[ https://issues.apache.org/jira/browse/SOLR-18192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072015#comment-18072015 ]

Arnout Engelen commented on SOLR-18192:
---------------------------------------

You're correct that Trivy is only indirectly related: previously, we implicitly 
trusted all GitHub Actions by "verified creators". Both Trivy and Gradle are 
published by such "verified creators". The Trivy incident highlighted that there are 
now so many "verified creators" that trusting all of them is probably a bad 
idea at this point, and that from now on we want to review actions created by 
"verified creators" using the mechanism at 
[https://github.com/apache/infrastructure-actions|https://github.com/apache/infrastructure-actions/issues/574].

This is why "gradle/actions/dependency-submission@v5" started failing: gradle 
used to be fully trusted, but now we require all gradle actions to be 
allowlisted in 
[https://github.com/apache/infrastructure-actions/blob/main/actions.yml] and 
referred to by hash, so 
"gradle/actions/dependency-submission@0723195856401067f7a2779048b490ace7a47d7c 
# 5.0.2" instead of "gradle/actions/dependency-submission@v5".

Again, indeed the documentation here is rather rough - we had hoped to roll out 
this mechanism a bit more smoothly, and the Trivy incident caused us to move 
forward perhaps prematurely / faster than we'd otherwise have - apologies for 
that. If you have any good recommendations for where documentation or 
other quality-of-life improvements would be possible, we're definitely 
interested.

> GitHub action dependency-submission fails
> -----------------------------------------
>
>                 Key: SOLR-18192
>                 URL: https://issues.apache.org/jira/browse/SOLR-18192
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Isabelle Giguere
>            Priority: Major
>
> Github action "Dependency Submission" has been failing since March 20th, 2026.
> https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml
> Error message:
> "The action gradle/actions/dependency-submission@v5 is not allowed in 
> apache/solr because all actions must be from a repository owned by your 
> enterprise..."
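The policy described in the comment above (every third-party action must be allowlisted and referenced by a full commit SHA rather than a tag such as `@v5`) can be checked mechanically before a workflow is pushed. The following script is an added example, not code from the Solr project or from apache/infrastructure-actions: it extracts every `uses:` reference from a workflow file and reports references that are either not in an allowlist or not pinned to a 40-character commit hash. The workflow text and the allowlist are constructed for the example (the allowlist format is an assumption, not the real `actions.yml` schema); the gradle hash is the one quoted in the comment, the other action names are hypothetical.

```python
import re

# Constructed sample workflow (not the Solr project's real file). The gradle
# reference is the one quoted in the Jira comment; the others are hypothetical.
SAMPLE_WORKFLOW = """\
name: Dependency Submission
on: [push]
jobs:
  submit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gradle/actions/dependency-submission@0723195856401067f7a2779048b490ace7a47d7c # 5.0.2
      - uses: example-org/some-action@v1
      - uses: ./.github/actions/local-helper
      - uses: docker://ghcr.io/example/image:1.2.3
"""

# Hypothetical allowlist: action path -> set of approved commit SHAs.
# The real allowlist lives in infrastructure-actions actions.yml and may use
# a different structure; this shape is an assumption for the example.
ALLOWLIST = {
    "actions/checkout": {"b4ffde65f46336ab88eb53be808477a3936bae11"},  # constructed SHA
    "gradle/actions/dependency-submission": {"0723195856401067f7a2779048b490ace7a47d7c"},
}

# Matches "uses: <ref>" at any indentation; stops at whitespace, quotes or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return every 'uses:' reference in the workflow, in file order."""
    return USES_RE.findall(workflow_text)


def split_ref(uses):
    """Split owner/repo[/path]@ref into (action, ref).

    Returns None for local (./...) and docker:// references, which are not
    resolved through the marketplace and so fall outside this policy.
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return None
    if "@" not in uses:
        return (uses, "")
    action, ref = uses.rsplit("@", 1)
    return (action, ref)


def check_workflow(workflow_text, allowlist):
    """Return a list of (reference, reason) for every reference violating the policy."""
    findings = []
    for uses in parse_uses(workflow_text):
        parsed = split_ref(uses)
        if parsed is None:
            continue
        action, ref = parsed
        if action not in allowlist:
            findings.append((uses, "not in allowlist"))
        elif not SHA_RE.match(ref):
            # A tag or branch such as v5 can be moved; only a full SHA is immutable.
            findings.append((uses, "not pinned to a full commit SHA"))
        elif ref not in allowlist[action]:
            findings.append((uses, "SHA not in allowlist for this action"))
    return findings


if __name__ == "__main__":
    for reference, reason in check_workflow(SAMPLE_WORKFLOW, ALLOWLIST):
        print(f"{reference}: {reason}")
```

Run against the sample, the script flags `actions/checkout@v4` (allowlisted but referenced by tag) and `example-org/some-action@v1` (not allowlisted), while the hash-pinned gradle reference passes. The same check could be run over every file under `.github/workflows/` in a pre-commit hook or CI step, so a tag-based reference is caught locally rather than by the GitHub enterprise policy error quoted in the issue.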



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
