
Update all github workflow to use actions tied to sha hashes

Open Omega359 opened this issue 8 months ago • 6 comments

Is your feature request related to a problem or challenge?

A recent supply chain attack has made it extremely apparent that GitHub workflows should only use actions that are tied to a specific hash, not a version. This applies to any non-github, non-apache action, of which there seem to be a few:

An example of how to use a sha hash instead of a version can be seen in the extended.yml file:

uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response

Omega359 avatar Mar 18 '25 13:03 Omega359

Thank you @Omega359 -- I agree this is very important

alamb avatar Mar 18 '25 17:03 alamb

I think this is a good first issue as the write up is clear and there is an example to follow

alamb avatar Mar 18 '25 17:03 alamb

take

Jiashu-Hu avatar Mar 18 '25 18:03 Jiashu-Hu

Hi there,

I just checked this issue and tried to solve it.

Feel free to give feedback.

Thank You.

SanjayUG avatar Mar 19 '25 10:03 SanjayUG

A recent supply chain attack has made it extremely apparent that GitHub workflows should only use actions that are tied to a specific hash, not a version. This applies to any non-github, non-apache action, of which there seem to be a few:

This is very important. I don't understand why GitHub Actions copied the design from the Docker world, where a version string is not a version 😞

Do you know if there is any automation to lint workflows for mutable-version-ref actions? Even if we solve this problem today (which we should!), automation could help us not get back to a bad state.

Do you maybe know if an action can be composite and reference downstream actions, potentially with mutable-version-ref? Is there an equivalent of Cargo.lock / package-lock.json for workflows? (I doubt it, but ...)

findepi avatar Jun 16 '25 19:06 findepi
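The issue body asks for every third-party action to be referenced by a full commit SHA, and the comment above asks whether such references can be linted automatically. The script below is an added example, not part of this issue or the DataFusion repository: it scans workflow YAML for `uses:` lines, classifies each reference as SHA-pinned, mutable (tag or branch), local or Docker, and reports mutable references whose owner is outside a trusted set. The trusted owner set (`actions`, `github`, `apache`) is an assumption standing in for the issue's "non-github, non-apache" wording, and the sample workflow is constructed; only the `jlumbroso/free-disk-space@...` line is taken from the issue itself.

```python
import re
from pathlib import Path

# A `uses:` step reference, e.g. `- uses: owner/repo@ref  # optional comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?(?:\s*#\s*(.*))?\s*$")
# A full git commit SHA (40 hex characters); anything else is a mutable ref.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Assumed trusted first-party owners, mirroring the issue's "non-github, non-apache"
# scope. Everything else must be pinned to a full commit SHA.
TRUSTED_OWNERS = {"actions", "github", "apache"}

# Constructed sample workflow; the free-disk-space line is the one quoted in the issue.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
      - name: third-party tool
        uses: example-org/example-action@v1.2.3   # constructed, mutable tag
      - uses: ./.github/actions/local-step
"""


def classify_ref(ref):
    """Return 'sha', 'mutable', 'local' or 'docker' for a `uses:` target."""
    if ref.startswith("./"):
        return "local"          # action checked out with the repository itself
    if ref.startswith("docker://"):
        return "docker"         # image reference; pinning is handled by digest, not git SHA
    if "@" not in ref:
        return "mutable"        # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned_uses(workflow_text, trusted_owners=TRUSTED_OWNERS):
    """Return (line_number, ref) for every mutable third-party action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_ref(ref)
        if kind in ("local", "docker"):
            continue
        owner = ref.split("/", 1)[0]
        if kind == "mutable" and owner not in trusted_owners:
            findings.append((lineno, ref))
    return findings


def scan_workflows(repo_root, trusted_owners=TRUSTED_OWNERS):
    """Scan every .github/workflows/*.yml and *.yaml under repo_root."""
    results = {}
    workflows = Path(repo_root) / ".github" / "workflows"
    for path in sorted(list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml"))):
        findings = find_unpinned_uses(path.read_text(), trusted_owners)
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"sample workflow line {lineno}: mutable reference {ref}")
```

Passing an empty `trusted_owners` set reports every mutable reference, including `actions/*`, which is the stricter policy the repository's linked rust.yml appears to follow; running `scan_workflows(".")` from a repository root makes this usable as a pre-commit or CI check.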

Do you know if there is any automation to lint workflows for mutable-version-ref actions?

I do not know of any myself

alamb avatar Jun 17 '25 14:06 alamb

I think we have basically done this, e.g. https://github.com/apache/datafusion/blob/ed836d73970f5651cba0544326479bc8e2d72c54/.github/workflows/rust.yml#L58

Let's close this one now and we can reopen if there is more work to be done

alamb avatar Dec 01 '25 22:12 alamb