Posted to commits@spark.apache.org by sr...@apache.org on 2021/10/16 13:54:00 UTC

[spark] branch master updated: [SPARK-36915][INFRA] Pin actions to a full length commit SHA

This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/master by this push:
     new 00b87c9  [SPARK-36915][INFRA] Pin actions to a full length commit SHA
00b87c9 is described below

commit 00b87c967ff8217b64e597400f3248c375a74879
Author: Hyukjin Kwon <gu...@gmail.com>
AuthorDate: Sat Oct 16 08:53:19 2021 -0500

    [SPARK-36915][INFRA] Pin actions to a full length commit SHA
    
    ### What changes were proposed in this pull request?
    Pins the GitHub Actions used in the workflows to full-length commit SHAs.
    
    ### Why are the changes needed?
    Pinning an action to a full length commit SHA is currently the only way to use an action as
    an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a
    backdoor to the action's repository, as they would need to generate a SHA-1 collision for
    a valid Git object payload.
    
    https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
    
    https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
    
    ### Does this PR introduce _any_ user-facing change?
    Running github action and checking the SHA with the existing repository
    
    ### How was this patch tested?
    Running the GitHub action
    
    Closes #34163 from naveensrinivasan/naveen/feat/pin-github-actions.
    
    Lead-authored-by: Hyukjin Kwon <gu...@gmail.com>
    Co-authored-by: naveen <17...@users.noreply.github.com>
    Signed-off-by: Sean Owen <sr...@gmail.com>
---
 .github/workflows/cancel_duplicate_workflow_runs.yml | 2 +-
 .github/workflows/labeler.yml                        | 2 +-
 .github/workflows/notify_test_workflow.yml           | 2 +-
 .github/workflows/publish_snapshot.yml               | 6 +++---
 .github/workflows/stale.yml                          | 2 +-
 .github/workflows/test_report.yml                    | 4 ++--
 .github/workflows/update_build_status.yml            | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/cancel_duplicate_workflow_runs.yml b/.github/workflows/cancel_duplicate_workflow_runs.yml
index 1077371..525c7e7 100644
--- a/.github/workflows/cancel_duplicate_workflow_runs.yml
+++ b/.github/workflows/cancel_duplicate_workflow_runs.yml
@@ -29,7 +29,7 @@ jobs:
     name: "Cancel duplicate workflow runs"
     runs-on: ubuntu-latest
     steps:
-      - uses: potiuk/cancel-workflow-runs@953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+      - uses: potiuk/cancel-workflow-runs@4723494a065d162f8e9efd071b98e0126e00f866 # @master
         name: "Cancel duplicate workflow runs"
         with:
           cancelMode: allDuplicates
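Review bot: The `# @master` comment on the new `uses:` line records a floating branch, so a reader cannot check the SHA against a published release and the pin cannot be refreshed by tag; the same applies to `# pin@master`, `# pin@v2` and `# pin@v1` in publish_snapshot.yml, `# pin@v2`/`# pin@v1` in test_report.yml and `# pin@v3` in notify_test_workflow.yml and update_build_status.yml (major-version tags move too). Recording the exact release tag the SHA was taken from, e.g. `# pin@v1.2.3` with a real tag, lets the next reviewer verify the commit and lets pin-update tooling compare versions — this file is also the only one keeping the older `# @master` form rather than `# pin@...`, which is worth aligning. It is worth confirming that the chosen pin-maintenance tool recognises the `# pin@...` comment format, since it is the only link between the SHA and the version it stands for.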
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 98855f4..88d17bf 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -44,7 +44,7 @@ jobs:
     #
     # However, these are not in a published release and the current `main` branch
     # has some issues upon testing.
-    - uses: actions/labeler@2.2.0
+    - uses: actions/labeler@5f867a63be70efff62b767459b009290364495eb # pin@2.2.0
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         sync-labels: true
diff --git a/.github/workflows/notify_test_workflow.yml b/.github/workflows/notify_test_workflow.yml
index cc2b7a2..08c50cc 100644
--- a/.github/workflows/notify_test_workflow.yml
+++ b/.github/workflows/notify_test_workflow.yml
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: "Notify test workflow"
-        uses: actions/github-script@v3
+        uses: actions/github-script@f05a81df23035049204b043b50c3322045ce7eb3 # pin@v3
         if: ${{ github.base_ref == 'master' }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
index 46f4f7a..bd75e26 100644
--- a/.github/workflows/publish_snapshot.yml
+++ b/.github/workflows/publish_snapshot.yml
@@ -36,18 +36,18 @@ jobs:
           - branch-3.1
     steps:
     - name: Checkout Spark repository
-      uses: actions/checkout@master
+      uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # pin@master
       with:
         ref: ${{ matrix.branch }}
     - name: Cache Maven local repository
-      uses: actions/cache@v2
+      uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353 # pin@v2
       with:
         path: ~/.m2/repository
         key: snapshot-maven-${{ hashFiles('**/pom.xml') }}
         restore-keys: |
           snapshot-maven-
     - name: Install Java 8
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@d202f5dbf7256730fb690ec59f6381650114feb2 # pin@v1
       with:
         java-version: 8
     - name: Publish snapshot
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index f26100d..f270673 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -27,7 +27,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v1.1.0
+    - uses: actions/stale@c201d45ef4b0ccbd3bb0616f93bae13e73d0a080 # pin@v1.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-pr-message: >
diff --git a/.github/workflows/test_report.yml b/.github/workflows/test_report.yml
index 3277089..2f768b7 100644
--- a/.github/workflows/test_report.yml
+++ b/.github/workflows/test_report.yml
@@ -29,14 +29,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Download test results to report
-      uses: dawidd6/action-download-artifact@v2
+      uses: dawidd6/action-download-artifact@6f8f427fb41886a66b82ea11a5a15d1454c79415 # pin@v2
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         workflow: ${{ github.event.workflow_run.workflow_id }}
         commit: ${{ github.event.workflow_run.head_commit.id }}
         workflow_conclusion: completed
     - name: Publish test report
-      uses: scacap/action-surefire-report@v1
+      uses: scacap/action-surefire-report@482f012643ed0560e23ef605a79e8e87ca081648 # pin@v1
       with:
         check_name: Report test results
         github_token: ${{ secrets.GITHUB_TOKEN }}
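Review bot: Both third-party actions pinned in this hunk still receive `secrets.GITHUB_TOKEN` in their `with:` blocks, so the SHA pin limits what code runs but not what the token can do if either action misbehaves. If the job or workflow does not already declare a `permissions:` block above this hunk (its start is outside the hunk), scoping the token to what these two steps need, e.g. `actions: read` for the artifact download and `checks: write` for the report, would bound the blast radius; the exact scopes should be confirmed against each action's documentation.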
diff --git a/.github/workflows/update_build_status.yml b/.github/workflows/update_build_status.yml
index a695870..671487a 100644
--- a/.github/workflows/update_build_status.yml
+++ b/.github/workflows/update_build_status.yml
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: "Update build status"
-        uses: actions/github-script@v3
+        uses: actions/github-script@f05a81df23035049204b043b50c3322045ce7eb3 # pin@v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
