From 2a76aadc7dcab5f81712283141d680c82dce12e8 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Wed, 15 Apr 2026 11:29:39 -0700 Subject: [PATCH 1/9] Revert "Infra: Remove GitHub Actions from Dependabot configuration (#597)" This reverts commit f79f885e46f6460b3356e90288e8d69803558f57. --- .github/dependabot.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..2cc471df7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,25 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + open-pull-requests-limit: 10 From 734cf3c65e23684335518354405470355f79336b Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Wed, 15 Apr 2026 11:30:13 -0700 Subject: [PATCH 2/9] update github-actions dependabot configs --- .github/dependabot.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2cc471df7..fc74cd299 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -18,8 +18,11 @@ version: 2 updates: + # Maintain dependencies for GitHub Actions - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - open-pull-requests-limit: 10 + interval: "weekly" + day: "sunday" + cooldown: + default-days: 7 From 6521aa5e837435a9264070b2a515197f190d40d4 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Wed, 15 Apr 2026 11:30:57 -0700 Subject: [PATCH 3/9] add the 3 checks --- .github/workflows/asf-allowlist-check.yml | 46 +++++++++++++++++++++++ .github/workflows/codeql.yml | 14 +++---- .github/workflows/zizmor.yml | 44 ++++++++++++++++++++++ 3 files changed, 97 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/asf-allowlist-check.yml create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml new file mode 100644 index 000000000..65dbe8bcb --- /dev/null +++ b/.github/workflows/asf-allowlist-check.yml 
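Review bot: The new `cooldown:` / `default-days: 7` block is the supply-chain-relevant part of this hunk and has no why-comment, so a reader may read it as a noise-reduction knob rather than a deliberate hold; suggest `# Hold action bumps for 7 days so a compromised release can be reported and pulled before Dependabot proposes it` above `cooldown:`. The hunk also drops `open-pull-requests-limit: 10`, so Dependabot's default limit applies — presumably intended, but the commit message does not say so.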
@@ -0,0 +1,46 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# Verifies all GitHub Actions refs are on the ASF allowlist. +# Actions not on the allowlist silently fail with "Startup failure" — no logs, +# no notifications, and PRs may appear green because no checks ran. +# See https://github.com/apache/infrastructure-actions/issues/574 +name: "ASF Allowlist Check" + +on: + pull_request: + paths: + - ".github/**" + push: + branches: + - main + paths: + - ".github/**" + +permissions: + contents: read + +jobs: + asf-allowlist-check: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: apache/infrastructure-actions/allowlist-check@4e9c961f587f72b170874b6f5cd4ac15f7f26eb8 # main diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e71958d97..fe0459aeb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,11 +21,9 @@ name: "CodeQL" on: push: - branches: - - main + branches: [ "main" ] pull_request: - branches: - - main + branches: [ "main" ] schedule: - cron: '16 4 * * 1' 
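Review bot: The check only runs when `.github/**` changes in a pull request or on `main`, but the allowlist it consults is maintained outside this repository (the header comment and linked issue describe it), so an action removed from the allowlist later would start hitting the silent "Startup failure" described in the comment without this workflow ever re-running. Consider adding `schedule:` (a weekly cron is enough) and `workflow_dispatch:` to the `on:` block so that drift is caught. `permissions: contents: read` and the SHA-pinned `persist-credentials: false` checkout look right; the `# main` comment on the `allowlist-check` pin marks a branch rather than a release, so a short comment on how that SHA is expected to be refreshed would help whoever maintains it.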
@@ -43,14 +41,16 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: languages: actions - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: category: "/language:actions" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..313835fcb --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,44 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: {} + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + advanced-security: false From 538f7da204e438fd87fb72d9eb3cf597c03bb0db Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Wed, 15 Apr 2026 11:33:01 -0700 Subject: [PATCH 4/9] zizmor auto fix --- .github/workflows/cpp-linter.yml | 8 ++++++-- .github/workflows/docs.yml | 5 +++-- .github/workflows/license_check.yml | 6 ++++-- .github/workflows/pre-commit.yml | 6 ++++-- .github/workflows/rc.yml | 16 +++++++++++----- .github/workflows/sanitizer_test.yml | 4 +++- .github/workflows/test.yml | 18 +++++++++++++----- 7 files changed, 44 insertions(+), 19 deletions(-) diff --git a/.github/workflows/cpp-linter.yml b/.github/workflows/cpp-linter.yml index 26324479c..833391b9e 100644 
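Review bot: `actions/checkout` is pinned to the same SHA `de0fac2e…` as in codeql.yml and asf-allowlist-check.yml in this series, but the trailing comment is `# v6.0.2` here and `# v6` there; Dependabot presumably preserves whatever precision the comment has when it bumps the SHA, so the files will keep drifting apart on every update. Pick one form for all workflows — the full `# v6.0.2` is more useful when auditing what was actually run. The empty `permissions: {}` at workflow and job level is consistent with `advanced-security: false` on the zizmor step, which presumably avoids the need for `security-events: write`; a one-line comment stating that would spare the next reader a lookup.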
--- a/.github/workflows/cpp-linter.yml +++ b/.github/workflows/cpp-linter.yml @@ -34,7 +34,9 @@ jobs: pull-requests: write steps: - name: Checkout iceberg-cpp - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install dependencies shell: bash run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev @@ -66,5 +68,7 @@ jobs: - name: Fail fast?! if: steps.linter.outputs.checks-failed != 0 run: | - echo "some linter checks failed. ${{ steps.linter.outputs.checks-failed }}" + echo "some linter checks failed. ${STEPS_LINTER_OUTPUTS_CHECKS_FAILED}" exit 1 + env: + STEPS_LINTER_OUTPUTS_CHECKS_FAILED: ${{ steps.linter.outputs.checks-failed }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index c6ec84fd9..82d0e5ab6 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -37,11 +37,12 @@ jobs: runs-on: ubuntu-slim steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.x' diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml index 8bed66aad..17af559d1 100644 --- a/.github/workflows/license_check.yml +++ b/.github/workflows/license_check.yml @@ -28,9 +28,11 @@ jobs: runs-on: ubuntu-slim steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Check license header - uses: apache/skywalking-eyes@main + uses: apache/skywalking-eyes@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
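Review bot: In the license_check hunk, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is still handed to `apache/skywalking-eyes` even though the checkout no longer persists credentials, so the token's blast radius is now set entirely by the job's `permissions:` block, which is outside this hunk; confirm it grants only what the action needs (`contents: read`, plus `pull-requests: write` only if PR commenting is actually configured under `with:`). Replacing the floating `@main` with the SHA pin and `# v0.8.0` comment is the right move. The enclosing job starts before this hunk.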
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 67f8ec586..363c234ba 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -31,6 +31,8 @@ jobs: pre-commit: runs-on: ubuntu-slim steps: - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/rc.yml b/.github/workflows/rc.yml index 91ddb0e5a..75c18d3d8 100644 --- a/.github/workflows/rc.yml +++ b/.github/workflows/rc.yml @@ -34,7 +34,9 @@ jobs: timeout-minutes: 5 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Prepare for tag if: github.ref_type == 'tag' @@ -84,9 +86,11 @@ jobs: CXX: g++-14 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: archive @@ -130,9 +134,11 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: archive diff --git a/.github/workflows/sanitizer_test.yml b/.github/workflows/sanitizer_test.yml index cdb3c86bc..422257a12 100644 --- a/.github/workflows/sanitizer_test.yml +++ b/.github/workflows/sanitizer_test.yml 
@@ -39,7 +39,9 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout iceberg-cpp - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install dependencies shell: bash run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c60f42b1d..b9d30e540 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -52,7 +52,9 @@ jobs: AWS_EC2_METADATA_DISABLED: "TRUE" steps: - name: Checkout iceberg-cpp - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install dependencies shell: bash run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev @@ -86,7 +88,9 @@ jobs: AWS_EC2_METADATA_DISABLED: "TRUE" steps: - name: Checkout iceberg-cpp - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Start MinIO shell: bash run: bash ci/scripts/start_minio.sh @@ -111,7 +115,9 @@ jobs: AWS_EC2_METADATA_DISABLED: "TRUE" steps: - name: Checkout iceberg-cpp - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install dependencies shell: cmd run: | @@ -155,11 +161,13 @@ jobs: - title: AArch64 macOS 26 runs-on: macos-26 steps: - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.x' - name: Checkout iceberg-cpp - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install build dependencies run: | python3 -m pip install --upgrade pip From ee7396d7cc5261bbe2e8343dd84d8b43be87458c Mon Sep 17 00:00:00 2001 
From: Kevin Liu
Date: Wed, 15 Apr 2026 11:52:30 -0700
Subject: [PATCH 5/9] zizmor ignore
---
 .github/workflows/test.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b9d30e540..ae6174675 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -119,7 +119,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Install dependencies
- shell: cmd
+ shell: pwsh
 run: |
 vcpkg install zlib:x64-windows nlohmann-json:x64-windows nanoarrow:x64-windows roaring:x64-windows cpr:x64-windows
 - name: Setup sccache
@@ -128,19 +128,19 @@ jobs:
 shell: bash
 run: bash ci/scripts/start_minio.sh
 - name: Build Iceberg
- shell: cmd
+ shell: pwsh
 env:
 SCCACHE_GHA_ENABLED: "true"
 run: |
- call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat" x64
- bash -c "ci/scripts/build_iceberg.sh $(pwd) OFF ON"
- if %errorlevel% neq 0 exit /b %errorlevel%
+ $ErrorActionPreference = "Stop"
+ cmd /c "call \"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat\" x64 && bash -lc \"ci/scripts/build_iceberg.sh `$(pwd) OFF ON\""
+ if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 sccache --show-stats
 - name: Build Example
- shell: cmd
+ shell: pwsh
 run: |
- call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat" x64
- bash -c "ci/scripts/build_example.sh $(pwd)/example"
+ $ErrorActionPreference = "Stop"
+ cmd /c "call \"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat\" x64 && bash -lc \"ci/scripts/build_example.sh `$(pwd)/example\""
 meson:
 name: Meson - ${{ matrix.title }}
 runs-on: ${{ matrix.runs-on }}
From a58ea19cd2bbd97eb363fe02eeb9b199c4800eef Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Wed, 15 Apr 2026 12:01:59 -0700
Subject: [PATCH 6/9] fix
---
 .github/workflows/test.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
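Review bot: Both rewritten `run:` blocks in the second hunk change the inner invocation from `bash -c` to `bash -lc`; `-l` makes bash a login shell that sources profile scripts before the build script runs, which the old `cmd` steps did not do, so if the only goal is to inherit the `vcvarsall.bat` environment, `-c` alone is sufficient and avoids profile side effects. If `-l` is deliberate, record the reason above the `cmd /c` line, e.g. `# -l: login shell so <reason> is on PATH` with the placeholder filled in. The enclosing job starts before this hunk.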
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ae6174675..37f98bd05 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -133,14 +133,14 @@ jobs:
 SCCACHE_GHA_ENABLED: "true"
 run: |
 $ErrorActionPreference = "Stop"
- cmd /c "call \"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat\" x64 && bash -lc \"ci/scripts/build_iceberg.sh `$(pwd) OFF ON\""
+ cmd /c "call `"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat`" x64 && bash -lc `"ci/scripts/build_iceberg.sh `$(pwd) OFF ON`""
 if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 sccache --show-stats
 - name: Build Example
 shell: pwsh
 run: |
 $ErrorActionPreference = "Stop"
- cmd /c "call \"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat\" x64 && bash -lc \"ci/scripts/build_example.sh `$(pwd)/example\""
+ cmd /c "call `"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat`" x64 && bash -lc `"ci/scripts/build_example.sh `$(pwd)/example`""
 meson:
 name: Meson - ${{ matrix.title }}
 runs-on: ${{ matrix.runs-on }}
From e58d73ed708e1eb9362896960e0bdf1dba935fab Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Wed, 15 Apr 2026 12:17:24 -0700
Subject: [PATCH 7/9] add tag
---
 .github/workflows/cpp-linter.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cpp-linter.yml b/.github/workflows/cpp-linter.yml
index 833391b9e..51a8f4d63 100644
--- a/.github/workflows/cpp-linter.yml
+++ b/.github/workflows/cpp-linter.yml
@@ -48,7 +48,7 @@ jobs:
 mkdir build && cd build
 cmake .. -G Ninja -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
 cmake --build .
- - uses: cpp-linter/cpp-linter-action@0f6d1b8d7e38b584cbee606eb23d850c217d54f8
+ - uses: cpp-linter/cpp-linter-action@0f6d1b8d7e38b584cbee606eb23d850c217d54f8 # v2.15.1
 id: linter
 continue-on-error: true
 env:
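Review bot: The corrected `cmd /c` lines rely on three layers of quoting that are hard to verify by eye — backtick-escaped `"` so pwsh passes the inner quotes through, backtick-escaped `$` so `$(pwd)` reaches bash unexpanded, and cmd.exe stripping only the outermost quote pair — and nothing in the file records this. Add a comment above each, e.g. `# backtick-escape quotes and $ so cmd.exe and bash, not pwsh, interpret them`. Only the Build Iceberg step guards with `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }`, which matters there because `sccache --show-stats` follows and would overwrite the exit code; in Build Example the `cmd /c` line is last, so the runner's own trailing exit-code check presumably covers it, but an explicit guard would make the two steps consistent. The enclosing job begins before this hunk.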
From a435dd5b72e7b8520f336523e0dd0a6c6d1d6af8 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Thu, 16 Apr 2026 08:29:06 -0700
Subject: [PATCH 8/9] ubuntu-24.04
---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 313835fcb..5ac3f30ea 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -30,7 +30,7 @@ permissions: {}
 jobs:
 zizmor:
 name: Run zizmor 🌈
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 permissions: {}
 steps:
 - name: Checkout repository
From ff490eac2aec239e365a3dbc847b9e5d6b3a4d28 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Thu, 16 Apr 2026 08:42:09 -0700
Subject: [PATCH 9/9] ignore mozilla-actions/sccache-action
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 37f98bd05..40b429541 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -123,7 +123,7 @@ jobs:
 run: |
 vcpkg install zlib:x64-windows nlohmann-json:x64-windows nanoarrow:x64-windows roaring:x64-windows cpr:x64-windows
 - name: Setup sccache
- uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
+ uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 # zizmor: ignore[cache-poisoning] -- only used for build caching, no artifacts published
 - name: Start MinIO
 shell: bash
 run: bash ci/scripts/start_minio.sh
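Review bot: The `# zizmor: ignore[cache-poisoning]` suppression on the `sccache-action` step is justified inline with "no artifacts published", but nothing enforces that claim — if an upload or release step is later added to this job, the finding stays silenced while the risk it describes returns. Consider wording the justification as a condition to re-check, e.g. `-- safe only while this job publishes no artifacts or releases`, so the next editor of the job knows the suppression must be revisited. The enclosing job starts before this hunk.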