On Wed, Apr 8, 2026 at 10:18 PM Christos Malliaridis <[email protected]> wrote:

> If I get this right, what we want is to enhance security to prevent any
> malicious commits being checked out by using version references like "@5".
> This can be done by pinpointing a specific commit that is trusted,
> requiring us to explicitly update the script when a different version of
> the action should be executed. Changing the commit of a specific tag would
> not change the action executed if the commit hash is used, as it is not
> using the version reference this way.

Correct.

> What I am wondering, are hashes trusted by default? Or do we have to
> request the hashes to be trusted?

You have to request actions to be trusted as documented at
https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-action-to-the-allow-list .
Once an action is trusted, new versions/hashes are proposed by Dependabot,
and become trusted after someone has reviewed the update (your help is
warmly welcomed in that).

Kind regards,

Arnout

> > I'm honestly unfamiliar with this workflow's purpose.
>
> About the workflow's purpose, the workflow submits the gradle dependencies
> used by the project to GitHub, so that they can be listed at
> https://github.com/apache/solr/network/dependencies and provide further
> project insights.
>
> Best,
> Christos
>
> On Wed, Apr 8, 2026 at 6:08 PM Arnout Engelen <[email protected]> wrote:
>
> > On Wed, Apr 8, 2026 at 5:02 PM Isabelle Giguere <[email protected]> wrote:
> >
> > > If nothing else, I opened a ticket:
> > > https://issues.apache.org/jira/browse/SOLR-18192
> >
> > Good idea!
> >
> > > I spent some time trying to wrap my head around the suggested fix, but,
> > > no. The whole thing is much too mysterious, so I will not submit a PR
> > > that I would neither understand nor be able to test.
> >
> > That's our bad, the documentation is still rather rough. We had hoped to
> > roll out these changes more gradually, but the Trivy incident expedited
> > things.
> > I'll respond further on the ticket.
> >
> > Kind regards,
> >
> > Arnout
> >
> > > On Tue, Apr 7, 2026 at 22:14, David Smiley <[email protected]> wrote:
> > >
> > > > I noticed but I'm too busy. PRs welcome. In this case it should
> > > > contain a link pointing to the origin of this hash.
> > > > I *did* fix the ones on the other workflows that "matter" more. I'm
> > > > honestly unfamiliar with this workflow's purpose.
> > > >
> > > > On Tue, Apr 7, 2026 at 6:39 PM Isabelle Giguere <[email protected]> wrote:
> > > >
> > > > > Thanks, Arnout;
> > > > >
> > > > > I think I'll leave this to a Solr committer, if they find they can't
> > > > > wait for a better fix of the security incident. I'm reasonably sure
> > > > > someone else must have noticed the failures.
> > > > >
> > > > > I suppose the commit ID would be:
> > > > >
> > > > > gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4
> > > > >
> > > > > Regards;
> > > > >
> > > > > Isabelle
> > > > >
> > > > > On Tue, Apr 7, 2026 at 12:24, Arnout Engelen <[email protected]> wrote:
> > > > >
> > > > > > Hello Isabelle,
> > > > > >
> > > > > > This is due to
> > > > > > https://infra.apache.org/blog/trivy_security_incident.html -
> > > > > > the fix is to refer to this action by its commit hash instead of
> > > > > > '@v5' and propose this version for the allowlist at
> > > > > > https://github.com/apache/infrastructure-actions/blob/main/actions.yml#L394 .
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Arnout
> > > > > >
> > > > > > On Tue, Apr 7, 2026 at 5:01 PM Isabelle Giguere <[email protected]> wrote:
> > > > > >
> > > > > > > Hi devs;
> > > > > > >
> > > > > > > Github action "Dependency Submission" has been failing since
> > > > > > > March 20th.
> > > > > > > https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml
> > > > > > >
> > > > > > > Error message:
> > > > > > > "The action gradle/actions/dependency-submission@v5 is not allowed in
> > > > > > > apache/solr because all actions must be from a repository owned by
> > > > > > > your enterprise..."
> > > > > > >
> > > > > > > Any thoughts ?
> > > > > > >
> > > > > > > Isabelle Giguère
> > > > > >
> > > > > > --
> > > > > > Arnout Engelen
> > > > > > ASF Security Response
> > > > > > Apache Pekko PMC member, ASF Member
> > > > > > NixOS Committer
> > > > > > Independent Open Source consultant
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [email protected]
> > > > For additional commands, e-mail: [email protected]
>

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
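The fix discussed in this thread (replace a mutable `@v5` tag reference with a full commit SHA, and leave a comment pointing to the origin of that hash) is easy to verify mechanically. The following is an added example, not code from the thread, the Solr project or the ASF infrastructure-actions repository: a small Python audit that scans workflow text for `uses:` lines, classifies each reference as a full-SHA pin, a tag or something else, and separately flags SHA pins that carry no origin comment. The workflow snippets are constructed for illustration; the only real hash is the one Isabelle quoted for `gradle/actions/dependency-submission`, and the `actions/checkout` SHA is an obviously synthetic placeholder.

```python
"""Audit GitHub Actions `uses:` references for commit-SHA pinning.

Added example: not code from the mailing-list thread above, nor from the
Solr project or apache/infrastructure-actions. Sample workflows below are
constructed; the gradle SHA is the one quoted in the thread, the
actions/checkout SHA is a synthetic placeholder.
"""
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref  # optional comment`, optionally quoted, optionally
# a list item. Local (`./...`) and `docker://` references have no `@ref` of this
# shape and are deliberately skipped.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?
        (?P<action>[A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-/]+)@(?P<ref>[^\s"'#]+)["']?
        \s*(?:\#\s*(?P<comment>\S.*))?\s*$""",
    re.VERBOSE,
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str      # "sha" (full 40-hex commit), "tag" (v5, 5.1.0, ...) or "other" (branch etc.)
    comment: str   # trailing comment: where the human-readable origin of a hash belongs


def classify_ref(ref: str) -> str:
    """Tags and branches can be re-pointed upstream; only a full commit SHA is immutable."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(?:\.\d+)*", ref):
        return "tag"
    return "other"


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference found in the workflow text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            comment = (m["comment"] or "").strip()
            findings.append(Finding(n, m["action"], m["ref"], classify_ref(m["ref"]), comment))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """References that silently change if the upstream tag or branch is moved."""
    return [f for f in findings if f.kind != "sha"]


def pinned_without_origin(findings: list[Finding]) -> list[Finding]:
    """SHA pins lacking the comment that records which version/link the hash came from."""
    return [f for f in findings if f.kind == "sha" and not f.comment]


# Constructed sample resembling the failing job: both steps use mutable tags.
TAG_PINNED_WORKFLOW = """\
name: Dependency Submission
on:
  push:
    branches: [main]
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v5
"""

# Hardened variant: full SHAs, each with a comment naming the version it came from.
# actions/checkout SHA is a placeholder; verify any real hash against the upstream tag.
SHA_PINNED_WORKFLOW = """\
name: Dependency Submission
on:
  push:
    branches: [main]
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA for v4
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4 # v5, link to the release this hash was taken from
"""

# A pin that is immutable but undocumented: reviewers cannot tell which version it is.
NO_COMMENT_LINE = "      - uses: gradle/actions/dependency-submission@6f229686ee4375cc4a86b2514c89bac4930e82c4\n"


if __name__ == "__main__":
    for name, text in (("tag-pinned", TAG_PINNED_WORKFLOW), ("sha-pinned", SHA_PINNED_WORKFLOW)):
        findings = audit_workflow(text)
        print(f"{name}: {len(unpinned(findings))} unpinned, "
              f"{len(pinned_without_origin(findings))} pinned without origin comment")
        for f in unpinned(findings):
            print(f"  line {f.line_no}: {f.action}@{f.ref} ({f.kind}) -> pin to a full commit SHA")
```

Run it against `.github/workflows/*.yml` by reading each file into `audit_workflow`; a non-empty `unpinned` list is the condition that made the job fail under the allow-list policy, and `pinned_without_origin` catches the case David raises, a hash with no link back to where it came from.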
