This is an automated email from the ASF dual-hosted git repository.
adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ratis-thirdparty.git
The following commit(s) were added to refs/heads/master by this push:
new 1387aa2 RATIS-2493. Check actions with zizmor (#103)
1387aa2 is described below
commit 1387aa297cf8c897b34994dcc92b63b310958249
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Fri Apr 3 16:07:57 2026 +0200
RATIS-2493. Check actions with zizmor (#103)
---
.github/dependabot.yml | 4 +--
.github/workflows/ci.yaml | 24 +++++++++-----
.github/{dependabot.yml => workflows/zizmor.yml} | 41 ++++++++++++------------
3 files changed, 38 insertions(+), 31 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5189672..a8a50aa 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,7 +23,7 @@ updates:
interval: "cron"
cronjob: "15 7 * * *"
cooldown:
- default-days: 4
+ default-days: 7
- package-ecosystem: "maven"
directory: "/"
schedule:
@@ -31,7 +31,7 @@ updates:
interval: "cron"
cronjob: "15 8 * * *"
cooldown:
- default-days: 4
+ default-days: 7
ignore:
- dependency-name: "com.google.protobuf:protobuf-java"
update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6022214..134a3a2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -27,25 +27,27 @@ concurrency:
group: ci-${{ github.event.pull_request.number || case(github.repository ==
'apache/ratis-thirdparty', github.sha, github.ref_name) }}
cancel-in-progress: ${{ github.event_name == 'pull_request' ||
github.repository != 'apache/ratis-thirdparty' }}
+permissions: { }
+
jobs:
build:
runs-on: ubuntu-24.04
+ environment: org # see https://issues.apache.org/jira/browse/INFRA-27775
if: github.event_name == 'pull_request'
|| github.repository == 'apache/ratis-thirdparty'
|| github.ref_name != 'master'
steps:
- name: Checkout project
- uses: actions/checkout@v6
- - name: Cache for Maven dependencies
- uses: actions/cache@v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ with:
+ persist-credentials: false
+ - name: Restore Maven repo
+ uses:
apache/infrastructure-actions/stash/restore@2245ffcb262ea1723462729b032d1d5c71290dfc
with:
path: ~/.m2/repository
- key: maven-repo-${{ hashFiles('**/pom.xml') }}-${{ github.job }}
- restore-keys: |
- maven-repo-${{ hashFiles('**/pom.xml') }}
- maven-repo-
+ key: maven-repo
- name: Setup Java
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #
v5.2.0
with:
distribution: 'temurin'
java-version: 8
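Review bot: The `build` job declares no `permissions:` of its own, so with the new top-level `permissions: { }` the `Restore Maven repo` step runs with a token that carries no scopes. Nothing in this hunk shows whether `apache/infrastructure-actions/stash/restore` needs `actions: read` to find and download an earlier run's stash. If it does, grant it at job level (`permissions:` with `actions: read` under `build:`) rather than widening the workflow default, and confirm from a run log that the restore actually hits. The stash pin also lacks the trailing version comment that the other pins carry (`# v6.0.2`, `# v5.2.0`); a comment naming the upstream tag or branch the SHA came from would keep the pin auditable. The job's remaining steps lie outside this hunk.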
@@ -60,3 +62,9 @@ jobs:
- name: Delete temporary build artifacts
run: rm -rf ~/.m2/repository/org/apache/ratis
if: always()
+ - name: Save Maven repo
+ uses:
apache/infrastructure-actions/stash/save@2245ffcb262ea1723462729b032d1d5c71290dfc
+ with:
+ path: ~/.m2/repository
+ key: maven-repo
+ retention-days: 90
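Review bot: The added `Save Maven repo` step has no `if:` guard, so it also runs on `pull_request` events, and it writes `~/.m2/repository` under the same fixed key `maven-repo` that the restore step reads. Unless the stash action scopes entries per branch or per run (not visible here), content written by a pull-request build could be restored by a later `master` build, which is the cache-poisoning pattern. Consider `if: github.event_name != 'pull_request'` on the save step. Dropping `hashFiles('**/pom.xml')` from the key while setting `retention-days: 90` also lets stale artifacts accumulate, since only `org/apache/ratis` is deleted before saving. The job starts outside this hunk.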
diff --git a/.github/dependabot.yml b/.github/workflows/zizmor.yml
similarity index 59%
copy from .github/dependabot.yml
copy to .github/workflows/zizmor.yml
index 5189672..4170281 100644
--- a/.github/dependabot.yml
+++ b/.github/workflows/zizmor.yml
@@ -13,25 +13,24 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-version: 2
+name: zizmor
-updates:
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- # 'daily' only runs on weekdays
- interval: "cron"
- cronjob: "15 7 * * *"
- cooldown:
- default-days: 4
- - package-ecosystem: "maven"
- directory: "/"
- schedule:
- # 'daily' only runs on weekdays
- interval: "cron"
- cronjob: "15 8 * * *"
- cooldown:
- default-days: 4
- ignore:
- - dependency-name: "com.google.protobuf:protobuf-java"
- update-types: ["version-update:semver-major"]
+on:
+ push:
+ pull_request:
+
+permissions: { }
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8
# v0.5.2
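Review bot: `runs-on: ubuntu-latest` is a floating label in a workflow that otherwise pins every action to a commit SHA, and `ci.yaml` already uses `ubuntu-24.04`. Use `runs-on: ubuntu-24.04` here too so the audit job's environment changes only by an explicit commit. The `Run zizmor` step passes no `with:` inputs, so it relies on the action's defaults. If those defaults only upload findings to code scanning and do not fail the job, the check will not block a pull request on its own, so it is worth confirming that and adding a one-line comment stating the intended gating. Listing both `push:` and `pull_request:` without filters will presumably run the job twice for pull requests opened from branches in the same repository.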