This is an automated email from the ASF dual-hosted git repository.
adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ratis.git
The following commit(s) were added to refs/heads/master by this push:
new f141e1055 RATIS-2493. Check actions with zizmor (#1426)
f141e1055 is described below
commit f141e10551a1bef69c0c7387dd184bc88e821b6d
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Wed Apr 15 11:57:13 2026 +0200
RATIS-2493. Check actions with zizmor (#1426)
---
.github/dependabot.yml | 4 +--
.github/workflows/check.yaml | 29 ++++++++++-------
.github/workflows/ci.yaml | 38 +++++++++++++++-------
.github/workflows/close-stale-pr.yaml | 2 +-
.github/workflows/post-commit.yaml | 6 +++-
.github/workflows/repeat-test.yaml | 14 +++++---
.github/workflows/vulnerability-check.yaml | 15 ++++++---
.github/workflows/{post-commit.yaml => zizmor.yml} | 28 ++++++++--------
8 files changed, 86 insertions(+), 50 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d343c5a93..4ada4d982 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,7 +23,7 @@ updates:
interval: "cron"
cronjob: "15 9 * * *"
cooldown:
- default-days: 4
+ default-days: 7
- package-ecosystem: "maven"
directory: "/"
schedule:
@@ -31,7 +31,7 @@ updates:
interval: "cron"
cronjob: "15 10 * * *"
cooldown:
- default-days: 4
+ default-days: 7
ignore:
# requires Java 11
- dependency-name: "com.github.spotbugs:spotbugs"
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index cb3d31d1f..7d3834206 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -76,6 +76,11 @@ on:
default: 30
required: false
+ secrets:
+ DEVELOCITY_ACCESS_KEY:
+ description: 'Token for submitting build scan to Develocity'
+ required: false
+
env:
MAVEN_ARGS: --batch-mode --show-version
MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
-Dmaven.wagon.http.retryHandler.class=standard
-Dmaven.wagon.http.retryHandler.count=3
@@ -90,11 +95,13 @@ jobs:
steps:
- name: Checkout project
if: ${{ !inputs.needs-source-tarball }}
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ with:
+ persist-credentials: false
- name: Download source tarball
if: ${{ inputs.needs-source-tarball }}
- uses: actions/download-artifact@v8
+ uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ratis-src
@@ -105,7 +112,7 @@ jobs:
- name: Create cache for Maven dependencies
if: ${{ inputs.script == 'build' }}
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/.m2/repository/*/*/*
@@ -116,7 +123,7 @@ jobs:
- name: Restore cache for Maven dependencies
if: ${{ inputs.script != 'build' }}
- uses: actions/cache/restore@v5
+ uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #
v5.0.4
with:
path: |
~/.m2/repository/*/*/*
@@ -128,7 +135,7 @@ jobs:
- name: Download Maven repo
id: download-maven-repo
if: ${{ inputs.needs-maven-repo }}
- uses: actions/download-artifact@v8
+ uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: maven-repo
path: |
@@ -136,7 +143,7 @@ jobs:
- name: Download binary tarball
if: ${{ inputs.needs-binary-tarball }}
- uses: actions/download-artifact@v8
+ uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ratis-bin
@@ -148,7 +155,7 @@ jobs:
- name: Setup java ${{ inputs.java-version }}
if: ${{ inputs.java-version }}
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #
v5.2.0
with:
distribution: 'temurin'
java-version: ${{ inputs.java-version }}
@@ -169,7 +176,7 @@ jobs:
- name: Archive build results
if: ${{ !cancelled() }}
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7.0.0
with:
name: ${{ (inputs.split && format('{0}-{1}', inputs.script,
inputs.split)) || inputs.script }}
path: target/${{ inputs.script }}
@@ -179,7 +186,7 @@ jobs:
# to avoid the need for 3 more inputs.
- name: Store binaries for tests
if: ${{ inputs.script == 'build' && !cancelled() }}
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7.0.0
with:
name: ratis-bin
path: |
@@ -188,7 +195,7 @@ jobs:
- name: Store source tarball for compilation
if: ${{ inputs.script == 'build' && !cancelled() }}
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7.0.0
with:
name: ratis-src
path: |
@@ -197,7 +204,7 @@ jobs:
- name: Store Maven repo for tests
if: ${{ inputs.script == 'build' && !cancelled() }}
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7.0.0
with:
name: maven-repo
path: |
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 272cb33d9..d8f9f8365 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -23,6 +23,15 @@ on:
description: Ratis git ref (branch, tag or commit hash)
default: ''
required: false
+ secrets:
+ DEVELOCITY_ACCESS_KEY:
+ description: 'Token for submitting build scan to Develocity'
+ required: false
+ SONARCLOUD_TOKEN:
+ description: 'Token for submitting coverage data to SonarCloud'
+ required: false
+
+permissions: { }
jobs:
build:
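Review bot: The top-level `permissions: { }` added in this hunk is the ceiling for every job in this reusable workflow, and the calling workflow in post-commit.yaml now sets the same empty block, so `GITHUB_TOKEN` arrives with no scopes at all; the coverage job further down this file (unchanged context in the later hunk) still passes `secrets.GITHUB_TOKEN` to its sonar step. If that step needs any API access, it now needs an explicit job-level grant on `coverage` such as `permissions:` / `  contents: read`, otherwise the token is dead weight and could be dropped from the step's `env`. The enclosing `on:` block starts outside the hunk, so whether a job-level `permissions:` already exists on `coverage` cannot be confirmed here. As a point of style, yamllint and Prettier write the empty flow mapping as `permissions: {}` without the inner space; the same spelling appears in post-commit.yaml, repeat-test.yaml, vulnerability-check.yaml and zizmor.yml in this commit.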
@@ -31,7 +40,8 @@ jobs:
script: build
script-args: -Prelease
timeout-minutes: 30
- secrets: inherit
+ secrets:
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
compile:
needs:
@@ -48,14 +58,16 @@ jobs:
script-args: -Dmaven.compiler.release=${{ matrix.java }}
split: ${{ matrix.java }}
timeout-minutes: 30
- secrets: inherit
+ secrets:
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
release:
uses: ./.github/workflows/check.yaml
with:
script: release
timeout-minutes: 30
- secrets: inherit
+ secrets:
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
repro:
needs:
@@ -66,7 +78,8 @@ jobs:
script: repro
script-args: -Prelease
timeout-minutes: 30
- secrets: inherit
+ secrets:
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
basic:
strategy:
@@ -81,7 +94,8 @@ jobs:
with:
script: ${{ matrix.check }}
timeout-minutes: 30
- secrets: inherit
+ secrets:
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
unit:
strategy:
@@ -98,7 +112,8 @@ jobs:
script-args: -P${{ matrix.profile }}-tests
split: ${{ matrix.profile }}
timeout-minutes: 60
- secrets: inherit
+ secrets:
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
coverage:
needs:
@@ -109,11 +124,12 @@ jobs:
if: github.event_name != 'pull_request'
steps:
- name: Checkout project
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
fetch-depth: 0
+ persist-credentials: false
- name: Cache for maven dependencies
- uses: actions/cache/restore@v5
+ uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7
# v5.0.4
with:
path: |
~/.m2/repository
@@ -122,12 +138,12 @@ jobs:
restore-keys: |
maven-repo-
- name: Setup java 17
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #
v5.2.0
with:
distribution: 'temurin'
java-version: 17
- name: Download artifacts
- uses: actions/download-artifact@v8
+ uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: target/artifacts
- name: Untar binaries
@@ -143,7 +159,7 @@ jobs:
SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Archive build results
- uses: actions/upload-artifact@v7
+ uses:
actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: ${{ github.job }}
diff --git a/.github/workflows/close-stale-pr.yaml
b/.github/workflows/close-stale-pr.yaml
index 6c24bf0e5..010f0c955 100644
--- a/.github/workflows/close-stale-pr.yaml
+++ b/.github/workflows/close-stale-pr.yaml
@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-slim
steps:
- name: Close Stale PRs
- uses: actions/stale@v10
+ uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
stale-pr-label: 'stale'
exempt-draft-pr: false
diff --git a/.github/workflows/post-commit.yaml
b/.github/workflows/post-commit.yaml
index 1d1ba06fd..4a946f862 100644
--- a/.github/workflows/post-commit.yaml
+++ b/.github/workflows/post-commit.yaml
@@ -27,10 +27,14 @@ concurrency:
group: ci-${{ github.event.pull_request.number || case(github.repository ==
'apache/ratis', github.sha, github.ref_name) }}
cancel-in-progress: ${{ github.event_name == 'pull_request' ||
github.repository != 'apache/ratis' }}
+permissions: { }
+
jobs:
CI:
if: github.event_name == 'pull_request'
|| github.repository == 'apache/ratis'
|| github.ref_name != 'master'
uses: ./.github/workflows/ci.yaml
- secrets: inherit
+ secrets:
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+ SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
diff --git a/.github/workflows/repeat-test.yaml
b/.github/workflows/repeat-test.yaml
index 9a985fd23..26fef26f7 100644
--- a/.github/workflows/repeat-test.yaml
+++ b/.github/workflows/repeat-test.yaml
@@ -49,6 +49,9 @@ env:
FAIL_FAST: ${{ github.event.inputs.fail-fast }}
SPLITS: ${{ github.event.inputs.splits }}
run-name: ${{ github.event_name == 'workflow_dispatch' &&
format('{0}#{1}[{2}]-{3}x{4}', inputs.test-class, inputs.test-method,
inputs.ref, inputs.splits, inputs.iterations) || '' }}
+
+permissions: { }
+
jobs:
prepare:
runs-on: ubuntu-24.04
@@ -95,11 +98,12 @@ jobs:
split: ${{ fromJson(needs.prepare.outputs.matrix) }}
fail-fast: ${{ fromJson(github.event.inputs.fail-fast) }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
with:
+ persist-credentials: false
ref: ${{ needs.prepare.outputs.ref }}
- name: Cache for maven dependencies
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/.m2/repository
@@ -108,7 +112,7 @@ jobs:
restore-keys: |
maven-repo-
- name: Setup java
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #
v5.2.0
with:
distribution: 'temurin'
java-version: 8
@@ -121,7 +125,7 @@ jobs:
run: dev-support/checks/_summary.sh target/unit/summary.txt
if: ${{ !cancelled() }}
- name: Archive build results
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7.0.0
if: ${{ failure() }}
with:
name: result-${{ github.run_number }}-${{ github.run_id }}-split-${{
matrix.split }}
@@ -132,7 +136,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Download build results
- uses: actions/download-artifact@v8
+ uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Count failures
run: |
failures=$(find . -name 'summary.txt' | grep -v 'iteration' | xargs
grep -v 'exit code: 0' | wc -l)
diff --git a/.github/workflows/vulnerability-check.yaml
b/.github/workflows/vulnerability-check.yaml
index a0146f14d..336332a84 100644
--- a/.github/workflows/vulnerability-check.yaml
+++ b/.github/workflows/vulnerability-check.yaml
@@ -29,15 +29,19 @@ env:
MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
-Dmaven.wagon.http.retryHandler.class=standard
-Dmaven.wagon.http.retryHandler.count=3
MAVEN_ARGS: --batch-mode --no-transfer-progress
+permissions: { }
+
jobs:
dependency-check:
if: ${{ github.event_name == 'workflow_dispatch' || github.repository ==
'apache/ratis' }}
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ with:
+ persist-credentials: false
- name: Set up JDK 11
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #
v5.2.0
with:
distribution: corretto
java-version: 11
@@ -52,13 +56,14 @@ jobs:
- name: Generate report date for artifact name
run: |
- utc_time="${{ github.run_started_at }}"
target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d")
echo "REPORT_DATE=$target_time" >> $GITHUB_ENV
+ env:
+ utc_time: ${{ github.run_started_at }}
- name: Upload Artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7.0.0
with:
name: vulnerability-check-result-${{ env.REPORT_DATE }}
path: target/dependency-check-report.html
- retention-days: 15
\ No newline at end of file
+ retention-days: 15
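Review bot: In the run script this hunk reworks, `$GITHUB_ENV` is still expanded unquoted on the `echo` line; `echo "REPORT_DATE=$target_time" >> "$GITHUB_ENV"` avoids word splitting and the corresponding shellcheck warning, and is a cheap fix while the step is already being touched. Moving `github.run_started_at` out of the inline `${{ }}` and into the step's `env:` is the right shape, since the shell then reads it as a plain variable rather than having it spliced into the script text.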
diff --git a/.github/workflows/post-commit.yaml b/.github/workflows/zizmor.yml
similarity index 61%
copy from .github/workflows/post-commit.yaml
copy to .github/workflows/zizmor.yml
index 1d1ba06fd..6b7263f91 100644
--- a/.github/workflows/post-commit.yaml
+++ b/.github/workflows/zizmor.yml
@@ -13,24 +13,24 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-name: build-branch
+name: zizmor
on:
push:
- branches-ignore:
- - 'dependabot/**'
- tags:
- - '**'
pull_request:
-concurrency:
- group: ci-${{ github.event.pull_request.number || case(github.repository ==
'apache/ratis', github.sha, github.ref_name) }}
- cancel-in-progress: ${{ github.event_name == 'pull_request' ||
github.repository != 'apache/ratis' }}
+permissions: { }
jobs:
- CI:
- if: github.event_name == 'pull_request'
- || github.repository == 'apache/ratis'
- || github.ref_name != 'master'
- uses: ./.github/workflows/ci.yaml
- secrets: inherit
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e
# v0.5.3