Skip to content

HBASE-29893 Add zizmor for GitHub Actions workflows security analysis #7742

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ndimiduk wants to merge 2 commits into
base: master
Choose a base branch
from
+47 −15
Open

HBASE-29893 Add zizmor for GitHub Actions workflows security analysis #7742

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8f454ce
HBASE-29893 Add zizmor for GitHub Actions workflows security analysis
ndimiduk Feb 12, 2026
31fa0b0
run in a less pedantic mode and address the remaining issues
ndimiduk Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 37 additions & 7 deletions .github/workflows/yetus-general-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,33 +23,35 @@ name: Yetus General Check
pull_request:
types: [opened, synchronize, reopened]

permissions:
contents: read
statuses: write
permissions: {}

jobs:
general-check:
runs-on: ubuntu-latest
timeout-minutes: 600
permissions:
contents: read
statuses: write

env:
YETUS_VERSION: '0.15.0'

steps:
- name: Checkout HBase
uses: actions/checkout@v4
uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
with:
path: src
fetch-depth: 0
persist-credentials: false

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses]
with:
java-version: '17'
distribution: 'temurin'

- name: Maven cache
uses: actions/cache@v4
uses: actions/cache@v4 # zizmor: ignore[unpinned-uses]
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
Expand Down Expand Up @@ -101,8 +103,36 @@ jobs:

- name: Publish Test Results
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses]
with:
name: yetus-general-check-output
path: ${{ github.workspace }}/yetus-general-check/output
retention-days: 7

zizmor:
runs-on: ubuntu-latest
timeout-minutes: 5
permissions:
contents: read

steps:
- name: Check for workflow changes
id: changes
env:
GH_TOKEN: ${{ github.token }}
run: |
if gh pr diff "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --name-only | grep -q '^\.github/workflows/'; then
echo "changed=true" >> "$GITHUB_OUTPUT"
else
echo "changed=false" >> "$GITHUB_OUTPUT"
fi

- name: Checkout HBase
if: steps.changes.outputs.changed == 'true'
uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
with:
persist-credentials: false

- name: Run zizmor
if: steps.changes.outputs.changed == 'true'
run: pipx run zizmor --min-severity=medium .github/workflows/
9 changes: 5 additions & 4 deletions .github/workflows/yetus-jdk17-hadoop3-compile-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,19 +37,20 @@ jobs:

steps:
- name: Checkout HBase
uses: actions/checkout@v4
uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
with:
path: src
fetch-depth: 0
persist-credentials: false

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses]
with:
java-version: '17'
distribution: 'temurin'

- name: Maven cache
uses: actions/cache@v4
uses: actions/cache@v4 # zizmor: ignore[unpinned-uses]
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
Expand Down Expand Up @@ -99,7 +100,7 @@ jobs:

- name: Publish Results
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses]
with:
name: yetus-jdk17-hadoop3-compile-check-output
path: ${{ github.workspace }}/yetus-jdk17-hadoop3-compile-check/output
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/yetus-jdk17-hadoop3-unit-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,19 +56,20 @@ jobs:

steps:
- name: Checkout HBase
uses: actions/checkout@v4
uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
with:
path: src
fetch-depth: 0
persist-credentials: false

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@v4 # zizmor: ignore[unpinned-uses]
with:
java-version: '17'
distribution: 'temurin'

- name: Maven cache
uses: actions/cache@v4
uses: actions/cache@v4 # zizmor: ignore[unpinned-uses]
with:
path: ~/.m2
key: hbase-m2-${{ hashFiles('**/pom.xml') }}
Expand Down Expand Up @@ -122,7 +123,7 @@ jobs:

- name: Publish Test Results
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v4 # zizmor: ignore[unpinned-uses]
with:
name: yetus-jdk17-hadoop3-unit-check-${{ matrix.name }}
path: ${{ github.workspace }}/yetus-jdk17-hadoop3-unit-check/output
Expand Down