RATIS-2493. Check actions with zizmor (#1426)

Author: adoroszlai

.github/dependabot.yml

@@ -23,15 +23,15 @@ updates:
       interval: "cron"
       cronjob: "15 9 * * *"
     cooldown:
-      default-days: 4
+      default-days: 7
   - package-ecosystem: "maven"
     directory: "/"
     schedule:
       # 'daily' only runs on weekdays
       interval: "cron"
       cronjob: "15 10 * * *"
     cooldown:
-      default-days: 4
+      default-days: 7
     ignore:
       # requires Java 11
       - dependency-name: "com.github.spotbugs:spotbugs"

.github/workflows/check.yaml

@@ -76,6 +76,11 @@ on:
         default: 30
         required: false
 
+    secrets:
+      DEVELOCITY_ACCESS_KEY:
+        description: 'Token for submitting build scan to Develocity'
+        required: false
+
 env:
   MAVEN_ARGS: --batch-mode --show-version
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
@@ -90,11 +95,13 @@ jobs:
     steps:
       - name: Checkout project
         if: ${{ !inputs.needs-source-tarball }}
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download source tarball
         if: ${{ inputs.needs-source-tarball }}
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: ratis-src
 
@@ -105,7 +112,7 @@ jobs:
 
       - name: Create cache for Maven dependencies
         if: ${{ inputs.script == 'build' }}
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.m2/repository/*/*/*
@@ -116,7 +123,7 @@ jobs:
 
       - name: Restore cache for Maven dependencies
         if: ${{ inputs.script != 'build' }}
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.m2/repository/*/*/*
@@ -128,15 +135,15 @@ jobs:
       - name: Download Maven repo
         id: download-maven-repo
         if: ${{ inputs.needs-maven-repo }}
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: maven-repo
           path: |
             ~/.m2/repository/org/apache/ratis
 
       - name: Download binary tarball
         if: ${{ inputs.needs-binary-tarball }}
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: ratis-bin
 
@@ -148,7 +155,7 @@ jobs:
 
       - name: Setup java ${{ inputs.java-version }}
         if: ${{ inputs.java-version }}
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: 'temurin'
           java-version: ${{ inputs.java-version }}
@@ -169,7 +176,7 @@ jobs:
 
       - name: Archive build results
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ (inputs.split && format('{0}-{1}', inputs.script, inputs.split)) || inputs.script }}
           path: target/${{ inputs.script }}
@@ -179,7 +186,7 @@ jobs:
       # to avoid the need for 3 more inputs.
       - name: Store binaries for tests
         if: ${{ inputs.script == 'build' && !cancelled() }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ratis-bin
           path: |
@@ -188,7 +195,7 @@ jobs:
 
       - name: Store source tarball for compilation
         if: ${{ inputs.script == 'build' && !cancelled() }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ratis-src
           path: |
@@ -197,7 +204,7 @@ jobs:
 
       - name: Store Maven repo for tests
         if: ${{ inputs.script == 'build' && !cancelled() }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: maven-repo
           path: |

.github/workflows/ci.yaml

@@ -23,6 +23,15 @@ on:
         description: Ratis git ref (branch, tag or commit hash)
         default: ''
         required: false
+    secrets:
+      DEVELOCITY_ACCESS_KEY:
+        description: 'Token for submitting build scan to Develocity'
+        required: false
+      SONARCLOUD_TOKEN:
+        description: 'Token for submitting coverage data to SonarCloud'
+        required: false
+
+permissions: { }
 
