From 0134927c4869e67f761f29ffcca0619d4e6b4366 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Thu, 25 Jun 2026 12:49:39 +0200
Subject: [PATCH 1/5] ci: Remove outdated reviewdog workflow
---
.github/workflows/pr_prek.yaml | 18 ++++++++++
.github/workflows/reviewdog.yml | 62 ---------------------------------
.pre-commit-config.yaml | 40 +++++++++++++++++++++
3 files changed, 58 insertions(+), 62 deletions(-)
create mode 100644 .github/workflows/pr_prek.yaml
delete mode 100644 .github/workflows/reviewdog.yml
create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/pr_prek.yaml b/.github/workflows/pr_prek.yaml
new file mode 100644
index 0000000..76e5894
--- /dev/null
+++ b/.github/workflows/pr_prek.yaml
@@ -0,0 +1,18 @@
+---
+name: prek
+
+on:
+ pull_request:
+
+permissions: {}
+
+jobs:
+ prek:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
+ submodules: recursive
+ fetch-depth: 0
+ - uses: stackabletech/actions/run-prek@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0
\ No newline at end of file
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
deleted file mode 100644
index c79f34e..0000000
--- a/.github/workflows/reviewdog.yml
+++ /dev/null
@@ -1,62 +0,0 @@
----
-name: reviewdog
-on:
- pull_request
-
-permissions:
- contents: read
- checks: write
- pull-requests: write
- issues: write
-
-jobs:
- actionlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- detect-secrets:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-detect-secrets@bc63f9282b0cee5af6187043f8e79e80e7f6ffe3 # v0.28.3
- with:
- github_token: ${{ secrets.github_token }}
-
- flake8:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- with:
- python-version: "3.9"
- - uses: reviewdog/action-flake8@b65981e158319f08cb7d0132f28bc0081e110adc # v3.15.2
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- markdownlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-markdownlint@3667398db9118d7e78f7a63d10e26ce454ba5f58 # v0.26.2
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- shellcheck:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-shellcheck@5ebd09ddbe2ebb471646ce234c6c8dd18663ca7c # v1.30.0
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- yamllint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..aa53bdb
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,40 @@
+---
+default_language_version:
+ node: system
+
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # 6.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: detect-aws-credentials
+ args: ["--allow-missing-credentials"]
+ - id: detect-private-key
+
+ - repo: https://github.com/adrienverge/yamllint
+ rev: 79a6b2b1392eaf49cdd32ac4f14be1a809bbd8f7 # 1.37.1
+ hooks:
+ - id: yamllint
+ args: ["--strict"]
+
+ - repo: https://github.com/igorshubovych/markdownlint-cli
+ rev: 192ad822316c3a22fb3d3cc8aa6eafa0b8488360 # 0.45.0
+ hooks:
+ - id: markdownlint
+ - repo: https://github.com/koalaman/shellcheck-precommit
+ rev: 99470f5e12208ff0fb17ab81c3c494f7620a1d8d # 0.11.0
+ hooks:
+ - id: shellcheck
+ args: ["--severity=info"]
+
+ - repo: https://github.com/rhysd/actionlint
+ rev: e7d448ef7507c20fc4c88a95d0c448b848cd6127 # 1.7.8
+ hooks:
+ - id: actionlint
+
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: 7fc963270df722f37707d47ff41265fe8f460822 # v1.20.0
+ hooks:
+ - id: zizmor
+ args: ["--no-progress", "--min-confidence", "medium"]
\ No newline at end of file
From 8bf73c85ba4b5b94ff9a0669fa444a74f312d394 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Thu, 25 Jun 2026 13:01:45 +0200
Subject: [PATCH 2/5] ci: Fix excessive-permissions audit
---
.github/workflows/maven.yml | 2 ++
.github/workflows/release.yml | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 1c667ad..2c96158 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -13,6 +13,8 @@ on:
pull_request:
merge_group:
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cd12810..845f692 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
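Review bot: The generic secret scanning that the deleted reviewdog.yml ran (`reviewdog/action-detect-secrets`) has no replacement in the new `.pre-commit-config.yaml`: the `pre-commit-hooks` entry at the top only carries `detect-aws-credentials`, which compares files against AWS keys already configured on the machine running the hook and, with `--allow-missing-credentials`, passes silently on a CI runner that has none, and `detect-private-key`, which only recognises PEM-style private-key headers. High-entropy tokens and keyword-based secrets are therefore no longer flagged anywhere after this PR. Consider adding a Yelp detect-secrets entry, `- repo: https://github.com/Yelp/detect-secrets`, `rev: <PINNED_SHA>  # <VERSION>`, `hooks: [{id: detect-secrets, args: ["--baseline", ".secrets.baseline"]}]`, or state the accepted regression in the commit message. The removed `flake8` job likewise has no counterpart here; if the repository still contains Python sources, a flake8 or ruff hook is needed for lint parity.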
@@ -19,9 +19,15 @@ on:
description: 'The next stackable version to use, this updates the POM (without the "-SNAPSHOT"). If stackable-version is 0 then set this to 1 etc.'
required: true
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
+ permissions:
+ # Write is needed to draft the release
+ # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281
+ contents: write
steps:
- name: Set Java Version
From 8c528beefd4e0dfd5ebd5d6f8b5ce28adb685b55 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Thu, 25 Jun 2026 13:02:23 +0200
Subject: [PATCH 3/5] ci: Fix artipacked audit
---
.github/workflows/maven.yml | 2 ++
.github/workflows/release.yml | 2 ++
2 files changed, 4 insertions(+)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 2c96158..1c0f7b7 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -27,6 +27,8 @@ jobs:
- {druid: druid-37.0.0, java: '21'}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- name: Set up JDK
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 845f692..f47a401 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,6 +40,8 @@ jobs:
fi
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- name: Release
uses: qcastel/github-actions-maven-release@0fd7a9e2ba3a4af8728a88cf57b11592fd8bdd0f # v1.12.43
From 68c39128cc9d0014d61ca29abb307a93fbe46420 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Thu, 25 Jun 2026 13:02:44 +0200
Subject: [PATCH 4/5] ci: Fix template-injection audit
---
.github/workflows/release.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f47a401..94105da 100644
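Review bot: The comment justifying the new job-level `permissions:` block in release.yml cites `softprops/action-gh-release`, but the step this job actually runs is `qcastel/github-actions-maven-release` (visible in the next patch's hunk on this file), so the comment documents the wrong action and the linked README line says nothing about this job. Replace it with the reason that applies here, e.g. `# contents: write — presumably needed for the maven release step to push the release commit and tag; confirm against the action's inputs`, and confirm that `contents: write` is indeed the only scope it requires. Note also that the following patch adds `persist-credentials: false` to this job's checkout, so any git push from the release step only succeeds if the token is handed to that action explicitly; its `with:` block lies outside these hunks, so I could not verify that. The `build` job continues past the end of this hunk.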
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,7 +5,7 @@ on:
workflow_dispatch:
inputs:
druid-version:
- description: 'Select the Druid version to build the authorizer for.'
+ description: "Select the Druid version to build the authorizer for."
required: true
type: choice
options:
@@ -32,8 +32,10 @@ jobs:
steps:
- name: Set Java Version
id: set_java_version
+ env:
+ DRUID_VERSION: ${{ github.event.inputs.druid-version }}
run: |
- if [ "${{ github.event.inputs.druid-version }}" == "druid-30.0.0" ] || [ "${{ github.event.inputs.druid-version }}" == "druid-30.0.1" ] || [ "${{ github.event.inputs.druid-version }}" == "druid-31.0.1" ]; then
+ if [ "$DRUID_VERSION" == "druid-30.0.0" ] || [ "$DRUID_VERSION" == "druid-30.0.1" ] || [ "$DRUID_VERSION" == "druid-31.0.1" ]; then
echo "JAVA_VERSION=17" >> "$GITHUB_ENV"
else
echo "JAVA_VERSION=unknown" >> "$GITHUB_ENV"
From 0a650229eb84e0b873e48746329958d066527b80 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Thu, 25 Jun 2026 13:04:55 +0200
Subject: [PATCH 5/5] chore: Fix file endings
---
.github/workflows/pr_prek.yaml | 2 +-
.pre-commit-config.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr_prek.yaml b/.github/workflows/pr_prek.yaml
index 76e5894..780b86c 100644
--- a/.github/workflows/pr_prek.yaml
+++ b/.github/workflows/pr_prek.yaml
@@ -15,4 +15,4 @@ jobs:
persist-credentials: false
submodules: recursive
fetch-depth: 0
- - uses: stackabletech/actions/run-prek@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0
\ No newline at end of file
+ - uses: stackabletech/actions/run-prek@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index aa53bdb..a223069 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
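Review bot: Moving the input into `env.DRUID_VERSION` closes the expression injection, but the `else` branch of the rewritten `if` still writes `JAVA_VERSION=unknown` to `$GITHUB_ENV` and lets the job carry on, so a `druid-version` outside the three listed values is only caught, if at all, by whichever later step consumes `JAVA_VERSION` outside this hunk. Fail fast instead with `echo "Unsupported druid-version: $DRUID_VERSION" >&2` followed by `exit 1` in that branch, unless a later step deliberately relies on the `unknown` value. With the value now in a shell variable, the three `[ ... ] ||` tests would also read better as a single `case "$DRUID_VERSION" in druid-30.0.0|druid-30.0.1|druid-31.0.1) ...` with the same branches. The step's `run:` block ends outside the hunk.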
@@ -37,4 +37,4 @@ repos:
rev: 7fc963270df722f37707d47ff41265fe8f460822 # v1.20.0
hooks:
- id: zizmor
- args: ["--no-progress", "--min-confidence", "medium"]
\ No newline at end of file
+ args: ["--no-progress", "--min-confidence", "medium"]