kevinjqliu opened a new pull request, #15757: URL: https://github.com/apache/iceberg/pull/15757
This adds a CI workflow that uses [zizmor](https://docs.zizmor.sh/) to detect unpinned third-party GitHub Actions in workflow files. We've already moved all references to pinned commit hashes in #15753. Violations will trigger this CI to fail in the future.

### Problem

Actions referenced by mutable tag (e.g. `actions/checkout@v4`) can be silently replaced by a compromised or force-pushed tag, allowing arbitrary code execution inside CI. All `uses:` references should be pinned to a full commit SHA to make them immutable and auditable.

### Solution

Add a `zizmor.yml` workflow that:

- Triggers on PRs that modify `.github/workflows/**`
- Runs zizmor in offline mode to check for `unpinned-uses` findings
- Reports the file, line, and action for each violation
- Fails the check if any unpinned actions are found

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
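The check the PR describes (flag every `uses:` reference that is not pinned to a full commit SHA, report file, line and action, and fail the run if anything is found), written out as an added Python example. This is not the PR's `zizmor.yml` and not zizmor's own code; it is a minimal stand-alone detector of the same class of finding. The sample workflow text and the 40-hex SHA inside it are constructed placeholders, and the function names are this example's own. It also handles the cases a real scan hits: quoted values, trailing `# v4` comments after a SHA, local `./` actions and `docker://` images (skipped as out of scope here), and short SHAs (treated as mutable, since only a full 40-hex SHA is immutable).

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Only a full 40-hex commit SHA is immutable; tags, branches and short SHAs are not.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches "uses: value" or "- uses: value", with optional quoting; stops at a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    action: str   # e.g. actions/checkout
    ref: str      # e.g. v4 (the mutable reference that was found)


def is_pinned(uses: str) -> Optional[bool]:
    """True if pinned to a full SHA, False if mutable, None if not a remote GitHub action.

    Local actions (./path) and docker:// images are skipped: they are not
    third-party GitHub Actions references and need a different check.
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return None
    if "@" not in uses:
        return False  # no ref at all: resolves to a moving target
    _, ref = uses.rsplit("@", 1)
    return FULL_SHA_RE.fullmatch(ref) is not None


def find_unpinned(path: str, text: str) -> List[Finding]:
    """Scan one workflow file's text and return every mutable `uses:` reference."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if is_pinned(uses) is False:
            action, _, ref = uses.rpartition("@")
            findings.append(Finding(path, lineno, action or uses, ref))
    return findings


def report(files: Dict[str, str]) -> List[str]:
    """Return one human-readable line per violation: path:line: action@ref."""
    lines = []
    for path, text in files.items():
        for f in find_unpinned(path, text):
            lines.append(f"{f.path}:{f.line}: {f.action}@{f.ref} is not pinned to a full commit SHA")
    return lines


def exit_code(files: Dict[str, str]) -> int:
    """1 (fail the check) if any unpinned action was found, else 0."""
    return 1 if report(files) else 0


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-thing
      - name: Quoted
        uses: "gradle/actions/setup-gradle@main"
      - uses: docker://alpine:3.19
"""


def load_workflows(directory: str = ".github/workflows") -> Dict[str, str]:
    """Read every *.yml / *.yaml under the workflows directory (empty dict if absent)."""
    root = Path(directory)
    if not root.is_dir():
        return {}
    return {str(p): p.read_text() for p in sorted(root.glob("*.y*ml"))}


if __name__ == "__main__":
    # Scan the real workflows if run inside a repo, otherwise the constructed sample.
    files = load_workflows() or {"sample-ci.yml": SAMPLE_WORKFLOW}
    for line in report(files):
        print(line)
    sys.exit(exit_code(files))
```

Run from a repository root it scans `.github/workflows/` and exits non-zero on the first violation set; run anywhere else it scans the embedded sample and reports lines 7 and 11. The SHA-with-comment case on line 8 is the shape the `#15753` migration leaves behind and must not be flagged, which is why the regex stops at `#` rather than at end of line.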
