diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 23c9b239ee..03235972dd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,6 +17,15 @@ version: 2 updates: + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "sunday" + cooldown: + default-days: 7 + # Maintain dependencies for iceberg - package-ecosystem: "cargo" directory: "/" @@ -35,3 +44,5 @@ updates: patterns: - "arrow*" - "parquet" + cooldown: + default-days: 7 diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml new file mode 100644 index 0000000000..d4e84c5922 --- /dev/null +++ b/.github/workflows/asf-allowlist-check.yml 
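Review bot: The new `github-actions` entry with `directory: "/"` covers the workflow files, but ci.yml in this same change calls a local composite action (`./.github/actions/setup-builder`); if that action.yml pins third-party actions itself, confirm that Dependabot scans it under this configuration, and if not add its path (e.g. a second entry with `directory: "/.github/actions/setup-builder"`, or a `directories:` list if the schema in use supports it) so those refs are bumped too. Otherwise SHA-pinned actions inside the composite would drift out of date while the workflow-level pins are kept fresh, which is exactly the gap an attacker targeting an old action release would look for.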
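Review bot: The 7-day `cooldown` now applied to the cargo ecosystem delays every version update by a week, which is a sensible supply-chain guard against pulling a freshly published compromised release before it is yanked, but nothing in the file says why it is there or what it does not cover. I would add above `cooldown:`: `# Skip releases younger than 7 days so a malicious publish can be yanked before we pick it up.` If the project relies on Dependabot for CVE fixes in the grouped arrow/parquet crates, confirm against the current Dependabot documentation that security-advisory updates bypass the cooldown; if they do not, known-vulnerable versions also linger a week longer.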
@@ -0,0 +1,47 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# Verifies all GitHub Actions refs are on the ASF allowlist. +# Actions not on the allowlist silently fail with "Startup failure" — no logs, +# no notifications, and PRs may appear green because no checks ran. +# See https://github.com/apache/infrastructure-actions/issues/574 +name: "ASF Allowlist Check" + +on: + pull_request: + paths: + - ".github/**" + push: + branches: + - main + paths: + - ".github/**" + +permissions: + contents: read + +jobs: + asf-allowlist-check: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + # Intentionally unpinned to always use the latest allowlist from the ASF. + - uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ea2257b676..af96f9ad66 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -97,7 +97,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: Swatinem/rust-cache@v2 + uses: swatinem/rust-cache@v2 - name: Install protoc uses: arduino/setup-protoc@v3 
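Review bot: The workflow only runs when `.github/**` changes in a PR or a push to main, so a later removal of an action from the ASF allowlist (or an owner rename like the Swatinem/swatinem case change elsewhere in this commit) is not detected until someone next touches the workflows, and by the header comment's own description the failure mode is silent. Add a periodic run to catch allowlist drift, e.g. `schedule:` / `- cron: "0 6 * * 1"` plus `workflow_dispatch:` under `on:`. The deliberately unpinned `apache/infrastructure-actions/allowlist-check@main` is acceptable here because the job holds only a `contents: read` token and `persist-credentials: false` leaves no git credentials on the runner, but the comment should state that trade-off explicitly, e.g. `# Safe to float: this job has a read-only token and no persisted credentials.`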
@@ -123,7 +123,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: Swatinem/rust-cache@v2 + uses: swatinem/rust-cache@v2 - name: Build run: cargo build -p iceberg --no-default-features @@ -149,7 +149,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache Rust artifacts - uses: Swatinem/rust-cache@v2 + uses: swatinem/rust-cache@v2 with: key: ${{ matrix.test-suite.name }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 17bfd8bf3d..75c10c7eaf 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,14 +41,16 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: languages: actions - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: category: "/language:actions"
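Review bot: `swatinem/rust-cache@v2` (and `arduino/setup-protoc@v3`, which receives `secrets.GITHUB_TOKEN` through `repo-token` in the surrounding context) stay on mutable major tags while this same commit pins checkout and the CodeQL actions to commit SHAs; a tag can be re-pointed by the upstream owner, so these steps are the remaining unpinned third-party code in the test jobs. Pin them the same way, e.g. `uses: swatinem/rust-cache@<commit-sha> # v2`, and let the new Dependabot github-actions entry keep the SHA and the version comment current. The lower-casing of the owner presumably matches the ASF allowlist entry; a one-line comment saying so would explain an otherwise puzzling change.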
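Review bot: The pinned `analyze` step still uploads SARIF, which requires `security-events: write` on the job, and the job's `permissions:` block lies outside this hunk; confirm it still grants that and nothing broader (`contents: read` plus `security-events: write` is sufficient for this job). `persist-credentials: false` is the right setting for the checkout and should not affect the upload, since the CodeQL actions take the workflow token as an input rather than reading the git credential helper, but this is worth verifying on the first run. A short comment above the checkout, `# Do not persist git credentials; CodeQL receives the workflow token as an action input.`, would stop a future reader from re-enabling it.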