From a6ff7eb72b92c7621d435b029a509549c569b326 Mon Sep 17 00:00:00 2001
From: John Bampton
Date: Fri, 9 Jan 2026 05:56:43 +1000
Subject: [PATCH] [GH-1977] Add zizmor with pre-commit

refs: https://github.com/apache/sedona/pull/1982
Co-authored-by: Aashish Jha
---
 .github/linters/zizmor.yml | 29 ++++++++++++++++++++++++++
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/docker-build.yml | 2 ++
 .github/workflows/docs.yml | 4 ++++
 .github/workflows/example.yml | 2 ++
 .github/workflows/java.yml | 2 ++
 .github/workflows/labeler.yml | 2 +-
 .github/workflows/pre-commit.yml | 2 ++
 .github/workflows/pyflink.yml | 5 +++++
 .github/workflows/python-extension.yml | 2 ++
 .github/workflows/python-wheel.yml | 5 +++++
 .github/workflows/python.yml | 2 ++
 .github/workflows/r.yml | 5 +++++
 .pre-commit-config.yaml | 9 ++++++++
 14 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 .github/linters/zizmor.yml

diff --git a/.github/linters/zizmor.yml b/.github/linters/zizmor.yml
new file mode 100644
index 0000000000..08d06108ff
--- /dev/null
+++ b/.github/linters/zizmor.yml
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: any
+ astral-sh/setup-uv: any
+ docker/setup-qemu-action: any
+ github/*: any
+ pypa/cibuildwheel: any
+ r-lib/actions/check-r-package: any
+ r-lib/actions/setup-r: any
+ r-lib/actions/setup-r-dependencies: any
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 49bac483c6..b7bc53d7de 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,6 +41,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v4
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index ae4fdfca14..42306f9ee1 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -60,6 +60,8 @@ jobs:
 shell: bash
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-java@v5
 with:
 distribution: 'zulu'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 4e5a53cbef..d9f806d3c8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
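Review bot: Every entry under `policies:` is set to `any`, which is the weakest level of the unpinned-uses audit and accepts even a bare `uses:` with no `@ref` at all, so the audit is effectively disabled for all of the actions this repository uses. zizmor's defaults are `ref-pin` for GitHub-owned actions and `hash-pin` for everything else, and the workflows touched in this patch already reference tags (`actions/checkout@v6`, `docker/setup-qemu-action@v3`, `r-lib/actions/setup-r@v2.11.4`), so `ref-pin` would pass them unchanged while still flagging a future unpinned reference, e.g. `r-lib/actions/setup-r: ref-pin`. If `any` is deliberate for some entries, a comment above `policies:` recording why mutable references are accepted for those actions would let a later reader judge whether the exemption still applies.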
@@ -26,6 +26,9 @@ on:
 branches:
 - '*'
 
+permissions:
+ contents: write
+
 env:
 MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=60
 
@@ -40,6 +43,7 @@ jobs:
 - uses: actions/checkout@v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Java
 uses: actions/setup-java@v5
 with:
diff --git a/.github/workflows/example.yml b/.github/workflows/example.yml
index f98f5e4858..6d16137a83 100644
--- a/.github/workflows/example.yml
+++ b/.github/workflows/example.yml
@@ -59,6 +59,8 @@ jobs:
 hadoop: 3.3.4
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-java@v5
 with:
 distribution: 'zulu'
diff --git a/.github/workflows/java.yml b/.github/workflows/java.yml
index bf835f8e6f..76834c9d63 100644
--- a/.github/workflows/java.yml
+++ b/.github/workflows/java.yml
@@ -86,6 +86,8 @@ jobs:
 skipTests: ''
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-java@v5
 with:
 distribution: 'zulu'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 136b950336..d6be9f21f2 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -18,7 +18,7 @@
 # https://github.com/actions/labeler
 name: Pull Request Labeler
 on:
- - pull_request_target
+ - pull_request_target # zizmor: ignore[dangerous-triggers]
 jobs:
 triage:
 permissions:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 517db5e21c..6f3898d8b0 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -33,6 +33,8 @@ jobs:
 steps:
 - name: 'Checkout ${{ github.ref }} ( ${{ github.sha }} )'
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6 # https://www.python.org/
 with:
 python-version: '3.10' # Version range or exact version of a Python version to use, using SemVer's version range syntax
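Review bot: `contents: write` is granted at the workflow level in docs.yml, so every job in that workflow receives a write-capable token, not only the one that publishes the site; if the workflow has more than one job, moving the block under the publishing job keeps the others at the read-only default. The second docs.yml hunk also sets `persist-credentials: false` on the checkout, so whichever step pushes the built documentation can no longer rely on the credential the checkout used to leave behind and must receive a token explicitly; that step is outside both hunks, so I cannot confirm from the diff that it does. A comment above `permissions:` naming the step that needs write access, e.g. `# write access is required only to publish the generated site`, would make the scope of the grant reviewable later.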
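Review bot: The `# zizmor: ignore[dangerous-triggers]` suppression in labeler.yml silences the finding without recording why `pull_request_target` is acceptable here, so the next reader has to re-derive the argument. The trigger is safe only as long as the `triage` job never checks out or executes content from the pull request head; the job body is outside the hunk, so this cannot be confirmed from the diff. A comment line above the trigger, such as `# pull_request_target is required so the labeler receives a write-capable token; this job must never check out PR code`, states the condition the suppression depends on.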
diff --git a/.github/workflows/pyflink.yml b/.github/workflows/pyflink.yml
index b72ffa4b5a..9b86d74ab7 100644
--- a/.github/workflows/pyflink.yml
+++ b/.github/workflows/pyflink.yml
@@ -39,6 +39,9 @@ on:
 - 'python/**'
 - '.github/workflows/pyflink.yml'
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -51,6 +54,8 @@ jobs:
 python: ['3.11', '3.10']
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-java@v5
 with:
 distribution: 'zulu'
diff --git a/.github/workflows/python-extension.yml b/.github/workflows/python-extension.yml
index b7a1e5a2cf..c4eb20a881 100644
--- a/.github/workflows/python-extension.yml
+++ b/.github/workflows/python-extension.yml
@@ -59,6 +59,8 @@ jobs:
 working-directory: python
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: ${{ matrix.python }}
diff --git a/.github/workflows/python-wheel.yml b/.github/workflows/python-wheel.yml
index 013105b827..28cd25ee74 100644
--- a/.github/workflows/python-wheel.yml
+++ b/.github/workflows/python-wheel.yml
@@ -39,6 +39,9 @@ on:
 - 'python/**'
 - '.github/workflows/python-wheel.yml'
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
@@ -54,6 +57,8 @@ jobs:
 shell: bash
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up QEMU
 if: runner.os == 'Linux'
 uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index b7e20423cf..05782bbae9 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -113,6 +113,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: actions/setup-java@v5
 with:
 distribution: 'zulu'
diff --git a/.github/workflows/r.yml b/.github/workflows/r.yml
index 5177baf2d5..14565278fc 100644
--- a/.github/workflows/r.yml
+++ b/.github/workflows/r.yml
@@ -39,6 +39,9 @@ on:
 - 'R/**'
 - '.github/workflows/r.yml'
 
+permissions:
+ contents: read
+
 env:
 MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=60
 JAI_CORE_VERSION: '1.1.3'
@@ -84,6 +87,8 @@ jobs:
 sudo apt-get -y remove --purge default-jdk adoptopenjdk-11-hotspot || :
 shell: bash
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - uses: r-lib/actions/setup-r@v2.11.4
 with:
 r-version: ${{ matrix.r }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 246687331f..84b10f4918 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -309,6 +309,15 @@ repos:
 - id: gitleaks
 name: run gitleaks
 description: check for secrets with gitleaks
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.20.0
+ hooks:
+ - id: zizmor
+ name: run zizmor
+ description: zizmor is a static analysis tool for GitHub Actions
+ args: [--config=.github/linters/zizmor.yml]
+ files: ^\.github/workflows/.*$
+ types: [yaml]
 - repo: https://github.com/pre-commit/pygrep-hooks
 rev: v1.10.0
 hooks:
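Review bot: The `files: ^\.github/workflows/.*$` pattern on the new zizmor hook limits the audit to workflow files, so any composite action definition (`action.yml` / `action.yaml`) the repository keeps elsewhere under `.github/` would never be scanned even though zizmor audits those too; if such files exist, `files: ^\.github/(workflows|actions)/.*$` covers both. Separately, some zizmor audits need GitHub API access, which a contributor's local pre-commit run usually does not have, so results can differ between local runs and any CI run that exports a token; adding `--offline` to `args` makes the hook behave the same everywhere, or a comment beside `args:` should note that online audits depend on a token being present.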