From 20205b10da515fb99de37a77e13245a502498535 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 09:55:21 -0700 Subject: [PATCH 1/8] add ASF Allowlist Check --- .github/workflows/asf-allowlist-check.yml | 47 +++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/asf-allowlist-check.yml diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml new file mode 100644 index 0000000000..d4e84c5922 --- /dev/null +++ b/.github/workflows/asf-allowlist-check.yml @@ -0,0 +1,47 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# Verifies all GitHub Actions refs are on the ASF allowlist. +# Actions not on the allowlist silently fail with "Startup failure" — no logs, +# no notifications, and PRs may appear green because no checks ran. +# See https://github.com/apache/infrastructure-actions/issues/574 +name: "ASF Allowlist Check" + +on: + pull_request: + paths: + - ".github/**" + push: + branches: + - main + paths: + - ".github/**" + +permissions: + contents: read + +jobs: + asf-allowlist-check: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + # Intentionally unpinned to always use the latest allowlist from the ASF. + - uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses] From a8d2af64fe99466881c407ff46e2eb201612d72b Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 09:55:29 -0700 Subject: [PATCH 2/8] Revert "Infra: Remove GitHub Actions from Dependabot configuration (#3187)" This reverts commit ef75a1f0cd0a2b8de926eec2be6faa99e1ecaf4f. --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bd5b4d870e..4416fc89bc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -26,3 +26,7 @@ updates: open-pull-requests-limit: 50 ignore: - dependency-name: "datafusion" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" From c0885f4167c46040bfc8ea18ecb294084341871f Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 09:56:02 -0700 Subject: [PATCH 3/8] add cooldown --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4416fc89bc..4207b660d4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -26,7 +26,11 @@ updates: open-pull-requests-limit: 50 ignore: - dependency-name: "datafusion" + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 7 From de9564cec8fa2d43ff817b5a4c1618a6f938fbe6 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 10:23:19 -0700 Subject: [PATCH 4/8] use tag for now --- .github/workflows/nightly-pypi-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-pypi-build.yml b/.github/workflows/nightly-pypi-build.yml index fbd81257b9..a74baca70d 100644 --- a/.github/workflows/nightly-pypi-build.yml +++ b/.github/workflows/nightly-pypi-build.yml @@ -86,7 +86,7 @@ jobs: - name: Publish to TestPyPI id: publish-testpypi continue-on-error: true - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 + uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[unpinned-uses] -- until asf-infra publishes new allowlist with commit hash with: repository-url: https://test.pypi.org/legacy/ skip-existing: true From 226f4dc1a0e3462f904bac35fb22bc64608b09ce Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 10:34:41 -0700 Subject: [PATCH 5/8] add zizmor --- .github/workflows/zizmor.yml | 43 ++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..0045c69d39 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,43 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 From b64fcf82afa6076c39f78b62257ec151200239fd Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sun, 29 Mar 2026 14:04:23 -0700 Subject: [PATCH 6/8] disable advanced-security so ci will error --- .github/workflows/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 0045c69d39..f7400d253b 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -41,3 +41,5 @@ jobs: - name: Run zizmor 🌈 uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + advanced-security: false From e1911fd1ee5058452834b4d59c7a6e3bfad5a1bf Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Mon, 30 Mar 2026 08:45:41 -0700 Subject: [PATCH 7/8] fix pypa --- .github/workflows/nightly-pypi-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-pypi-build.yml b/.github/workflows/nightly-pypi-build.yml index a74baca70d..724885659c 100644 --- a/.github/workflows/nightly-pypi-build.yml +++ b/.github/workflows/nightly-pypi-build.yml @@ -86,7 +86,7 @@ jobs: - name: Publish to TestPyPI id: publish-testpypi continue-on-error: true - uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[unpinned-uses] -- until asf-infra publishes new allowlist with commit hash + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ skip-existing: true From 2f534be42566618314772d330ece5ffbfc9c709e Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Mon, 30 Mar 2026 08:51:26 -0700 Subject: [PATCH 8/8] copy over changes --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/zizmor.yml | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 75c10c7eaf..81bc6b16f8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -46,11 +46,11 @@ jobs: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 + uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4 with: languages: actions - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 + uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4 with: category: "/language:actions" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index f7400d253b..313835fcbe 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -31,8 +31,7 @@ jobs: zizmor: name: Run zizmor 🌈 runs-on: ubuntu-latest - permissions: - security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + permissions: {} steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2