findepi commented on issue #15298: URL: https://github.com/apache/datafusion/issues/15298#issuecomment-2977828294
> A recent [supply chain attack](https://arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/) has made it extremely apparent that GitHub workflows should only use actions that are tied to a specific hash, not a version. This applies to any non-GitHub, non-Apache action, of which there seem to be a few:

This is very important. I don't understand why GitHub Actions copied the design from the Docker world, where a version string is not a version 😞

Do you know if there is any automation to lint workflows for mutable-version-ref actions? Even if we solve this problem today (which we should!), automation could help us not get back to a bad state.

Do you maybe know if an action can be composite and reference downstream actions, potentially with a mutable version ref?

Is there an equivalent of Cargo.lock / package-lock.json for workflows? (I doubt it, but ...)

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@datafusion.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
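The comment above asks for automation that flags mutable action references, and whether a composite action can itself pull in downstream actions by tag. Both can be checked with the same scan, because a composite action's `action.yml` declares its steps with the same `uses:` syntax as a workflow (under `runs.steps`), and a reusable workflow is referenced the same way via `jobs.<id>.uses`. Pinning a composite action to a commit SHA therefore freezes its `action.yml`, but not the tag references inside it; those are resolved at run time. The following linter is an added example written for this page, not code from the DataFusion project or from the comment's author. It is deliberately regex-based so it runs without a YAML library; the trusted-owner allowlist mirrors the issue's "non-github, non-apache" carve-out and is a policy assumption, and the two YAML documents are constructed samples (`example-org/...` names are placeholders, not real actions).

```python
"""Line-based lint for GitHub workflow and composite-action YAML: flag
`uses:` references that are not pinned to an immutable commit SHA.

Regex-based on purpose so that it runs without a YAML library; a
production linter would parse the YAML and walk jobs/steps instead.
"""
import re
import sys
from dataclasses import dataclass

# Matches `- uses: owner/repo[/path]@ref`, `uses: owner/repo/.github/workflows/x.yml@ref`
# (reusable workflow), `uses: ./local/path` and `uses: docker://image[@digest]`.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Owners allowed to keep tag refs. This mirrors the issue's "non-github,
# non-apache" carve-out and is a policy assumption; pass frozenset() to
# require a full SHA for every remote action.
TRUSTED_OWNERS = frozenset({"actions", "github", "apache"})


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def classify(ref: str, trusted=TRUSTED_OWNERS):
    """Return None if `ref` is acceptably pinned, else a reason string."""
    if ref.startswith("./"):
        return None  # local action: resolved from the checked-out repo itself
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and DOCKER_DIGEST_RE.match(image.rsplit("@", 1)[1]):
            return None
        return "docker image not pinned by sha256 digest"
    if "@" not in ref:
        return "no ref given (resolves to the default branch)"
    target, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return None  # full 40-hex commit SHA: immutable
    if target.split("/", 1)[0] in trusted:
        return None  # tag on a trusted owner, allowed by policy
    return f"mutable ref '{version}' on third-party action"


def lint(text: str, trusted=TRUSTED_OWNERS):
    """Scan workflow or action.yml text and return findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        reason = classify(m.group(1), trusted)
        if reason is not None:
            findings.append(Finding(line_no, m.group(1), reason))
    return findings


# Constructed sample workflow; action names under example-org are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: apache/example-action@v1
      - uses: example-org/unpinned-action@v3
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: example-org/short-sha-action@0123456
      - uses: example-org/no-ref-action
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed composite action: even if a workflow pins this action by SHA,
# the step below still resolves `main` at run time.
SAMPLE_COMPOSITE = """\
name: composite-example
description: constructed example of a composite action
runs:
  using: composite
  steps:
    - uses: example-org/inner-action@main
"""


if __name__ == "__main__":
    total = 0
    for name, text in (("ci.yml", SAMPLE_WORKFLOW), ("action.yml", SAMPLE_COMPOSITE)):
        for f in lint(text):
            total += 1
            print(f"{name}:{f.line_no}: {f.ref}: {f.reason}")
    sys.exit(1 if total else 0)  # non-zero exit so CI can gate on it
```

Run against a checkout it should be pointed at both `.github/workflows/*.yml` and any `action.yml` of vendored composite actions, since the second is where the transitive mutable refs hide. Short SHAs are rejected on purpose: only the full 40-hex commit id is treated as immutable, and the `# v2.1.0` trailing comment style shown on the pinned line is how the human-readable version is usually kept next to the hash.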