Hi everyone,

Following the recent trivy-action security incident, the Apache Infrastructure team has updated the requirements for GitHub Actions usage across apache/* repositories.

Third-party actions must now be pinned to a specific commit hash rather than a mutable tag.

Key resources:
- Incident details: https://news.apache.org/foundation/entry/initial-report-on-trivy-security-incident
- Approved actions and hashes (raw): https://github.com/apache/infrastructure-actions/blob/main/approved_patterns.yml
- Approved actions and hashes (readable): https://github.com/apache/infrastructure-actions/blob/main/actions.yml

If an action you rely on is not yet on the allow list, you can request that it be added by following the instructions here: https://github.com/apache/infrastructure-actions/?tab=readme-ov-file#adding-a-new-action-to-the-allow-list

-Lari
