arpitjain099 opened a new pull request, #38739: URL: https://github.com/apache/shardingsphere/pull/38739
The Docker and Codecov actions in several CI workflows are currently referenced by floating tags (`@v3`, `@v6`, `@v5`). A version tag is not immutable: the upstream owner, or anyone who compromises that account, can move the tag to point at a different commit, and the next workflow run will pull whatever is there. That is exactly how the tj-actions/changed-files supply-chain attack (CVE-2025-30066) played out earlier this year, where retagged commits harvested CI secrets from a large number of downstream repositories.

This PR replaces those floating refs with the full commit SHA they currently resolve to, while keeping the tag name in a trailing `# v3` style comment so the mapping stays readable and Dependabot can still propose upgrades.

Files touched: `mcp-build.yml`, `mcp-llm-e2e.yml`, `mcp-llm-usability-e2e.yml`, `nightly-build.yml`, `schedule-report.yml`. Only third-party actions were pinned. The `actions/*` entries maintained by GitHub were left alone.

This brings the affected workflows in line with the OpenSSF Scorecard Pinned-Dependencies expectation.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
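A small lint that checks a workflow file for the property this PR establishes: third-party `uses:` references pinned to a 40-hex commit SHA, with the tag kept in a trailing `# vN` comment. This is an added example, not code from the PR or the ShardingSphere project; the sample workflow and its SHA are constructed placeholders.

```python
import re

# A fully pinned ref is a 40-character hexadecimal commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/path]@ref" (optionally quoted) plus an optional "# comment".
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"']+)["']?\s*(?:#\s*(\S+))?"""
)

def parse_uses(line):
    """Return (action, ref, comment_or_None) for a 'uses:' line, else None."""
    m = USES_RE.match(line)
    return None if m is None else (m.group(1), m.group(2), m.group(3))

def lint_workflow(text, trusted_owners=("actions",)):
    """Return [(line_no, action, ref, reason)] findings for one workflow file.

    Local actions ('./path') and docker:// images are skipped, and so are actions
    under a trusted owner (GitHub's own actions/* by default), matching the scope
    the PR chose: only third-party actions must be pinned.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        action, ref, comment = parsed
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if action.split("/")[0] in trusted_owners:
            continue
        if not SHA_RE.match(ref):
            findings.append((no, action, ref, "floating ref, pin to a commit SHA"))
        elif comment is None:
            findings.append((no, action, ref, "pinned but missing '# vN' tag comment"))
    return findings

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: codecov/codecov-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for no, action, ref, reason in lint_workflow(SAMPLE):
        print(f"line {no}: {action}@{ref}: {reason}")
```

Run it over each file in `.github/workflows/` in CI to keep a future floating tag from slipping back in after this PR.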
