From 0d1e435d5ef88ae46be4415f4e770ab595eb1b88 Mon Sep 17 00:00:00 2001 From: Benjamin Philip Date: Tue, 30 Jun 2026 12:24:32 +0530 Subject: [PATCH 1/5] chore: Perform ASF allowlist checks on CI changes --- .github/workflows/asf-allowlist-check.yml | 55 +++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/asf-allowlist-check.yml diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml new file mode 100644 index 0000000..6ca2a7f --- /dev/null +++ b/.github/workflows/asf-allowlist-check.yml @@ -0,0 +1,55 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# See https://github.com/apache/iceberg/blob/main/.github/workflows/asf-allowlist-check.yml +name: "GitHub Actions Checks" + +on: + pull_request: + paths: + - ".github/**" + push: + branches: + - main + paths: + - ".github/**" + +concurrency: + group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + gha: + name: "Analyze Actions" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + # Check that actions are pinned and on the ASF allowlist. + # Intentionally unpinned to always use the latest allowlist from the ASF. + - uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses] + + # Analyze workflows with Zizmor + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false From 204aa1b393b7fba65e662ac6d5f0a0f3dd253274 Mon Sep 17 00:00:00 2001 From: Benjamin Philip Date: Tue, 30 Jun 2026 12:43:41 +0530 Subject: [PATCH 2/5] Fix indentation --- .github/workflows/asf-allowlist-check.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml index 6ca2a7f..c505200 100644 --- a/.github/workflows/asf-allowlist-check.yml +++ b/.github/workflows/asf-allowlist-check.yml @@ -40,16 +40,16 @@ jobs: name: "Analyze Actions" runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: - persist-credentials: false + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - # Check that actions are pinned and on the ASF allowlist. - # Intentionally unpinned to always use the latest allowlist from the ASF. - - uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses] + # Check that actions are pinned and on the ASF allowlist. + # Intentionally unpinned to always use the latest allowlist from the ASF. + - uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses] - # Analyze workflows with Zizmor - - name: Run zizmor 🌈 - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 - with: - advanced-security: false + # Analyze workflows with Zizmor + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false From 3df5d1a6be37cf4a949652f1d45bab8f0ec9ee4e Mon Sep 17 00:00:00 2001 From: Benjamin Philip Date: Tue, 30 Jun 2026 12:48:26 +0530 Subject: [PATCH 3/5] Fix concurrency --- .github/workflows/asf-allowlist-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml index c505200..b3399c3 100644 --- a/.github/workflows/asf-allowlist-check.yml +++ b/.github/workflows/asf-allowlist-check.yml @@ -29,7 +29,7 @@ on: - ".github/**" concurrency: - group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }} + group: ${{ github.repository }}-${{ github.head_ref || github.ref }}-${{ github.workflow }} cancel-in-progress: true permissions: From b969e2ce5d1ca80171f31e9a2932a370d7135405 Mon Sep 17 00:00:00 2001 From: Benjamin Philip Date: Tue, 30 Jun 2026 15:55:25 +0530 Subject: [PATCH 4/5] Remove Zizmor checks --- .github/workflows/asf-allowlist-check.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml index b3399c3..62d6662 100644 --- a/.github/workflows/asf-allowlist-check.yml +++ b/.github/workflows/asf-allowlist-check.yml @@ -47,9 +47,3 @@ jobs: # Check that actions are pinned and on the ASF allowlist. # Intentionally unpinned to always use the latest allowlist from the ASF. - uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses] - - # Analyze workflows with Zizmor - - name: Run zizmor 🌈 - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 - with: - advanced-security: false From 5d0ed5629e417ec576ec8d5acdebe7997be28d9d Mon Sep 17 00:00:00 2001 From: Benjamin Philip Date: Tue, 30 Jun 2026 15:57:31 +0530 Subject: [PATCH 5/5] Run on push to all branches --- .github/workflows/asf-allowlist-check.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml index 62d6662..83f8210 100644 --- a/.github/workflows/asf-allowlist-check.yml +++ b/.github/workflows/asf-allowlist-check.yml @@ -23,8 +23,6 @@ on: paths: - ".github/**" push: - branches: - - main paths: - ".github/**"