Yicong Huang created SPARK-56260:
------------------------------------
Summary: Pin GitHub Actions to specific SHA versions in CI workflows
Key: SPARK-56260
URL: https://issues.apache.org/jira/browse/SPARK-56260
Project: Spark
Issue Type: Improvement
Components: Project Infra
Affects Versions: 4.2.0
Reporter: Yicong Huang
Pin all GitHub Actions used in CI workflows to specific commit SHA versions
instead of mutable tags (e.g., v4, v5). This is a security best practice
recommended by GitHub to prevent supply chain attacks via compromised action
tags.

Currently, several actions use mutable version tags:
- actions/checkout@v6
- actions/setup-java@v5
- actions/setup-python@v6
- actions/cache@v5
- actions/upload-artifact@v6
- bufbuild/buf-*-action@v1
- codecov/codecov-action@v5
- and others

The docker/* actions are already pinned to SHA. This ticket covers pinning the
remaining actions.

This will be done in two PRs:
1. Pin official actions/* to SHA
2. Pin third-party actions to SHA
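As an added example (not part of this ticket or of Spark's own tooling), a small checker that flags `uses:` references in a workflow that are not pinned to a full 40-hex-digit commit SHA, which is the condition the ticket wants every action to satisfy. The workflow text and the SHA in it are constructed samples, not values from the Spark repository.

```python
import re
from typing import List, Tuple

# A full 40-hex-digit commit SHA; anything else after "@" (v6, main, a short
# SHA) is a mutable or ambiguous ref and can be moved after the fact.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" as a list item or a bare key; the trailing
# "# vN" comment GitHub suggests next to a SHA is excluded from the capture.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def parse_uses(ref: str) -> Tuple[str, str]:
    """Split 'owner/repo@ref' into (action, ref); refs without '@' get ''."""
    if "@" not in ref:
        return ref, ""
    action, version = ref.rsplit("@", 1)
    return action, version

def is_pinned(ref: str) -> bool:
    """True when the ref is a full commit SHA. Local actions (./path) and
    docker:// images are outside the scope of this check and are skipped."""
    action, version = parse_uses(ref)
    if action.startswith("./") or action.startswith("docker://"):
        return True
    return bool(SHA_RE.match(version))

def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, uses_ref) for each step not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1).strip("'\"")):
            findings.append((lineno, m.group(1).strip("'\"")))
    return findings

# Constructed sample workflow: one tag-pinned step, one SHA-pinned step with
# the conventional "# vN" comment (the SHA is a placeholder), one local action,
# and one step following a branch.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567  # v5
      - uses: ./.github/actions/local-step
      - uses: codecov/codecov-action@main
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run over a real repository by feeding each file under `.github/workflows/` to `find_unpinned`; a non-empty result is the list of steps this ticket would change.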
--
This message was sent by Atlassian Jira
(v8.20.10#820010)