ci: Pin GitHub Actions to full-length commit SHAs #1445
Merged
tandonks merged 5 commits intoJun 25, 2026
added 3 commits
June 25, 2026 11:45
The repository now enforces the GitHub policy requiring all Actions to be pinned to a full-length commit SHA. Workflows referencing actions by tag (e.g. actions/checkout@v3) fail at the prepare-actions step, which blocks CI on every pull request. Pin every action - and the get-ci-image-tag reusable workflow - to its current commit SHA, keeping the previous tag as a trailing comment for readability and future updates. Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>
The prior commit pinned actions in .github/workflows but missed the composite action at .github/actions/run-cypress-tests/action.yaml, which the Cypress jobs invoke. Its actions (setup-java, checkout, setup-node, nick-fields/retry, cypress-io/github-action, upload-artifact) are now pinned to full commit SHAs as well, so the SHA-pinning policy no longer blocks the Cypress workflows. Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>
OpenSearch Dashboards core (checked out at OPENSEARCH_DASHBOARDS_VERSION in CI) now requires @babel/runtime ^7.29.7 via @osd/interpreter, while this plugin declared ^7.26.10. The osd bootstrap single_version_dependencies check fails on the mismatch, blocking unit tests. Bump @babel/runtime to ^7.29.7 (resolutions and devDependencies) to match core. Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>
Contributor
Author
Failing E2E tests are related to rollups, data_stream pages and are unrelated to the above changes.
Contributor
Author
Run binary installation check is failing due to upstream repo issues. Upstream repos need to update commit SHA,
tandonks
approved these changes
Jun 25, 2026
tandonks
left a comment
Collaborator
Since failures are unrelated to current changes, good to merge
…nsearch-project#1442) Replace derek-ho/start-opensearch and derek-ho/setup-opensearch-dashboards with opensearch-project/opensearch-build/.github/actions equivalents pinned to SHA dbcc45dc3e390e54f1917be9c725450548416ce6. Signed-off-by: Craig Perkins <cwperx@amazon.com>
Contributor
The backport to
Hailong-am
pushed a commit
to Hailong-am/index-management-dashboards-plugin
that referenced
this pull request
Jun 26, 2026
…#1445)

* ci: Pin GitHub Actions to full-length commit SHAs

The repository now enforces the GitHub policy requiring all Actions to be pinned to a full-length commit SHA. Workflows referencing actions by tag (e.g. actions/checkout@v3) fail at the prepare-actions step, which blocks CI on every pull request.

Pin every action - and the get-ci-image-tag reusable workflow - to its current commit SHA, keeping the previous tag as a trailing comment for readability and future updates.

Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>

* ci: Pin actions in run-cypress-tests composite action to SHAs

The prior commit pinned actions in .github/workflows but missed the composite action at .github/actions/run-cypress-tests/action.yaml, which the Cypress jobs invoke. Its actions (setup-java, checkout, setup-node, nick-fields/retry, cypress-io/github-action, upload-artifact) are now pinned to full commit SHAs as well, so the SHA-pinning policy no longer blocks the Cypress workflows.

Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>

* fix: Align @babel/runtime with OpenSearch Dashboards core

OpenSearch Dashboards core (checked out at OPENSEARCH_DASHBOARDS_VERSION in CI) now requires @babel/runtime ^7.29.7 via @osd/interpreter, while this plugin declared ^7.26.10. The osd bootstrap single_version_dependencies check fails on the mismatch, blocking unit tests. Bump @babel/runtime to ^7.29.7 (resolutions and devDependencies) to match core.

Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>

* Update GitHub actions to use official opensearch-project actions (opensearch-project#1442)

Replace derek-ho/start-opensearch and derek-ho/setup-opensearch-dashboards with opensearch-project/opensearch-build/.github/actions equivalents pinned to SHA dbcc45dc3e390e54f1917be9c725450548416ce6.

Signed-off-by: Craig Perkins <cwperx@amazon.com>

---------

Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Co-authored-by: Sandeep Kumawat <skumwt@amazon.com>
Co-authored-by: Craig Perkins <cwperx@amazon.com>
tandonks
pushed a commit
that referenced
this pull request
Jun 26, 2026
* Bump lodash from 4.17.21 to 4.18.0 to fix CVE-2026-4800

Signed-off-by: Hailong Cui <ihailong@amazon.com>

* Bump picomatch to 2.3.2 to fix CVE-2026-33671

Signed-off-by: Hailong Cui <ihailong@amazon.com>

* Bump serialize-javascript to 7.0.3 to fix GHSA-5c6j-r48x-rmvq

Signed-off-by: Hailong Cui <ihailong@amazon.com>

* add yarn.lock

Signed-off-by: Hailong Cui <ihailong@amazon.com>

* ci: Pin GitHub Actions to full-length commit SHAs (#1445)

  * ci: Pin GitHub Actions to full-length commit SHAs

  The repository now enforces the GitHub policy requiring all Actions to be pinned to a full-length commit SHA. Workflows referencing actions by tag (e.g. actions/checkout@v3) fail at the prepare-actions step, which blocks CI on every pull request.

  Pin every action - and the get-ci-image-tag reusable workflow - to its current commit SHA, keeping the previous tag as a trailing comment for readability and future updates.

  Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>

  * ci: Pin actions in run-cypress-tests composite action to SHAs

  The prior commit pinned actions in .github/workflows but missed the composite action at .github/actions/run-cypress-tests/action.yaml, which the Cypress jobs invoke. Its actions (setup-java, checkout, setup-node, nick-fields/retry, cypress-io/github-action, upload-artifact) are now pinned to full commit SHAs as well, so the SHA-pinning policy no longer blocks the Cypress workflows.

  Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>

  * fix: Align @babel/runtime with OpenSearch Dashboards core

  OpenSearch Dashboards core (checked out at OPENSEARCH_DASHBOARDS_VERSION in CI) now requires @babel/runtime ^7.29.7 via @osd/interpreter, while this plugin declared ^7.26.10. The osd bootstrap single_version_dependencies check fails on the mismatch, blocking unit tests. Bump @babel/runtime to ^7.29.7 (resolutions and devDependencies) to match core.

  Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>

  * Update GitHub actions to use official opensearch-project actions (#1442)

  Replace derek-ho/start-opensearch and derek-ho/setup-opensearch-dashboards with opensearch-project/opensearch-build/.github/actions equivalents pinned to SHA dbcc45dc3e390e54f1917be9c725450548416ce6.

  Signed-off-by: Craig Perkins <cwperx@amazon.com>

  ---------

  Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>
  Signed-off-by: Craig Perkins <cwperx@amazon.com>
  Co-authored-by: Sandeep Kumawat <skumwt@amazon.com>
  Co-authored-by: Craig Perkins <cwperx@amazon.com>
  Signed-off-by: Hailong Cui <ihailong@amazon.com>

* yarn.lock

Signed-off-by: Hailong Cui <ihailong@amazon.com>

* add missing distribution

Signed-off-by: Hailong Cui <ihailong@amazon.com>

* Revert serialize-javascript 7.0.3 bump (incompatible with Node 18)

serialize-javascript 7.x requires Node >= 20 but CI runs Node 18.19.0, causing yarn install to fail with engine incompatibility error.

Signed-off-by: Hailong Cui <ihailong@amazon.com>

* Remove verify-binary-installation workflow

Signed-off-by: Hailong Cui <ihailong@amazon.com>

---------

Signed-off-by: Hailong Cui <ihailong@amazon.com>
Signed-off-by: Sandeep Kumawat <skumwt@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Co-authored-by: Sandeep Kumawat <2025sandeepkumawat@gmail.com>
Co-authored-by: Sandeep Kumawat <skumwt@amazon.com>
Co-authored-by: Craig Perkins <cwperx@amazon.com>
The repository now enforces the GitHub policy requiring all Actions to be pinned to a full-length commit SHA. Workflows referencing actions by tag (e.g. actions/checkout@v3) fail at the prepare-actions step, which blocks CI on every pull request.
Pin every action - and the get-ci-image-tag reusable workflow - to its current commit SHA, keeping the previous tag as a trailing comment for readability and future updates.
Changes done in other plugins/repos: opensearch-project/dashboards-assistant#699
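A pre-merge check for the pinning policy described in this pull request, written here as an added example and not taken from the repository: it scans both `.github/workflows` and composite actions under `.github/actions`, the location the second commit says was missed at first. The SHA value, the sample file contents and the function names are constructed for illustration, and skipping `docker://` references is an assumption.

```python
import re
import tempfile
from pathlib import Path

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PINNED = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit
# Constructed sample: a pinned workflow and the unpinned composite action it calls.
SAMPLE_FILES = {
    ".github/workflows/cypress.yml": (
        f"jobs:\n  e2e:\n    steps:\n      - uses: actions/checkout@{PINNED} # v3\n"
        "      - uses: ./.github/actions/run-cypress-tests\n"
    ),
    ".github/actions/run-cypress-tests/action.yaml": (
        "runs:\n  using: composite\n  steps:\n    - uses: actions/setup-node@v3\n"
    ),
}

def find_unpinned(yaml_text):
    """Return (line_number, reference) for each `uses:` not pinned to a 40-hex SHA."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        match = USES_RE.match(line)
        # Skip local actions (scan_repo reads their files) and docker:// images (assumption).
        if not match or match.group(1).startswith(("./", "docker://")):
            continue
        ref = match.group(1)
        if not FULL_SHA_RE.match(ref.partition("@")[2]):
            findings.append((lineno, ref))
    return findings

def scan_repo(root):
    """Map each workflow or composite-action file under .github to its findings."""
    github_dir = Path(root, ".github")
    patterns = ("workflows/*.y*ml", "actions/**/action.y*ml")
    report = {}
    for path in sorted(p for pat in patterns for p in github_dir.glob(pat)):
        found = find_unpinned(path.read_text(encoding="utf-8"))
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return scan_repo(root)
```

On the constructed sample the workflow passes and only the composite action is reported, since a local `./` reference carries no ref of its own and the file it points to has to be scanned separately.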