
updated GitHub action by changing version tag to sha hashes

Open Jiashu-Hu opened this issue 9 months ago • 5 comments

Which issue does this PR close?

Rationale for this change

This update strengthens the security of GitHub workflows by substituting version tags with precise SHA hashes for actions. This modification reduces the risks tied to supply chain attacks by guaranteeing that only validated action versions are utilized in the workflows. This method adheres to industry best practices for safeguarding CI/CD pipelines.

What changes are included in this PR?

Replaced version tags with specific SHA hashes for actions in the GitHub workflows.

Original:

dev.yml -> - uses: korandoru/hawkeye@v6
rust.yml -> - uses: korandoru/hawkeye@v6
setup-macos-aarch64-builder/action.yaml -> uses: Swatinem/rust-cache@v2
setup-rust-runtime/action.yaml -> uses: mozilla-actions/sccache-action@v0.0.4

Update:

dev.yml -> - uses: korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7
rust.yml -> - uses: korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7
setup-macos-aarch64-builder/action.yaml -> uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
setup-rust-runtime/action.yaml -> uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd

Are these changes tested?

Yes, the changes are tested to ensure that the GitHub workflows function correctly with the specified SHA hashes.

Where I got these hashes:

korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7:

This is implemented in v6 of the original GitHub Action, but it redirects to v6.0.1. Consequently, I’ve bound the hash to v6.0.1 here for consistency and security.

https://github.com/korandoru/hawkeye/commit/dd74178a96f27b1121447c6b4a4ccfce180d5bf7

Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6:

This is implemented in v2 of the original GitHub Action, but it redirects to v2.7.8. Consequently, I’ve bound the hash to v2.7.8 here for consistency and security.

https://github.com/Swatinem/rust-cache/commit/9d47c6ad4b02e050fd481d890b2ea34778fd09d6

mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd:

This is implemented in v0.0.4 of the original GitHub Action, so I just bound the hash to v0.0.4 here for consistency and security.

https://github.com/mozilla-actions/sccache-action/commit/2e7f9ec7921547d4b46598398ca573513895d0bd


Are there any user-facing changes?

No, all of it is under GitHub Actions.

Jiashu-Hu avatar Mar 19 '25 17:03 Jiashu-Hu

hi @alamb, @Omega359, it seems there's some regulation in the Apache community that blocks SHA hash values as version tags; if we can update our GitHub Actions policy, that would be best.

I tried converting it to a shorter hash value (7 digits), but it shows:

Jiashu-Hu avatar Mar 19 '25 22:03 Jiashu-Hu

Well that is unfortunate. I wonder if the apache regex is correct - the one in the error message is not, should be .*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+

Omega359 avatar Mar 20 '25 17:03 Omega359

Well that is unfortunate. I wonder if the apache regex is correct - the one in the error message is not, should be .*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+

Yes, you're correct, and I've checked that korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7 does match the regex pattern you provided, .*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+, as the commit hash is a valid 40-character hexadecimal string. Since these actions run successfully in my repository, it confirms that the hash values are correct and GitHub can execute them without issues. The error likely arises from specific settings in Apache's GitHub Actions policies or DataFusion's repository configuration, which may restrict the use of commit hashes for external actions.


I suppose the related setting is in here:

After conducting some research, it seems that the issue arises because mozilla-actions/sccache-action@v0.0.4 has been explicitly added to the allowlist. Once a specific version tag is defined, other versions, including those with commit hashes like mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd, are not matched and thus not permitted. Related official document:

The most effective solution is to either add the specific commit hashes to the allowlist (e.g., mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd) to approve that SHA, or use a wildcard (e.g., mozilla-actions/sccache-action@*) to allow all versions, including both hashes and tags.

Jiashu-Hu avatar Mar 20 '25 19:03 Jiashu-Hu
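As an added illustration of the two checks discussed in this thread (not code from DataFusion, the ASF policy checker, or GitHub), the script below scans `uses:` references in workflow files, tests them against both the regex Omega359 proposed and a stricter full-40-hex rule, and applies allowlist matching as described above (an exact `owner/repo@tag` entry matches only that ref, `owner/repo@*` matches any ref). The sample workflow text and the two allowlists are constructed from the before/after lines in this PR; the assumption that GitHub's allowed-actions patterns behave like this simple `*` glob, and that local `./` actions are always allowed, is mine.

```python
"""Audit GitHub workflow `uses:` references for SHA pinning and allowlist fit.

Added example for this PR thread; not DataFusion code, not the ASF policy
checker, and not GitHub's own matcher. Assumptions are marked in comments.
"""
import re

# Regex Omega359 suggested in the thread: at least 7 lowercase hex chars after '@'.
THREAD_REGEX = re.compile(
    r".*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+"
)

# Stricter rule used by this checker: a full 40-hex commit SHA, the only form a
# tag move cannot silently change. A 7-char short hash is deliberately rejected.
FULL_SHA_REF = re.compile(
    r"^([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)@([0-9a-f]{40})$"
)

# One `uses:` reference per line, optionally quoted (how the files in this PR are written).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def parse_uses(workflow_text):
    """Return every `uses:` reference found in workflow/action YAML text."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def is_full_sha_pin(ref):
    """True only for owner/repo[/path]@<40 lowercase hex chars>."""
    return FULL_SHA_REF.match(ref) is not None


def matches_thread_regex(ref):
    """Looser check: the pattern from the thread (7+ hex chars after '@')."""
    return THREAD_REGEX.match(ref) is not None


def _glob_to_regex(pattern):
    # '*' matches anything (including '/'); every other character is literal.
    return "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)


def is_allowed(ref, allowlist):
    """Allowlist semantics as described in the thread (assumed to mirror GitHub's
    allowed-actions patterns): 'owner/repo@v1' matches that exact ref only,
    'owner/repo@*' matches any ref of that action. Local actions (no '@') are
    treated as always allowed here (assumption)."""
    if "@" not in ref:
        return True
    return any(re.fullmatch(_glob_to_regex(p), ref) for p in allowlist)


def audit(workflow_text, allowlist):
    """[(ref, pinned_to_full_sha, allowed_by_allowlist)] for each `uses:` reference."""
    return [(r, is_full_sha_pin(r), is_allowed(r, allowlist)) for r in parse_uses(workflow_text)]


# Constructed sample mirroring the before/after `uses:` lines in this PR.
BEFORE = """\
steps:
  - uses: korandoru/hawkeye@v6
  - uses: Swatinem/rust-cache@v2
  - uses: mozilla-actions/sccache-action@v0.0.4
  - uses: ./.github/actions/setup-rust-runtime
"""
AFTER = """\
steps:
  - uses: korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7
  - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
  - uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd
  - uses: ./.github/actions/setup-rust-runtime
"""

# Allowlist shape the thread describes: sccache-action entered as one exact tag, so the
# SHA form is rejected. The hawkeye/rust-cache entries are constructed for the sample.
TAG_ONLY_ALLOWLIST = [
    "mozilla-actions/sccache-action@v0.0.4",
    "korandoru/hawkeye@*",
    "Swatinem/rust-cache@*",
]
# The wildcard fix the thread proposes.
WILDCARD_ALLOWLIST = [
    "mozilla-actions/sccache-action@*",
    "korandoru/hawkeye@*",
    "Swatinem/rust-cache@*",
]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for ref, pinned, allowed in audit(text, TAG_ONLY_ALLOWLIST):
            print(f"{label}: {ref}: pinned={pinned} allowed={allowed}")
```

Running it shows the situation the thread hit: every reference in the updated files passes the full-SHA check, but the sccache-action SHA fails the tag-only allowlist, while the same reference passes once the entry is widened to `mozilla-actions/sccache-action@*`.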

I think a committer should bring this up with the Apache infrastructure folks, as I cannot see a way to follow the directions in the Apache GitHub Actions policy here without just yanking those actions.

@alamb

Omega359 avatar Mar 21 '25 11:03 Omega359

Thank you for your contribution. Unfortunately, this pull request is stale because it has been open 60 days with no activity. Please remove the stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Jun 17 '25 02:06 github-actions[bot]