kevinjqliu opened a new issue, #15742: URL: https://github.com/apache/iceberg/issues/15742
Recent supply chain attacks through GitHub workflows (e.g. trivy) show that we need to harden our GitHub workflow implementation. This should apply to all subprojects of Iceberg. I've already added a few improvements, including:

* Add CodeQL to scan GitHub workflow definitions for potential vulnerabilities (https://github.com/apache/iceberg/pull/15348)
* Explicitly use least-privilege workflow permissions (https://github.com/apache/iceberg/pull/15409)

I think we can do more by pinning ALL GitHub actions to a commit SHA (allowlisted by [infrastructure-actions](https://github.com/apache/infrastructure-actions/blob/07f5f9d2b05fe0ec9886e3ef0a9d79797817f0cb/approved_patterns.yml#L9)) and enforcing this for all GitHub workflow definitions going forward.

### Proposed Next Steps

1. **Pin all GitHub Actions to a full commit SHA** rather than mutable tags (e.g., `actions/checkout@v3`), using only actions allowlisted by [apache/infrastructure-actions](https://github.com/apache/infrastructure-actions/blob/07f5f9d2b05fe0ec9886e3ef0a9d79797817f0cb/approved_patterns.yml#L9). Pinning to a SHA ensures that a compromised or modified tag cannot silently swap in malicious code.
2. **Enforce SHA pinning going forward** via CI checks or linting on all new and modified workflow files, so the policy is maintained consistently across contributions.
3. **Disable Dependabot auto-updates for GitHub Actions.** Dependabot may automatically bump action versions that have not yet been reviewed and allowlisted by ASF Infrastructure. Until an action is on the allowlist, using it will cause workflows to silently fail with no notifications (see [infrastructure-actions#574](https://github.com/apache/infrastructure-actions/issues/574)). Any action version updates should go through the ASF allowlist process first.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
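The CI lint proposed in step 2 can be implemented as a small script that scans every `uses:` line in the workflow files and reports references that are not pinned to a full 40-character commit SHA, that lack the conventional trailing version comment, or whose owner is not on the allowlist. The following is an added example written for this issue, not code from the Iceberg repository or from apache/infrastructure-actions: it matches `uses:` lines with a regular expression instead of a YAML parser, the `ALLOWED_PREFIXES` tuple is a constructed stand-in for the real `approved_patterns.yml` (which has its own pattern syntax), and `SAMPLE_WORKFLOW` is a constructed input used only to exercise the linter.

```python
"""Lint GitHub workflow files for unpinned or non-allowlisted actions.

Added example; not part of the Iceberg issue or repository. Uses a regex over
`uses:` lines (no YAML dependency) and a constructed allowlist of owner
prefixes standing in for apache/infrastructure-actions approved_patterns.yml.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-in for the ASF allowlist; the real rules live in
# approved_patterns.yml and use their own pattern syntax.
ALLOWED_PREFIXES = ("actions/", "apache/", "github/")

# Matches `- uses: owner/repo@ref  # optional version comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def lint_workflow(text: str) -> list[Finding]:
    """Return one Finding per policy violation in a workflow file's text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and Docker images are outside the SHA policy.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "missing @ref"))
            continue
        action, version = ref.rsplit("@", 1)
        if not action.startswith(ALLOWED_PREFIXES):
            findings.append(Finding(lineno, ref, "action not on allowlist"))
        if not SHA_RE.match(version):
            findings.append(Finding(lineno, ref, "not pinned to a full commit SHA"))
        elif not comment:
            # A `# vX.Y.Z` comment next to the SHA keeps the pin reviewable.
            findings.append(Finding(lineno, ref, "SHA pin lacks version comment"))
    return findings


def lint_directory(workflows_dir: Path) -> dict[str, list[Finding]]:
    """Lint every *.yml/*.yaml file in a workflows directory."""
    results = {}
    for path in sorted(list(workflows_dir.glob("*.yml")) + list(workflows_dir.glob("*.yaml"))):
        findings = lint_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow exercising each branch of the linter.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4.2.1
      - uses: some-vendor/untrusted-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    # Usage: python lint_actions.py [.github/workflows]; exits 1 on any finding.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".github/workflows")
    results = lint_directory(target) if target.is_dir() else {"<sample>": lint_workflow(SAMPLE_WORKFLOW)}
    for path, findings in results.items():
        for f in findings:
            print(f"{path}:{f.line}: {f.ref}: {f.reason}")
    sys.exit(1 if results else 0)
```

Run against the constructed sample, the script flags `actions/checkout@v3` as unpinned and `some-vendor/untrusted-action` twice (not on the allowlist, and SHA-pinned without a version comment), while skipping the local and Docker references. Wired into CI as a required check on pull requests that touch `.github/workflows/`, it gives the enforcement step 2 asks for; the allowlist prefixes must be replaced by a check against the real ASF patterns before use.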
