
[GH-1977] Added zizmor with pre-commit

Open Aashish-Jha-11 opened this issue 6 months ago • 5 comments

Did you read the Contributor Guide?

Is this PR related to a ticket?

  • Yes, #1977

What changes were proposed in this PR?

  • Added zizmor with pre-commit

Did this PR include necessary documentation updates?

  • No, this PR does not affect any public API so no need to change the documentation.

Aashish-Jha-11 avatar Jun 08 '25 13:06 Aashish-Jha-11

@Aashish-Jha-11 please fix the lint issue

jiayuasu avatar Jun 09 '25 04:06 jiayuasu

Thank you for the review and feedback! Apologies for the lint issues — this was my first time contributing to such a large open-source project, and I'm still learning the workflows. I’ve fixed the issues now. Really grateful for the opportunity to contribute and improve.

Aashish-Jha-11 avatar Jun 17 '25 14:06 Aashish-Jha-11

I've enhanced our CI/CD security by adding the zizmor static analysis tool to our pre-commit configuration. This addition helps protect our GitHub Actions workflows from common security vulnerabilities.

Changes made: Added zizmor pre-commit hook with these settings:

  • Repository: https://github.com/zizmorcore/zizmor-pre-commit
  • Version: v1.9.0
  • Hook ID: zizmor
  • Configured to scan all GitHub Actions workflow files

Fixed security issues in existing workflows:

  • Updated r.yml workflow to use commit SHA pinning instead of version tags
  • Replaced r-lib/actions/@v2.11.3 references with r-lib/actions/@bd49c52ffe281809afa6f0fecbf37483c5dd0b93

Benefits: The zizmor pre-commit hook will automatically scan all workflows for security issues, including:

  • Unpinned action references (which could be hijacked)
  • Overly broad permissions
  • Credential persistence issues
  • Other GitHub Actions security best practices

This should help maintain a more secure CI/CD pipeline for all contributors. When creating or updating workflows, the pre-commit hook will identify security issues before they reach our repository.

Aashish-Jha-11 avatar Jun 21 '25 06:06 Aashish-Jha-11

Hey @Aashish-Jha-11 you should read about pre-commit in the Sedona docs. pre-commit is running on the CI with GitHub Actions but pre-commit is really a git hooks framework which can also run on your local machine before pushing up to GitHub. So you can test on your local machine with the audit rules and config file.

https://sedona.apache.org/latest-snapshot/setup/compile/#pre-commit

If you are not really sure how to finish this PR I can try to finish it. Since you have already done some work we can always use another PR that I create and we can put you down as the commit co-author so you get credit for the existing work.

https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors

jbampton avatar Jun 27 '25 18:06 jbampton
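The two comments above describe the hook settings added to the pre-commit config, the tag-to-SHA pin change in r.yml, and running the same checks locally. The script below is an added example, not code from the Sedona PR or from the zizmor project: it writes the pre-commit hook entry with the repository, rev and hook id named in the PR, writes a constructed before/after pair of workflow files (the setup-r and setup-r-dependencies sub-actions and the job layout are assumptions; only the v2.11.3 tag and the bd49c52f... SHA come from the PR comment), and runs a small stand-in check that lists every `uses:` reference not pinned to a full commit SHA. The `files:` pattern on the hook is an assumption about how to restrict it to workflow files, and the check is deliberately simpler than zizmor's own audits.

```shell
#!/bin/sh
# Added example (not code from the Sedona PR): reproduces the zizmor pre-commit
# hook settings named in the PR comment, shows the r.yml pin change as a
# before/after pair, and scans both for `uses:` references not pinned to a
# commit SHA. Workflow contents and the setup-r / setup-r-dependencies
# sub-actions are constructed for illustration; only the repo, rev, hook id
# and the v2.11.3 -> bd49c52f... pin come from the PR comment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# .pre-commit-config.yaml entry. `files:` restricts the hook to workflow files
# (assumed; the upstream hook may already set an equivalent pattern).
cat > "$WORK/.pre-commit-config.yaml" <<'EOF'
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.9.0
    hooks:
      - id: zizmor
        files: ^\.github/workflows/.*\.ya?ml$
EOF

# Constructed "before": actions referenced by a mutable tag. Whoever can move
# the tag (or compromise the publisher) changes what this workflow runs.
cat > "$WORK/before.yml" <<'EOF'
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: r-lib/actions/setup-r@v2.11.3
      - uses: r-lib/actions/setup-r-dependencies@v2.11.3
EOF

# Constructed "after": the same steps pinned to the commit SHA the PR used,
# with the tag kept as a trailing comment so humans (and Dependabot) can still
# see which release it corresponds to.
cat > "$WORK/after.yml" <<'EOF'
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: r-lib/actions/setup-r@bd49c52ffe281809afa6f0fecbf37483c5dd0b93 # v2.11.3
      - uses: r-lib/actions/setup-r-dependencies@bd49c52ffe281809afa6f0fecbf37483c5dd0b93 # v2.11.3
EOF

# Print every `uses:` reference in a workflow file whose ref is not a full
# 40-hex commit SHA. A rough stand-in for zizmor's own audit, good enough to
# see what the hook will complain about; local (./) and docker:// references
# are skipped because a SHA pin does not apply to them in the same way.
unpinned_uses() {
  grep -E '^[[:space:]]*(-[[:space:]]+)?uses:' "$1" \
    | sed -E 's/^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned references in a file (0 when the file is clean).
count_unpinned() {
  unpinned_uses "$1" | grep -c . || true
}

# Resolve a tag to the SHA you should pin to (needs network; not run here):
#   git ls-remote https://github.com/r-lib/actions refs/tags/v2.11.3

echo "before.yml: $(count_unpinned "$WORK/before.yml") unpinned"
unpinned_uses "$WORK/before.yml"
echo "after.yml:  $(count_unpinned "$WORK/after.yml") unpinned"
```

To get the same feedback locally before pushing, install the hooks once with `pre-commit install` in the repository checkout and run `pre-commit run zizmor --all-files` (or plain `pre-commit run --all-files` for every hook); the first run downloads the pinned zizmor release, and later runs reuse it. Keeping the release tag as a trailing comment next to the SHA is what lets reviewers and update bots see which version a pin corresponds to without resolving it.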

Hi @jbampton ,

Thank you so much for explaining and for sharing the helpful links. Since this is my first time contributing to a large open-source project like this, I’ve tried multiple approaches to fix the pre-commit and lint issues locally, but I’m still getting stuck.

If it’s okay, I would really appreciate it if you could help finish this PR and add me as a co-author for the contribution. Thanks again for your guidance and support!

Aashish-Jha-11 avatar Jun 27 '25 18:06 Aashish-Jha-11