 jobs:
   build:
@@ -31,7 +40,8 @@ jobs:
       script: build
       script-args: -Prelease
       timeout-minutes: 30
-    secrets: inherit
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
   compile:
     needs:
@@ -48,14 +58,16 @@ jobs:
       script-args: -Dmaven.compiler.release=${{ matrix.java }}
       split: ${{ matrix.java }}
       timeout-minutes: 30
-    secrets: inherit
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
   release:
     uses: ./.github/workflows/check.yaml
     with:
       script: release
       timeout-minutes: 30
-    secrets: inherit
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
   repro:
     needs:
@@ -66,7 +78,8 @@ jobs:
       script: repro
       script-args: -Prelease
       timeout-minutes: 30
-    secrets: inherit
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
   basic:
     strategy:
@@ -81,7 +94,8 @@ jobs:
     with:
       script: ${{ matrix.check }}
       timeout-minutes: 30
-    secrets: inherit
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
   unit:
     strategy:
@@ -98,7 +112,8 @@ jobs:
       script-args: -P${{ matrix.profile }}-tests
       split: ${{ matrix.profile }}
       timeout-minutes: 60
-    secrets: inherit
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
   coverage:
     needs:
@@ -109,11 +124,12 @@ jobs:
     if: github.event_name != 'pull_request'
     steps:
         - name: Checkout project
-          uses: actions/checkout@v6
+          uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
           with:
             fetch-depth: 0
+            persist-credentials: false
         - name: Cache for maven dependencies
-          uses: actions/cache/restore@v5
+          uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
           with:
             path: |
               ~/.m2/repository
@@ -122,12 +138,12 @@ jobs:
             restore-keys: |
               maven-repo-
         - name: Setup java 17
-          uses: actions/setup-java@v5
+          uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
           with:
             distribution: 'temurin'
             java-version: 17
         - name: Download artifacts
-          uses: actions/download-artifact@v8
+          uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
           with:
             path: target/artifacts
         - name: Untar binaries
@@ -143,7 +159,7 @@ jobs:
             SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         - name: Archive build results
-          uses: actions/upload-artifact@v7
+          uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
           if: always()
           with:
             name: ${{ github.job }}

.github/workflows/close-stale-pr.yaml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-slim
     steps:
       - name: Close Stale PRs
-        uses: actions/stale@v10
+        uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
         with:
           stale-pr-label: 'stale'
           exempt-draft-pr: false

.github/workflows/post-commit.yaml

@@ -27,10 +27,14 @@ concurrency:
   group: ci-${{ github.event.pull_request.number || case(github.repository == 'apache/ratis', github.sha, github.ref_name) }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'apache/ratis' }}
 
+permissions: { }
+
 jobs:
   CI:
     if: github.event_name == 'pull_request'
       || github.repository == 'apache/ratis'
       || github.ref_name != 'master'
     uses: ./.github/workflows/ci.yaml
-    secrets: inherit
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+      SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}

.github/workflows/repeat-test.yaml

@@ -49,6 +49,9 @@ env:
   FAIL_FAST: ${{ github.event.inputs.fail-fast }}
   SPLITS: ${{ github.event.inputs.splits }}
 run-name: ${{ github.event_name == 'workflow_dispatch' && format('{0}#{1}[{2}]-{3}x{4}', inputs.test-class, inputs.test-method, inputs.ref, inputs.splits, inputs.iterations) || '' }}
+
+permissions: { }
+
 jobs:
   prepare:
     runs-on: ubuntu-24.04
@@ -95,11 +98,12 @@ jobs:
         split: ${{ fromJson(needs.prepare.outputs.matrix) }}
       fail-fast: ${{ fromJson(github.event.inputs.fail-fast) }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           ref: ${{ needs.prepare.outputs.ref }}
       - name: Cache for maven dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.m2/repository
@@ -108,7 +112,7 @@ jobs:
           restore-keys: |
             maven-repo-
       - name: Setup java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: 'temurin'
           java-version: 8
@@ -121,7 +125,7 @@ jobs:
         run: dev-support/checks/_summary.sh target/unit/summary.txt
         if: ${{ !cancelled() }}
       - name: Archive build results
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ failure() }}
         with:
           name: result-${{ github.run_number }}-${{ github.run_id }}-split-${{ matrix.split }}
@@ -132,7 +136,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download build results
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       - name: Count failures
         run: |
           failures=$(find . -name 'summary.txt' | grep -v 'iteration' | xargs grep -v 'exit code: 0' | wc -l)

.github/workflows/vulnerability-check.yaml

@@ -29,15 +29,19 @@ env:
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3
   MAVEN_ARGS: --batch-mode --no-transfer-progress
 
+permissions: { }
+
 jobs:
   dependency-check:
     if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'apache/ratis' }}
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up JDK 11
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: corretto
           java-version: 11
@@ -52,13 +56,14 @@ jobs:
 
       - name: Generate report date for artifact name
         run: |
-          utc_time="${{ github.run_started_at }}"
           target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d")
           echo "REPORT_DATE=$target_time" >> $GITHUB_ENV
+        env:
+          utc_time: ${{ github.run_started_at }}
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: vulnerability-check-result-${{ env.REPORT_DATE }}
           path: target/dependency-check-report.html
-          retention-days: 15
+          retention-days: 15

.github/workflows/zizmor.yml

@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: zizmor
+
+on:
+  push:
+  pull_request:
+
+permissions: { }
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+    - name: Checkout project
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+
+    - name: Run zizmor
+      uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3