chore(parquet): fix some spans, propagate context by npazosmendez · Pull Request #11349 · grafana/mimir · GitHub

chore(parquet): fix some spans, propagate context #11349


Merged
merged 1 commit into from
Apr 30, 2025

Conversation

npazosmendez
Contributor

Small fix for nicer traces.

@npazosmendez npazosmendez requested a review from a team as a code owner April 30, 2025 17:25
Contributor

😢 zizmor failed with exit code 14.

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/backport.yaml:24:9
   |
24 |         - name: Checkout Actions
   |  _________-
25 | |         uses: actions/checkout@v4
...  |
30 | |           # we don't want to have the same strict rules for PR labels
31 | |           ref: d284afd314ca3625c23595e9f62b52d215ead7ce
   | |_______________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:16:9
   |
16 |         - name: Check out repository
   |  _________-
17 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:30:9
   |
30 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:44:7
   |
44 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:1:1
   |
 1 | / name: compare-helm-with-jsonnet
 2 | |
...  |
88 | |       run: |
89 | |         ./operations/compare-helm-with-jsonnet/compare-helm-with-jsonnet.sh || (echo "Please fix the errors above and run 'make check-helm-jsonnet-diff' to validate" && false)
   | |________________________________________________________________________________________________________________________________________________________________________________- default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:13:3
   |
13 | /   prepare:
14 | |     runs-on: ubuntu-latest
...  |
21 | |     outputs:
22 | |       build_image: ${{ steps.build_image_step.outputs.build_image }}
   | |                                                                    -
   | |____________________________________________________________________|
   |                                                                      this job
   |                                                                      default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:24:3
   |
24 | /   goversion:
25 | |     runs-on: ubuntu-latest
...  |
37 | |     outputs:
38 | |       version: ${{ steps.go-version.outputs.version }}
   | |                                                      -
   | |______________________________________________________|
   |                                                        this job
   |                                                        default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:40:3
   |
40 | /   compare-manifests:
41 | |     runs-on: ubuntu-latest
...  |
88 | |       run: |
89 | |         ./operations/compare-helm-with-jsonnet/compare-helm-with-jsonnet.sh || (echo "Please fix the errors above and run 'make check-helm-jsonnet-diff' to validate" && false)
   | |                                                                                                                                                                                -
   | |________________________________________________________________________________________________________________________________________________________________________________|
   |                                                                                                                                                                                  this job
   |                                                                                                                                                                                  default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:48:7
   |
48 |     - uses: helm/kind-action@v1.12.0
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:50:7
   |
50 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:58:7
   |
58 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:66:7
   |
66 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/deploy-pr-preview.yml:13:3
   |
13 | /   deploy-pr-preview:
14 | |     if: "!github.event.pull_request.head.repo.fork"
...  |
37 | |         ]
38 | |       title: ${{ github.event.pull_request.title }}
   | |                                                    -
   | |____________________________________________________|
   |                                                      this job
   |                                                      default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:24:9
   |
24 |         - name: Check out repository
   |  _________-
25 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:39:9
   |
39 |         - name: Checkout Repository
   |  _________-
40 | |         uses: actions/checkout@v4
41 | |
42 | |       # Retrieve GitHub App Credentials from Vault
   | |__________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:61:9
   |
61 |         - name: Checkout Repository with App Token
   |  _________-
62 | |         uses: actions/checkout@v4
63 | |         with:
64 | |           token: ${{ steps.token.outputs.token }}
   | |_________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:13:3
   |
13 |   id-token: write
   |   ^^^^^^^^^^^^^^^ id-token: write is overly broad at the workflow level
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:66:9
   |
66 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
67 | /         run: |
68 | |           git config --global --add safe.directory '*'
69 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
70 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:66:9
   |
66 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
67 | /         run: |
68 | |           git config --global --add safe.directory '*'
69 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
70 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:73:9
   |
73 |         uses: ksivamuthu/actions-setup-gh-cli@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/helm-ci.yml:23:9
   |
23 |         - name: Check out repository
   |  _________-
24 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/helm-ci.yml:38:9
   |
38 |         - name: Check out repository
   |  _________-
39 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/helm-ci.yml:1:1
   |
 1 | / name: helm-ci
 2 | |
...  |
49 | |           TEMP_DIR: ${{ runner.temp }}/conftest
50 | |         run: make BUILD_IN_CONTAINER=false conftest-verify
   | |___________________________________________________________- default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
 --> ./.github/workflows/helm-ci.yml:6:3
  |
6 | /   call-lint:
7 | |     uses: grafana/helm-charts/.github/workflows/linter.yml@main
8 | |     with:
9 | |       filter_regex_include: .*operations/helm/.*
  | |                                                -
  | |________________________________________________|
