adoroszlai opened a new pull request, #1426: URL: https://github.com/apache/ratis/pull/1426
## What changes were proposed in this pull request?

- Validate GitHub Actions workflow with [zizmor](https://docs.zizmor.sh/) [action](https://docs.zizmor.sh/integrations/#via-zizmorcorezizmor-action)
- Fix violations
  - increase dependabot cooldown period
  - pin actions by SHA
  - do not persist credentials
  - avoid template injection (see [GitHub doc](https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable), also RATIS-2373)
  - restrict permissions
  - use secrets from apache org (see [INFRA-27775](https://issues.apache.org/jira/browse/INFRA-27775?focusedCommentId=18069097&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-18069097) for details)
  - explicitly pass specific secrets to reusable workflow instead of inheriting all secrets

https://issues.apache.org/jira/browse/RATIS-2493

## How was this patch tested?

- zizmor: https://github.com/adoroszlai/ratis/actions/runs/24119787627
- CI: https://github.com/adoroszlai/ratis/actions/runs/24119787661
- vulnerability check: https://github.com/adoroszlai/ratis/actions/runs/24120945037
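The hardening points listed in the PR description, shown together in one workflow file as an added example (this is not the Ratis project's workflow or the PR's diff). The job names, the reusable workflow path, and the `SONAR_TOKEN` secret name are assumptions; the commit SHA is a placeholder, and the commented-out `run:` line is the pattern zizmor flags as template injection.

```yaml
# Added example, not from the Ratis PR. Placeholder SHA and assumed
# names (job names, reusable workflow path, secret name) are marked.
name: pr-check
on:
  pull_request:

# Restrict the default GITHUB_TOKEN to read-only; grant more per job only where needed.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Pin by full commit SHA rather than a mutable tag; keep the tag as a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          # Do not leave the token in .git/config where later steps could read it.
          persist-credentials: false

      # FLAGGED by zizmor: the PR title is expanded into the script text before
      # the shell runs it, so attacker-controlled input becomes part of the command.
      # - run: echo "Checking ${{ github.event.pull_request.title }}"

      # FIX: pass the untrusted value through an intermediate environment
      # variable, so the shell receives it as data rather than as script text.
      - name: Show PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"

  build:
    # Call the reusable workflow and hand it only the secret it needs,
    # instead of `secrets: inherit`, which exposes every repository secret.
    uses: ./.github/workflows/reusable-build.yml   # assumed path
    permissions:
      contents: read
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}      # assumed secret name
```

Running zizmor against the file with the commented `run:` line restored reproduces the template-injection finding; with the `env:` form it is clean.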