From ec9ed2c1b074ad3a9e10de03df76fe08221a4137 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 10:30:28 -0700
Subject: [PATCH 1/5] copy over codeql.yml
---
 .github/workflows/codeql.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 17bfd8bf3d..75c10c7eaf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,14 +41,16 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
 with:
 languages: actions
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
 with:
 category: "/language:actions"
From 1be8861dc7ca608bfa5b7234122c0eb98dc4e2a9 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 10:30:34 -0700
Subject: [PATCH 2/5] Revert "Infra: Remove GitHub Actions from Dependabot configuration (#2267)"
This reverts commit cb7f78a25cf6c13a2af7fd295aee31d0560eee39.
---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 23c9b239ee..a94ae0151b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,6 +17,13 @@
 version: 2
 updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+
 # Maintain dependencies for iceberg
 - package-ecosystem: "cargo"
 directory: "/"
From 9f8bc25bbe146729fc9df506bd746b50f51a03ca Mon Sep 17 00:00:00 2001
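Review bot: In the `.github/workflows/codeql.yml` hunk of PATCH 1/5, the trailing comments on the three pinned `uses:` lines name only the floating major tag (`# v6`, `# v4`), so a reader cannot tell which release each commit SHA was resolved from, and the major tag can later move away from it. Recording the exact release tag makes the pin auditable, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z` (placeholder for the real tag). The `init` and `analyze` steps share one SHA, which is right; a short comment that the two must be bumped together would keep it that way. The job's `permissions:` block sits above line 41 and is outside this hunk, so confirm separately that it grants no more than the analysis needs.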
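Review bot: In the `.github/dependabot.yml` hunk of PATCH 2/5, `directory: "/"` for the `github-actions` ecosystem covers `.github/workflows` and a root `action.yml`, but not composite actions kept in other directories. ci.yml in this series calls `./.github/actions/setup-builder`; its contents are not visible here, but if that local action has its own `uses:` lines they would get no update PRs from this entry and any pins there would go stale. If that is the case, list the directories explicitly, for example `directories: ["/", "/.github/actions/setup-builder"]` in place of the single `directory:` key. The `updates:` list continues past the end of the hunk.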
From: Kevin Liu
Date: Sat, 28 Mar 2026 10:31:00 -0700
Subject: [PATCH 3/5] add cooldown
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a94ae0151b..03235972dd 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,6 +23,8 @@ updates:
 schedule:
 interval: "weekly"
 day: "sunday"
+ cooldown:
+ default-days: 7
 # Maintain dependencies for iceberg
 - package-ecosystem: "cargo"
@@ -42,3 +44,5 @@ updates:
 patterns:
 - "arrow*"
 - "parquet"
+ cooldown:
+ default-days: 7
From 1a5b45eeb2dcb3534e31e696c6aae28f78798db4 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 10:31:29 -0700
Subject: [PATCH 4/5] add asf allowlist check
---
 .github/workflows/asf-allowlist-check.yml | 47 +++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/workflows/asf-allowlist-check.yml
diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml
new file mode 100644
index 0000000000..d4e84c5922
--- /dev/null
+++ b/.github/workflows/asf-allowlist-check.yml
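Review bot: Both `cooldown:` blocks added to `.github/dependabot.yml` in PATCH 3/5 (under the `github-actions` entry, and in the second hunk after the `arrow*`/`parquet` patterns) carry no comment saying why updates are delayed or what the delay does not cover. I would add above each one `# Wait 7 days after a release before proposing it, so a bad or compromised release can be caught first.` and `# Applies to version updates only; security updates are not delayed.` In the second hunk the enclosing entry starts outside the hunk and indentation is not recoverable from this rendering, so check that `cooldown:` sits at the update-entry level rather than nested under the group that holds `patterns:`.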
@@ -0,0 +1,47 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Verifies all GitHub Actions refs are on the ASF allowlist.
+# Actions not on the allowlist silently fail with "Startup failure" — no logs,
+# no notifications, and PRs may appear green because no checks ran.
+# See https://github.com/apache/infrastructure-actions/issues/574
+name: "ASF Allowlist Check"
+
+on:
+ pull_request:
+ paths:
+ - ".github/**"
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/**"
+
+permissions:
+ contents: read
+
+jobs:
+ asf-allowlist-check:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ # Intentionally unpinned to always use the latest allowlist from the ASF.
+ - uses: apache/infrastructure-actions/allowlist-check@main # zizmor: ignore[unpinned-uses]
From 04c6af084e6db471d4334677efdbad985a256a4e Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 13:01:14 -0700
Subject: [PATCH 5/5] case sensitive
---
 .github/workflows/ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ea2257b676..af96f9ad66 100644
--- a/.github/workflows/ci.yml
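Review bot: The `on:` block of the new `.github/workflows/asf-allowlist-check.yml` (PATCH 4/5) runs the check only when a push or pull request touches `.github/**`, so a change on the ASF side, such as a pinned ref being dropped from the allowlist, goes unnoticed until someone next edits a workflow. That is the silent "Startup failure" case the header comment describes. A periodic trigger would catch that drift: add `schedule:` with `- cron: "0 6 * * 1"` (constructed sample time), optionally with `workflow_dispatch:` for manual runs. The floating `@main` reference is contained by `permissions: contents: read` and `persist-credentials: false`; a comment stating that both must stay if the job is extended would protect that.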
+++ b/.github/workflows/ci.yml
@@ -97,7 +97,7 @@ jobs:
 uses: ./.github/actions/setup-builder
 - name: Cache Rust artifacts
- uses: Swatinem/rust-cache@v2
+ uses: swatinem/rust-cache@v2
 - name: Install protoc
 uses: arduino/setup-protoc@v3
@@ -123,7 +123,7 @@ jobs:
 uses: ./.github/actions/setup-builder
 - name: Cache Rust artifacts
- uses: Swatinem/rust-cache@v2
+ uses: swatinem/rust-cache@v2
 - name: Build
 run: cargo build -p iceberg --no-default-features
@@ -149,7 +149,7 @@ jobs:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Cache Rust artifacts
- uses: Swatinem/rust-cache@v2
+ uses: swatinem/rust-cache@v2
 with:
 key: ${{ matrix.test-suite.name }}
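Review bot: All three hunks of `.github/workflows/ci.yml` (PATCH 5/5) leave `swatinem/rust-cache` on the mutable tag `@v2`, and the first hunk's context shows `arduino/setup-protoc@v3` pinned the same way, while PATCH 1/5 and 4/5 pin `actions/checkout` and `github/codeql-action` to full commit SHAs. A tag can be repointed by whoever controls the upstream repository, and the third hunk's context shows a step in the same job receiving `repo-token: ${{ secrets.GITHUB_TOKEN }}`, so these jobs warrant the same treatment. I would write `uses: swatinem/rust-cache@<full-commit-sha> # v2` (placeholder; use the SHA of the release that was reviewed and that the ASF allowlist accepts) and do likewise for `arduino/setup-protoc`. The enclosing jobs start and end outside the hunks, so other tag-pinned steps may exist that are not visible here.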