From 8f454cef66e3b2ee884d74fc6a68d27be6f54577 Mon Sep 17 00:00:00 2001 From: Nick Dimiduk Date: Thu, 12 Feb 2026 14:13:34 +0100 Subject: [PATCH 1/2] HBASE-29893 Add zizmor for GitHub Actions workflows security analysis --- .github/workflows/yetus-general-check.yml | 26 +++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/.github/workflows/yetus-general-check.yml b/.github/workflows/yetus-general-check.yml index bb285a7b0692..777708adf757 100644 --- a/.github/workflows/yetus-general-check.yml +++ b/.github/workflows/yetus-general-check.yml @@ -106,3 +106,29 @@ jobs: name: yetus-general-check-output path: ${{ github.workspace }}/yetus-general-check/output retention-days: 7 + + zizmor: + runs-on: ubuntu-latest + timeout-minutes: 5 + + steps: + - name: Check for workflow changes + id: changes + env: + GH_TOKEN: ${{ github.token }} + run: | + if gh pr diff "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --name-only | grep -q '^\.github/workflows/'; then + echo "changed=true" >> "$GITHUB_OUTPUT" + else + echo "changed=false" >> "$GITHUB_OUTPUT" + fi + + - name: Checkout HBase + if: steps.changes.outputs.changed == 'true' + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Run zizmor + if: steps.changes.outputs.changed == 'true' + run: pipx run zizmor .github/workflows/ From 31fa0b09093f1e87e9a2c57d0317afc09a0c5651 Mon Sep 17 00:00:00 2001 From: Nick Dimiduk Date: Thu, 12 Feb 2026 15:14:05 +0100 Subject: [PATCH 2/2] run in a less pedantic mode and address the remaining issues --- .github/workflows/yetus-general-check.yml | 22 +++++++++++-------- .../yetus-jdk17-hadoop3-compile-check.yml | 9 ++++---- .../yetus-jdk17-hadoop3-unit-check.yml | 9 ++++---- 3 files changed, 23 insertions(+), 17 deletions(-) diff --git a/.github/workflows/yetus-general-check.yml b/.github/workflows/yetus-general-check.yml index 777708adf757..b77c5cf55d87 100644 --- a/.github/workflows/yetus-general-check.yml 
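Review bot: A failure of `gh pr diff` in the `Check for workflow changes` step is indistinguishable from "no workflow files changed": the `if` condition takes grep's exit status, so an API error, a missing token permission or a rate limit lands in the `else` branch, writes `changed=false`, and the zizmor steps are silently skipped. Capture the file list first under `set -euo pipefail` so the step fails loudly, and while there pass `github.event.pull_request.number` and `github.repository` through `env:` instead of interpolating `${{ }}` into the script — neither of these two contexts is attacker-controlled, but the env-var form is the shape zizmor's template-injection audit expects and stays safe if someone later substitutes `github.head_ref` or a PR title. This guard also means zizmor never runs on pushes to the main branch or on a schedule, so drift in already-merged workflows would go unnoticed; a `push`/`schedule` trigger that skips the diff check would close that gap.

```yaml
      - name: Check for workflow changes
        id: changes
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # Fail the step if the API call fails instead of treating it as "nothing changed".
          files="$(gh pr diff "$PR_NUMBER" --repo "$REPO" --name-only)"
          if grep -q '^\.github/workflows/' <<< "$files"; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Checkout HBase and Run zizmor steps …
```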
+++ b/.github/workflows/yetus-general-check.yml @@ -23,33 +23,35 @@ name: Yetus General Check pull_request: types: [opened, synchronize, reopened] -permissions: - contents: read - statuses: write +permissions: {} jobs: general-check: runs-on: ubuntu-latest timeout-minutes: 600 + permissions: + contents: read + statuses: write env: YETUS_VERSION: '0.15.0' steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses] with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@v4 # zizmor: ignore[unpinned-uses] with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -101,7 +103,7 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses] with: name: yetus-general-check-output path: ${{ github.workspace }}/yetus-general-check/output @@ -110,6 +112,8 @@ jobs: zizmor: runs-on: ubuntu-latest timeout-minutes: 5 + permissions: + contents: read steps: - name: Check for workflow changes @@ -125,10 +129,10 @@ jobs: - name: Checkout HBase if: steps.changes.outputs.changed == 'true' - uses: actions/checkout@v4 + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] with: persist-credentials: false - name: Run zizmor if: steps.changes.outputs.changed == 'true' - run: pipx run zizmor .github/workflows/ + run: pipx run zizmor --min-severity=medium .github/workflows/ diff --git a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml index 8526943c3339..6719f466873c 100644 --- a/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml +++ b/.github/workflows/yetus-jdk17-hadoop3-compile-check.yml 
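Review bot: The `# zizmor: ignore[unpinned-uses]` markers on `actions/checkout`, `actions/setup-java` and `actions/cache` suppress the finding rather than address it; a mutable `v4` tag means whoever can move that tag controls code that runs with this job's `statuses: write` token. The usual fix is a full commit SHA with the version kept as a trailing comment, `uses: actions/checkout@<full-sha> # v4`, plus Dependabot's `github-actions` ecosystem to keep the pins current. If the project has decided that tag pins are acceptable for GitHub-owned actions, state that once as an `unpinned-uses` policy in zizmor's config file (it supports per-pattern `ref-pin`/`hash-pin` policies, if I recall the schema correctly) rather than an ignore comment on every step, so the exception is documented in one place and does not have to be repeated across all three workflows.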
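Review bot: The zizmor job now grants only `contents: read`, but its first step calls `gh pr diff`, which reads the pull request through the pulls API — an endpoint normally governed by `pull-requests: read`. Whether `GITHUB_TOKEN` can still read a public repository's PR with that permission unset is worth confirming in a real run rather than assumed, because in this job a 403 from `gh` does not fail the step: it falls through to `changed=false` and zizmor is skipped without any signal. If the call does need it, add `pull-requests: read` under this job's `permissions:`, which is still far narrower than the workflow-wide grant the patch removes.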
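Review bot: `pipx run zizmor --min-severity=medium` fetches whatever the latest PyPI release is at the time of each run, so the security linter is itself an unpinned dependency: a new release can change findings or break the job with no corresponding change in this repository. Pin it, `run: pipx run 'zizmor==<version>' --min-severity=medium .github/workflows/`, and bump deliberately. The `--min-severity=medium` gate also hides low-severity findings silently; a comment explaining why the threshold was chosen would save the next person from re-litigating it. As far as I recall, zizmor's online audits (known-vulnerable-actions, impostor-commit) are disabled when no GitHub token is present, and this step exports none; if those checks are wanted, add `env: GH_TOKEN: ${{ github.token }}` to the step.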
@@ -37,19 +37,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses] with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@v4 # zizmor: ignore[unpinned-uses] with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -99,7 +100,7 @@ jobs: - name: Publish Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses] with: name: yetus-jdk17-hadoop3-compile-check-output path: ${{ github.workspace }}/yetus-jdk17-hadoop3-compile-check/output diff --git a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml index b4cc992b9a08..bc89a02f7070 100644 --- a/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml +++ b/.github/workflows/yetus-jdk17-hadoop3-unit-check.yml @@ -56,19 +56,20 @@ jobs: steps: - name: Checkout HBase - uses: actions/checkout@v4 + uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses] with: path: src fetch-depth: 0 + persist-credentials: false - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses] with: java-version: '17' distribution: 'temurin' - name: Maven cache - uses: actions/cache@v4 + uses: actions/cache@v4 # zizmor: ignore[unpinned-uses] with: path: ~/.m2 key: hbase-m2-${{ hashFiles('**/pom.xml') }} @@ -122,7 +123,7 @@ jobs: - name: Publish Test Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses] with: name: yetus-jdk17-hadoop3-unit-check-${{ matrix.name }} path: ${{ github.workspace }}/yetus-jdk17-hadoop3-unit-check/output
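Review bot: `persist-credentials: false` on this checkout means the `GITHUB_TOKEN` is no longer written into `.git/config`, so any later step in this job that fetches or pushes over HTTPS with git will need its own credential; the rest of the job is outside the hunk, so please confirm Yetus only reads the local clone here and that any status posting goes through the API with an explicitly passed token. Separately, the diffstat shows only these step-level edits for this workflow and for the unit-check one, while `yetus-general-check.yml` additionally got `permissions: {}` at the top and a job-level grant; if these two workflows still carry a workflow-wide permission block (their headers are not visible in the hunk), the same scoping belongs here for consistency, otherwise zizmor's `excessive-permissions` audit may keep flagging them.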