Skip to content

Add support for position and equality deletes in vortex #68

Add support for position and equality deletes in vortex

Add support for position and equality deletes in vortex #68

Workflow file for this run

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
name: "CVE Scan"
on:
push:
branches:
- 'main'
- '0.*'
- '1.*'
- '2.*'
tags:
- 'apache-iceberg-**'
pull_request:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
# ------------------------------------------------------------------
# Trivy CVE scan — scans bundled jars for known vulnerabilities.
#
# Behaviour:
# - On PRs: the scan blocks CI if CVEs are found (exit-code 1).
# SARIF upload is skipped because GitHub's Security tab only
# accepts results from default/protected branches.
# - On push to main/release branches: the scan is informational
# (exit-code 0) and results are uploaded as SARIF to the GitHub
# Security tab for ongoing tracking.
# ------------------------------------------------------------------
cve-scan:
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- distribution: kafka-connect-runtime
build-task: >-
-DkafkaVersions=3
:iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip
scan-path: kafka-connect/kafka-connect-runtime/build/distributions
unpack: true
- distribution: aws-bundle
build-task: :iceberg-aws-bundle:shadowJar
scan-path: aws-bundle/build/libs
unpack: false
- distribution: azure-bundle
build-task: :iceberg-azure-bundle:shadowJar
scan-path: azure-bundle/build/libs
unpack: false
- distribution: gcp-bundle
build-task: :iceberg-gcp-bundle:shadowJar
scan-path: gcp-bundle/build/libs
unpack: false
- distribution: spark-runtime-3.5_2.12
build-task: >-
-DsparkVersions=3.5
:iceberg-spark:iceberg-spark-runtime-3.5_2.12:shadowJar
scan-path: spark/v3.5/spark-runtime/build/libs
unpack: false
- distribution: spark-runtime-4.0_2.13
build-task: >-
-DsparkVersions=4.0
:iceberg-spark:iceberg-spark-runtime-4.0_2.13:shadowJar
scan-path: spark/v4.0/spark-runtime/build/libs
unpack: false
- distribution: spark-runtime-4.1_2.13
build-task: >-
-DsparkVersions=4.1
:iceberg-spark:iceberg-spark-runtime-4.1_2.13:shadowJar
scan-path: spark/v4.1/spark-runtime/build/libs
unpack: false
- distribution: flink-runtime-1.20
build-task: >-
-DflinkVersions=1.20
:iceberg-flink:iceberg-flink-runtime-1.20:shadowJar
scan-path: flink/v1.20/flink-runtime/build/libs
unpack: false
- distribution: flink-runtime-2.0
build-task: >-
-DflinkVersions=2.0
:iceberg-flink:iceberg-flink-runtime-2.0:shadowJar
scan-path: flink/v2.0/flink-runtime/build/libs
unpack: false
- distribution: flink-runtime-2.1
build-task: >-
-DflinkVersions=2.1
:iceberg-flink:iceberg-flink-runtime-2.1:shadowJar
scan-path: flink/v2.1/flink-runtime/build/libs
unpack: false
- distribution: open-api-test-fixtures-runtime
build-task: :iceberg-open-api:shadowJar
scan-path: open-api/build/libs
unpack: false
name: ${{ matrix.distribution }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: zulu
java-version: 21
- uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
# Read-only: small job; restore opportunistically from other jobs' caches but never write.
cache-read-only: true
- name: Build ${{ matrix.distribution }}
run: |
./gradlew -DsparkVersions= -DflinkVersions= \
${{ matrix.build-task }} \
-Pquick=true -x test -x javadoc
- name: Prepare scan directory
run: |
mkdir -p /tmp/cve-scan
if [ "${{ matrix.unpack }}" = "true" ]; then
unzip ${{ matrix.scan-path }}/*.zip -d /tmp/cve-scan
else
cp ${{ matrix.scan-path }}/iceberg-${{ matrix.distribution }}-*.jar /tmp/cve-scan/
fi
- name: Run Trivy vulnerability scan
uses: lhotari/sandboxed-trivy-action@f01374b6cc3bf7264ab238293e94f6db7ada6dd0 # v1.0.2
with:
scan-type: 'rootfs'
scan-ref: '/tmp/cve-scan'
scanners: 'vuln'
severity: 'HIGH,CRITICAL'
limit-severities-for-sarif: true
trivyignores: ${{ matrix.trivyignores || '' }}
# Block PRs on CVE findings; on main/release branches report without failing
exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Print Trivy scan results
if: always()
run: |
if [ -f trivy-results.sarif ]; then
echo "## Trivy CVE Scan Results — ${{ matrix.distribution }}"
jq -r '.runs[].results[] | "- \(.ruleId): \(.message.text)"' trivy-results.sarif 2>/dev/null || echo "No findings or unable to parse SARIF."
else
echo "No SARIF file found — scan may have failed to install."
fi
- name: Upload Trivy results to GitHub Security tab
if: always() && github.event_name == 'push'
uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
with:
sarif_file: 'trivy-results.sarif'
category: ${{ matrix.distribution }}