Thanks, Arnout; I think I'll leave this to a Solr committer, if they find they can't wait for a better fix of the security incident. I'm reasonably sure someone else must have noticed the failures.
I suppose the commit ID would be: gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4 Regards; Isabelle Le mar. 7 avr. 2026 à 12:24, Arnout Engelen <[email protected]> a écrit : > Hello Isabelle, > > This is due to https://infra.apache.org/blog/trivy_security_incident.html > - > the fix is to > refer to this action by its commit hash instead of '@v5' and propose this > version for > the allowlist at > https://github.com/apache/infrastructure-actions/blob/main/actions.yml#L394 > . > > > Kind regards, > > Arnout > > On Tue, Apr 7, 2026 at 5:01 PM Isabelle Giguere <[email protected]> > wrote: > > > Hi devs; > > > > Github action "Dependency Submission" has been failing since March 20th. > > > > > > > https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml > > > > Error message: > > "The action gradle/actions/dependency-submission@v5 is not allowed in > > apache/solr because all actions must be from a repository owned by your > > enterprise..." > > > > Any thoughts ? > > > > Isabelle Giguère > > > > > -- > Arnout Engelen > ASF Security Response > Apache Pekko PMC member, ASF Member > NixOS Committer > Independent Open Source consultant >
