CharlieMCY opened a new issue, #23037: URL: https://github.com/apache/datafusion/issues/23037
### Summary

The default branch already hardened `.github/workflows/dev.yml` against the issue(s) below, but the release branch **`maint-16.x`** still carries it. This proposes the same, minimal fix for that branch.

### Affected branch / file

- branch: **`maint-16.x`** (HEAD `c8d10c56`)
- file: `.github/workflows/dev.yml`

### What's flagged (by [zizmor](https://github.com/woodruffw/zizmor))

- `unpinned-uses` — actions referenced by mutable tag/branch instead of a pinned commit SHA

These are already resolved on the default branch in https://github.com/apache/datafusion/commit/9b27952303d38f9991475e9feb1d81ccac9d4f65 but the fix was not backported to `maint-16.x`.

### Suggested fix

Concretely:

- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=korandoru/hawkeye].uses : pin(korandoru/hawkeye -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/setup-node].uses : pin(actions/setup-node -> target_ref SHA)

```diff
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -36,8 +36,8 @@
     name: Use prettier to check formatting of documents
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
         with:
           node-version: "14"
       - name: Prettier check
```

*(Whitespace is normalized in the diff above; only the security-relevant lines change.)*

This patch was checked locally with **zizmor** and **actionlint**: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced.

---

*This issue was prepared by an automated workflow-hardening analysis and double-checked against the two scanners above. Please review before merging — happy to send a pull request instead if that's preferred.*
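Review bot: The hunk pins only the prettier job's `actions/checkout` and `actions/setup-node`, while the "Suggested fix" list above names four constructs, including `korandoru/hawkeye` and a second `actions/checkout` in job `$J`; either include those hunks here or state that they are deliberately left for a follow-up, otherwise zizmor's `unpinned-uses` will still fire on `maint-16.x`. On the two `+` lines, the trailing comment `# v3` records only the major tag: please replace it with the exact release tag the SHA resolves to (for example `# v3.<minor>.<patch>`, verified against the upstream release) so reviewers can check that each SHA really is a commit of that action's tagged release and so Dependabot/Renovate can keep the pinned SHA updated. Note also that the unchanged context line `node-version: "14"` is outside this change's scope; leave it as is here so the backport stays minimal and security-only, as the issue text promises.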
