Skip to content

ci: improve github workflows#3204

Open
kevinjqliu wants to merge 5 commits intoapache:mainfrom
kevinjqliu:kevinjqliu/improve-gh-workflows
Open

ci: improve github workflows#3204
kevinjqliu wants to merge 5 commits intoapache:mainfrom
kevinjqliu:kevinjqliu/improve-gh-workflows

Conversation

@kevinjqliu
Copy link
Copy Markdown
Contributor

@kevinjqliu kevinjqliu commented Mar 28, 2026
edited
Loading

Rationale for this change

Relates to apache/iceberg#15742

This PR

We can add back dependabot for github action because the "ASF allowlist check" will now alert when an action is not allowed (failures will no longer be silent)

  • Temporarily use pypa/gh-action-pypi-publish with tag instead of pinned hash in .github/workflows/nightly-pypi-build.yml. ASF Infra allowlist only includes tag. Will fix forward

Are these changes tested?

Yes

➜  iceberg-python git:(kevinjqliu/improve-gh-workflows) uvx --from zizmor zizmor --offline .github/
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed .github/dependabot.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/asf-allowlist-check.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/check-md-link.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/codeql.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/license_check.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/nightly-pypi-build.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/pypi-build-artifacts.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/python-ci-docs.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/python-ci.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/python-release-docs.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/python-release.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/stale.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/svn-build-artifacts.yml
No findings to report. Good job! (2 ignored, 32 suppressed)

Are there any user-facing changes?

@kevinjqliu kevinjqliu force-pushed the kevinjqliu/improve-gh-workflows branch from a312e19 to c0885f4 Compare March 28, 2026 17:05
@kevinjqliu
Copy link
Copy Markdown
Contributor Author

kevinjqliu commented Mar 28, 2026
edited
Loading

Error: Found 1 action ref(s) not on the ASF allowlist:
Error: pypa/gh-action-pypi-publish@ed0c539 is not on the ASF allowlist
Error: To resolve, open a PR in apache/infrastructure-actions to add the action or version to the allowlist: https://github.com/apache/infrastructure-actions#adding-a-new-action-to-the-allow-list

oops this was from previous PR. we need to fix forward.
but asf infra is wrong here, the allowlist is pinned to a tag instead of commit hash
https://github.com/apache/infrastructure-actions/blob/fae466bc0d9821859a623cbc7648c750ff359ec6/approved_patterns.yml#L229

will send an upstream pr
EDIT: apache/infrastructure-actions#619

kevinjqliu
kevinjqliu commented Mar 28, 2026
View reviewed changes
.github/workflows/nightly-pypi-build.yml
id: publish-testpypi
continue-on-error: true
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[unpinned-uses] -- until asf-infra publishes new allowlist with commit hash
Copy link
Copy Markdown
Contributor Author

@kevinjqliu kevinjqliu Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will follow up once apache/infrastructure-actions#619 is merged
tracked in #3205

@github-advanced-security
Copy link
Copy Markdown

github-advanced-security bot commented Mar 28, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kevinjqliu