kevinjqliu opened a new pull request, #15788: URL: https://github.com/apache/iceberg/pull/15788
### What

Fix security findings reported by [zizmor](https://woodruffw.github.io/zizmor/) in all 11 workflows that are triggered on `pull_request`.

### Changes

#### 1. Add `persist-credentials: false` to `actions/checkout` — fixes `artipacked` (Medium)

**Files:**
- `.github/workflows/api-binary-compatibility.yml`
- `.github/workflows/codeql.yml`
- `.github/workflows/delta-conversion-ci.yml`
- `.github/workflows/docs-ci.yml`
- `.github/workflows/flink-ci.yml`
- `.github/workflows/hive-ci.yml`
- `.github/workflows/java-ci.yml` (3 jobs)
- `.github/workflows/kafka-connect-ci.yml`
- `.github/workflows/license-check.yml`
- `.github/workflows/open-api.yml`
- `.github/workflows/spark-ci.yml`

**Why zizmor recommends this:** By default, `actions/checkout` persists the GitHub token in the local git config (`.git/config`) of the checked-out repository. If a subsequent step uploads the workspace as an artifact, the token is included, potentially allowing an attacker to extract it and push malicious code. Setting `persist-credentials: false` ensures the token is not written to disk after checkout.

See: https://woodruffw.github.io/zizmor/audits/#artipacked

#### 2. Replace `actions/cache` with `actions/cache/restore` — fixes `cache-poisoning` (High)

**Files:**
- `.github/workflows/api-binary-compatibility.yml`
- `.github/workflows/delta-conversion-ci.yml` (2 jobs)
- `.github/workflows/flink-ci.yml`
- `.github/workflows/hive-ci.yml`
- `.github/workflows/java-ci.yml`
- `.github/workflows/kafka-connect-ci.yml`
- `.github/workflows/spark-ci.yml`

**Why zizmor recommends this:** `actions/cache` both restores *and* saves the cache. In workflows triggered by `pull_request`, a malicious PR could poison the shared cache by injecting compromised content that is then saved and restored by subsequent trusted runs (e.g., on `push` to `main`).

These workflows already used `lookup-only: true` to skip saving, but zizmor still flags `actions/cache` because the action *itself* has implicit save behavior in its post step. Using `actions/cache/restore` explicitly limits the step to restore-only, eliminating the save surface entirely and making the read-only intent unambiguous.

See: https://woodruffw.github.io/zizmor/audits/#cache-poisoning

#### 3. Add `enable-cache: false` to `astral-sh/setup-uv` — fixes `cache-poisoning` (High)

**Files:**
- `.github/workflows/open-api.yml`

**Why zizmor recommends this:** `astral-sh/setup-uv` uses `actions/cache` internally when caching is enabled. The same cache-poisoning risk applies: a PR-triggered workflow could save a poisoned uv cache. Disabling the built-in cache eliminates this vector.

### Scope

Only the 11 workflows triggered on `pull_request` are included in this PR. The remaining 6 workflows (labeler, jmh-benchmarks, publish-iceberg-rest-fixture-docker, publish-snapshot, recurring-jmh-benchmarks, site-ci) are not triggered by PRs and will be addressed separately.

### Testing

These changes are behavioral no-ops:
- `persist-credentials: false` — no workflow step relies on the persisted git credentials
- `actions/cache/restore` — equivalent to `actions/cache` with `lookup-only: true` (which was already set); the `lookup-only` parameter is removed since `cache/restore` never saves by definition
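A small regression check for the three settings this PR changes, as an added example that is not part of the PR or the Iceberg repository. It is a line-based heuristic rather than a YAML parser or a zizmor replacement; the sample workflow is constructed, and `PINNED_REF`, `steps` and `audit` are hypothetical names.

```python
import re

# Constructed sample workflow; PINNED_REF is a placeholder, not a real ref.
SAMPLE = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@PINNED_REF
      - uses: actions/cache@PINNED_REF
        with:
          path: ~/.gradle/caches
          key: gradle-${{ hashFiles('**/*.gradle') }}
          lookup-only: true
      - uses: astral-sh/setup-uv@PINNED_REF
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^@\s]+)")
INPUT = re.compile(r"^\s+([\w-]+):\s*(.*?)\s*$")

def steps(text):
    """Yield (action, inputs) per `uses:` step, reading keys up to the next list item."""
    current = None
    for line in text.splitlines():
        m = USES.match(line)
        if m or line.lstrip().startswith("- "):   # any new list item ends the step
            if current:
                yield current
            current = (m.group(1), {}) if m else None
        elif current and (m := INPUT.match(line)):
            current[1][m.group(1)] = m.group(2).strip("'\"")
    if current:
        yield current

def audit(text):
    """Return (action, zizmor audit name) for each step the PR description would change."""
    if not re.search(r"\bpull_request\b", text):   # scope: PR-triggered workflows only
        return []
    findings = []
    for action, inputs in steps(text):
        if action == "actions/checkout" and inputs.get("persist-credentials") != "false":
            findings.append((action, "artipacked"))
        elif action == "actions/cache":            # flagged even with lookup-only set
            findings.append((action, "cache-poisoning"))
        elif action == "astral-sh/setup-uv" and inputs.get("enable-cache") != "false":
            findings.append((action, "cache-poisoning"))
    return findings
```

Running `audit` over each file in `.github/workflows/` in CI flags a later edit that reintroduces one of these patterns.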
