Skip to content

fix: pin action SHAs in dev.yml (backport to maint-16.x)#23062

Open
sandy-sachin7 wants to merge 1 commit into
apache:maint-16.xfrom
sandy-sachin7:fix-23037-backport-hardening
Open

fix: pin action SHAs in dev.yml (backport to maint-16.x)#23062
sandy-sachin7 wants to merge 1 commit into
apache:maint-16.xfrom
sandy-sachin7:fix-23037-backport-hardening

Conversation

@sandy-sachin7

@sandy-sachin7 sandy-sachin7 commented Jun 20, 2026

Copy link
Copy Markdown

Which issue does this PR close?

Rationale for this change

The default branch already hardened .github/workflows/dev.yml against unpinned-uses (commit SHAs instead of mutable tags), but the maint-16.x release branch still uses mutable tags. This backports the same fix.

What changes are included in this PR?

Pin the following actions to their commit SHA (with the version tag as a comment):

Action Previous Pinned SHA
actions/checkout (rat job) @v3 f43a0e5ff2bd294095638e18286ca9a3d1956744
actions/setup-python (rat job) @v4 0ae58361cdfd39e2950bed97a1e26aa20c3d8955
actions/checkout (prettier job) @v3 f43a0e5ff2bd294095638e18286ca9a3d1956744
actions/setup-node (prettier job) @v3 3235b876344d2a9aa001b8d1453c930bba69e610

Are these changes tested?

Checked with actionlint — no new lint or security findings introduced. The fix matches the pattern already applied on the default branch.

Are there any user-facing changes?

No — CI workflow only.

@github-actions github-actions Bot added the development-process Related to development process of DataFusion label Jun 20, 2026
@Jefffrey Jefffrey mentioned this pull request Jun 21, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

development-process Related to development process of DataFusion

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sandy-sachin7