guiyanakuang commented on a change in pull request #914:
URL: https://github.com/apache/orc/pull/914#discussion_r711998202
##########
File path: .github/workflows/build_and_test.yml
##########
@@ -40,6 +40,12 @@ jobs:
uses: actions/setup-java@v1
with:
java-version: ${{ matrix.java }}
+ - name: Set maven version to env
+ run: echo "maven_version=$(grep "<maven.version>" "./java/pom.xml" |
head -n1 | awk -F '[<>]' '{print $3}')" >> $GITHUB_ENV
+ - name: Set up Maven ${{ env.maven_version }}
+ uses: stCarolas/setup-maven@v4
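Review bot: The new `Set up Maven ${{ env.maven_version }}` step at the end of the hunk pulls `stCarolas/setup-maven@v4` from a third-party repository by a mutable tag, so whoever controls that repository (or can move the `v4` tag) controls code that runs inside this project's CI job; if the action is kept at all, pin it to a full commit SHA with the tag noted in a trailing comment, or vendor it via the submodule pattern rather than a bare `uses:`. Minor, in the `Set maven version to env` step: quote `"$GITHUB_ENV"`, and note that if `<maven.version>` is absent from `./java/pom.xml` the pipeline sets an empty `maven_version` without failing, so the next step silently installs whatever the action's default is.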
Review comment:
@dongjoon-hyun I read this link to learn about security:
https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status.
This PR hands over the installation of Maven to a
third party, which does pose a significant security risk.
> NEVER use 3rd-party actions directly in your workflows - use the
> "submodule" pattern. Example PR Tobiasz Kędzierski opened in SuperSet showing
> how this could be done.
Although I did not find an ASF Approved Action list, I will close this PR
first and open it again if I find a safe and approved solution.
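One check a maintainer can run before merging workflow changes like this one, added here as an example and not part of the PR or the ORC project: a POSIX shell function that lists every remote `uses:` reference in a workflow file that is not pinned to a full commit SHA. The sample workflow it writes is constructed (the `example/pinned-action` name and its SHA are made up); it includes the `stCarolas/setup-maven@v4` step from the hunk above.

```shell
#!/bin/sh
# List remote `uses:` references in a GitHub Actions workflow that are not
# pinned to a full 40-hex commit SHA (i.e. a mutable tag, branch, or no ref).
# Local actions (./path) and docker:// images are skipped.
unpinned_uses() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" |
    sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" |   # drop trailing comment and quotes
    while IFS= read -r ref; do
        [ -z "$ref" ] && continue
        case "$ref" in ./*|docker://*) continue ;; esac
        rev="${ref##*@}"
        if [ "$rev" = "$ref" ]; then
            echo "$ref"                     # no @ref: floats on the default branch
        else
            case "$rev" in
                *[!0-9a-f]*) echo "$ref" ;; # tag or branch name: mutable
                *) [ "${#rev}" -eq 40 ] || echo "$ref" ;;  # abbreviated SHA
            esac
        fi
    done
}

# Constructed sample workflow (not the PR's file): mixes the steps from the
# hunk above with a local action and one action pinned to a made-up SHA.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v1
      - name: Set up Maven
        uses: stCarolas/setup-maven@v4
      - uses: ./.github/actions/local-helper
      - uses: "example/pinned-action@0123456789abcdef0123456789abcdef01234567" # v1.2.3 (SHA made up)
EOF
}

# Usage: sh check-uses.sh .github/workflows/build_and_test.yml
if [ "$#" -gt 0 ]; then
    unpinned_uses "$1"
fi
```

On the sample file the function prints the three tag-pinned references (`actions/checkout@v2`, `actions/setup-java@v1`, `stCarolas/setup-maven@v4`) and nothing for the local or SHA-pinned steps.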