  |                                                  this job
  |                                                  default permissions used due to no permissions: block
  |
  = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/helm-ci.yml:11:3
   |
11 | /   call-lint-test:
12 | |     uses: grafana/helm-charts/.github/workflows/lint-test.yaml@main
...  |
17 | |       kind_kubectl_version: v1.20.8
18 | |       kind_node_image: kindest/node:v1.20.15
   | |                                            -
   | |____________________________________________|
   |                                              this job
   |                                              default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/helm-ci.yml:20:3
   |
20 | /   prepare:
21 | |     runs-on: ubuntu-latest
...  |
28 | |     outputs:
29 | |       build_image: ${{ steps.build_image_step.outputs.build_image }}
   | |                                                                    -
   | |____________________________________________________________________|
   |                                                                      this job
   |                                                                      default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/helm-ci.yml:31:3
   |
31 | /   conftest:
32 | |     runs-on: ubuntu-latest
...  |
49 | |           TEMP_DIR: ${{ runner.temp }}/conftest
50 | |         run: make BUILD_IN_CONTAINER=false conftest-verify
   | |                                                           -
   | |___________________________________________________________|
   |                                                             this job
   |                                                             default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/helm-release.yaml:10:3
   |
10 | /   call-update-helm-repo:
11 | |     uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
...  |
17 | |       github_app_id: ${{ secrets.MIMIR_HELM_RELEASE_APP_ID }}
18 | |       github_app_pem: ${{ secrets.MIMIR_HELM_RELEASE_APP_KEY_PEM }}
   | |                                                                    -
   | |____________________________________________________________________|
   |                                                                      this job
   |                                                                      default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/helm-weekly-release-pr.yaml:18:9
   |
18 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:19:9
   |
19 |       - uses: imjasonh/setup-crane@v0.4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:43:9
   |
43 |         uses: peter-evans/create-pull-request@v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/helm-weekly-release-reviewer.yml:23:9
   |
23 |         - name: Checkout Repository
   |  _________-
24 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/publish-technical-documentation-next.yml:23:9
   |
23 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/publish-technical-documentation-next.yml:1:1
   |
 1 | / name: publish-technical-documentation-next
 2 | |
...  |
30 | |           source_directory: docs/sources/helm-charts/mimir-distributed
31 | |           website_directory: content/docs/helm-charts/mimir-distributed/next
   | |_____________________________________________________________________________- default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/publish-technical-documentation-next.yml:12:3
   |
12 | /   test:
13 | |     uses: ./.github/workflows/test-docs.yml
   | |                                           -
   | |___________________________________________|
   |                                             this job
   |                                             default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/publish-technical-documentation-release-helm-charts.yml:25:9
   |
25 |         - uses: actions/checkout@v4
   |  _________-
26 | |         with:
27 | |           # Full fetch depth is required to fetch tags. The publishing workflow uses tags to prevent publishing a release branch bef...
28 | |           fetch-depth: 0
   | |________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/publish-technical-documentation-release-helm-charts.yml:1:1
   |
 1 | / name: publish-technical-documentation-release-helm-charts
 2 | |
...  |
34 | |           source_directory: docs/sources/helm-charts/mimir-distributed
35 | |           website_directory: content/docs/helm-charts/mimir-distributed
   | |________________________________________________________________________- default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/publish-technical-documentation-release-helm-charts.yml:14:3
   |
14 | /   test:
15 | |     uses: ./.github/workflows/test-docs.yml
   | |                                           -
   | |___________________________________________|
   |                                             this job
   |                                             default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/publish-technical-documentation-release-mimir.yml:24:9
   |
24 |         - uses: actions/checkout@v4
   |  _________-
25 | |         with:
26 | |           # Full fetch depth is required to fetch tags.
27 | |           # The publishing workflow uses tags to prevent publishing a release branch before it has been formally released, as determ...
28 | |           fetch-depth: 0
   | |________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/publish-technical-documentation-release-mimir.yml:1:1
   |
 1 | / name: publish-technical-documentation-release-mimir
 2 | |
...  |
34 | |           source_directory: docs/sources/mimir
35 | |           website_directory: content/docs/mimir
   | |________________________________________________- default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/publish-technical-documentation-release-mimir.yml:13:3
   |
13 | /   test:
14 | |     uses: ./.github/workflows/test-docs.yml
   | |                                           -
   | |___________________________________________|
   |                                             this job
   |                                             default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/push-mimir-build-image.yml:26:9
   |
26 |         - name: Checkout Repository
   |  _________-
27 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:111:9
    |
111 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
112 |           if: steps.compare_tag.outputs.isDifferent == 'true'
113 | /         run: |
114 | |           echo "Get current Build Image Version"
...   |
126 | |             git push origin HEAD
127 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:111:9
    |
