This is an automated email from the ASF dual-hosted git repository.
alamb pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git
The following commit(s) were added to refs/heads/main by this push:
new ab66fcb2dc chore: pin GitHub actions versions to hashes (#10169)
ab66fcb2dc is described below
commit ab66fcb2dc61258fce6435034da76f888b2895ba
Author: Jeffrey Vo <[email protected]>
AuthorDate: Tue Jun 23 03:01:48 2026 +0900
chore: pin GitHub actions versions to hashes (#10169)
# Which issue does this PR close?
<!--
We generally require a GitHub issue to be filed for all bug fixes and
enhancements and this helps us generate change logs for our releases.
You can link an issue to this PR using the GitHub syntax.
-->
- N/A
# Rationale for this change
<!--
Why are you proposing this change? If this is already explained clearly
in the issue then this section is not needed.
Explaining clearly why changes are proposed helps reviewers understand
your changes and offer better suggestions for fixes.
-->
Similar to what we did in DataFusion, pin actions to commit hashes, since
tags can be changed and are therefore potentially susceptible to supply chain attacks
- https://github.com/apache/datafusion/issues/15298
# What changes are included in this PR?
<!--
There is no need to duplicate the description in the issue here but it
is sometimes worth providing a summary of the individual changes in this
PR.
-->
Pin all versions to their hashes
# Are these changes tested?
<!--
We typically require tests for all PRs in order to:
1. Prevent the code from being accidentally broken by subsequent changes
2. Serve as another way to document the expected behavior of the code
If tests are not included in your PR, please explain why (for example,
are they covered by existing tests)?
If this PR claims a performance improvement, please include evidence
such as benchmark results.
-->
# Are there any user-facing changes?
<!--
If there are user-facing changes then we may require documentation to be
updated before approving the PR.
If there are any breaking changes to public APIs, please call them out.
-->
---
.github/actions/setup-builder/action.yaml | 2 +-
.github/workflows/arrow.yml | 10 +++++-----
.github/workflows/arrow_flight.yml | 6 +++---
.github/workflows/audit.yml | 2 +-
.github/workflows/dev.yml | 8 ++++----
.github/workflows/dev_pr.yml | 4 ++--
.github/workflows/docs.yml | 10 +++++-----
.github/workflows/integration.yml | 22 +++++++++++-----------
.github/workflows/miri.yaml | 2 +-
.github/workflows/parquet-geospatial.yml | 6 +++---
.github/workflows/parquet-variant.yml | 6 +++---
.github/workflows/parquet.yml | 12 ++++++------
.github/workflows/parquet_derive.yml | 4 ++--
.github/workflows/release.yml | 2 +-
.github/workflows/rust.yml | 8 ++++----
.github/workflows/take.yml | 2 +-
16 files changed, 53 insertions(+), 53 deletions(-)
diff --git a/.github/actions/setup-builder/action.yaml
b/.github/actions/setup-builder/action.yaml
index 209d58e2d8..81d2b09ba8 100644
--- a/.github/actions/setup-builder/action.yaml
+++ b/.github/actions/setup-builder/action.yaml
@@ -21,7 +21,7 @@ runs:
using: "composite"
steps:
- name: Cache Cargo
- uses: actions/cache@v4
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
# these represent dependencies downloaded by cargo
# and thus do not depend on the OS, arch nor rust version.
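Review bot: The added `uses:` line moves this composite action from `actions/cache@v4` to a hash annotated `# v5.0.5`, so this hunk is a major-version upgrade rather than a pin of the version that was already running. The commit description says only that versions are pinned to hashes, and a major bump can change runtime requirements or cache behaviour for every workflow that calls `./.github/actions/setup-builder`. It deserves its own line in the description, or a separate commit, so it can be reviewed and reverted independently of the pinning. If the intent was to align with the `actions/cache@v5` already used in integration.yml, a comment such as `# bumped from v4 to match integration.yml` would record that. The `with:` block continues outside the hunk.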
diff --git a/.github/workflows/arrow.yml b/.github/workflows/arrow.yml
index 32cba9dcfa..cb9a6efcab 100644
--- a/.github/workflows/arrow.yml
+++ b/.github/workflows/arrow.yml
@@ -56,7 +56,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
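Review bot: The `image: amd64/rust` line in this job is still a mutable reference, so the container that runs every step can change underneath the now-pinned actions. The same unpinned image appears as context in the other arrow.yml hunks and in arrow_flight.yml, the parquet*.yml workflows and rust.yml. To close the same tag-mutability gap the commit describes, consider pinning by digest, e.g. `image: amd64/rust@sha256:<digest-of-reviewed-image>` (placeholder), and refreshing it through the same update process as the action hashes. The job body starts and ends outside the hunk.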
@@ -116,7 +116,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -152,7 +152,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -180,7 +180,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -200,7 +200,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Setup Clippy
diff --git a/.github/workflows/arrow_flight.yml
b/.github/workflows/arrow_flight.yml
index aebddc881a..fd8bd2dadd 100644
--- a/.github/workflows/arrow_flight.yml
+++ b/.github/workflows/arrow_flight.yml
@@ -47,7 +47,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -68,7 +68,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Run gen
@@ -82,7 +82,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Setup Clippy
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 5f803a3aa5..e63fc86267 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -36,7 +36,7 @@ jobs:
name: Audit
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Install cargo-audit
run: cargo install cargo-audit
- name: Run audit check
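Review bot: The `run: cargo install cargo-audit` step directly below the pinned checkout still fetches whatever version of the tool and its dependency tree is current at run time, which is the same class of drift this commit removes for actions. Consider `run: cargo install cargo-audit --locked --version <reviewed-version>` (the version is a placeholder) so the audit tool itself is reproducible. This line is unchanged context in the hunk, so it may be better handled in a follow-up.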
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 812595a066..355a5216c9 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -38,9 +38,9 @@ jobs:
name: Release Audit Tool (RAT)
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: 3.8
- name: Audit licenses
@@ -50,8 +50,8 @@ jobs:
name: Markdown format
runs-on: ubuntu-slim
steps:
- - uses: actions/checkout@v7
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #
v6.4.0
with:
node-version: "14"
- name: Prettier check
diff --git a/.github/workflows/dev_pr.yml b/.github/workflows/dev_pr.yml
index 229dd0caf6..f00bff8e37 100644
--- a/.github/workflows/dev_pr.yml
+++ b/.github/workflows/dev_pr.yml
@@ -37,14 +37,14 @@ jobs:
contents: read
pull-requests: write
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Assign GitHub labels
if: |
github.event_name == 'pull_request_target' &&
(github.event.action == 'opened' ||
github.event.action == 'synchronize')
- uses: actions/[email protected]
+ uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 #
v6.1.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: .github/workflows/dev_pr/labeler.yml
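Review bot: The checkout step in this job has no `with:` block, and the job's `if:` shows it runs on `pull_request_target` with `pull-requests: write`, so the checkout persists the job token for every later step by default. The labeler step receives the token explicitly through `repo-token`, so the checkout does not need to keep it: add `with:` and `persist-credentials: false` under the `actions/checkout` line. A comment above the checkout such as `# pull_request_target: base branch only; never check out the PR head in this job` would also protect against a later edit adding a `ref:`. The trigger definition and the start of the job are outside the hunk.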
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 8c7360dd92..ebe9415089 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -39,7 +39,7 @@ jobs:
env:
RUSTDOCFLAGS: "-Dwarnings --enable-index-page -Zunstable-options"
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -56,7 +56,7 @@ jobs:
echo "::warning title=Invalid file permissions automatically
fixed::$line"
done
- name: Upload artifacts
- uses: actions/upload-pages-artifact@v5
+ uses:
actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
with:
name: crate-docs
path: target/doc
@@ -69,9 +69,9 @@ jobs:
contents: write
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Download crate docs
- uses: actions/download-artifact@v8
+ uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: crate-docs
path: website/build
@@ -81,7 +81,7 @@ jobs:
rm website/build/artifact.tar
cp .asf.yaml ./website/build/.asf.yaml
- name: Deploy to gh-pages
- uses: peaceiris/[email protected]
+ uses:
peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0
if: github.event_name == 'push' && github.ref_name == 'main'
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
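Review bot: `peaceiris/actions-gh-pages` is the one third-party action in this commit and it runs in a job with `contents: write`, so the hash on the added `uses:` line deserves independent verification that it is the commit the `v4.1.0` tag points to in the upstream repository itself. The trailing `# v4.1.0` comment is informational only; nothing visible in this diff checks that hash and comment agree, here or on the `actions/*` lines in the other hunks. If the repository does not already have one, an update bot configured for GitHub Actions would keep hash and comment in step and stop the pins from going stale. The old line's version is garbled in this rendering, so whether this hunk is also a version change cannot be told from the page.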
diff --git a/.github/workflows/integration.yml
b/.github/workflows/integration.yml
index 6b9ba82c2f..c58647b8f2 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -116,43 +116,43 @@ jobs:
# Checkout repos (using shallow clones with fetch-depth: 1)
- name: Checkout Arrow
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
repository: apache/arrow
submodules: true
fetch-depth: 1
- name: Checkout Arrow Rust
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
path: rust
submodules: true
fetch-depth: 1
- name: Checkout Arrow .NET
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
repository: apache/arrow-dotnet
path: dotnet
fetch-depth: 1
- name: Checkout Arrow Go
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
repository: apache/arrow-go
path: go
fetch-depth: 1
- name: Checkout Arrow Java
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
repository: apache/arrow-java
path: java
fetch-depth: 1
- name: Checkout Arrow JavaScript
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
repository: apache/arrow-js
path: js
fetch-depth: 1
- name: Checkout Arrow nanoarrow
- uses: actions/checkout@v7
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
repository: apache/arrow-nanoarrow
path: nanoarrow
@@ -194,7 +194,7 @@ jobs:
# PyArrow 15 was the first version to introduce StringView/BinaryView
support
pyarrow: ["15", "16", "17"]
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -203,17 +203,17 @@ jobs:
rustup default ${{ matrix.rust }}
rustup component add rustfmt clippy
- name: Cache Cargo
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: /home/runner/.cargo
key: cargo-maturin-cache-
- name: Cache Rust dependencies
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: /home/runner/target
# this key is not equal because maturin uses different compilation
flags.
key: ${{ runner.os }}-${{ matrix.arch }}-target-maturin-cache-${{
matrix.rust }}-
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: '3.8'
- name: Upgrade pip and setuptools
diff --git a/.github/workflows/miri.yaml b/.github/workflows/miri.yaml
index 7fd3ac9e5f..36285bc2fa 100644
--- a/.github/workflows/miri.yaml
+++ b/.github/workflows/miri.yaml
@@ -50,7 +50,7 @@ jobs:
matrix:
partition: [1, 2, 3, 4]
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
diff --git a/.github/workflows/parquet-geospatial.yml
b/.github/workflows/parquet-geospatial.yml
index 3f8a4c6fb5..201790339e 100644
--- a/.github/workflows/parquet-geospatial.yml
+++ b/.github/workflows/parquet-geospatial.yml
@@ -41,7 +41,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -56,7 +56,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -70,7 +70,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Setup Clippy
diff --git a/.github/workflows/parquet-variant.yml
b/.github/workflows/parquet-variant.yml
index 32d588a9e2..51858f0898 100644
--- a/.github/workflows/parquet-variant.yml
+++ b/.github/workflows/parquet-variant.yml
@@ -43,7 +43,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -62,7 +62,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -80,7 +80,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Setup Clippy
diff --git a/.github/workflows/parquet.yml b/.github/workflows/parquet.yml
index dd03c98c7f..4be54b0e28 100644
--- a/.github/workflows/parquet.yml
+++ b/.github/workflows/parquet.yml
@@ -55,7 +55,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -77,7 +77,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -132,7 +132,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -155,9 +155,9 @@ jobs:
matrix:
rust: [ stable ]
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
with:
python-version: "3.10"
cache: "pip"
@@ -188,7 +188,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Setup Clippy
diff --git a/.github/workflows/parquet_derive.yml
b/.github/workflows/parquet_derive.yml
index 6445772286..c2b3083f6f 100644
--- a/.github/workflows/parquet_derive.yml
+++ b/.github/workflows/parquet_derive.yml
@@ -43,7 +43,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Setup Rust toolchain
@@ -57,7 +57,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Setup Clippy
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a13e48a96..d0bb1815b6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,7 +33,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Create GitHub Releases
run: |
version=${GITHUB_REF_NAME}
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 4101584048..59f8e2217a 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -36,7 +36,7 @@ jobs:
name: Test on Mac
runs-on: macos-latest
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Install protoc with brew
@@ -59,7 +59,7 @@ jobs:
name: Test on Windows
runs-on: windows-latest
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
with:
submodules: true
- name: Install protobuf compiler in /d/protoc
@@ -91,7 +91,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Setup rustfmt
@@ -113,7 +113,7 @@ jobs:
container:
image: amd64/rust
steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #
v7.0.0
- name: Setup Rust toolchain
uses: ./.github/actions/setup-builder
- name: Install cargo-msrv (if needed)
diff --git a/.github/workflows/take.yml b/.github/workflows/take.yml
index cda06c32c5..5ae4fdb3f1 100644
--- a/.github/workflows/take.yml
+++ b/.github/workflows/take.yml
@@ -28,7 +28,7 @@ jobs:
if: (!github.event.issue.pull_request) && github.event.comment.body ==
'take'
runs-on: ubuntu-slim
steps:
- - uses: actions/github-script@v9
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
# v9.0.0
with:
script: |
github.rest.issues.addAssignees({