This is an automated email from the ASF dual-hosted git repository.
kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg.git
The following commit(s) were added to refs/heads/main by this push:
new a7d2113ac1 CI: Fix zizmor security findings in PR-triggered workflows
(#15788)
a7d2113ac1 is described below
commit a7d2113ac18834dbe24cb59cfb4c6b6d20b7310d
Author: Kevin Liu <[email protected]>
AuthorDate: Fri Mar 27 11:29:14 2026 -0700
CI: Fix zizmor security findings in PR-triggered workflows (#15788)
---
.github/workflows/api-binary-compatibility.yml | 10 +++++++++-
.github/workflows/codeql.yml | 2 ++
.github/workflows/delta-conversion-ci.yml | 22 ++++++++++++++++++++--
.github/workflows/docs-ci.yml | 2 ++
.github/workflows/flink-ci.yml | 11 ++++++++++-
.github/workflows/hive-ci.yml | 11 ++++++++++-
.github/workflows/java-ci.yml | 15 ++++++++++++++-
.github/workflows/kafka-connect-ci.yml | 11 ++++++++++-
.github/workflows/license-check.yml | 2 ++
.github/workflows/open-api.yml | 4 ++++
.github/workflows/spark-ci.yml | 11 ++++++++++-
11 files changed, 93 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/api-binary-compatibility.yml
b/.github/workflows/api-binary-compatibility.yml
index 274bf0398d..e2abb929e1 100644
--- a/.github/workflows/api-binary-compatibility.yml
+++ b/.github/workflows/api-binary-compatibility.yml
@@ -54,11 +54,12 @@ jobs:
#
# See https://github.com/actions/checkout/issues/124
fetch-depth: 0
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: 17
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #
v5
with:
path: |
~/.gradle/caches
@@ -68,6 +69,13 @@ jobs:
- run: |
echo "Using the old version tag, as per git describe, of $(git
describe)";
- run: ./gradlew revapi --rerun-tasks
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7
if: failure()
with:
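Review bot: The new save step at the end of this hunk repeats the `hashFiles(...)` key expression instead of reusing the key the restore step computed, and the restore step's own `key:` line sits outside this hunk, so the two expressions can drift apart silently and a mismatch would mean the cache saved on push is never the one restored. Give the restore step an `id: gradle-cache` and write the save step's key as `key: ${{ steps.gradle-cache.outputs.cache-primary-key }}` so there is a single source of truth. The same step id also lets the save condition skip re-uploading an unchanged cache on every push, `if: github.event_name == 'push' && steps.gradle-cache.outputs.cache-hit != 'true'`, since as far as I recall actions/cache/save only warns when the key already exists and the job still pays for the upload. The identical restore/save pattern is repeated in delta-conversion-ci.yml (both jobs), flink-ci.yml, hive-ci.yml, java-ci.yml, kafka-connect-ci.yml and spark-ci.yml and would take the same change. The upload-artifact step that this hunk ends on continues outside the hunk.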
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3c5c51245f..ccb0b56ddd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,6 +42,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc
# v4
diff --git a/.github/workflows/delta-conversion-ci.yml
b/.github/workflows/delta-conversion-ci.yml
index 2b32d2a18a..ddd5776298 100644
--- a/.github/workflows/delta-conversion-ci.yml
+++ b/.github/workflows/delta-conversion-ci.yml
@@ -81,11 +81,13 @@ jobs:
SPARK_LOCAL_IP: localhost
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: ${{ matrix.jvm }}
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #
v5
with:
path: |
~/.gradle/caches
@@ -94,6 +96,13 @@ jobs:
restore-keys: ${{ runner.os }}-gradle-
- run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' |
cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
- run: ./gradlew -DsparkVersions=3.5 -DscalaVersion=2.12
-DkafkaVersions= -DflinkVersions= :iceberg-delta-lake:check -Pquick=true -x
javadoc
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7
if: failure()
with:
@@ -111,11 +120,13 @@ jobs:
SPARK_LOCAL_IP: localhost
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: ${{ matrix.jvm }}
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #
v5
with:
path: |
~/.gradle/caches
@@ -124,6 +135,13 @@ jobs:
restore-keys: ${{ runner.os }}-gradle-
- run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' |
cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
- run: ./gradlew -DsparkVersions=3.5 -DscalaVersion=2.13
-DkafkaVersions= -DflinkVersions= :iceberg-delta-lake:check -Pquick=true -x
javadoc
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7
if: failure()
with:
diff --git a/.github/workflows/docs-ci.yml b/.github/workflows/docs-ci.yml
index aa95e7c814..ff6c6bdbd8 100644
--- a/.github/workflows/docs-ci.yml
+++ b/.github/workflows/docs-ci.yml
@@ -37,6 +37,8 @@ jobs:
os: [ubuntu-latest, macos-latest]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6
with:
python-version: 3.x
diff --git a/.github/workflows/flink-ci.yml b/.github/workflows/flink-ci.yml
index 35f23c0611..65deca4523 100644
--- a/.github/workflows/flink-ci.yml
+++ b/.github/workflows/flink-ci.yml
@@ -85,11 +85,13 @@ jobs:
SPARK_LOCAL_IP: localhost
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: ${{ matrix.jvm }}
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.gradle/caches
@@ -98,6 +100,13 @@ jobs:
restore-keys: ${{ runner.os }}-gradle-
- run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' |
cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
- run: ./gradlew -DsparkVersions= -DkafkaVersions= -DflinkVersions=${{
matrix.flink }} :iceberg-flink:iceberg-flink-${{ matrix.flink }}:check
:iceberg-flink:iceberg-flink-runtime-${{ matrix.flink }}:check -Pquick=true -x
javadoc -DtestParallelism=auto
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #
v7
if: failure()
with:
diff --git a/.github/workflows/hive-ci.yml b/.github/workflows/hive-ci.yml
index 781deaf3d9..416f5b9b96 100644
--- a/.github/workflows/hive-ci.yml
+++ b/.github/workflows/hive-ci.yml
@@ -82,11 +82,13 @@ jobs:
SPARK_LOCAL_IP: localhost
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: ${{ matrix.jvm }}
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.gradle/caches
@@ -95,6 +97,13 @@ jobs:
restore-keys: ${{ runner.os }}-gradle-
- run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' |
cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
- run: ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=
-Pquick=true :iceberg-mr:check -x javadoc
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #
v7
if: failure()
with:
diff --git a/.github/workflows/java-ci.yml b/.github/workflows/java-ci.yml
index b505baa355..45c04f651f 100644
--- a/.github/workflows/java-ci.yml
+++ b/.github/workflows/java-ci.yml
@@ -77,11 +77,13 @@ jobs:
SPARK_LOCAL_IP: localhost
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: ${{ matrix.jvm }}
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.gradle/caches
@@ -90,6 +92,13 @@ jobs:
restore-keys: ${{ runner.os }}-gradle-
- run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' |
cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
- run: ./gradlew check -DsparkVersions= -DflinkVersions= -DkafkaVersions=
-Pquick=true -x javadoc
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #
v7
if: failure()
with:
@@ -105,6 +114,8 @@ jobs:
jvm: [17, 21]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
@@ -119,6 +130,8 @@ jobs:
jvm: [17, 21]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
diff --git a/.github/workflows/kafka-connect-ci.yml
b/.github/workflows/kafka-connect-ci.yml
index 8eb88f8f09..a6dde767a6 100644
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -82,11 +82,13 @@ jobs:
SPARK_LOCAL_IP: localhost
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: ${{ matrix.jvm }}
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.gradle/caches
@@ -101,6 +103,13 @@ jobs:
:iceberg-kafka-connect:iceberg-kafka-connect:check \
:iceberg-kafka-connect:iceberg-kafka-connect-runtime:check \
-Pquick=true -x javadoc
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #
v7
if: failure()
with:
diff --git a/.github/workflows/license-check.yml
b/.github/workflows/license-check.yml
index edb2dc6019..ccd2a9a429 100644
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -28,5 +28,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- run: |
dev/check-license
diff --git a/.github/workflows/open-api.yml b/.github/workflows/open-api.yml
index 8adb42d32a..4a53bc33d8 100644
--- a/.github/workflows/open-api.yml
+++ b/.github/workflows/open-api.yml
@@ -45,8 +45,12 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: Install uv
uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
+ with:
+ enable-cache: false
- name: Install dependencies
working-directory: ./open-api
run: make install
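Review bot: `enable-cache: false` on the setup-uv step turns the uv cache off for every trigger, which is broader than the gradle workflows in the same commit, where the cache is still restored on pull requests and only the save is limited to push. If the intent is only to stop cache writes from PR-triggered runs, `enable-cache: ${{ github.event_name == 'push' }}` would keep the cache for push builds, assuming setup-uv accepts the rendered `true`/`false` string for this input. The pinned `astral-sh/setup-uv` SHA on the line above also lacks the `# vN` version comment that every other pinned action in this commit carries, which makes the pin harder to audit and update. The job's remaining steps continue outside the hunk.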
diff --git a/.github/workflows/spark-ci.yml b/.github/workflows/spark-ci.yml
index 715a82907d..f47bb17522 100644
--- a/.github/workflows/spark-ci.yml
+++ b/.github/workflows/spark-ci.yml
@@ -92,11 +92,13 @@ jobs:
SPARK_LOCAL_IP: localhost
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: zulu
java-version: ${{ matrix.jvm }}
- - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #
v5
with:
path: |
~/.gradle/caches
@@ -113,6 +115,13 @@ jobs:
:iceberg-spark:iceberg-spark-extensions-${{ matrix.spark }}_${{
matrix.scala }}:check \
:iceberg-spark:iceberg-spark-runtime-${{ matrix.spark }}_${{
matrix.scala }}:check \
-Pquick=true -x javadoc
+ - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+ if: github.event_name == 'push'
+ with:
+ path: |
+ ~/.gradle/caches
+ ~/.gradle/wrapper
+ key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*',
'**/gradle-wrapper.properties') }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
# v7
if: failure()
with: