[ https://issues.apache.org/jira/browse/SPARK-56260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated SPARK-56260:
-----------------------------------
Labels: pull-request-available (was: )
> Pin GitHub Actions to specific SHA versions in CI workflows
> -----------------------------------------------------------
>
> Key: SPARK-56260
> URL: https://issues.apache.org/jira/browse/SPARK-56260
> Project: Spark
> Issue Type: Improvement
> Components: Project Infra
> Affects Versions: 4.2.0
> Reporter: Yicong Huang
> Priority: Major
> Labels: pull-request-available
>
> Pin all GitHub Actions used in CI workflows to specific commit SHA versions
> instead of mutable tags (e.g., v4, v5). This is a security best practice
> recommended by GitHub to prevent supply chain attacks via compromised action
> tags.
> Currently, several actions use mutable version tags:
> - actions/checkout@v6
> - actions/setup-java@v5
> - actions/setup-python@v6
> - actions/cache@v5
> - actions/upload-artifact@v6
> - bufbuild/buf-*-action@v1
> - codecov/codecov-action@v5
> - and others
> The docker/* actions are already pinned to SHA. This ticket covers pinning
> the remaining actions.
> This will be done in two PRs:
> 1. Pin official actions/* to SHA
> 2. Pin third-party actions to SHA
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
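The audit behind this ticket, as an added example and not code from the Spark project: a small Python scanner that walks the `uses:` lines of a workflow, reports actions still referenced by a mutable tag (the finding), and separately flags SHA-pinned actions that lack the usual `# vX` version comment. The function names, the sample workflow and the two 40-hex SHAs are constructed placeholders, not real commits.

```python
import re

# A remote `uses:` reference of the form owner/repo[/path]@ref, optionally
# followed by a "# vX" comment that keeps the version readable next to a SHA.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)'
    r'(?:\s*#\s*(?P<comment>\S+))?'
)
# A full 40-hex-digit commit SHA is immutable; tags and branches can be moved.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(workflow_text):
    """Return (action, ref, pinned, comment) for every remote `uses:` line.

    Local actions (`uses: ./path`) and `docker://` images carry no `@ref`
    and are skipped; tag pinning does not apply to them.
    """
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group('ref')
            found.append((m.group('action'), ref,
                          bool(SHA_RE.match(ref)), m.group('comment')))
    return found


def unpinned_actions(workflow_text):
    """Actions still referenced by a mutable tag or branch."""
    return [(a, r) for a, r, pinned, _ in classify_uses(workflow_text) if not pinned]


def sha_without_version_comment(workflow_text):
    """SHA-pinned actions with no trailing `# vX` comment (hard to review/update)."""
    return [a for a, _, pinned, c in classify_uses(workflow_text) if pinned and c is None]


# Constructed sample workflow; both SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v6
        with:
          python-version: '3.11'
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-helper
      - uses: codecov/codecov-action@v5
"""

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```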