This is an automated email from the ASF dual-hosted git repository.

adoroszlai pushed a commit to branch slim
in repository https://gitbox.apache.org/repos/asf/ozone-docker.git

commit cfcd8d906ea8087ac9f67840a47705a4222d2c85
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Fri Apr 17 16:52:36 2026 +0200

    HDDS-14920. Check actions with zizmor (#56)
    
    (cherry picked from commit 1ebbe2050eabd89240e5cda04bf1d6f99baa2dae)
---
 .github/workflows/build-and-tag.yaml | 10 +++++++---
 .github/workflows/build.yaml         |  9 +++++----
 .github/workflows/zizmor.yml         | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build-and-tag.yaml 
b/.github/workflows/build-and-tag.yaml
index 4f37825..03fd284 100644
--- a/.github/workflows/build-and-tag.yaml
+++ b/.github/workflows/build-and-tag.yaml
@@ -24,13 +24,14 @@ on:
     branches:
       - 'ozone-**'
 
-permissions:
-  contents: read
-  packages: write
+permissions: { }
 
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    permissions:
+      contents: read
+      packages: write
 
   tag:
     needs: build
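Review bot: `permissions: { }` on the new top-level line is spelled with a space inside the braces; the conventional empty flow mapping is `{}` (what Prettier emits and what yamllint flags for consistency), and the same spelling appears in the build.yaml and zizmor.yml hunks of this commit. The job-level grant on the `uses:` job would also benefit from a one-line comment, since for a reusable-workflow call these permissions are the ceiling the called workflow can only lower, not raise: `permissions: # passed to build.yaml; the called job cannot exceed these`. The `on:` block before the hunk and the `tag` job after it are outside the hunk.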
@@ -39,6 +40,9 @@ jobs:
       DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
       IMAGE_ID: ${{ needs.build.outputs.image-id }}
       REGISTRIES: ghcr.io # docker.io is appended dynamically
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Generate tags
         uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf 
# v6.0.0
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d65fcba..edecb0f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -35,16 +35,17 @@ concurrency:
   group: ${{ github.sha }}
   cancel-in-progress: false
 
-permissions:
-  contents: read
-  packages: write
-
 env:
   OZONE_RUNNER_IMAGE: ghcr.io/apache/ozone-runner
 
+permissions: { }
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       image-id: ${{ steps.meta.outputs.tags }}
     steps:
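Review bot: The job-level `permissions` block gives no hint why each scope is needed, which matters now that the default has been dropped to `{ }`; a short comment keeps future edits from widening it casually, e.g. `contents: read  # checkout` and `packages: write  # push to ghcr.io (OZONE_RUNNER_IMAGE)`. The checkout step that `contents: read` presumably serves is outside the hunk, so confirm the comment against the `steps:` that follow.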
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..6b7263f
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: zizmor
+
+on:
+  push:
+  pull_request:
+
+permissions: { }
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+    - name: Checkout project
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+
+    - name: Run zizmor
+      uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e 
# v0.5.3
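Review bot: The `steps:` sequence is written flush with its parent key (`    steps:` / `    - name:`), while the build-and-tag.yaml hunk in this same commit indents sequence items under `steps:`; pick one style so yamllint's `indentation.indent-sequences` check passes repo-wide. The job also grants only `security-events: write`, so `contents` and `actions` fall to `none`; on this public repository the checkout and SARIF upload presumably still succeed, but zizmor-action's documented job permissions add `contents: read` and `actions: read` for private repositories, so making `contents: read  # checkout` explicit avoids relying on public-repo behaviour. `on: push:` and `pull_request:` carry no branch filter, so this runs on every push to every branch, which is fine for a linter but worth stating in a comment.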