111 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
112 |           if: steps.compare_tag.outputs.isDifferent == 'true'
113 | /         run: |
114 | |           echo "Get current Build Image Version"
...   |
126 | |             git push origin HEAD
127 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:35:9
   |
35 |         uses: docker/setup-qemu-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:38:9
   |
38 |         uses: docker/setup-buildx-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:41:9
   |
41 |         uses: docker/login-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/sbom-report.yml:13:7
   |
13 |       - name: Checkout
   |  _______-
14 | |       uses: actions/checkout@v4
   | |_______________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/sbom-report.yml:8:3
   |
 8 | /   syft-sbom:
 9 | |
...  |
19 | |          artifact-name: ${{ github.event.repository.name }}-spdx.json
20 | |
   | |_-- this job
   |   |
   |   default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/sbom-report.yml:17:7
   |
17 |       uses: anchore/sbom-action@v0.18.0
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/snyk.yml:11:3
   |
11 | /   snyk-scan-ci:
12 | |     uses: 'grafana/security-github-actions/.github/workflows/snyk_monitor.yml@main'
13 | |     secrets:
14 | |       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
   | |                                            -
   | |____________________________________________|
   |                                              this job
   |                                              default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/stale.yaml:9:3
   |
 9 | /   stale:
10 | |     runs-on: ubuntu-latest
...  |
31 | |           # Enable statistics in the logs
32 | |           enable-statistics: true
   | |                                  -
   | |__________________________________|
   |                                    this job
   |                                    default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/test-build-deploy.yml:23:9
   |
23 |         - name: Check out repository
   |  _________-
24 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/test-build-deploy.yml:39:9
   |
39 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/test-build-deploy.yml:55:9
   |
55 |         - name: Check out repository
   |  _________-
56 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> ./.github/workflows/test-build-deploy.yml:115:9
    |
115 |         - name: Check out repository
    |  _________-
116 | |         uses: actions/checkout@v4
    | |_________________________________- does not set persist-credentials: false
    |
    = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> ./.github/workflows/test-build-deploy.yml:145:9
    |
145 |         - name: Check out repository
    |  _________-
146 | |         uses: actions/checkout@v4
    | |_________________________________- does not set persist-credentials: false
    |
    = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> ./.github/workflows/test-build-deploy.yml:176:9
    |
176 |         - name: Check out repository
    |  _________-
177 | |         uses: actions/checkout@v4
    | |_________________________________- does not set persist-credentials: false
    |
    = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> ./.github/workflows/test-build-deploy.yml:209:9
    |
209 |         - name: Check out repository
    |  _________-
210 | |         uses: actions/checkout@v4
    | |_________________________________- does not set persist-credentials: false
    |
    = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> ./.github/workflows/test-build-deploy.yml:274:9
    |
274 |         - name: Check out repository
    |  _________-
275 | |         uses: actions/checkout@v4
    | |_________________________________- does not set persist-credentials: false
    |
    = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> ./.github/workflows/test-build-deploy.yml:340:9
    |
340 |         - name: Check out repository
    |  _________-
341 | |         uses: actions/checkout@v4
    | |_________________________________- does not set persist-credentials: false
    |
    = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:1:1
    |
  1 | / name: ci
  2 | | on:
...   |
363 | |           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
364 | |           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    | |__________________________________________________________- default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/test-build-deploy.yml:20:3
   |
20 | /   prepare:
21 | |     runs-on: ubuntu-latest
...  |
30 | |       # Determine if we will deploy (aka push) the image to the registry.
31 | |       is_deploy: ${{ (startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/r')) && github.event_name == 'push' && github.repository == 'grafana/mimir' }}
   | |                                                                                                                                                                               -
   | |_______________________________________________________________________________________________________________________________________________________________________________|
   |                                                                                                                                                                                 this job
   |                                                                                                                                                                                 default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/test-build-deploy.yml:33:3
   |
33 | /   goversion:
34 | |     runs-on: ubuntu-latest
...  |
46 | |     outputs:
47 | |       version: ${{ steps.go-version.outputs.version }}
   | |                                                      -
   | |______________________________________________________|
   |                                                        this job
   |                                                        default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:49:3
    |
 49 | /   lint:
 50 | |     runs-on: ubuntu-latest
...   |
105 | |       - name: Check Generated OTLP Code
106 | |         run: make BUILD_IN_CONTAINER=false check-generated-otlp-code
    | |                                                                    -
    | |____________________________________________________________________|
    |                                                                      this job
    |                                                                      default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:108:3
    |
108 | /   lint-jsonnet:
109 | |     runs-on: ubuntu-latest
