Based on Jeffrey's recommendations [1], I've updated the PRs to pin actions to a specific hash. Some PRs were already merged, so I opened a follow-up.

Here's the current status:
- [Needs Review] https://github.com/apache/datafusion/pull/20636
- [Needs Review] https://github.com/apache/datafusion-ballista/pull/1484
- [Merged] https://github.com/apache/datafusion-comet/pull/3617
- [Needs Review] https://github.com/apache/datafusion-comet/pull/3621 (Follow-up to above)
- [Needs Review] https://github.com/apache/datafusion-python/pull/1408 (Supersedes https://github.com/apache/datafusion-python/pull/1405)
- [Needs Review] https://github.com/apache/datafusion-sandbox/pull/185
- [Merged] https://github.com/apache/datafusion-site/pull/152
- [Needs Review] https://github.com/apache/datafusion-site/pull/153 (Follow-up to above)
- [Needs Review] https://github.com/apache/datafusion-testing/pull/17
- [Needs Review] https://github.com/apache/datafusion-benchmarks/pull/29
- [Needs Review] https://github.com/apache/datafusion-ray/pull/90

Thanks,
Kevin Liu

[1] https://github.com/apache/datafusion/pull/20636#discussion_r2872187485

On Sun, Mar 1, 2026 at 1:01 PM Kevin Liu <[email protected]> wrote:
> Hey folks,
>
> I've recently added CodeQL GitHub Actions to all the apache/iceberg* repos
> based on Apache Infra's recommendation [1]. CodeQL scans the repo for
> vulnerabilities in GitHub Actions workflows. Given the recent automated
> scans on public repos [2], I think it's a good idea to add this check.
>
> I've opened PRs against all apache/datafusion* repos [3] using this script [4].
> Please take a look at the PRs. Once merged, CodeQL will scan for
> vulnerabilities and we can fix forward.
>
> https://github.com/apache/datafusion/pull/20636
> https://github.com/apache/datafusion-ballista/pull/1484
> https://github.com/apache/datafusion-comet/pull/3617
> https://github.com/apache/datafusion-python/pull/1405
> https://github.com/apache/datafusion-sandbox/pull/185
> https://github.com/apache/datafusion-site/pull/152
> https://github.com/apache/datafusion-testing/pull/17
> https://github.com/apache/datafusion-benchmarks/pull/29
> https://github.com/apache/datafusion-ray/pull/90
>
> Best,
> Kevin Liu
>
> [1] https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+Security
> [2] https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
> [3] https://github.com/orgs/apache/repositories?q=datafusion*
> [4] https://gist.github.com/kevinjqliu/97d24733c7b75cd92b68bf8f5b247891
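The thread above is about two controls: pinning every `uses:` reference in a GitHub Actions workflow to a full commit SHA rather than a movable tag or branch, and adding a CodeQL workflow that scans the workflows themselves. The following is an added example, not code from Kevin's email, the linked gist, or any of the PRs: a small dependency-free Python checker that reads a workflow file and reports every action reference that is not pinned to a full-length commit SHA (tags, branches, abbreviated SHAs, missing refs, and Docker images without a digest). The sample workflow embedded in it, including the 40-character SHA on the CodeQL init step, is a constructed placeholder, not a real pinned revision.

```python
import re
import sys
from typing import List, NamedTuple, Optional

# Matches a `uses:` line (step or reusable-workflow job) and captures the reference,
# stopping at whitespace, quotes, or a trailing "# v4" style comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?')

# A full-length Git commit SHA: 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
FULL_SHA_RE = re.compile(r'^(?:[0-9a-f]{40}|[0-9a-f]{64})$')


class Finding(NamedTuple):
    line_no: int
    ref: str
    reason: str


def check_action_ref(ref: str) -> Optional[str]:
    """Return why `ref` is not pinned to an immutable commit, or None if it is."""
    # Local actions live in the same repository and are reviewed with the rest of the tree.
    if ref.startswith("./"):
        return None
    # Container actions are immutable only when referenced by image digest.
    if ref.startswith("docker://"):
        return None if "@sha256:" in ref else "docker image not pinned by digest"
    if "@" not in ref:
        return "no ref given (resolves to the action's default branch)"
    _, _, version = ref.rpartition("@")
    if FULL_SHA_RE.match(version):
        return None
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return f"abbreviated SHA '{version}' (use the full 40-character SHA)"
    return f"mutable ref '{version}' (tag or branch; can be retargeted by the action owner)"


def find_unpinned_actions(workflow_text: str) -> List[Finding]:
    """Scan workflow YAML text line by line and collect every unpinned `uses:` reference."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        reason = check_action_ref(ref)
        if reason:
            findings.append(Finding(line_no, ref, reason))
    return findings


# Constructed sample workflow: a CodeQL job for the `actions` language with a mix of
# pinned and unpinned steps. The SHA on the init step is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          languages: actions
      - uses: github/codeql-action/analyze@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@abc1234
"""


def main(argv: List[str]) -> int:
    """Check the files given on the command line, or the embedded sample if none are given."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in argv[1:]] or [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for f in find_unpinned_actions(text):
            print(f"{name}:{f.line_no}: {f.ref}: {f.reason}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_pins.py .github/workflows/*.yml` in a pre-commit hook or CI step; a non-zero exit means at least one reference still points at a tag, branch, short SHA, or undigested image. On the embedded sample it flags the `@v4` checkout, the `@main` analyze step, the un-digested Docker image, and the 7-character SHA, while accepting the full-SHA init step and the local action.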
