kevinjqliu opened a new pull request, #15790: URL: https://github.com/apache/iceberg/pull/15790
This PR addresses security findings reported by [zizmor](https://docs.zizmor.sh/), a static analysis tool for GitHub Actions workflows. ### Changes #### 1. Add `persist-credentials: false` to `actions/checkout` — fixes `artipacked` (Medium) **Files:** - `.github/workflows/jmh-benchmarks.yml` (2 jobs) - `.github/workflows/publish-iceberg-rest-fixture-docker.yml` - `.github/workflows/publish-snapshot.yml` - `.github/workflows/recurring-jmh-benchmarks.yml` **Why:** By default, `actions/checkout` persists the GitHub token in `.git/config`. If a subsequent step uploads the workspace as an artifact, the token could be exfiltrated. Setting `persist-credentials: false` ensures the token is not written to disk after checkout. See: https://docs.zizmor.sh/audits/#artipacked #### 2. Use `persist-credentials: false` with explicit `git remote set-url` — fixes `artipacked` (Medium) **Files:** - `.github/workflows/site-ci.yml` **Why:** This workflow needs push access for `mkdocs gh-deploy`. Instead of relying on persisted checkout credentials, we set `persist-credentials: false` and explicitly configure the remote URL with `$GITHUB_TOKEN` via an `env:` block scoped to the deploy step. See: https://docs.zizmor.sh/audits/#artipacked #### 3. Move `${{ }}` expressions from `run:` into step `env:` blocks — fixes `template-injection` (High) **Files:** - `.github/workflows/jmh-benchmarks.yml` (3 jobs) - `.github/workflows/publish-iceberg-rest-fixture-docker.yml` **Why:** Expressions like `${{ github.event.inputs.* }}` and `${{ github.ref }}` are expanded before the shell starts, so a crafted input can inject arbitrary shell commands. Moving them into `env:` blocks passes them as environment variables, which are treated as data, not code. See: https://docs.zizmor.sh/audits/#template-injection #### 4. Replace `actions/cache` with `actions/cache/restore` — fixes `cache-poisoning` (High) **Files:** - `.github/workflows/publish-iceberg-rest-fixture-docker.yml` **Why:** `actions/cache` both reads and writes cache entries. In a privileged workflow (triggered by `push`/`schedule`/`workflow_dispatch`), a cache written by an untrusted PR workflow could introduce poisoned dependencies. `actions/cache/restore` is read-only and never writes back. See: https://docs.zizmor.sh/audits/#cache-poisoning #### 5. Move secrets into `env:` blocks and add `environment:` to jobs — fixes `secrets-outside-env` (Medium) **Files:** - `.github/workflows/publish-iceberg-rest-fixture-docker.yml` (`environment: docker-publish`) - `.github/workflows/publish-snapshot.yml` (`environment: maven-publish`) **Why:** Inline `${{ secrets.* }}` in `run:` commands embeds secrets as literal text in shell command args. Moving them to `env:` blocks avoids this. Adding `environment:` enables GitHub's [deployment protection rules](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) (required reviewers, wait timers, branch restrictions). **Note:** The `docker-publish` and `maven-publish` environments must be created in repo settings. GitHub will auto-create them with no protection rules on first run — admins should then configure appropriate protections. See: https://docs.zizmor.sh/audits/#secrets-outside-env #### 6. Suppress `dangerous-triggers` for `labeler.yml` — acknowledged (High) **Files:** - `.github/workflows/labeler.yml` **Why:** `pull_request_target` is the only trigger that grants `pull-requests: write` for labeling PRs from forks. This is safe because the workflow never checks out PR code, has no `run:` steps, only invokes the pinned `actions/labeler`, and uses minimal permissions (`contents: read`, `pull-requests: write`). Added `# zizmor: ignore[dangerous-triggers]`. See: https://docs.zizmor.sh/audits/#dangerous-triggers ### Testing | Workflow | How to verify | |---|---| | `jmh-benchmarks.yml` | Trigger via `workflow_dispatch` with standard inputs; verify matrix computation and benchmark execution | | `recurring-jmh-benchmarks.yml` | Wait for weekly schedule or trigger manually; verify benchmarks run | | `site-ci.yml` | Push a docs change to `main`; verify mkdocs deploys to `asf-site` branch | | `publish-iceberg-rest-fixture-docker.yml` | Trigger via `workflow_dispatch` or tag push; verify Docker image is built and pushed. **Requires `docker-publish` environment in repo settings** | | `publish-snapshot.yml` | Wait for nightly schedule; verify Maven publish succeeds. **Requires `maven-publish` environment in repo settings** | | `labeler.yml` | Open a PR; verify labels are applied correctly | -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
