potiuk commented on code in PR #7742:
URL: https://github.com/apache/hbase/pull/7742#discussion_r2804924409
##########
.github/workflows/yetus-general-check.yml:
##########
@@ -23,33 +23,35 @@ name: Yetus General Check
pull_request:
types: [opened, synchronize, reopened]
-permissions:
- contents: read
- statuses: write
+permissions: {}
jobs:
general-check:
runs-on: ubuntu-latest
timeout-minutes: 600
+ permissions:
+ contents: read
+ statuses: write
env:
YETUS_VERSION: '0.15.0'
steps:
- name: Checkout HBase
- uses: actions/checkout@v4
+ uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
Review Comment:
BTW. we are using octopin `prek` hook from eclipse that is keeping actions
updated to have hash-commits
https://github.com/apache/airflow/blob/a9df1220b8a62aff9e6c0004de0624051a937a91/.pre-commit-config.yaml#L33
- this is nice because it keeps the "tag" version in comment and will propose
an update when we run it and then we can review the changes coming and commit
it.
Also zizmor can be configured to ignore certain actions or relax their rules
https://docs.zizmor.sh/audits/#rulesunpinned-usesconfigpolicies - they even
have example how to configure it to skip pinning for github-owned "/actions/"
- which is fine according to ASF rules, but we opted not to do it as octopin
makes it super easy to keep hash-commit for all actions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
