On Wed, Apr 8, 2026 at 5:02 PM Isabelle Giguere <[email protected]> wrote:
> If nothing else, I opened a ticket:
> https://issues.apache.org/jira/browse/SOLR-18192

Good idea!

> I spent some time trying to wrap my head around the suggested fix, but,
> no. The whole thing is much too mysterious, so I will not submit a PR that
> I would neither understand nor be able to test.

That's our bad, the documentation is still rather rough. We had hoped to
roll out these changes more gradually, but the Trivy incident expedited things.

I'll respond further on the ticket.

Kind regards,

Arnout

> On Tue, Apr 7, 2026 at 22:14, David Smiley <[email protected]> wrote:
>
> > I noticed but I'm too busy. PRs welcome. In this case it should
> > contain a link pointing to the origin of this hash.
> > I *did* fix the ones on the other workflows that "matter" more. I'm
> > honestly unfamiliar with this workflow's purpose.
> >
> > On Tue, Apr 7, 2026 at 6:39 PM Isabelle Giguere <[email protected]>
> > wrote:
> >
> > > Thanks, Arnout;
> > >
> > > I think I'll leave this to a Solr committer, if they find they can't wait
> > > for a better fix of the security incident. I'm reasonably sure someone
> > > else must have noticed the failures.
> > >
> > > I suppose the commit ID would be:
> > >
> > > gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4
> > >
> > > Regards;
> > >
> > > Isabelle
> > >
> > > On Tue, Apr 7, 2026 at 12:24, Arnout Engelen <[email protected]> wrote:
> > >
> > > > Hello Isabelle,
> > > >
> > > > This is due to
> > > > https://infra.apache.org/blog/trivy_security_incident.html -
> > > > the fix is to refer to this action by its commit hash instead of
> > > > '@v5' and propose this version for the allowlist at
> > > > https://github.com/apache/infrastructure-actions/blob/main/actions.yml#L394
> > > > .
> > > >
> > > > Kind regards,
> > > >
> > > > Arnout
> > > >
> > > > On Tue, Apr 7, 2026 at 5:01 PM Isabelle Giguere <[email protected]>
> > > > wrote:
> > > >
> > > > > Hi devs;
> > > > >
> > > > > GitHub action "Dependency Submission" has been failing since March 20th.
> > > > >
> > > > > https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml
> > > > >
> > > > > Error message:
> > > > > "The action gradle/actions/dependency-submission@v5 is not allowed in
> > > > > apache/solr because all actions must be from a repository owned by your
> > > > > enterprise..."
> > > > >
> > > > > Any thoughts ?
> > > > >
> > > > > Isabelle Giguère
> > > >
> > > > --
> > > > Arnout Engelen
> > > > ASF Security Response
> > > > Apache Pekko PMC member, ASF Member
> > > > NixOS Committer
> > > > Independent Open Source consultant

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
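
The thread's fix is to reference the action by commit hash instead of '@v5', with a note on where the hash came from. The following is an added example, not code from the thread or from any Apache project: a small audit that flags `uses:` references not pinned to a full 40-character commit hash, and pinned ones that carry no comment on the hash's origin. The sample workflow, the local action path and the verdict names are constructed for illustration; the hash is the one proposed in the thread.

```python
import re

# Matches a "uses:" entry and an optional trailing comment.
USES_RE = re.compile(
    r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'\s#]+)["\']?\s*(?:#\s*(.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(text):
    """Return (line_no, reference, verdict) for every external action reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and container images are not resolved through a git ref.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.partition("@")
        if not sep:
            verdict = "no-ref"
        elif not FULL_SHA_RE.match(version):
            verdict = "mutable-ref"          # tag or branch, e.g. @v5
        elif not comment:
            verdict = "pinned-undocumented"  # hash with no note on its origin
        else:
            verdict = "pinned"
        findings.append((line_no, ref, verdict))
    return findings


# Constructed sample workflow (hypothetical job and local action path).
SAMPLE = """\
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-step
      - uses: gradle/actions/dependency-submission@v5
      - uses: gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4
      - uses: gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4  # origin: <link to release>
"""

if __name__ == "__main__":
    for line_no, ref, verdict in audit_workflow(SAMPLE):
        print(f"line {line_no}: {verdict:20} {ref}")
```

A hash that passes this check still has to be confirmed against the upstream repository and accepted into the allowlist; the script only checks the form of the reference.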
