arpitjain099 opened a new pull request, #447: URL: https://github.com/apache/doris-opentelemetry-demo/pull/447
A few workflows here call third-party actions by mutable refs (one even uses a branch, `dyladan/component-owners@main`). Branch and tag refs can be repointed at any time by the action's maintainers, so whatever lives at that ref is what runs with access to the workflow's token and secrets. The tj-actions/changed-files compromise (CVE-2025-30066) demonstrated the impact: tags were rewritten to malicious commits and CI secrets leaked downstream before anyone noticed. Pinning to the exact commit SHA closes that gap.

I resolved each ref to its current commit and recorded the original tag or branch name in a trailing comment so upgrades stay straightforward:

- `dyladan/component-owners@main` in assign-reviewers.yml
- `umbrelladocs/action-linkspector@v1` in checks.yml
- `gradle/actions/[email protected]` in gradle-wrapper-validation.yml
- `dorny/paths-filter@v3` in label-pr.yml

I left the reusable `component-build-images.yml` (`on: workflow_call`) untouched on purpose, since that one is better handled together with whatever pins its caller. GitHub-maintained `actions/*` were also left as-is.

This nudges the Pinned-Dependencies score in the right direction.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
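The PR above pins third-party actions by hand. The check below, added here as an illustration and not part of the PR or the doris-opentelemetry-demo repository, is the kind of lint a reviewer would run to catch the same class of problem automatically: it scans workflow text for `uses:` steps, skips a configurable list of trusted owners (defaulting to `actions`, matching the PR's decision to leave GitHub-maintained actions alone), and reports any ref that is not a full 40-hex commit SHA, distinguishing branches, version-like tags and abbreviated SHAs. The sample workflow is constructed for this example, and the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re
from typing import List, NamedTuple, Optional, Sequence

# A `uses:` step line. Group 1 is the action path (owner/repo[/subdir]),
# group 2 is the ref after `@`. Local (`./path`) and `docker://` actions
# carry no `@ref`, so they do not match and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)['\"]?")

# Only a full 40-character hex SHA is an immutable pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    reason: str


def classify_ref(ref: str) -> Optional[str]:
    """Return None for a full-SHA pin, otherwise a short reason it is mutable."""
    if FULL_SHA_RE.match(ref):
        return None
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        # An abbreviated SHA resolves uniquely today but is not the pinned form
        # GitHub treats as immutable; flag it so it gets expanded.
        return "abbreviated SHA (not a full 40-hex pin)"
    if re.match(r"v?\d", ref):
        return "mutable tag"
    return "branch"


def unpinned_uses(
    workflow_text: str, trusted_owners: Sequence[str] = ("actions",)
) -> List[Finding]:
    """Scan one workflow file's text and return every non-SHA third-party ref."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        owner = action.split("/")[0]
        if owner in trusted_owners:
            continue  # mirrors the PR: leave GitHub-maintained actions/* alone
        reason = classify_ref(ref)
        if reason is not None:
            findings.append(Finding(line_no, action, ref, reason))
    return findings


def render_report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, suitable for a CI log."""
    return [
        f"line {f.line_no}: {f.action}@{f.ref} is pinned to a {f.reason}; "
        f"pin to the full commit SHA and keep `# {f.ref}` as a trailing comment"
        for f in findings
    ]


# Constructed sample workflow. The 40-hex SHA below is a placeholder, not a
# real commit; the trailing `# v3` comment shows the upgrade-friendly pin form.
SAMPLE_WORKFLOW = """\
# constructed sample workflow for the lint above
name: ci
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dyladan/component-owners@main
      - uses: umbrelladocs/action-linkspector@v1
      - uses: dorny/paths-filter@v3
      - uses: dorny/paths-filter@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line in render_report(unpinned_uses(SAMPLE_WORKFLOW)):
        print(line)
```

Run against the sample, the three unpinned third-party steps are reported (the branch ref, then the two version tags); `actions/checkout@v4` is skipped by the trusted-owner rule, the full-SHA `dorny/paths-filter` step passes, and the local action is ignored because it carries no `@ref`. Passing `trusted_owners=()` puts `actions/*` back in scope for repositories that want everything pinned.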
