Skip to content

Upgrade and pin GitHub Actions to latest SHA#72

Merged
frederikja163 merged 9 commits into
mainfrom
fix/pin-action-shas
Apr 10, 2026
Merged

Upgrade and pin GitHub Actions to latest SHA#72
frederikja163 merged 9 commits into
mainfrom
fix/pin-action-shas

Conversation

@db-ks

@db-ks db-ks commented Mar 28, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Pins all GitHub Actions uses: references to full 40-character commit SHAs to reduce supply-chain risk. Both third-party and opentap-owned actions are pinned.

Changes

All floating tags (e.g. @v4, @main) replaced with pinned SHAs. opentap-owned actions are pinned to main branch commits pending tagged releases:

  • opentap/get-gitversiond1353d4355f2c12e09bb7886ccc9aa7d18243ebc (main, pending v1.2)
  • opentap/setup-opentap6eee68cf35f2e861f93d21029bbe7af4c427b9bd (main, pending v1.1)

Where opentap/get-gitversion is used, a persist-credentials: false flag has been added to the preceding actions/checkout step to avoid a duplicate Authorization header conflict introduced in actions/checkout@v6.

Merge order

This PR depends on upstream opentap action releases. Recommended order:

  1. Merge and tag opentap/setup-opentap#19 as v1.1 ✅ Merged
  2. Merge and tag opentap/get-gitversion#8 as v1.2 ✅ Merged — tag pending
  3. Update the SHAs in this PR to the released tags once v1.1 and v1.2 are cut
  4. Merge this PR

db-ks added 4 commits March 28, 2026 14:34
@db-ks
ci: upgrade and pin GitHub Actions to latest SHA
c0f8518 
Pin all floating action refs to immutable commit SHAs with version comments.

- opentap/get-gitversion: @main -> @1ecd47ca (v1.1)
- actions/checkout: @v2/@v3/@v4 -> @de0fac2e (v6.0.2)
- actions/upload-artifact: @v4 -> @bbbca2dd (v7.0.0)
- actions/download-artifact: @v4 -> @3e5f45b2 (v8.0.1)
- opentap/setup-opentap: @v1.0 -> @d178a37a (v1.0)
@db-ks
Revert opentap/* actions to @main (opentap-owned, trusted)
f6d408d
@db-ks
Pin opentap/* actions to SHA
69e3f3f
@db-ks
Update get-gitversion and setup-opentap to latest fixed SHAs
773ffc7
@db-ks db-ks marked this pull request as draft March 29, 2026 08:20
@db-ks db-ks marked this pull request as ready for review April 7, 2026 16:52
@db-ks db-ks requested a review from frederikja163 April 7, 2026 16:52
@frederikja163 frederikja163 merged commit 5db03fb into main Apr 10, 2026
5 checks passed
@frederikja163 frederikja163 deleted the fix/pin-action-shas branch April 10, 2026 09:16
@github-actions

github-actions Bot commented Apr 10, 2026

Copy link
Copy Markdown

This change is part of Parquet version 0.3.1-beta.6+5db03fb5 or later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frederikja163 frederikja163 Awaiting requested review from frederikja163

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@db-ks @frederikja163