If nothing else, I opened a ticket:
https://issues.apache.org/jira/browse/SOLR-18192
I spent some time trying to wrap my head around the suggested fix, but,
no.  The whole thing is much too mysterious, so I will not submit a PR that
I would neither understand nor be able to test.
Sorry.


On Tue, Apr 7, 2026 at 22:14, David Smiley <[email protected]> wrote:

> I noticed but I'm too busy.  PRs welcome.  In this case it should
> contain a link pointing to the origin of this hash.
> I *did* fix the ones on the other workflows that "matter" more.  I'm
> honestly unfamiliar with this workflow's purpose.
>
> On Tue, Apr 7, 2026 at 6:39 PM Isabelle Giguere <[email protected]>
> wrote:
> >
> > Thanks, Arnout;
> >
> > I think I'll leave this to a Solr committer, if they find they can't wait
> > for a better fix of the security incident.  I'm reasonably sure someone
> > else must have noticed the failures.
> >
> > I suppose the commit ID would be:
> >
> > gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4
> >
> > Regards;
> >
> > Isabelle
> >
> > On Tue, Apr 7, 2026 at 12:24, Arnout Engelen <[email protected]> wrote:
> >
> > > Hello Isabelle,
> > >
> > > This is due to
> > > https://infra.apache.org/blog/trivy_security_incident.html -
> > > the fix is to refer to this action by its commit hash instead of '@v5'
> > > and propose this version for the allowlist at
> > > https://github.com/apache/infrastructure-actions/blob/main/actions.yml#L394 .
> > >
> > >
> > > Kind regards,
> > >
> > > Arnout
> > >
> > > On Tue, Apr 7, 2026 at 5:01 PM Isabelle Giguere <[email protected]>
> > > wrote:
> > >
> > > > Hi devs;
> > > >
> > > > GitHub action "Dependency Submission" has been failing since March 20th.
> > > >
> > > > https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml
> > > >
> > > > Error message:
> > > > "The action gradle/actions/dependency-submission@v5 is not allowed in
> > > > apache/solr because all actions must be from a repository owned by your
> > > > enterprise..."
> > > >
> > > > Any thoughts ?
> > > >
> > > > Isabelle Giguère
> > > >
> > >
> > >
> > > --
> > > Arnout Engelen
> > > ASF Security Response
> > > Apache Pekko PMC member, ASF Member
> > > NixOS Committer
> > > Independent Open Source consultant
> > >
>

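An added example, not part of the thread and not Apache or Solr tooling: a small checker for the two points raised above, that a workflow should reference an action by commit hash rather than a tag such as `@v5`, and that a pinned hash should carry a pointer to its origin. The function name, the sample workflow and the placeholder URL are constructed for illustration; the hash is the one quoted in the thread, and the ASF allowlist itself is not modelled.

```python
import re

# A step's `uses:` value plus an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit hash


def audit_workflow(text):
    """Return (line_no, reference, finding) for each `uses:` line needing attention."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are outside this check
        _action, sep, version = ref.partition("@")
        if not sep or not SHA_RE.match(version):
            # Tags and branches can be moved to point at different code later.
            findings.append((no, ref, "mutable ref: pin to a full commit hash"))
        elif not comment:
            findings.append((no, ref, "pinned, but no comment recording the origin of the hash"))
    return findings


# Constructed workflow. The hash is the one quoted in the thread; the URL is a placeholder.
SAMPLE = """\
jobs:
  submit:
    steps:
      - uses: gradle/actions/dependency-submission@v5
      - uses: gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4
      - uses: gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4  # https://example.invalid/origin-of-hash
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for no, ref, finding in audit_workflow(SAMPLE):
        print(f"line {no}: {ref}: {finding}")
```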