
GitHub Actions Policy Check and Review #2626

@jbampton


Repo health check issue.

The following link details the ASF GitHub Actions policies:

https://infra.apache.org/github-actions-policy.html

It seems it says there:

> You MUST pin all external actions to the specific git hash (SHA1) of the action that has been reviewed for use by the project. For instance, you MUST pin foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878.

Do we need to pin our external actions to a hash, for example:

```yaml
uses: astral-sh/setup-uv@v7
```

This repository hosts GitHub Actions developed by the ASF community and approved for any ASF top level project to use:

https://github.com/apache/infrastructure-actions

Also we use pull_request_target for the actions/labeler:

https://github.com/apache/sedona/blob/master/.github/workflows/labeler.yml

The code does not check out but mentions the token.
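As an added illustration of the policy check the issue asks about (not code from the Sedona project or the ASF policy page), here is a small checker that scans a workflow for `uses:` references that are not pinned to a full commit SHA and reports whether the workflow is triggered by `pull_request_target`. The sample workflow text is constructed; treating only the `apache/` owner as exempt from pinning is an assumption, as is the `apache/infrastructure-actions/example` path.

```python
import re
from typing import List, Tuple

# Assumption: only actions owned by apache/ (e.g. apache/infrastructure-actions)
# are treated as first-party and exempt from the SHA-pinning requirement.
FIRST_PARTY_OWNERS = {"apache"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PRT_RE = re.compile(r"(^|\s)pull_request_target(:|\s|$)", re.M)

# Constructed sample; the foobar/baz-action SHA is the one quoted from the policy.
SAMPLE_WORKFLOW = """\
name: labeler
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
      - uses: astral-sh/setup-uv@v7
      - uses: apache/infrastructure-actions/example@main  # constructed path
      - uses: foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878
"""


def is_sha_pinned(ref: str) -> bool:
    """True if the part after '@' is a full 40-hex git SHA-1."""
    return bool(SHA1_RE.match(ref))


def check_workflow(text: str) -> Tuple[List[str], bool]:
    """Return (unpinned external action refs, whether pull_request_target is used)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local or container action: no marketplace ref to pin
        name, _, ref = target.partition("@")
        if name.split("/")[0] in FIRST_PARTY_OWNERS:
            continue
        if not is_sha_pinned(ref):
            findings.append(f"line {lineno}: {target} is not pinned to a commit SHA")
    return findings, PRT_RE.search(text) is not None
```

Running `check_workflow(SAMPLE_WORKFLOW)` flags `actions/labeler@v5` and `astral-sh/setup-uv@v7` and reports that the workflow uses `pull_request_target`, which is the combination the issue asks to review.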

Labels: github_actions