This is an automated email from the ASF dual-hosted git repository.
jiayu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sedona.git
The following commit(s) were added to refs/heads/master by this push:
new 179ccd2eed [GH-1977] Add zizmor with pre-commit (#2582)
179ccd2eed is described below
commit 179ccd2eede2f2430c7807977ecd08db6ee84b51
Author: John Bampton <[email protected]>
AuthorDate: Fri Jan 9 15:18:47 2026 +1000
[GH-1977] Add zizmor with pre-commit (#2582)
Co-authored-by: Aashish Jha <[email protected]>
---
.../{workflows/labeler.yml => linters/zizmor.yml} | 27 ++++++++++------------
.github/workflows/codeql.yml | 2 ++
.github/workflows/docker-build.yml | 2 ++
.github/workflows/docs.yml | 4 ++++
.github/workflows/example.yml | 2 ++
.github/workflows/java.yml | 2 ++
.github/workflows/labeler.yml | 2 +-
.github/workflows/pre-commit.yml | 2 ++
.github/workflows/pyflink.yml | 5 ++++
.github/workflows/python-extension.yml | 2 ++
.github/workflows/python-wheel.yml | 5 ++++
.github/workflows/python.yml | 2 ++
.github/workflows/r.yml | 5 ++++
.pre-commit-config.yaml | 9 ++++++++
14 files changed, 55 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/labeler.yml b/.github/linters/zizmor.yml
similarity index 69%
copy from .github/workflows/labeler.yml
copy to .github/linters/zizmor.yml
index 136b950336..08d06108ff 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/linters/zizmor.yml
@@ -15,18 +15,15 @@
# specific language governing permissions and limitations
# under the License.
-# https://github.com/actions/labeler
-name: Pull Request Labeler
-on:
- - pull_request_target
-jobs:
- triage:
- permissions:
- contents: read
- pull-requests: write
- runs-on: ubuntu-latest
- steps:
- - uses: actions/labeler@v6
- with:
- repo-token: '${{ secrets.GITHUB_TOKEN }}'
- sync-labels: true
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: any
+ astral-sh/setup-uv: any
+ docker/setup-qemu-action: any
+ github/*: any
+ pypa/cibuildwheel: any
+ r-lib/actions/check-r-package: any
+ r-lib/actions/setup-r: any
+ r-lib/actions/setup-r-dependencies: any
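Review bot: The `any` policy given to `actions/*`, `github/*` and the six third-party entries turns the unpinned-uses check off for exactly those actions, so a mutable tag such as the `actions/checkout@v6` used in every other hunk of this commit will never be reported; zizmor's `ref-pin` and `hash-pin` policy values keep at least a tag or a commit-SHA requirement. If the intent is to accept tag pins for now, `ref-pin` is the tighter value that still matches every use visible in this diff, and `hash-pin` is what a supply-chain reviewer would expect as the end state for third-party entries such as `pypa/cibuildwheel` and `astral-sh/setup-uv`. Either way the file should say why each exception exists, for example a comment above `rules:` reading `# Allow tag-pinned refs for these actions until the workflows move to commit-SHA pins.` so the relaxation reads as deliberate rather than accidental.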
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 49bac483c6..b7bc53d7de 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,6 +41,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
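Review bot: Only `persist-credentials: false` is added to the checkout here, whereas pyflink.yml, python-wheel.yml and r.yml in the same commit also gain a workflow-level `permissions:` / `contents: read`; codeql.yml, docker-build.yml, example.yml, java.yml, pre-commit.yml, python-extension.yml and python.yml may already declare `permissions:` above their hunks, but any that does not leaves the job token at the repository's default scope, which zizmor's excessive-permissions audit is likely to report. For this file a top-level `contents: read` would need `security-events: write` at job level so the CodeQL upload still works. The enclosing job starts before the hunk.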
diff --git a/.github/workflows/docker-build.yml
b/.github/workflows/docker-build.yml
index ae4fdfca14..42306f9ee1 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -60,6 +60,8 @@ jobs:
shell: bash
steps:
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@v5
with:
distribution: 'zulu'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 4e5a53cbef..d9f806d3c8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -26,6 +26,9 @@ on:
branches:
- '*'
+permissions:
+ contents: write
+
env:
MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=60
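Review bot: `contents: write` declared at the workflow level (`+permissions:` / `+  contents: write`) grants repository write to every job in docs.yml, including build and test steps that only need to read; the other three workflows in this commit use the narrower top-level `contents: read`. Prefer `contents: read` here and move `contents: write` into the `permissions:` block of the single job that publishes the site, if that is how deployment happens. The `on:` block this hunk sits in starts outside the hunk.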
@@ -40,6 +43,7 @@ jobs:
- uses: actions/checkout@v6
with:
fetch-depth: 0
+ persist-credentials: false
- name: Set up Java
uses: actions/setup-java@v5
with:
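Review bot: With `persist-credentials: false` on this checkout the token is no longer written to `.git/config`, so any later `git push` in this job (plausible given the `contents: write` grant and `fetch-depth: 0`, though the rest of the job is outside the hunk) would now fail to authenticate unless it passes `${{ secrets.GITHUB_TOKEN }}` explicitly or uses a deploy action that takes a token input. Worth confirming the docs job still publishes end-to-end after the hardening.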
diff --git a/.github/workflows/example.yml b/.github/workflows/example.yml
index f98f5e4858..6d16137a83 100644
--- a/.github/workflows/example.yml
+++ b/.github/workflows/example.yml
@@ -59,6 +59,8 @@ jobs:
hadoop: 3.3.4
steps:
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@v5
with:
distribution: 'zulu'
diff --git a/.github/workflows/java.yml b/.github/workflows/java.yml
index bf835f8e6f..76834c9d63 100644
--- a/.github/workflows/java.yml
+++ b/.github/workflows/java.yml
@@ -86,6 +86,8 @@ jobs:
skipTests: ''
steps:
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@v5
with:
distribution: 'zulu'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 136b950336..d6be9f21f2 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -18,7 +18,7 @@
# https://github.com/actions/labeler
name: Pull Request Labeler
on:
- - pull_request_target
+ - pull_request_target # zizmor: ignore[dangerous-triggers]
jobs:
triage:
permissions:
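Review bot: The suppression on `- pull_request_target # zizmor: ignore[dangerous-triggers]` records that the finding is ignored but not why; the justification is visible in the copy of this workflow earlier in the commit: the `triage` job runs only `actions/labeler@v6` with the repository token and never checks out the pull request head, so no PR-controlled code executes under `pull-requests: write`. Recording that above the trigger stops the next editor from adding a checkout step without revisiting the trigger: `# pull_request_target is required by actions/labeler; the job checks out nothing, so no PR code runs with the write token.`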
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 517db5e21c..6f3898d8b0 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -33,6 +33,8 @@ jobs:
steps:
- name: 'Checkout ${{ github.ref }} ( ${{ github.sha }} )'
uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: actions/setup-python@v6 # https://www.python.org/
with:
python-version: '3.10' # Version range or exact version of a Python
version to use, using SemVer's version range syntax
diff --git a/.github/workflows/pyflink.yml b/.github/workflows/pyflink.yml
index b72ffa4b5a..9b86d74ab7 100644
--- a/.github/workflows/pyflink.yml
+++ b/.github/workflows/pyflink.yml
@@ -39,6 +39,9 @@ on:
- 'python/**'
- '.github/workflows/pyflink.yml'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
@@ -51,6 +54,8 @@ jobs:
python: ['3.11', '3.10']
steps:
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@v5
with:
distribution: 'zulu'
diff --git a/.github/workflows/python-extension.yml
b/.github/workflows/python-extension.yml
index b7a1e5a2cf..c4eb20a881 100644
--- a/.github/workflows/python-extension.yml
+++ b/.github/workflows/python-extension.yml
@@ -59,6 +59,8 @@ jobs:
working-directory: python
steps:
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python }}
diff --git a/.github/workflows/python-wheel.yml
b/.github/workflows/python-wheel.yml
index 013105b827..28cd25ee74 100644
--- a/.github/workflows/python-wheel.yml
+++ b/.github/workflows/python-wheel.yml
@@ -39,6 +39,9 @@ on:
- 'python/**'
- '.github/workflows/python-wheel.yml'
+permissions:
+ contents: read
+
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
@@ -54,6 +57,8 @@ jobs:
shell: bash
steps:
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- name: Set up QEMU
if: runner.os == 'Linux'
uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index b7e20423cf..05782bbae9 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -113,6 +113,8 @@ jobs:
steps:
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: actions/setup-java@v5
with:
distribution: 'zulu'
diff --git a/.github/workflows/r.yml b/.github/workflows/r.yml
index 5177baf2d5..14565278fc 100644
--- a/.github/workflows/r.yml
+++ b/.github/workflows/r.yml
@@ -39,6 +39,9 @@ on:
- 'R/**'
- '.github/workflows/r.yml'
+permissions:
+ contents: read
+
env:
MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=60
JAI_CORE_VERSION: '1.1.3'
@@ -84,6 +87,8 @@ jobs:
sudo apt-get -y remove --purge default-jdk adoptopenjdk-11-hotspot
|| :
shell: bash
- uses: actions/checkout@v6
+ with:
+ persist-credentials: false
- uses: r-lib/actions/[email protected]
with:
r-version: ${{ matrix.r }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2c14404352..a0859c794c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -310,6 +310,15 @@ repos:
- id: gitleaks
name: run gitleaks
description: check for secrets with gitleaks
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.20.0
+ hooks:
+ - id: zizmor
+ name: run zizmor
+ description: zizmor is a static analysis tool for GitHub Actions
+ args: [--config=.github/linters/zizmor.yml]
+ files: ^\.github/workflows/.*$
+ types: [yaml]
- repo: https://github.com/pre-commit/pygrep-hooks
rev: v1.10.0
hooks:
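Review bot: `files: ^\.github/workflows/.*$` scopes the hook to workflow files, so a commit that only edits `.github/linters/zizmor.yml` (for example relaxing a policy) never re-runs zizmor in pre-commit, and composite actions under `.github/actions/`, which zizmor also audits, would never be checked if the repository has any. If a whole-repository scan is acceptable on every run, `pass_filenames: false`, `always_run: true` and `args: [--config=.github/linters/zizmor.yml, .]` let zizmor discover the workflow and action files itself; otherwise a comment on the hook such as `# Config lives in .github/linters/zizmor.yml; config-only edits are picked up on the next workflow change or an --all-files run.` at least makes the gap visible. The `repos:` sequence continues outside the hunk.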