mumrah commented on code in PR #16915:
URL: https://github.com/apache/kafka/pull/16915#discussion_r1722535722
##########
.github/workflows/docker_scan.yml:
##########
@@ -29,7 +32,7 @@ jobs:
supported_image_tag: ['latest', '3.7.0']
steps:
- name: Run CVE scan
- uses: aquasecurity/trivy-action@master
+ uses:
aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
Review Comment:
This seems like a very important change. We should not be pulling in
`master` of any action.
We also need to have Infra bless any 3rd party plugins we use. I filed
https://issues.apache.org/jira/browse/INFRA-26051 for this.
##########
.github/workflows/docker_scan.yml:
##########
@@ -39,7 +42,7 @@ jobs:
exit-code: '1'
- name: Upload CVE scan report
if: always()
- uses: actions/upload-artifact@v4
Review Comment:
I think we can probably keep the official `actions/*` at "flexible" versions
(like v3, v4, etc).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
