[
https://issues.apache.org/jira/browse/SOLR-18192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18071999#comment-18071999
]
Isabelle Giguere commented on SOLR-18192:
-----------------------------------------
From https://infra.apache.org/blog/trivy_security_incident.html
{quote}A small number of ASF projects include the trivy GitHub Action in their
build workflows.{quote}
There's no "trivy" anywhere in Solr, so it's not direct usage. Maybe a
transitive dependency... For that, I don't know what to fix or how.
If the "fix" is really just to use a commit hash rather than the version tag, I
honestly don't understand how this would "fix" anything... wouldn't it mean
running with the un-secured Trivy, with a different id?
Dependency Submission:
https://github.com/gradle/actions/blob/main/docs/dependency-submission.md
https://github.com/gradle/actions/blob/main/dependency-submission/action.yml
https://github.com/gradle/actions/blob/main/sources/src/actions/dependency-submission/main.ts
Somewhat related discussion:
https://github.com/apache/infrastructure-actions/issues/574
> GitHub action dependency-submission fails
> -----------------------------------------
>
> Key: SOLR-18192
> URL: https://issues.apache.org/jira/browse/SOLR-18192
> Project: Solr
> Issue Type: Bug
> Reporter: Isabelle Giguere
> Priority: Major
>
> GitHub action "Dependency Submission" has been failing since March 20th, 2026.
> https://github.com/apache/solr/actions/workflows/dependency-graph-submission.yml
> Error message:
> "The action gradle/actions/dependency-submission@v5 is not allowed in
> apache/solr because all actions must be from a repository owned by your
> enterprise..."
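On the hash-versus-tag question in the comment above, an added example (not part of the original message, and not Solr or gradle/actions code): a tag such as `v5` is a ref that can be moved to a different commit, while a full 40-character commit SHA always resolves to the same code. The script flags `uses:` references in workflow text that are not pinned to a full SHA; the sample workflow, the local action path and the SHA in it are constructed placeholders.

```python
import re

# A "uses:" reference, with an optional list dash and optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref):
    """Return how a single `uses:` reference is pinned."""
    if ref.startswith("./"):
        return "local"            # action stored in the same repository
    if ref.startswith("docker://"):
        return "docker"           # image reference, outside this check
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "unpinned"         # no @ref at all
    # Only a full-length SHA counts; short SHAs, tags and branches do not.
    return "sha" if FULL_SHA_RE.fullmatch(version) else "tag-or-branch"


def audit(workflow_text):
    """Return (line_number, reference, kind) for every `uses:` line."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings


def not_sha_pinned(workflow_text):
    """Return only the references a SHA-pinning policy would reject."""
    return [f for f in audit(workflow_text) if f[2] in ("tag-or-branch", "unpinned")]


# Constructed sample; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Dependency Submission
on: [push]
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v5
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for number, ref, kind in not_sha_pinned(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} ({kind})")
```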