diff --git a/.github/workflows/api-binary-compatibility.yml b/.github/workflows/api-binary-compatibility.yml
index 58a04c9427e0..4200bfef977f 100644
--- a/.github/workflows/api-binary-compatibility.yml
+++ b/.github/workflows/api-binary-compatibility.yml
@@ -60,6 +60,9 @@ jobs:
 distribution: zulu
 java-version: 17
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: small job; restore opportunistically from other jobs' caches but never write.
+ cache-read-only: true
 - run: |
 echo "Using the old version tag, as per git describe, of $(git describe)";
 - run: ./gradlew revapi --rerun-tasks
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
index a255104013d2..8370f540b757 100644
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -127,6 +127,9 @@ jobs:
 distribution: zulu
 java-version: 21
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 # zizmor: ignore[cache-poisoning] -- cache writes are restricted to the default branch by setup-gradle
+ with:
+ # Read-only: small job; restore opportunistically from other jobs' caches but never write.
+ cache-read-only: true
 - name: Build ${{ matrix.distribution }}
 run: |
 ./gradlew -DsparkVersions= -DflinkVersions= \
diff --git a/.github/workflows/delta-conversion-ci.yml b/.github/workflows/delta-conversion-ci.yml
index 5b5eaddbd3cc..1f9d1839804c 100644
--- a/.github/workflows/delta-conversion-ci.yml
+++ b/.github/workflows/delta-conversion-ci.yml
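Review bot: In cve-scan.yml the `# zizmor: ignore[cache-poisoning]` suppression on the setup-gradle `uses:` line still gives as its reason that cache writes are restricted to the default branch by setup-gradle, which no longer describes this step once `cache-read-only: true` is set. A suppression with an out-of-date rationale tends to survive later edits to the step unexamined. Either update the trailing text to match, for example `-- this job never writes the cache (cache-read-only: true)`, or drop the ignore if zizmor no longer reports the step with the new setting. The job this step belongs to starts and ends outside the hunk.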
@@ -90,6 +90,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - run: ./gradlew -DsparkVersions=3.5 -DscalaVersion=2.12 -DkafkaVersions= -DflinkVersions= :iceberg-delta-lake:check -Pquick=true -x javadoc
 - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -116,6 +119,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - run: ./gradlew -DsparkVersions=3.5 -DscalaVersion=2.13 -DkafkaVersions= -DflinkVersions= :iceberg-delta-lake:check -Pquick=true -x javadoc
 - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
diff --git a/.github/workflows/flink-ci.yml b/.github/workflows/flink-ci.yml
index a33136b68412..565b8fd79672 100644
--- a/.github/workflows/flink-ci.yml
+++ b/.github/workflows/flink-ci.yml
@@ -94,6 +94,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - run: ./gradlew -DsparkVersions= -DkafkaVersions= -DflinkVersions=${{ matrix.flink }} :iceberg-flink:iceberg-flink-${{ matrix.flink }}:check :iceberg-flink:iceberg-flink-runtime-${{ matrix.flink }}:check -Pquick=true -x javadoc -DtestParallelism=auto
 - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
diff --git a/.github/workflows/hive-ci.yml b/.github/workflows/hive-ci.yml
index 2f0b981ea6a0..477ff47f2701 100644
--- a/.github/workflows/hive-ci.yml
+++ b/.github/workflows/hive-ci.yml
@@ -91,6 +91,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - run: ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions= -Pquick=true :iceberg-mr:check -x javadoc
 - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
diff --git a/.github/workflows/java-ci.yml b/.github/workflows/java-ci.yml
index f807c78f5618..40937642c27c 100644
--- a/.github/workflows/java-ci.yml
+++ b/.github/workflows/java-ci.yml
@@ -86,6 +86,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - run: ./gradlew check -DsparkVersions= -DflinkVersions= -DkafkaVersions= -Pquick=true -x javadoc
 - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -110,6 +113,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Writes cache on main; read-only otherwise.
+ cache-read-only: ${{ !(github.ref == 'refs/heads/main' && matrix.jvm == 17) }}
 - run: ./gradlew -DallModules build -x test -x javadoc -x integrationTest
 build-javadoc:
@@ -127,6 +133,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: ./gradlew -Pquick=true javadoc
 check-runtime-deps:
@@ -140,4 +149,7 @@ jobs:
 distribution: zulu
 java-version: 17
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: ./gradlew checkAllRuntimeDeps -q -DallModules=true
diff --git a/.github/workflows/jmh-benchmarks.yml b/.github/workflows/jmh-benchmarks.yml
index e2c9522a757c..1225532a6f31 100644
--- a/.github/workflows/jmh-benchmarks.yml
+++ b/.github/workflows/jmh-benchmarks.yml
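Review bot: In java-ci.yml's second hunk (the setup-gradle step before `./gradlew -DallModules build`), the write condition `github.ref == 'refs/heads/main' && matrix.jvm == 17` keys on the ref alone, and the comment above it omits the JVM 17 half. Every other job touched by this change, including the publishing workflows, restores what this one step writes, so this expression is the trust boundary for the shared Gradle cache. The workflow's `on:` triggers are outside the hunk; if any of them can run with the default-branch ref while building code that is not on main, that run would also be a writer, so consider pinning the event as well: `cache-read-only: ${{ !(github.event_name == 'push' && github.ref == 'refs/heads/main' && matrix.jvm == 17) }}`. The comment would then read `# Sole cache writer: push to main on JVM 17; read-only otherwise.`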
@@ -104,6 +104,9 @@ jobs:
 distribution: zulu
 java-version: 17
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Disabled: dispatched against arbitrary repo/ref inputs; never restore or write to avoid cache poisoning.
+ cache-disabled: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - name: Run Benchmark
diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
index 8f1951c7564a..c8de0e177ba3 100644
--- a/.github/workflows/kafka-connect-ci.yml
+++ b/.github/workflows/kafka-connect-ci.yml
@@ -91,6 +91,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - run: |
 ./gradlew -DsparkVersions= -DflinkVersions= -DkafkaVersions=3 \
diff --git a/.github/workflows/publish-iceberg-rest-fixture-docker.yml b/.github/workflows/publish-iceberg-rest-fixture-docker.yml
index 264e402deaac..0b1d8a2339de 100644
--- a/.github/workflows/publish-iceberg-rest-fixture-docker.yml
+++ b/.github/workflows/publish-iceberg-rest-fixture-docker.yml
@@ -49,6 +49,9 @@ jobs:
 distribution: zulu
 java-version: 21
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: small job; restore opportunistically from other jobs' caches but never write.
+ cache-read-only: true
 - name: Build Iceberg Open API project
 run: ./gradlew :iceberg-open-api:shadowJar
 - name: Login to Docker Hub
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
index a8557c44f32b..8354d2b4b5bb 100644
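Review bot: publish-iceberg-rest-fixture-docker.yml, and publish-snapshot.yml in the file section that follows, are release paths (their hunk context shows a Docker Hub login and `NEXUS_USER`/`NEXUS_PW`), yet both are set to restore the shared Gradle cache via `cache-read-only: true`. Read-only stops these jobs from writing, but restored contents still feed the build whose output gets published, so the artifacts are only as trustworthy as whatever wrote the cache. For jobs that publish, `cache-disabled: true` (already used for jmh-benchmarks.yml in this change) is the more conservative setting. If the restore is kept for speed, the comment should record that as a deliberate trade-off rather than `small job`.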
--- a/.github/workflows/publish-snapshot.yml
+++ b/.github/workflows/publish-snapshot.yml
@@ -44,6 +44,9 @@ jobs:
 distribution: zulu
 java-version: 17
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: small job; restore opportunistically from other jobs' caches but never write.
+ cache-read-only: true
 - env:
 NEXUS_USER: ${{ secrets.NEXUS_USER }}
 NEXUS_PW: ${{ secrets.NEXUS_PW }}
diff --git a/.github/workflows/recurring-jmh-benchmarks.yml b/.github/workflows/recurring-jmh-benchmarks.yml
index 88bb10566e43..98addbc7a41e 100644
--- a/.github/workflows/recurring-jmh-benchmarks.yml
+++ b/.github/workflows/recurring-jmh-benchmarks.yml
@@ -59,6 +59,9 @@ jobs:
 distribution: zulu
 java-version: 17
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: small job; restore opportunistically from other jobs' caches but never write.
+ cache-read-only: true
 - run: echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
 - name: Run Benchmark
diff --git a/.github/workflows/spark-ci.yml b/.github/workflows/spark-ci.yml
index 2761491c3e01..5b13ae9bc463 100644
--- a/.github/workflows/spark-ci.yml
+++ b/.github/workflows/spark-ci.yml
@@ -101,6 +101,9 @@ jobs:
 distribution: zulu
 java-version: ${{ matrix.jvm }}
 - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
+ with:
+ # Read-only: java-ci's build-checks (17) is the global canonical writer.
+ cache-read-only: true
 - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
 with:
 tool-cache: false