Jiashu-Hu commented on PR #15315: URL: https://github.com/apache/datafusion/pull/15315#issuecomment-2741526839
> Well that is unfortunate. I wonder if the apache regex is correct - the one in the error message is not, should be `.*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+`

Yes, you're correct— and I've checked that `korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7` does match the regex pattern you provided `.*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+`, as the commit hash is a valid 40-character hexadecimal string.

Since these actions run successfully in your repository, it confirms that the hash values are correct and GitHub can execute them without issues. The error likely arises from specific settings in Apache's GitHub Actions policies or DataFusion's repository configuration, which may restrict the use of commit hashes for external actions.

<img width="1503" alt="image" src="https://github.com/user-attachments/assets/31837bb1-632f-4d30-8e13-c4507a117c21" />

I suppose the related setting is in here:

<img width="1482" alt="image" src="https://github.com/user-attachments/assets/ba2ecbdc-ea36-4383-b8b6-92b542cf0421" />

After conducting some research, it seems that the issue arises because mozilla-actions/sccache-action@v0.0.4 has been explicitly added to the allowlist. Once a specific version tag is defined, other versions—including those with commit hashes like mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd—are not matched and thus not permitted.

[Related official document](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run)

<img width="756" alt="image" src="https://github.com/user-attachments/assets/26525c8b-acd1-4d80-9e54-e29c40260faf" />

The most effective solution is to either add the specific commit hashes to the allowlist (e.g., mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd) to approve that SHA, or use a wildcard (e.g., mozilla-actions/sccache-action@*) to allow all versions, including both hashes and tags.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@datafusion.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
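
As an added illustration (not part of the comment above, and not Apache's or GitHub's own code), this Python sketch audits the `uses:` refs of a workflow against an allowlist, showing why a tag-only entry does not cover a SHA-pinned ref of the same action while an `@*` entry does. It assumes a simplified matching model in which `*` is the only wildcard and an entry must match the whole ref; the workflow text and the names `audit`, `allow_regex`, `TAG_ONLY` and `WILDCARD` are constructed for the example.

```python
import re

# Pattern quoted in the thread for a SHA-pinned ref (7+ hex chars after '@').
# Anchoring it with fullmatch() is an assumption made for this example.
SHA_PINNED = re.compile(
    r".*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+")

# Constructed workflow fragment using the refs mentioned in the thread.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: mozilla-actions/sccache-action@v0.0.4
      - uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd
      - uses: korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7
"""

TAG_ONLY = ["mozilla-actions/sccache-action@v0.0.4"]  # entry described in the thread
WILDCARD = ["mozilla-actions/sccache-action@*"]       # alternative proposed in the thread


def allow_regex(entry):
    """Compile one allowlist entry; '*' is the only wildcard (assumed model)."""
    return re.compile(".*".join(re.escape(part) for part in entry.split("*")))


def audit(workflow_text, allowlist):
    """Return (ref, allowed, sha_pinned) for every `uses:` line in the workflow."""
    compiled = [allow_regex(entry) for entry in allowlist]
    results = []
    for m in re.finditer(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", workflow_text, re.M):
        ref = m.group(1).strip("'\"")
        allowed = any(rx.fullmatch(ref) for rx in compiled)
        results.append((ref, allowed, bool(SHA_PINNED.fullmatch(ref))))
    return results


if __name__ == "__main__":
    for name, allowlist in (("tag-only", TAG_ONLY), ("wildcard", WILDCARD)):
        print(f"allowlist: {name}")
        for ref, allowed, pinned in audit(WORKFLOW, allowlist):
            verdict = "allowed" if allowed else "BLOCKED"
            print(f"  {verdict:8} sha-pinned={pinned!s:5} {ref}")
```
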