HBASE-29893 Add zizmor for GitHub Actions workflows security analysis#7742

Open
ndimiduk wants to merge 2 commits into apache:master from ndimiduk:29893-zizmor-master

Conversation

@ndimiduk
Member

ASF Infrastructure recommends running zizmor static analysis on GitHub Actions workflows to detect security issues (see https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+Security).

@ndimiduk
Member Author

Heya @gmcdonald should we add zizmor to the list of authorized actions? Seems kinda silly that this is the prescribed tool.

The action zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d is not allowed in apache/hbase because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: ...

@ndimiduk ndimiduk force-pushed the 29893-zizmor-master branch 4 times, most recently from 5371b93 to e42dbee, February 12, 2026 14:01
@ndimiduk ndimiduk marked this pull request as ready for review February 12, 2026 14:02
@ndimiduk ndimiduk requested a review from Apache9 February 12, 2026 14:02
@ndimiduk ndimiduk force-pushed the 29893-zizmor-master branch from e42dbee to 4b8819f, February 12, 2026 14:14
@ndimiduk ndimiduk force-pushed the 29893-zizmor-master branch from 4b8819f to 31fa0b0, February 12, 2026 15:37
@gmcdonald
Contributor

Heya @gmcdonald should we add zizmor to the list of authorized actions? Seems kinda silly that this is the prescribed tool.

The action zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d is not allowed in apache/hbase because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: ...

I'll take a look

@potiuk
Member

potiuk commented Feb 13, 2026

Heya @gmcdonald should we add zizmor to the list of authorized actions? Seems kinda silly that this is the prescribed tool.

The action zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d is not allowed in apache/hbase because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: ...

I think we should indeed.

But it's not silly, because you can use zizmor in multiple ways in GH Actions - for example in Airflow we use it in prek hooks that are even better because they catch any issues locally for developers, and then they are run in GH in static code checks via prek run --all-files - rather than via actions.

https://github.com/apache/airflow/blob/main/.pre-commit-config.yaml#L329

I guess it was waiting here for the first person who will want to use it via actions to add it to allowlist - which is not silly, rather expected (and just happened)

@potiuk
Member

potiuk commented Feb 13, 2026

And BTW @ndimiduk -> you are absolutely free to make a PR to request adding it to the allowlist, which is how the whole workflow is designed: someone wants to use actions -> make PR -> infra accepts it.

@potiuk
Member

potiuk commented Feb 13, 2026

steps:
- name: Checkout HBase
uses: actions/checkout@v4
uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
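Review bot: The trailing `# zizmor: ignore[unpinned-uses]` on the `actions/checkout@v4` step suppresses the finding rather than resolving it, so the step still follows a moving `v4` tag; pinning to a full commit SHA with the tag kept in a trailing comment (the octopin approach described later in this thread) would pass the audit with no ignore marker. If the intent is to keep tags for GitHub-owned actions, which the thread notes is acceptable under ASF rules, a repository-level zizmor `unpinned-uses` policy for `actions/*` (see the docs.zizmor.sh link below) expresses that once instead of repeating the ignore comment on every step.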
Contributor


Pity that we need to add this everywhere...

This is the suggested way for GitHub Actions usage but not recommended in zizmor rules?

Member

@potiuk potiuk Feb 13, 2026


BTW. we are using octopin prek hook from eclipse that is keeping actions updated to have hash-commits https://github.com/apache/airflow/blob/a9df1220b8a62aff9e6c0004de0624051a937a91/.pre-commit-config.yaml#L33 - this is nice because it keeps the "tag" version in comment and will propose an update when we run it and then we can review the changes coming and commit it.

Also zizmor can be configured to ignore certain actions or relax their rules https://docs.zizmor.sh/audits/#rulesunpinned-usesconfigpolicies - they even have example how to configure it to skip pinning for github-owned "/actions/" - which is fine according to ASF rules, but we opted not to do it as octopin makes it super easy to keep hash-commit for all actions.
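As an added illustration of the unpinned-uses audit and the policy exemption discussed in this thread (this is example code written for this page, not zizmor's own implementation and not anything from the HBase or Airflow repositories): a small Python check over a constructed workflow fragment that classifies each `uses:` step as hash-pinned, suppressed by an inline `zizmor: ignore[...]` comment, allowed by a policy such as ref-pinning for `actions/*`, or unpinned. The policy vocabulary (hash-pin / ref-pin / any) is an assumption modelled on the zizmor documentation linked above, and the sample workflow is constructed.

```python
import re

# Constructed sample modelled on the step discussed in this PR (not HBase's real workflow).
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout HBase
    uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
  - uses: actions/setup-java@v4
  - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d
  - uses: ./.github/actions/local-build
  - uses: some-org/tool@main
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # full commit SHA = hash-pinned
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)(?:\s*#\s*(.*))?\s*$")
IGNORE_RE = re.compile(r"zizmor:\s*ignore\[([^\]]+)\]")    # inline suppression comment

def audit_unpinned_uses(workflow_text, policy=None):
    """Classify every `uses:` step. `policy` maps a repo, 'owner/*' or '*' pattern to
    'hash-pin' (SHA required), 'ref-pin' (any tag/branch ok) or 'any'; default is hash-pin
    (assumed vocabulary, modelled on the zizmor docs)."""
    policy = policy or {}
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        if ref.startswith(("./", "docker://")):       # local / container refs: out of scope
            findings.append((no, ref, "skipped"))
            continue
        repo, _, version = ref.partition("@")
        if SHA_RE.match(version):
            findings.append((no, ref, "hash-pinned"))
            continue
        ig = IGNORE_RE.search(comment)
        if ig and "unpinned-uses" in [r.strip() for r in ig.group(1).split(",")]:
            findings.append((no, ref, "suppressed"))  # finding hidden, not fixed
            continue
        owner = repo.split("/")[0]
        required = policy.get(repo, policy.get(f"{owner}/*", policy.get("*", "hash-pin")))
        if required == "hash-pin" or (required == "ref-pin" and not version):
            findings.append((no, ref, "unpinned"))
        else:
            findings.append((no, ref, "allowed-by-policy"))
    return findings

def unpinned_refs(policy=None):
    """Refs that still fail the audit under the given policy (what the tool would report)."""
    return [ref for _, ref, s in audit_unpinned_uses(SAMPLE_WORKFLOW, policy) if s == "unpinned"]
```

With no policy, both tag-pinned steps are reported; with `{"actions/*": "ref-pin"}` only the third-party `@main` reference remains, while the suppressed checkout step is never reported in either case.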
