[SPARK-36915][INFRA] Pin actions to a full length commit SHA

HyukjinKwon · naveensrinivasan · srowen · commit 00b87c967ff8 · 2021-10-16T08:53:19.000-05:00
### What changes were proposed in this pull request? Pinning github actions to a SHA ### Why are the changes needed? Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies ### Does this PR introduce _any_ user-facing change? Running github action and checking the SHA with the existing repository ### How was this patch tested? Running the GitHub action Closes apache#34163 from naveensrinivasan/naveen/feat/pin-github-actions. Lead-authored-by: Hyukjin Kwon <gurwls223@gmail.com> Co-authored-by: naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Sean Owen <srowen@gmail.com>
diff --git a/.github/workflows/cancel_duplicate_workflow_runs.yml b/.github/workflows/cancel_duplicate_workflow_runs.yml
@@ -29,7 +29,7 @@ jobs:
     name: "Cancel duplicate workflow runs"
     runs-on: ubuntu-latest
     steps:
-      - uses: potiuk/cancel-workflow-runs@953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+      - uses: potiuk/cancel-workflow-runs@4723494a065d162f8e9efd071b98e0126e00f866 # @master
         name: "Cancel duplicate workflow runs"
         with:
           cancelMode: allDuplicates
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -44,7 +44,7 @@ jobs:
     #
     # However, these are not in a published release and the current `main` branch
     # has some issues upon testing.
-    - uses: actions/labeler@2.2.0
+    - uses: actions/labeler@5f867a63be70efff62b767459b009290364495eb # pin@2.2.0
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         sync-labels: true
diff --git a/.github/workflows/notify_test_workflow.yml b/.github/workflows/notify_test_workflow.yml
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: "Notify test workflow"
-        uses: actions/github-script@v3
+        uses: actions/github-script@f05a81df23035049204b043b50c3322045ce7eb3 # pin@v3
         if: ${{ github.base_ref == 'master' }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
@@ -36,18 +36,18 @@ jobs:
           - branch-3.1
     steps:
     - name: Checkout Spark repository
-      uses: actions/checkout@master
+      uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # pin@master
       with:
         ref: ${{ matrix.branch }}
     - name: Cache Maven local repository
-      uses: actions/cache@v2
+      uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353 # pin@v2
       with:
         path: ~/.m2/repository
         key: snapshot-maven-${{ hashFiles('**/pom.xml') }}
         restore-keys: |
           snapshot-maven-
     - name: Install Java 8
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@d202f5dbf7256730fb690ec59f6381650114feb2 # pin@v1
       with:
         java-version: 8
     - name: Publish snapshot
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -27,7 +27,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v1.1.0
+    - uses: actions/stale@c201d45ef4b0ccbd3bb0616f93bae13e73d0a080 # pin@v1.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-pr-message: >
diff --git a/.github/workflows/test_report.yml b/.github/workflows/test_report.yml
@@ -29,14 +29,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Download test results to report
-      uses: dawidd6/action-download-artifact@v2
+      uses: dawidd6/action-download-artifact@6f8f427fb41886a66b82ea11a5a15d1454c79415 # pin@v2
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         workflow: ${{ github.event.workflow_run.workflow_id }}
         commit: ${{ github.event.workflow_run.head_commit.id }}
         workflow_conclusion: completed
     - name: Publish test report
-      uses: scacap/action-surefire-report@v1
+      uses: scacap/action-surefire-report@482f012643ed0560e23ef605a79e8e87ca081648 # pin@v1
       with:
         check_name: Report test results
         github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/update_build_status.yml b/.github/workflows/update_build_status.yml
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: "Update build status"
-        uses: actions/github-script@v3
+        uses: actions/github-script@f05a81df23035049204b043b50c3322045ce7eb3 # pin@v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ jobs:`
`44`	`44`	`#`
`45`	`45`	# However, these are not in a published release and the current `main` branch
`46`	`46`	`# has some issues upon testing.`
`47`		`- - uses: actions/[email protected]`
	`47`	`+ - uses: actions/labeler@5f867a63be70efff62b767459b009290364495eb # pin@2.2.0`
`48`	`48`	`with:`
`49`	`49`	`repo-token: "${{ secrets.GITHUB_TOKEN }}"`
`50`	`50`	`sync-labels: true`