a/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml
b/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml
index f91064d9b1e..4bcd83f8479 100644
--- a/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml
+++ b/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml
@@ -23,14 +23,15 @@ name: Yetus JDK11 Hadoop3 Unit Check
pull_request:
types: [opened, synchronize, reopened]
-permissions:
- contents: read
- statuses: write
+permissions: {}
jobs:
jdk11-hadoop3-unit-check:
runs-on: ubuntu-latest
timeout-minutes: 360
+ permissions:
+ contents: read
+ statuses: write
strategy:
fail-fast: false
@@ -56,19 +57,20 @@ jobs:
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 11
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '11'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -124,7 +126,7 @@ jobs:
- name: Publish Test Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk11-hadoop3-unit-check-${{ matrix.name }}
path: ${{ github.workspace }}/yetus-jdk11-hadoop3-unit-check/output
diff --git a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
index 245e5601501..22bd819a1f2 100644
--- a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
+++ b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml
@@ -37,19 +37,20 @@ jobs:
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '17'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -102,7 +103,7 @@ jobs:
- name: Publish Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk17-hadoop3-compile-check-output
path: ${{ github.workspace
}}/yetus-jdk17-hadoop3-compile-check/output
diff --git a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
index 0e755f32173..bb1bdbf5711 100644
--- a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
+++ b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml
@@ -56,19 +56,20 @@ jobs:
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '17'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -124,7 +125,7 @@ jobs:
- name: Publish Test Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk17-hadoop3-unit-check-${{ matrix.name }}
path: ${{ github.workspace }}/yetus-jdk17-hadoop3-unit-check/output
diff --git a/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml
b/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml
index 42333640d04..fc4a70bfd92 100644
--- a/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml
+++ b/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml
@@ -23,33 +23,35 @@ name: Yetus JDK8 Hadoop2 Compile Check
pull_request:
types: [opened, synchronize, reopened]
-permissions:
- contents: read
- statuses: write
+permissions: {}
jobs:
jdk8-hadoop2-compile-check:
runs-on: ubuntu-latest
timeout-minutes: 60
+ permissions:
+ contents: read
+ statuses: write
env:
YETUS_VERSION: '0.15.0'
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 8
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '8'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -101,7 +103,7 @@ jobs:
- name: Publish Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk8-hadoop2-compile-check-output
path: ${{ github.workspace }}/yetus-jdk8-hadoop2-compile-check/output
diff --git a/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml
b/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml
index cabe3fdd4a9..2b7301a1249 100644
--- a/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml
+++ b/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml
@@ -23,14 +23,15 @@ name: Yetus JDK8 Hadoop2 Unit Check
pull_request:
types: [opened, synchronize, reopened]
-permissions:
- contents: read
- statuses: write
+permissions: {}
jobs:
jdk8-hadoop2-unit-check:
runs-on: ubuntu-latest
timeout-minutes: 360
+ permissions:
+ contents: read
+ statuses: write
strategy:
fail-fast: false
@@ -56,19 +57,20 @@ jobs:
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #
v4.3.1
with:
path: src
fetch-depth: 0
+ persist-credentials: false
- name: Set up JDK 8
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #
v4.8.0
with:
java-version: '8'
distribution: 'temurin'
- name: Maven cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
@@ -123,7 +125,7 @@ jobs:
- name: Publish Test Results
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# v4.6.2
with:
name: yetus-jdk8-hadoop2-unit-check-${{ matrix.name }}
path: ${{ github.workspace }}/yetus-jdk8-hadoop2-unit-check/output