adutra opened a new pull request, #4097:
URL: https://github.com/apache/polaris/pull/4097
This PR strengthens our CI jobs:
- Prevent template injection by moving `${{ }}` expressions out of run blocks
- Prevent "ArtiPACKED"-like exploits by avoiding persisting credentials
- Fix excessive permissions wherever possible
- Add new job to run Zizmor checks on PRs that modify workflows
Release workflows that push branches/tags (release-1, release-2, release-4)
intentionally retain persisted credentials.
<!--
๐ Describe what changes you're proposing, especially breaking or user-facing
changes.
๐ See https://github.com/apache/polaris/blob/main/CONTRIBUTING.md for more.
-->
## Checklist
- [ ] ๐ก๏ธ Don't disclose security issues! (contact [email protected])
- [ ] ๐ Clearly explained why the changes are needed, or linked related
issues: Fixes #
- [ ] ๐งช Added/updated tests with good coverage, or manually tested (and
explained how)
- [ ] ๐ก Added comments for complex logic
- [ ] ๐งพ Updated `CHANGELOG.md` (if needed)
- [ ] ๐ Updated documentation in `site/content/in-dev/unreleased` (if needed)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
