HIVE-29553: Pin third-party GitHub Actions (#6417)

okumin · web-flow · commit 01d9111da5e6 · 2026-04-11T16:19:18.000+09:00
* HIVE-29553: Pin third-party GitHub Actions * test * Narrow down permission * Remove workflow_dispatch * Add .github/workflows/asf-allowlist-check.yml * Use not main but master
diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "ASF Allowlist Check"
+
+on:
+  pull_request:
+    paths:
+      - ".github/**"
+  push:
+    branches:
+      - master
+    paths:
+      - ".github/**"
+
+permissions:
+  contents: read
+
+jobs:
+  asf-allowlist-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: apache/infrastructure-actions/allowlist-check@main
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -24,6 +24,9 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,53 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '16 5 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze Actions
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      security-events: write
+      packages: read
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: actions
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:actions"
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Build and Publish docker images for Hive GA
+name: Build and Publish docker images
 
 on:
   create:
@@ -37,6 +37,9 @@ on:
         required: true
         default: '0.10.2'
 
+permissions:
+  contents: read
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
@@ -115,16 +118,16 @@ jobs:
           ls ./standalone-metastore/packaging/src/docker/
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build Hive Image locally
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           context: ./packaging/src/docker/
           file: ./packaging/src/docker/Dockerfile
@@ -139,7 +142,7 @@ jobs:
             BUILD_ENV=${{ env.BUILD_ENV }}
 
       - name: Build Standalone Metastore Image locally
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           context: ./standalone-metastore/packaging/src/docker/
           file: ./standalone-metastore/packaging/src/docker/Dockerfile
@@ -153,10 +156,10 @@ jobs:
             BUILD_ENV=${{ env.BUILD_ENV }}
 
       - name: Create k8s cluster
-        uses: helm/kind-action@v1
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2
 
       - name: Load images
         run: kind load docker-image hive:test hive:standalone-metastore-test --name chart-testing
@@ -181,7 +184,7 @@ jobs:
           kind delete cluster --name chart-testing
 
       - name: Build and push Hive Image to docker hub
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           context: ./packaging/src/docker/
           file: ./packaging/src/docker/Dockerfile
@@ -196,7 +199,7 @@ jobs:
             BUILD_ENV=${{ env.BUILD_ENV }}
 
       - name: Build and push Standalone Metastore Image to docker hub
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           context: ./standalone-metastore/packaging/src/docker/
           file: ./standalone-metastore/packaging/src/docker/Dockerfile
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -19,6 +19,11 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
