I noticed but I'm too busy.  PRs welcome.  In this case it should
contain a link pointing to the origin of this hash.
I *did* fix the ones on the other workflows that "matter" more.  I'm
honestly unfamiliar with this workflow's purpose.

On Tue, Apr 7, 2026 at 6:39 PM Isabelle Giguere <[email protected]> wrote:
>
> Thanks, Arnout;
>
> I think I'll leave this to a Solr committer, if they find they can't wait
> for a better fix of the security incident.  I'm reasonably sure someone
> else must have noticed the failures.
>
> I suppose the commit ID would be:
> gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4
>
> Regards;
>
> Isabelle
>
> On Tue, Apr 7, 2026 at 12:24, Arnout Engelen <[email protected]> wrote:
>
> > Hello Isabelle,
> >
> > This is due to https://infra.apache.org/blog/trivy_security_incident.html -
> > the fix is to refer to this action by its commit hash instead of '@v5' and
> > propose this version for the allowlist at
> > https://github.com/apache/infrastructure-actions/blob/main/actions.yml#L394 .
> >
> >
> > Kind regards,
> >
> > Arnout
> >
> > On Tue, Apr 7, 2026 at 5:01 PM Isabelle Giguere <[email protected]> wrote:
> >
> > > Hi devs;
> > >
> > > Github action "Dependency Submission" has been failing since March 20th.
> > >
> > >
> > >
> > https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml
> > >
> > > Error message:
> > > "The action gradle/actions/dependency-submission@v5 is not allowed in
> > > apache/solr because all actions must be from a repository owned by your
> > > enterprise..."
> > >
> > > Any thoughts ?
> > >
> > > Isabelle Giguère
> > >
> >
> >
> > --
> > Arnout Engelen
> > ASF Security Response
> > Apache Pekko PMC member, ASF Member
> > NixOS Committer
> > Independent Open Source consultant
> >
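
The fix described in this thread (a full commit hash instead of '@v5', with that hash proposed for the allowlist) can be checked mechanically. The following is an added example, not part of the thread or of any Apache tooling; the allowlist structure, the sample workflow and the `example-org/example-action` entry are constructed assumptions.

```python
import re

THREAD_SHA = "6f229686ee4375cc4a86b2514c89bac4930e82c4"  # commit id quoted in the thread
CONSTRUCTED_SHA = "0" * 40                                # placeholder, not a real commit

# Hypothetical allowlist shape (action name -> approved commit ids); this is
# NOT the real format of apache/infrastructure-actions' actions.yml.
ALLOWLIST = {"gradle/actions/dependency-submission": {THREAD_SHA}}

# Constructed sample workflow, not the real apache/solr file.
SAMPLE_WORKFLOW = f"""\
name: Dependency Submission
on: [push]
jobs:
  submit:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/prepare
      - uses: gradle/actions/dependency-submission@v5
      - uses: gradle/actions/dependency-submission@{THREAD_SHA}
      - uses: example-org/example-action@{CONSTRUCTED_SHA}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref, allowlist):
    """Classify one `uses:` reference by how it is pinned."""
    if ref.startswith(("./", "docker://")):
        return "local-or-docker"      # not resolved through a git ref of an action repo
    name, sep, version = ref.partition("@")
    if not sep:
        return "missing-ref"
    if not SHA_RE.fullmatch(version):
        return "mutable-ref"          # tag or branch: can later point at different code
    if version in allowlist.get(name, set()):
        return "pinned-allowlisted"
    return "pinned-not-allowlisted"   # immutable, but still needs allowlist review

def audit_uses(workflow_text, allowlist=ALLOWLIST):
    """Return (line_no, reference, verdict) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            findings.append((line_no, match.group(1), classify(match.group(1), allowlist)))
    return findings

if __name__ == "__main__":
    for line_no, ref, verdict in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} -> {verdict}")
```
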
