Pin GitHub Actions to commit SHAs for ASF policy compliance#21
Merged
Conversation
ASF policy requires all external actions be pinned to exact commit SHAs rather than mutable tag references. Also replaces the unapproved jbergstroem/hadolint-gh-action with hadolint/hadolint-action (approved in apache/infrastructure-actions), adds explicit `permissions: contents: read` to all workflows, and adds a new check-actions-usage workflow that runs the ASF-provided compliance checker on every .github/** change. See https://infra.apache.org/github-actions-policy.html
PR apache#18 bumped the minimum Python version to >=3.12 but the Dockerfile was still using python:3.11.2-slim, causing the Docker build to fail.
- Add --no-install-recommends to apt-get install calls (DL3015)
- Add WORKDIR /build before COPY in build-stage (DL3045)
- Replace backticks with $() notation (SC2006)
- Use ./*.whl glob prefix (SC2035)
- Add --no-cache-dir to pip install (DL3042)
- Fix invalid label key DOCKERFILE -> org.label-schema.dockerfile (DL3048)
- Suppress DL3008 (apt version pinning) with ignore directives
epugh
approved these changes
May 25, 2026
epugh
left a comment
Parts of me are starting to think GHA is more work than it's worth. They were amazing at one time, but these days.... It's a whole other maintenance thing.
Okay, grumping aside, LGTM.
# Conflicts:
#	.github/workflows/docs.yml
Contributor
Author
I think the same would be the case with any other CI system. Supply chain attack hardening is needed no matter how we build. And Dependabot takes care of upgrading and finding the SHA hashes of new action versions, so not really that much work on a day to day basis.
Summary
Brings all GitHub Actions workflows into compliance with the ASF GitHub Actions policy.
- Mutable tag references (`@v3`, `@v4`) replaced with exact commit SHAs (tag retained as inline comment for readability)
- `jbergstroem/hadolint-gh-action` is not in the ASF approved list; replaced with `hadolint/hadolint-action` (approved in apache/infrastructure-actions)
- `permissions: contents: read` added to all active workflows (principle of least privilege)
- `check-actions-usage.yml` runs the ASF-provided reusable checker (sample) on every `.github/**` change

Actions pinned

| Action | SHA | Tag |
|---|---|---|
| actions/checkout | f43a0e5 | v3 |
| hadolint/hadolint-action | 2332a7b | v3.3.0 |
| actions/checkout | 34e1148 | v4 |
| docker/setup-qemu-action | c7c5346 | v3.7.0 |
| docker/setup-buildx-action | 8d2750c | v3.12.0 |
| actions/checkout | ee0669b | v2 |
| actions/checkout | 34e1148 | v4 |
| ruby/setup-ruby | afeafc3 | v1 |
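The two properties the PR enforces (every `uses:` reference pinned to a full commit SHA, and an explicit top-level read-only `permissions:` block) are easy to check mechanically. The script below is an added example written for this page; it is not the ASF-provided checker and not code from this PR. It works on the raw workflow text with regular expressions so it needs no YAML library. The two sample workflows, the 40-hex placeholder SHA and the `approved` allowlist passed in the usage lines are constructed for illustration and are not real commits or the real ASF approved list.

```python
"""Check GitHub Actions workflow text for SHA-pinned actions and a
read-only top-level permissions block (added example, not the ASF checker)."""
import re

# Matches `uses: owner/repo@ref`, with or without a leading list dash,
# and stops at whitespace or a trailing `# v4` style comment.
USES_RE = re.compile(r'^\s*(?:-\s+)?uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Only a column-0 `permissions:` is the workflow-level block.
PERM_LINE_RE = re.compile(r'^permissions:[ \t]*(\S*)[ \t]*$', re.MULTILINE)
READ_ONLY = {"read", "none", "read-all", "{}"}

# Placeholder SHA for the sample below: 40 hex digits, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample: the pre-PR shape (mutable tags, no permissions block).
UNPINNED_WORKFLOW = """\
name: docs
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jbergstroem/hadolint-gh-action@v1
"""

# Constructed sample: the shape the PR moves to (SHA pins, tag kept as comment).
PINNED_WORKFLOW = f"""\
name: docs
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: hadolint/hadolint-action@{PLACEHOLDER_SHA} # v3.3.0
"""


def action_refs(workflow_text):
    """Return every `uses:` target in order of appearance."""
    return USES_RE.findall(workflow_text)


def is_sha_pinned(ref):
    """True for local actions (./path) and for owner/repo@<40-hex sha>."""
    if ref.startswith("./"):
        return True
    if "@" not in ref:
        return False
    _, version = ref.rsplit("@", 1)
    return bool(SHA_RE.match(version))


def top_level_permissions(workflow_text):
    """Parse the top-level `permissions:` block into a dict, or None if absent.
    Handles the shorthand form (`permissions: read-all`) and the mapping form."""
    m = PERM_LINE_RE.search(workflow_text)
    if not m:
        return None
    if m.group(1):
        return {"*": m.group(1)}
    perms = {}
    for line in workflow_text[m.end():].split("\n")[1:]:
        if not line.strip() or line.strip().startswith("#"):
            continue
        if not line.startswith(" "):
            break  # back at column 0: the block is over
        key, _, value = line.strip().partition(":")
        perms[key] = value.strip()
    return perms


def check_workflow(workflow_text, approved=None):
    """Return human-readable findings; an empty list means compliant.
    `approved` is an optional allowlist of owner/repo names (assumed here;
    the real list lives in apache/infrastructure-actions)."""
    findings = []
    for ref in action_refs(workflow_text):
        name = ref.split("@", 1)[0]
        if not is_sha_pinned(ref):
            findings.append(f"unpinned action: {ref}")
        if approved is not None and not ref.startswith("./") and name not in approved:
            findings.append(f"action not on approved list: {name}")
    perms = top_level_permissions(workflow_text)
    if perms is None:
        findings.append("no top-level permissions block (token falls back to repository default)")
    else:
        for scope, level in perms.items():
            if level not in READ_ONLY:
                findings.append(f"permission {scope}: {level} is broader than read")
    return findings


if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(label, check_workflow(text, approved={"actions/checkout", "hadolint/hadolint-action"}) or "OK")
```

Running it reports three findings for the unpinned sample (two mutable tags plus the missing permissions block) and none for the pinned one; passing an allowlist that omits an action adds an "action not on approved list" finding, which is the same class of problem the PR fixed by swapping the hadolint action. A full 40-character SHA is required on purpose: a short prefix like the ones in the table above is fine for humans but is not what the policy pins to.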