Omega359 opened a new issue, #15298: URL: https://github.com/apache/datafusion/issues/15298
### Is your feature request related to a problem or challenge?

A recent [supply chain attack](https://arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/) has made it extremely apparent that GitHub workflows should only use actions that are tied to a specific hash, not a version. This applies to any non-GitHub, non-Apache action, of which there seem to be a few:

- [dev.yml](https://github.com/apache/datafusion/blob/main/.github/workflows/dev.yml) -> `- uses: korandoru/hawkeye@v6`
- [rust.yml](https://github.com/apache/datafusion/blob/main/.github/workflows/rust.yml) -> `- uses: korandoru/hawkeye@v6`
- [setup-macos-aarch64-builder/action.yaml](https://github.com/apache/datafusion/blob/main/.github/actions/setup-macos-aarch64-builder/action.yaml) -> `uses: Swatinem/rust-cache@v2`
- [setup-rust-runtime/action.yaml](https://github.com/apache/datafusion/blob/main/.github/actions/setup-rust-runtime/action.yaml) -> `uses: mozilla-actions/sccache-action@v0.0.4`

An example of how to use a SHA hash instead of a version can be seen in the extended.yml file:

`uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be`

### Describe the solution you'd like

_No response_

### Describe alternatives you've considered

_No response_

### Additional context

_No response_
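A minimal check for the pinning rule this issue asks for, as an added example that is not part of the issue or of the DataFusion repository: it scans workflow text for `uses:` references and reports third-party actions whose ref is not a full 40-character commit SHA. The exempt owner list (`actions`, `github`, `apache`), the function name and the sample workflow are assumptions constructed for illustration.

```python
import re

# Assumption: owners treated as "GitHub or Apache" and therefore exempt.
EXEMPT_OWNERS = {"actions", "github", "apache"}

# Matches "uses: owner/repo@ref" with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def unpinned_actions(workflow_text):
    """Return [(line_number, reference)] for third-party actions whose ref
    is not a full commit SHA (tags and branches can be moved later)."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference = match.group(1)
        # Local actions and container images are not repository refs.
        if reference.startswith(("./", "docker://")):
            continue
        target, _, ref = reference.partition("@")
        owner = target.split("/", 1)[0].lower()
        if owner in EXEMPT_OWNERS:
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((number, reference))
    return findings


# Constructed sample: the references quoted in the issue plus two extra lines.
SAMPLE = """\
jobs:
  check:
    steps:
      - uses: actions/checkout@v4
      - uses: korandoru/hawkeye@v6
      - uses: Swatinem/rust-cache@v2
      - uses: mozilla-actions/sccache-action@v0.0.4
      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
      - uses: ./.github/actions/setup-builder
"""

if __name__ == "__main__":
    for number, reference in unpinned_actions(SAMPLE):
        print(f"line {number}: {reference} is not pinned to a commit SHA")
```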