Hey folks, I've recently added CodeQL GitHub Actions to all the apache/iceberg* repos based on Apache Infra's recommendation [1]. CodeQL scans the repo for vulnerabilities in GitHub Actions workflows. Given the recent automated scans on public repos [2], I think it's a good idea to add this check.

I've opened PRs against all apache/datafusion* repos [3] using this script [4]. Please take a look at the PRs. Once merged, CodeQL will scan for vulnerabilities and we can fix forward.

https://github.com/apache/datafusion/pull/20636
https://github.com/apache/datafusion-ballista/pull/1484
https://github.com/apache/datafusion-comet/pull/3617
https://github.com/apache/datafusion-python/pull/1405
https://github.com/apache/datafusion-sandbox/pull/185
https://github.com/apache/datafusion-site/pull/152
https://github.com/apache/datafusion-testing/pull/17
https://github.com/apache/datafusion-benchmarks/pull/29
https://github.com/apache/datafusion-ray/pull/90

Best,
Kevin Liu

[1] https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+Security
[2] https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
[3] https://github.com/orgs/apache/repositories?q=datafusion*
[4] https://gist.github.com/kevinjqliu/97d24733c7b75cd92b68bf8f5b247891
