dongjoon-hyun opened a new pull request, #2655:
URL: https://github.com/apache/orc/pull/2655

   ### What changes were proposed in this pull request?
   
   This PR pins two `docker/*` GitHub Actions in 
`.github/workflows/build_and_test.yml` to commit hashes approved by the ASF 
(`apache/infrastructure-actions/approved_patterns.yml`):
   
   | Action | Before | After |
   | --- | --- | --- |
   | `docker/setup-qemu-action` | `@v3` | 
`@c7c53464625b32c7a7e944ae62b3e17d2b600130` (v3.7.0) |
   | `docker/setup-buildx-action` | `@v3` | 
`@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5` (v4.1.0) |
   
   Note that the approved patterns list has no `v3.x` hash for 
`docker/setup-buildx-action`, so it is bumped from `v3` to the latest approved 
`v4.1.0`.
   
   Actions under `actions/*` and `apache/*` are intentionally left on their 
tags per the ASF policy for trusted sources. `ruby/setup-ruby` is approved only 
as a wildcard (no hash), and `cpp-linter/cpp-linter-action` is already pinned 
to an approved hash.
   
   ### Why are the changes needed?
   
   The ASF infrastructure policy requires third-party GitHub Actions to be 
pinned to approved commit hashes instead of mutable version tags, to prevent 
supply-chain attacks from tag reassignment.
   
   ### How was this patch tested?
   
   Pass the GitHub Actions.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Opus 4.8


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to