dongjoon-hyun opened a new pull request, #2655: URL: https://github.com/apache/orc/pull/2655
### What changes were proposed in this pull request? This PR pins two `docker/*` GitHub Actions in `.github/workflows/build_and_test.yml` to commit hashes approved by the ASF (`apache/infrastructure-actions/approved_patterns.yml`): | Action | Before | After | | --- | --- | --- | | `docker/setup-qemu-action` | `@v3` | `@c7c53464625b32c7a7e944ae62b3e17d2b600130` (v3.7.0) | | `docker/setup-buildx-action` | `@v3` | `@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5` (v4.1.0) | Note that the approved patterns list has no `v3.x` hash for `docker/setup-buildx-action`, so it is bumped from `v3` to the latest approved `v4.1.0`. Actions under `actions/*` and `apache/*` are intentionally left on their tags per the ASF policy for trusted sources. `ruby/setup-ruby` is approved only as a wildcard (no hash), and `cpp-linter/cpp-linter-action` is already pinned to an approved hash. ### Why are the changes needed? The ASF infrastructure policy requires third-party GitHub Actions to be pinned to approved commit hashes instead of mutable version tags, to prevent supply-chain attacks from tag reassignment. ### How was this patch tested? Pass the GitHub Actions. ### Was this patch authored or co-authored using generative AI tooling? Generated-by: Claude Opus 4.8 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
