From 5f210a5c0a1f8c97545efff59b3e2fe2c5e5d96b Mon Sep 17 00:00:00 2001 From: Nick Dimiduk Date: Fri, 6 Mar 2026 10:35:15 +0100 Subject: [PATCH 1/2] HBASE-29893 Add zizmor for GitHub Actions workflows security analysis (#7742) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dávid Paksy Signed-off-by: Duo Zhang --- .github/workflows/yetus-general-check.yml | 44 ++++++++++++++++--- .../yetus-jdk17-hadoop3-compile-check.yml | 9 ++-- .../yetus-jdk17-hadoop3-unit-check.yml | 9 ++-- 3 files changed, 47 insertions(+), 15 deletions(-) diff --git a/.github/workflows/yetus-general-check.yml b/.github/workflows/yetus-general-check.yml index b343b4d6656d..eef591ed43dc 100644 --- a/.github/workflows/yetus-general-check.yml +++ b/.github/workflows/yetus-general-check.yml @@ -23,33 +23,35 @@ name: Yetus General Check pull_request: types: [opened, synchronize, reopened] -permissions: - contents: read - statuses: write +permissions: {} jobs: general-check: runs-on: ubuntu-latest timeout-minutes: 600 + permissions: + contents: read + statuses: write env: YETUS_VERSION: '0.15.0' steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 11 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '11' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} 
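Review bot: Every `uses:` line is now pinned to a full commit SHA with a `# vX.Y.Z` trailer, but nothing in the series keeps those pins current, so unless a Dependabot or Renovate config for the `github-actions` ecosystem already exists in the repository, the pins freeze these actions at today's releases and the version trailers will drift from the SHAs the first time someone bumps one by hand. Consider a follow-up that adds a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, and keep the `# vX.Y.Z` trailer next to each SHA since that is what updaters and zizmor's `unpinned-uses` audit read. The same applies to every pinned `uses:` in the other hunks of both patches.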
@@ -104,8 +106,36 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: yetus-general-check-output path: ${{ github.workspace }}/yetus-general-check/output retention-days: 7 + + zizmor: + runs-on: ubuntu-latest + timeout-minutes: 5 + permissions: + contents: read + + steps: + - name: Check for workflow changes + id: changes + env: + GH_TOKEN: ${{ github.token }} + run: | + if gh pr diff "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --name-only | grep -q '^\.github/workflows/'; then + echo "changed=true" >> "$GITHUB_OUTPUT" + else + echo "changed=false" >> "$GITHUB_OUTPUT" + fi + + - name: Checkout HBase + if: steps.changes.outputs.changed == 'true' + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + + - name: Run zizmor + if: steps.changes.outputs.changed == 'true' + run: pipx run zizmor --min-severity=medium .github/workflows/ diff --git a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml index 245e5601501e..22bd819a1f25 100644 --- a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml +++ b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml @@ -37,19 +37,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} 
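Review bot: The `Check for workflow changes` step fails open: `if gh pr diff … | grep -q`, run without `pipefail`, turns any `gh` failure (API error, a token without access, or a non-`pull_request` event where `github.event.pull_request.number` is empty, if this file has such a trigger outside the hunk) into `changed=false`, which silently skips the zizmor scan instead of failing the job. Capturing the `gh` output in a variable first lets the default `bash -e` shell abort on error, and the two `${{ }}` expressions belong in `env:` (the repository is already exposed as `$GITHUB_REPOSITORY`) rather than spliced into the script, which is the template-injection shape zizmor itself audits for even though these particular contexts are not attacker-controlled. `pipx run zizmor` is also unpinned, so the gate's findings can change between runs with no change in the repository; pin it, e.g. `run: pipx run zizmor==<pinned version> --min-severity=medium .github/workflows/`.
```yaml
      - name: Check for workflow changes
        id: changes
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Fail closed: the default shell runs with -e, so a failing `gh`
          # call aborts the job instead of being read as "no changes".
          changed_files="$(gh pr diff "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --name-only)"
          if printf '%s\n' "$changed_files" | grep -q '^\.github/workflows/'; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Checkout HBase step …
      - name: Run zizmor
        if: steps.changes.outputs.changed == 'true'
        run: pipx run zizmor==<pinned version> --min-severity=medium .github/workflows/
```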
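Review bot: This file's top-level `permissions:` block is not touched by the series, so if it still grants `statuses: write` workflow-wide (as yetus-general-check.yml did before the first hunk of this patch), the same narrowing — `permissions: {}` at the top and `contents: read` / `statuses: write` on the job — should land here too, and likewise in yetus-jdk17-hadoop3-unit-check.yml below. The diffstat for both files (9 lines each) only accounts for the action pins and `persist-credentials: false`, which suggests the move was not made; if these jobs already carry job-level permissions this can be ignored. The job definition and any `permissions` key start outside this hunk.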
@@ -102,7 +103,7 @@ jobs: - name: Publish Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: yetus-jdk17-hadoop3-compile-check-output path: ${{ github.workspace }}/yetus-jdk17-hadoop3-compile-check/output diff --git a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml index 0e755f321735..bb1bdbf57110 100644 --- a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml +++ b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml @@ -56,19 +56,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -124,7 +125,7 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: yetus-jdk17-hadoop3-unit-check-${{ matrix.name }} path: ${{ github.workspace }}/yetus-jdk17-hadoop3-unit-check/output From 7dc3aa65713de66019dc8a40b77f9ee65ff22a01 Mon Sep 17 00:00:00 2001 
From: Nick Dimiduk Date: Fri, 6 Mar 2026 10:45:36 +0100 Subject: [PATCH 2/2] Apply zizmor fixes to branch-2 specific workflows Pin action SHAs, add persist-credentials: false, and move permissions to job-level for the jdk8-hadoop2 and jdk11-hadoop3 workflows that don't exist on master. --- .../yetus-jdk11-hadoop3-compile-check.yml | 16 +++++++++------- .../workflows/yetus-jdk11-hadoop3-unit-check.yml | 16 +++++++++------- .../yetus-jdk8-hadoop2-compile-check.yml | 16 +++++++++------- .../workflows/yetus-jdk8-hadoop2-unit-check.yml | 16 +++++++++------- 4 files changed, 36 insertions(+), 28 deletions(-) diff --git a/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml b/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml index ee71740ff57a..1539280bcb77 100644 --- a/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml +++ b/.github/workflows/yetus-jdk11-hadoop3-compile-check.yml @@ -23,33 +23,35 @@ name: Yetus JDK11 Hadoop3 Compile Check pull_request: types: [opened, synchronize, reopened] -permissions: - contents: read - statuses: write +permissions: {} jobs: jdk11-hadoop3-compile-check: runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read + statuses: write env: YETUS_VERSION: '0.15.0' steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 11 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '11' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} 
@@ -102,7 +104,7 @@ jobs: - name: Publish Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: yetus-jdk11-hadoop3-compile-check-output path: ${{ github.workspace }}/yetus-jdk11-hadoop3-compile-check/output diff --git a/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml b/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml index f91064d9b1e0..4bcd83f8479e 100644 --- a/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml +++ b/.github/workflows/yetus-jdk11-hadoop3-unit-check.yml @@ -23,14 +23,15 @@ name: Yetus JDK11 Hadoop3 Unit Check pull_request: types: [opened, synchronize, reopened] -permissions: - contents: read - statuses: write +permissions: {} jobs: jdk11-hadoop3-unit-check: runs-on: ubuntu-latest timeout-minutes: 360 + permissions: + contents: read + statuses: write strategy: fail-fast: false @@ -56,19 +57,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 11 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '11' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -124,7 +126,7 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: yetus-jdk11-hadoop3-unit-check-${{ matrix.name }} path: ${{ github.workspace }}/yetus-jdk11-hadoop3-unit-check/output diff --git a/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml b/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml index 42333640d04d..fc4a70bfd926 100644 
--- a/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml +++ b/.github/workflows/yetus-jdk8-hadoop2-compile-check.yml @@ -23,33 +23,35 @@ name: Yetus JDK8 Hadoop2 Compile Check pull_request: types: [opened, synchronize, reopened] -permissions: - contents: read - statuses: write +permissions: {} jobs: jdk8-hadoop2-compile-check: runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read + statuses: write env: YETUS_VERSION: '0.15.0' steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 8 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '8' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -101,7 +103,7 @@ jobs: - name: Publish Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: yetus-jdk8-hadoop2-compile-check-output path: ${{ github.workspace }}/yetus-jdk8-hadoop2-compile-check/output diff --git a/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml b/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml index cabe3fdd4a98..2b7301a12491 100644 --- a/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml +++ b/.github/workflows/yetus-jdk8-hadoop2-unit-check.yml @@ -23,14 +23,15 @@ name: Yetus JDK8 Hadoop2 Unit Check pull_request: types: [opened, synchronize, reopened] -permissions: - contents: read - statuses: write +permissions: {} jobs: jdk8-hadoop2-unit-check: runs-on: ubuntu-latest timeout-minutes: 360 + permissions: + contents: read + statuses: write strategy: fail-fast: false 
@@ -56,19 +57,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 8 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '8' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -123,7 +125,7 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: yetus-jdk8-hadoop2-unit-check-${{ matrix.name }} path: ${{ github.workspace }}/yetus-jdk8-hadoop2-unit-check/output