Skip to content

updatted github action by change version tag to sha hashes #15315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

updatted github action by change version tag to sha hashes #15315

wants to merge 2 commits into from
+10 −13

Conversation

Jiashu-Hu
Copy link
Contributor

@Jiashu-Hu Jiashu-Hu commented Mar 19, 2025
edited
Loading

Which issue does this PR close?

Rationale for this change

This update strengthens the security of GitHub workflows by substituting version tags with precise SHA hashes for actions. This modification reduces the risks tied to supply chain attacks by guaranteeing that only validated action versions are utilized in the workflows. This method adheres to industry best practices for safeguarding CI/CD pipelines.

What changes are included in this PR?

Replaced version tags with specific SHA hashes for actions in the GitHub workflows.

Original:
dev.yml -> - uses: korandoru/hawkeye@v6
rust.yml -> - uses: korandoru/hawkeye@v6
setup-macos-aarch64-builder/action.yaml -> uses: Swatinem/rust-cache@v2
setup-rust-runtime/action.yaml -> uses: mozilla-actions/[email protected]

Update:
dev.yml -> - uses: korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7
rust.yml -> - uses: korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7
setup-macos-aarch64-builder/action.yaml -> uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
setup-rust-runtime/action.yaml -> uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd

Are these changes tested?

Yes, the changes are tested to ensure that the GitHub workflows function correctly with the specified SHA hashes.
Where I got this Hash:
korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7:

This is implemented in v6 of the original GitHub Action, but it redirects to v6.0.1. Consequently, I’ve bound the hash to v6.0.1 here for consistency and security.

korandoru/hawkeye@dd74178
image

Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6:

This is implemented in v2 of the original GitHub Action, but it redirects to v2.7.8. Consequently, I’ve bound the hash to v2.7.8 here for consistency and security.

Swatinem/rust-cache@9d47c6a
image

mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd:

Mozilla-Actions/sccache-action@2e7f9ec
This is implemented in v0.0.4 of the original GitHub Action, so that I just bound the hash to v0.0.4 here for consistency and security.

image

Are there any user-facing changes?

No, all of that is under github action

@github-actions github-actions bot added the development-process Related to development process of DataFusion label Mar 19, 2025
@Jiashu-Hu Jiashu-Hu marked this pull request as draft March 19, 2025 17:48
@Jiashu-Hu Jiashu-Hu marked this pull request as ready for review March 19, 2025 22:17
@Jiashu-Hu
Copy link
Contributor Author

Jiashu-Hu commented Mar 19, 2025
edited
Loading

hi @alamb, @Omega359 seems there's some regulation to blocked SHA HASH value as version tag in apache community, if we may update our github action policy it will be best
image

I tried convert it to a shorter version hash values (7 digit) but it shows
image

@alamb alamb marked this pull request as draft March 20, 2025 16:02
@Omega359
Copy link
Contributor

Omega359 commented Mar 20, 2025
edited
Loading

Well that is unfortunate. I wonder if the apache regex is correct - the one in the error message is not, should be .*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+

@Jiashu-Hu
Copy link
Contributor Author

Jiashu-Hu commented Mar 20, 2025
edited
Loading

Well that is unfortunate. I wonder if the apache regex is correct - the one in the error message is not, should be .*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+

Yes, you're correct— and I've checked that korandoru/hawkeye@dd74178a96f27b1121447c6b4a4ccfce180d5bf7 does match the regex pattern you provided .*\/.*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+, as the commit hash is a valid 40-character hexadecimal string. Since these actions run successfully in my repository, it confirms that the hash values are correct and GitHub can execute them without issues. The error likely arises from specific settings in Apache's GitHub Actions policies or DataFusion's repository configuration, which may restrict the use of commit hashes for external actions.

image

I suppose related setting is in here:
image

After conducting some research, it seems that the issue arises because mozilla-actions/[email protected] has been explicitly added to the allowlist. Once a specific version tag is defined, other versions—including those with commit hashes like Mozilla-Actions/sccache-action@2e7f9ec—are not matched and thus not permitted.
Related official document
image

The most effective solution is to either add the specific commit hashes to the allowlist (e.g., Mozilla-Actions/sccache-action@2e7f9ec) to approve that SHA, or use a wildcard (e.g., mozilla-actions/sccache-action@*) to allow all versions, including both hashes and tags.

@Omega359
Copy link
Contributor

I think a committer should bring this up with apache infra structure folks as I cannot see a way to follow the directions in the apache github actions policy here without just yanking those actions.

@alamb

geoffreyclaude
geoffreyclaude reviewed Apr 17, 2025
View reviewed changes
.github/actions/setup-rust-runtime/action.yaml
- name: Configure runtime env
shell: bash
# do not produce debug symbols to keep memory usage down
# hardcoding other profile params to avoid profile override values
# More on Cargo profiles https://doc.rust-lang.org/cargo/reference/profiles.html?profile-settings#profile-settings
#
#
# Set debuginfo=line-tables-only as debuginfo=0 causes immensely slow build
# See for more details: https://github.com/rust-lang/rust/issues/119560
run: |
echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
echo "RUST_BACKTRACE=1" >> $GITHUB_ENV
echo "RUSTFLAGS=-C debuginfo=line-tables-only -C incremental=false" >> $GITHUB_ENV
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The -C incremental=false was introduced in #8730, but I'm pretty sure it should actually be disabled with an env variable instead:

echo "CARGO_INCREMENTAL=0" >> $GITHUB_ENV

The RUSTCFLAGS incremental only specifies the "path to a directory where incremental files will be stored" — so in this case it is requesting to store incremental files in the folder named "false".

Since sccache does not cache incremental files, using the env var instead of the flag should have some good improvements on the sccache hit rate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geoffreyclaude geoffreyclaude geoffreyclaude left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
development-process Related to development process of DataFusion
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update all github workflow to use actions tied to sha hashes
3 participants
@Jiashu-Hu @Omega359 @geoffreyclaude