...   |
135 | |       - name: Check Jsonnet Tests
136 | |         run: make BUILD_IN_CONTAINER=false check-jsonnet-tests
    | |                                                              -
    | |______________________________________________________________|
    |                                                                this job
    |                                                                default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:138:3
    |
138 | /   lint-helm:
139 | |     runs-on: ubuntu-latest
...   |
159 | |       - name: Check Helm Tests
160 | |         run: make BUILD_IN_CONTAINER=false check-helm-tests
    | |                                                           -
    | |___________________________________________________________|
    |                                                             this job
    |                                                             default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:162:3
    |
162 | /   test:
163 | |     runs-on: ubuntu-latest
...   |
196 | |           echo "Running unit tests (group ${{ matrix.test_group_id }} of ${{ matrix.test_group_total }}) with Go version: $(go version)"
197 | |           ./.github/workflows/scripts/run-unit-tests-group.sh --index ${{ matrix.test_group_id }} --total ${{ matrix.test_group_total }}
    | |                                                                                                                                        -
    | |________________________________________________________________________________________________________________________________________|
    |                                                                                                                                          this job
    |                                                                                                                                          default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:199:3
    |
199 | /   test-docs:
200 | |     uses: ./.github/workflows/test-docs.yml
    | |                                           -
    | |___________________________________________|
    |                                             this job
    |                                             default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:202:3
    |
202 | /   build:
203 | |     runs-on: ubuntu-latest
...   |
255 | |           path: |
256 | |             ./mimir_race_image_distroless
    | |                                         -
    | |_________________________________________|
    |                                           this job
    |                                           default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:258:3
    |
258 | /   integration:
259 | |     needs: [goversion, build, prepare]
...   |
329 | |           echo "Running integration tests (group ${{ matrix.test_group_id }} of ${{ matrix.test_group_total }}) with Go version: $(go version)"
330 | |           ./.github/workflows/scripts/run-integration-tests-group.sh --index ${{ matrix.test_group_id }} --total ${{ matrix.test_group_total }}
    | |                                                                                                                                               -
    | |_______________________________________________________________________________________________________________________________________________|
    |                                                                                                                                                 this job
    |                                                                                                                                                 default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[excessive-permissions]: overly broad permissions
   --> ./.github/workflows/test-build-deploy.yml:332:3
    |
332 | /   deploy:
333 | |     needs: [prepare, build, test, lint, integration]
...   |
363 | |           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
364 | |           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    | |                                                          -
    | |__________________________________________________________|
    |                                                            this job
    |                                                            default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:156:9
    |
156 |         uses: azure/setup-helm@v4
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:216:9
    |
216 |         uses: docker/setup-qemu-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:219:9
    |
219 |         uses: docker/setup-buildx-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
69 |         - name: Cache golangci-lint cache
70 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
79 |         - name: Cache Go build cache
80 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
86 |         - name: Cache Go module cache
87 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
188 |         - name: Cache Go build cache
189 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
228 |         - name: Cache Go build cache
229 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
288 |         - name: Cache Go build cache
289 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/test-docs.yml:10:7
   |
10 |       - name: "Check out code"
   |  _______-
11 | |       uses: "actions/checkout@v4"
   | |_________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/test-docs.yml:39:7
   |
39 |       - name: Check out ${{ steps.mimir_version.outputs.branch }} documentation
   |  _______-
40 | |       uses: actions/checkout@v4
41 | |       with:
42 | |         path: ${{ steps.mimir_branch.outputs.branch }}
43 | |         ref: ${{ steps.mimir_branch.outputs.branch }}
   | |_____________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/update-make-docs.yml:11:9
   |
11 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/update-make-docs.yml:7:3
   |
 7 | /   main:
 8 | |     if: github.repository == 'grafana/mimir'
...  |
14 | |           pr_options: >
15 | |             --label type/docs
   | |                             -
   | |_____________________________|
   |                               this job
   |                               default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

111 findings (11 ignored, 15 suppressed): 0 unknown, 0 informational, 0 low, 60 medium, 25 high

@jesusvazquez jesusvazquez left a comment

LGTM

@npazosmendez npazosmendez merged commit 37873ae into parquet-mimir Apr 30, 2025
21 of 28 checks passed
@npazosmendez npazosmendez deleted the njpm/span-improvements branch April 30, 2025 18:28