arpitjain099 opened a new pull request, #18872: URL: https://github.com/apache/hudi/pull/18872
This pins the third-party GitHub Actions used in CI to immutable commit SHAs instead of mutable version tags. Mutable refs like `@v5` can be repointed by whoever controls the action repository, so a compromised or hijacked tag silently flows into every workflow run that references it. The tj-actions/changed-files incident (CVE-2025-30066) is the most prominent recent example: attackers force-pushed malicious commits onto existing tags and exfiltrated CI secrets across thousands of repos. Pinning to a full 40-character SHA removes that class of risk because the runner fetches exactly the reviewed commit.

Changes in this PR:

- `codecov/codecov-action@v5` pinned across `bot.yml`
- `amannn/action-semantic-pull-request@v6` pinned in `pr_title_validation.yml`

The human-readable version is kept in a trailing comment on each line, so future maintenance and Dependabot updates still see which release the SHA maps to. This also satisfies the OpenSSF Scorecard Pinned-Dependencies check.

First-party `actions/*` were intentionally left as-is.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
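The pinning rule the PR applies (third-party `uses:` refs must be a full 40-character commit SHA with a trailing version comment; first-party `actions/*` exempt) can be checked mechanically before merge. The following is an added example, not code from the PR or the Hudi repository; the workflow fragment and the `example-org/some-action` name are constructed for illustration, and the audit uses a line regex rather than a YAML parser so it runs with no dependencies.

```python
import re

# Constructed sample workflow fragment (not Hudi's actual bot.yml), covering the
# cases a reviewer cares about: first-party, mutable tag, SHA + comment, SHA only, local.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: codecov/codecov-action@v5
      - uses: amannn/action-semantic-pull-request@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: example-org/some-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
"""

# Matches "- uses: <ref>" with an optional "# comment" after the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$")
# A full, immutable Git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text, first_party_prefixes=("actions/",)):
    """Return (ref, reason) for every third-party action that is not pinned to a
    full commit SHA, or that is pinned but lacks the human-readable version comment."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local (./...) and container (docker://) actions are not tag-pinned GitHub repos.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo, _, version = ref.partition("@")
        # First-party actions are intentionally out of scope, as in the PR.
        if any(repo.startswith(p) for p in first_party_prefixes):
            continue
        if not SHA_RE.match(version):
            findings.append((ref, "mutable ref, not a 40-char commit SHA"))
        elif not comment:
            findings.append((ref, "SHA pinned but missing trailing version comment"))
    return findings


if __name__ == "__main__":
    for ref, reason in audit_uses(SAMPLE_WORKFLOW):
        print(f"{ref}: {reason}")
```

Running it over a repository's `.github/workflows/*.yml` in CI gives the same signal the OpenSSF Scorecard Pinned-Dependencies check reports, but as a blocking review step.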
