HIVE-29553: Pin third-party GitHub Actions #6417
okumin wants to merge 5 commits into apache:master from
| - 'master' | ||
| permissions: | ||
| contents: read |
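Review bot: the workflow-level `permissions: contents: read` is the right default, but check that no job in this file needs a wider token; a job that does (for example one that publishes images or comments on PRs) should declare its own `permissions:` block at job level rather than the default being raised for the whole workflow.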
| default: '0.10.2' | ||
| permissions: | ||
| contents: read |
| permissions: | ||
| contents: read | ||
| issues: write | ||
| pull-requests: write |
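Review bot: `issues: write` and `pull-requests: write` are the only write scopes added here, so they belong on the specific job whose step comments on issues or PRs, not at a level where every job in the workflow inherits them; a one-line comment above the block naming the step that needs them would also make the next reviewer's job easier.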
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v2 | ||
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 |
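Review bot: the pinned SHA for `docker/login-action` carries no indication of which release it was resolved from, which is exactly what the v4.0.0 question in this thread is asking. Appending the tag as a trailing comment (`uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # <tag the SHA was resolved from>`) records what was reviewed and lets Dependabot keep both the SHA and the comment current. The same applies to the other pinned `uses:` lines in this PR.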
can't we use tag v4.0.0?
uses: docker/login-action@v4
No, we can't. ASF prohibits the use of mutable tags for non-official actions: https://infra.apache.org/github-actions-policy.html
You MUST pin all external actions to the specific git hash (SHA1) of the action that has been reviewed for use by the project. For instance, you MUST pin foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878.
Related PRs.
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v2 | ||
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd |
| - name: Build Hive Image locally | ||
| uses: docker/build-push-action@v4 | ||
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 |
| - name: Create k8s cluster | ||
| uses: helm/kind-action@v1 | ||
| uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc |
| - name: Set up Helm | ||
| uses: azure/setup-helm@v4 | ||
| uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 |
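Review bot: with every third-party action now pinned to a commit, nothing in this PR keeps the pins from going stale. Consider adding a `.github/dependabot.yml` entry for the `github-actions` package ecosystem (Dependabot can bump SHA-pinned `uses:` references and update the accompanying version comment), so that the next `azure/setup-helm` or `helm/kind-action` release arrives as a reviewable PR rather than through a manual hash hunt.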
What changes were proposed in this pull request?
We would specify the versions of the external GitHub Actions, following ASF's policy.
https://issues.apache.org/jira/browse/HIVE-29553
This PR would also add two additional security workflows.
As CodeQL reported permission issues, I addressed them in this PR.
This PR does not pin apache/*, github/*, and actions/* because they are allowed.
Why are the changes needed?
Because of the policy, docker-image.yml is not currently working. Also, we should be aware of the recent increase in supply-chain attacks.
Does this PR introduce any user-facing change?
No
How was this patch tested?
I ran new actions + docker-images.yml.
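The rule this PR applies (every external action pinned to a full commit SHA, with apache/*, github/* and actions/* exempt) is easy to check mechanically. The following script is an added example, not part of the Hive PR or the project's tooling: it scans `uses:` lines in a workflow file, reports refs that are tags, branches or short SHAs, and also flags SHA pins that lack a trailing `# <tag>` comment naming the reviewed release. The owner allowlist comes from the PR description; the sample workflow is constructed and reuses `uses:` lines and SHAs shown in the diff, with a placeholder where a version comment would go.

```python
"""Flag third-party GitHub Actions that are not pinned to a full commit SHA.

Added example (not part of the Hive PR): a line-oriented scan of workflow
files applying the rule from the PR description, i.e. every action is pinned
to a 40-hex commit, except those owned by apache/, github/ and actions/.
"""
import re
import sys
from typing import List, Tuple

# Owners the PR description exempts from pinning.
TRUSTED_OWNERS = ("apache", "github", "actions")

# Matches a `uses:` step line and captures the action spec (quotes optional).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Finding = Tuple[int, str, str]  # (line number, action spec, problem)


def find_unpinned(workflow_text: str) -> List[Finding]:
    """Return one finding per `uses:` line that violates the pinning rule."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local composite actions and container images are not git refs.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append((lineno, spec, "no ref given at all"))
            continue
        name, _, ref = spec.rpartition("@")
        if name.split("/")[0] in TRUSTED_OWNERS:
            continue
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((lineno, spec,
                             f"ref '{ref}' is not a full 40-hex commit SHA (tag, branch or short SHA)"))
        elif "#" not in line[m.end():]:
            # Pinned, but a reviewer cannot tell which release the SHA came from.
            findings.append((lineno, spec,
                             "pinned to a SHA but has no trailing '# <tag>' comment naming the reviewed release"))
    return findings


# Constructed sample workflow reusing `uses:` lines from the PR diff.
SAMPLE_WORKFLOW = """\
name: docker-image
on:
  push:
    branches:
      - 'master'
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Login to Docker Hub
        uses: docker/login-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # <release tag, placeholder>
      - uses: ./.github/actions/local-helper
      - name: Create k8s cluster
        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
"""


def main() -> int:
    """Scan the file given on the command line, or the constructed sample."""
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    findings = find_unpinned(text)
    for lineno, spec, problem in findings:
        print(f"line {lineno}: {spec}: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample it reports the unpinned `docker/login-action@v2` line and the `helm/kind-action` pin that has no version comment, and exits non-zero; pointing it at `.github/workflows/*.yml` in a pre-commit hook or CI job keeps the policy from regressing after this PR merges.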