CI: Use specific patch versions in workflow action comments #3331

Merged
kevinjqliu merged 1 commit into apache:main from kevinjqliu:kevinjqliu/fix-gh-workflow-pin
May 6, 2026

@kevinjqliu
Contributor

Rationale for this change

Similar to apache/iceberg#16229

The workflow files use SHA-pinned actions (immutable), but the human-readable comments referenced only major versions (e.g., # v6, # v5).
When maintainers move these mutable tags to a new commit, zizmor fails in CI because the SHA no longer matches the stated tag.

Are these changes tested?

Are there any user-facing changes?

Contributor

@Fokko Fokko left a comment

LGTM, I would assume that dependabot would bump to the patch versions as well? 🤔

@kevinjqliu
Contributor Author

> I would assume that dependabot would bump to the patch versions as well?

yea on updates, but some of these are rarely updated.

@kevinjqliu kevinjqliu merged commit d008a04 into apache:main May 6, 2026
18 checks passed
@kevinjqliu kevinjqliu deleted the kevinjqliu/fix-gh-workflow-pin branch May 6, 2026 18:33
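
An added example, not part of this PR or the project's code: a minimal offline check for the convention the PR adopts, flagging `uses:` lines whose SHA pin carries only a major-version comment (or no pin or comment at all). The workflow text and SHAs below are constructed, and `audit_workflow` is a hypothetical helper; it checks only the form of the comment, not whether the SHA actually matches the tag.

```python
import re

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")      # immutable commit reference
PATCH_TAG_RE = re.compile(r"v?\d+\.\d+\.\d+")  # e.g. v6.0.1, not v6


def audit_workflow(text):
    """Return (line_no, action, problem) for each `uses:` line that is not
    SHA-pinned with a full patch-version comment."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m["action"].startswith("docker://"):
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((no, action, "not pinned to a full commit SHA"))
        elif not comment:
            findings.append((no, action, "no version comment"))
        elif not PATCH_TAG_RE.fullmatch(comment.split()[0]):
            # A major-only tag is mutable: once it moves, the comment
            # no longer describes the pinned commit.
            findings.append(
                (no, action, f"comment '{comment}' is not a full patch version"))
    return findings


# Constructed workflow; the SHAs and versions are placeholders, not real releases.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef # v6.0.0
      - uses: actions/cache@v5
      - name: Upload
        uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
"""

if __name__ == "__main__":
    for no, action, problem in audit_workflow(SAMPLE):
        print(f"line {no}: {action}: {problem}")
```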