@kou kou commented Dec 4, 2025

Rationale for this change

Dependabot sometimes failed to update the hash.
For example: #48301

The ASF GitHub Actions policy doesn't require pinning actions/* actions:

https://infra.apache.org/github-actions-policy.html

External actions

You MAY use all actions internal to the apache/*, github/* and actions/* namespaces without restrictions.

You MUST pin all external actions to the specific git hash (SHA1) of the action that has been reviewed for use by the project. For instance, you MUST pin foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878.

We can avoid the Dependabot behavior by removing the hash from actions/* actions.

What changes are included in this PR?

  • Remove hash from actions/* actions.
  • Use @vX instead of @vX.Y.Z to reduce Dependabot updates.

Are these changes tested?

Yes.

Are there any user-facing changes?

No.
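
A check for the policy quoted in the description above, as an added example that is not part of this pull request or the Apache Arrow code base: it scans a workflow's `uses:` lines and reports external actions that are not pinned to a full commit SHA. The function names and the sample workflow are constructed for illustration, and local `./` actions are assumed to be out of scope.

```python
import re

# Namespaces the quoted ASF policy allows without restriction.
TRUSTED_OWNERS = {"apache", "github", "actions"}
FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")


def check_uses(ref):
    """Return 'ok' or the reason a single `uses:` value breaks the policy."""
    if ref.startswith("./"):
        return "ok"  # assumption: actions local to the repository are not "external"
    target, sep, version = ref.partition("@")
    owner = target.split("/", 1)[0].lower()
    if owner in TRUSTED_OWNERS:
        return "ok"  # MAY be used without restrictions, tag or hash
    if not sep:
        return "external action without a ref"
    if not FULL_SHA.fullmatch(version):
        return "external action not pinned to a full commit SHA"
    return "ok"


def audit_workflow(text):
    """Return (line_number, uses_value, reason) for every violation in a workflow."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if match:
            reason = check_uses(match.group(1))
            if reason != "ok":
                findings.append((number, match.group(1), reason))
    return findings


# Constructed sample workflow; foobar/baz-action and its hash are the policy's own example.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878
      - uses: foobar/baz-action@v1
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```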

github-actions bot commented Dec 4, 2025

⚠️ GitHub issue #48326 has been automatically assigned in GitHub to PR creator.

@github-actions github-actions bot added the "awaiting committer review" label Dec 4, 2025
@github-actions github-actions bot added the "awaiting merge" label and removed the "awaiting committer review" label Dec 4, 2025
@raulcd raulcd merged commit f7159f2 into apache:main Dec 5, 2025
71 of 84 checks passed
@raulcd raulcd removed the "awaiting merge" label Dec 5, 2025
@kou kou deleted the ci-actions-no-hash branch December 5, 2025 14:43