This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push: new 00b87c9 [SPARK-36915][INFRA] Pin actions to a full length commit SHA 00b87c9 is described below commit 00b87c967ff8217b64e597400f3248c375a74879 Author: Hyukjin Kwon <gurwls...@gmail.com> AuthorDate: Sat Oct 16 08:53:19 2021 -0500 [SPARK-36915][INFRA] Pin actions to a full length commit SHA ### What changes were proposed in this pull request? Pinning github actions to a SHA ### Why are the changes needed? Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies ### Does this PR introduce _any_ user-facing change? Running github action and checking the SHA with the existing repository ### How was this patch tested? Running the GitHub action Closes #34163 from naveensrinivasan/naveen/feat/pin-github-actions. Lead-authored-by: Hyukjin Kwon <gurwls...@gmail.com> Co-authored-by: naveen <172697+naveensriniva...@users.noreply.github.com> Signed-off-by: Sean Owen <sro...@gmail.com>
---
 .github/workflows/cancel_duplicate_workflow_runs.yml | 2 +-
 .github/workflows/labeler.yml | 2 +-
 .github/workflows/notify_test_workflow.yml | 2 +-
 .github/workflows/publish_snapshot.yml | 6 +++---
 .github/workflows/stale.yml | 2 +-
 .github/workflows/test_report.yml | 4 ++--
 .github/workflows/update_build_status.yml | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/cancel_duplicate_workflow_runs.yml b/.github/workflows/cancel_duplicate_workflow_runs.yml
index 1077371..525c7e7 100644
--- a/.github/workflows/cancel_duplicate_workflow_runs.yml
+++ b/.github/workflows/cancel_duplicate_workflow_runs.yml
@@ -29,7 +29,7 @@ jobs:
 name: "Cancel duplicate workflow runs"
 runs-on: ubuntu-latest
 steps:
- - uses: potiuk/cancel-workflow-runs@953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+ - uses: potiuk/cancel-workflow-runs@4723494a065d162f8e9efd071b98e0126e00f866 # @master
 name: "Cancel duplicate workflow runs"
 with:
 cancelMode: allDuplicates
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 98855f4..88d17bf 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -44,7 +44,7 @@ jobs:
 #
 # However, these are not in a published release and the current `main` branch
 # has some issues upon testing.
- - uses: actions/labeler@2.2.0
+ - uses: actions/labeler@5f867a63be70efff62b767459b009290364495eb # pin@2.2.0
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 sync-labels: true
diff --git a/.github/workflows/notify_test_workflow.yml b/.github/workflows/notify_test_workflow.yml
index cc2b7a2..08c50cc 100644
--- a/.github/workflows/notify_test_workflow.yml
+++ b/.github/workflows/notify_test_workflow.yml
@@ -33,7 +33,7 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: "Notify test workflow"
- uses: actions/github-script@v3
+ uses: actions/github-script@f05a81df23035049204b043b50c3322045ce7eb3 # pin@v3
 if: ${{ github.base_ref == 'master' }}
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
index 46f4f7a..bd75e26 100644
--- a/.github/workflows/publish_snapshot.yml
+++ b/.github/workflows/publish_snapshot.yml
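Review bot: The trailer on the new `potiuk/cancel-workflow-runs` line is `# @master`, while every other pinned line in this commit uses the `# pin@<ref>` form, so a reader, or a tool such as Dependabot that reads the comment to learn which ref the SHA was taken from, treats this one file differently; `# pin@master` keeps the seven workflows consistent. This line and the `actions/checkout` pin in publish_snapshot.yml also record a branch rather than a release, so the comment cannot be used to confirm that the SHA belongs to a published version of the action; if a tagged release contains what the workflow needs, pinning that tag's SHA and naming the tag in the comment makes the pin checkable. The step's `with:` block may continue past the end of this hunk.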
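Review bot: The `# pin@v3` comment on the new `actions/github-script` line names a major-version tag, which the action's maintainers move to each new v3 release, so the comment does not say which release the SHA `f05a81df23035049204b043b50c3322045ce7eb3` was taken from and a later auditor has to resolve it against the action's history. Recording the exact release tag the SHA resolved to at pin time (a placeholder form would be `# pin@v3.<minor>.<patch>`) keeps the pin self-describing and lets the comment be verified against the SHA. The same applies to the `actions/cache` (`# pin@v2`) and `actions/setup-java` (`# pin@v1`) lines in publish_snapshot.yml, the two third-party pins in test_report.yml, and the second `actions/github-script` pin in update_build_status.yml. The step's `with:` block continues past the end of this hunk.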
@@ -36,18 +36,18 @@ jobs:
 - branch-3.1
 steps:
 - name: Checkout Spark repository
- uses: actions/checkout@master
+ uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # pin@master
 with:
 ref: ${{ matrix.branch }}
 - name: Cache Maven local repository
- uses: actions/cache@v2
+ uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353 # pin@v2
 with:
 path: ~/.m2/repository
 key: snapshot-maven-${{ hashFiles('**/pom.xml') }}
 restore-keys: |
 snapshot-maven-
 - name: Install Java 8
- uses: actions/setup-java@v1
+ uses: actions/setup-java@d202f5dbf7256730fb690ec59f6381650114feb2 # pin@v1
 with:
 java-version: 8
 - name: Publish snapshot
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index f26100d..f270673 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -27,7 +27,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v1.1.0
+ - uses: actions/stale@c201d45ef4b0ccbd3bb0616f93bae13e73d0a080 # pin@v1.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-pr-message: >
diff --git a/.github/workflows/test_report.yml b/.github/workflows/test_report.yml
index 3277089..2f768b7 100644
--- a/.github/workflows/test_report.yml
+++ b/.github/workflows/test_report.yml
@@ -29,14 +29,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download test results to report
- uses: dawidd6/action-download-artifact@v2
+ uses: dawidd6/action-download-artifact@6f8f427fb41886a66b82ea11a5a15d1454c79415 # pin@v2
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 workflow: ${{ github.event.workflow_run.workflow_id }}
 commit: ${{ github.event.workflow_run.head_commit.id }}
 workflow_conclusion: completed
 - name: Publish test report
- uses: scacap/action-surefire-report@v1
+ uses: scacap/action-surefire-report@482f012643ed0560e23ef605a79e8e87ca081648 # pin@v1
 with:
 check_name: Report test results
 github_token: ${{ secrets.GITHUB_TOKEN }}
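Review bot: Both third-party actions in the test_report.yml hunk (`dawidd6/action-download-artifact`, `scacap/action-surefire-report`) receive `github_token: ${{ secrets.GITHUB_TOKEN }}`, so pinning them by SHA is the right call, but a pin only stays safe if something refreshes it, and nothing in this commit adds an update path; a SHA that is never revisited also stops receiving the upstream action's own security fixes. If the repository does not already have one, a Dependabot configuration in `.github/dependabot.yml` with `package-ecosystem: "github-actions"` will propose SHA bumps and can keep the `# pin@...` comments aligned with the new SHA. Note also that pinning the top-level SHA does not pin what a composite or JavaScript action may itself reference or fetch at run time, so the pin reduces, but does not remove, the trust placed in these repositories. The job definition starts before this hunk and the final `with:` block ends after it.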
diff --git a/.github/workflows/update_build_status.yml b/.github/workflows/update_build_status.yml
index a695870..671487a 100644
--- a/.github/workflows/update_build_status.yml
+++ b/.github/workflows/update_build_status.yml
@@ -29,7 +29,7 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: "Update build status"
- uses: actions/github-script@v3
+ uses: actions/github-script@f05a81df23035049204b043b50c3322045ce7eb3 # pin@v3
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org