Apply zizmor findings #45408

Merged
potiuk merged 8 commits into apache:main from gopidesupavan:apply-zizmor-findings
Jan 5, 2025
@gopidesupavan (Member)

We have a nice tool available to find issues in GitHub workflows/actions files.
https://woodruffw.github.io/zizmor/

Thanks to zizmor and @assignUser for sharing the details

@gopidesupavan (Member, Author)

Going to run for all combinations just to make sure the syntax is working :)

gopidesupavan added the canary and all versions labels Jan 5, 2025
gopidesupavan reopened this Jan 5, 2025

@gopidesupavan (Member, Author)

Oops will update all the quotes :)

@potiuk (Member) left a comment

Few nits

@hussein-awala (Member) left a comment

Nice one!

potiuk merged commit c5049d0 into apache:main Jan 5, 2025

@potiuk (Member) commented Jan 5, 2025

> Nice one!

Indeed :)

gopidesupavan deleted the apply-zizmor-findings branch January 5, 2025 20:47

@amoghrajesh (Contributor) left a comment

Pretty cool!

HariGS-DB pushed a commit to HariGS-DB/airflow that referenced this pull request Jan 16, 2025
got686-yandex pushed a commit to got686-yandex/airflow that referenced this pull request Jan 30, 2025
Xuanwo pushed a commit to apache/iceberg-rust that referenced this pull request Mar 24, 2025
## Which issue does this PR close?

This patch makes CI safer using the static checker zizmor, to avoid code
injection

more:
- apache/airflow#45408
- astral-sh/ruff#14844

and GitHub Actions safety is more and more important:

link:
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

Signed-off-by: yihong0618 <zouzou0208@gmail.com>
Labels

- all versions: If set, the CI build will be forced to use all versions of Python/K8S/DBs
- area:dev-tools
- canary: When set on PR running from apache repo - behave as canary run