If I get this right, what we want is to enhance security to prevent any malicious commits being checked out by using version references like "@5". This can be done by pinpointing a specific commit that is trusted, requiring us to explicitly update the script when a different version of the action should be executed. Changing the commit of a specific tag would not change the action executed if the commit hash is used, as it is not using the version reference this way.
What I am wondering, are hashes trusted by default? Or do we have to request the hashes to be trusted? > I'm honestly unfamiliar with this workflow's purpose. About the workflow's purpose, the workflow submits the gradle dependencies used by the project to GitHub, so that they can be listed at https://github.com/apache/solr/network/dependencies and provide further project insights. Best, Christos On Wed, Apr 8, 2026 at 6:08 PM Arnout Engelen <[email protected]> wrote: > On Wed, Apr 8, 2026 at 5:02 PM Isabelle Giguere <[email protected]> > wrote: > > > If nothing else, I opened a ticket: > > https://issues.apache.org/jira/browse/SOLR-18192 > > > Good idea! > > > > I spent some time trying to wrap my head around the suggested fix, but, > > no. The whole thing is much too mysterious, so I will not submit a PR > that > > I would neither understand nor be able to test. > > > > That's our bad, the documentation is still rather rough. We had hoped to > roll out these changes more gradually, but the Trivy incident expedited > things. I'll respond further on the ticket. > > > Kind regards, > > Arnout > > Le mar. 7 avr. 2026 à 22:14, David Smiley <[email protected]> a écrit : > > > > > I noticed but I'm too busy. PRs welcome. In this case it should > > > contain a link pointing to the origin of this hash. > > > I *did* fix the ones on the other workflows that "matter" more. I'm > > > honestly unfamiliar with this workflow's purpose. > > > > > > On Tue, Apr 7, 2026 at 6:39 PM Isabelle Giguere <[email protected]> > > > wrote: > > > > > > > > Thanks, Arnout; > > > > > > > > I think I'll leave this to a Solr committer, if they find they can't > > wait > > > > for a better fix of the security incident. I'm reasonably sure > someone > > > > else must have noticed the failures. > > > > > > > > I suppose the commit ID would be: > > > > > > > > > > gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4 > > > > > > > > Regards; > > > > > > > > Isabelle > > > > > > > > Le mar. 7 avr. 2026 à 12:24, Arnout Engelen <[email protected]> a > > > écrit : > > > > > > > > > Hello Isabelle, > > > > > > > > > > This is due to > > > https://infra.apache.org/blog/trivy_security_incident.html > > > > > - > > > > > the fix is to > > > > > refer to this action by its commit hash instead of '@v5' and > propose > > > this > > > > > version for > > > > > the allowlist at > > > > > > > > > > > https://github.com/apache/infrastructure-actions/blob/main/actions.yml#L394 > > > > > . > > > > > > > > > > > > > > > Kind regards, > > > > > > > > > > Arnout > > > > > > > > > > On Tue, Apr 7, 2026 at 5:01 PM Isabelle Giguere < > [email protected] > > > > > > > > wrote: > > > > > > > > > > > Hi devs; > > > > > > > > > > > > Github action "Dependency Submission" has been failing since > March > > > 20th. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml > > > > > > > > > > > > Error message: > > > > > > "The action gradle/actions/dependency-submission@v5 is not > allowed > > > in > > > > > > apache/solr because all actions must be from a repository owned > by > > > your > > > > > > enterprise..." > > > > > > > > > > > > Any thoughts ? > > > > > > > > > > > > Isabelle Giguère > > > > > > > > > > > > > > > > > > > > > -- > > > > > Arnout Engelen > > > > > ASF Security Response > > > > > Apache Pekko PMC member, ASF Member > > > > > NixOS Committer > > > > > Independent Open Source consultant > > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [email protected] > > > For additional commands, e-mail: [email protected] > > > > > > > > > > > -- > Arnout Engelen > ASF Security Response > Apache Pekko PMC member, ASF Member > NixOS Committer > Independent Open Source consultant >
