[BugFix] Bump get-ci-image-tag.yml ref to SHA-pinned opensearch-build commit to unblock CI#5583
Merged
Swiddis merged 2 commits intoJun 25, 2026
Conversation
… commit CI checks that call the opensearch-build get-ci-image-tag.yml reusable workflow (SQL Java CI, Analytics Engine Compatibility, Security Plugin IT, SQL PIT test) were blocked before any build or test ran, with: The actions iarekylew00t/crane-installer@v1 and actions/checkout@v6 are not allowed in opensearch-project/sql because all actions must be pinned to a full-length commit SHA. Those unpinned actions live in the referenced opensearch-build commit c2498b758c, not in this repo. Bump the ref in all five workflows to 761e093b8c13 (opensearch-build #6253), where crane-installer and checkout are pinned to full SHAs, satisfying the org action-pinning policy. Signed-off-by: Eric Wei <mengwei.eric@gmail.com>
mengweieric
requested review from
LantaoJin,
RyanL1997,
Swiddis,
acarbonetto,
ahkcs,
anirudha,
dai-chen,
joshuali925,
noCharger,
penghuo,
ps48,
qianheng-aws,
songkant-aws,
vamsimanohar,
ykmr1224 and
yuancu
as code owners
mengweieric
added
infrastructure
…commit The first commit covered the five workflows that call get-ci-image-tag.yml. The same old opensearch-build ref (c2498b758c) was still pinned in pr_review.yml (code-diff-analyzer.yml, code-diff-reviewer.yml) and issue-dedupe.yml (issue-dedupe-detect.yml, issue-dedupe-autoclose.yml). Code-Diff-Analyzer failed at action resolution with the same policy error (actions/setup-node@v6, aws-actions/configure-aws-credentials@v6, peter-evans/find-comment@v3, peter-evans/create-or-update-comment@v5 not pinned to full SHA). This dies before the skip-diff-analyzer label can take effect, since the policy check runs before the called workflow executes. Bump all four remaining refs to 761e093b8c13 (opensearch-build #6253), where these actions are SHA-pinned, fully removing the old ref from the repo. Signed-off-by: Eric Wei <mengwei.eric@gmail.com>
RyanL1997
approved these changes
Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Several CI checks were blocked on
mainbefore any build or test could run, all with the same org-policy error:The unpinned actions are not defined in this repository. They live in the
opensearch-buildreusable workflows that this repo's workflows pinned at the old refc2498b758c(2026-05-21), which still referenced version tags (crane-installer@v1,checkout@v6,setup-node@v6,configure-aws-credentials@v6,find-comment@v3,create-or-update-comment@v5).This bumps every
opensearch-buildreusable-workflow ref to761e093b8c1349cc07f21c1d681d3b30bf9e1999(opensearch-buildPR #6253, "Update build repo all workflows to use SHA", 2026-06-12), where all of those actions are pinned to full-length SHAs, satisfying the policy. No product code is touched; this is a CI-infrastructure fix.Workflows updated (all to the new SHA):
get-ci-image-tag.ymlconsumers:sql-test-and-build-workflow.yml,analytics-engine-compat.yml,integ-tests-with-security.yml,sql-pitest.yml,sql-test-workflow.ymlpr_review.yml(code-diff-analyzer.yml,code-diff-reviewer.yml)issue-dedupe.yml(issue-dedupe-detect.yml,issue-dedupe-autoclose.yml)Verified that at the new SHA, each referenced
opensearch-buildworkflow pins all of its actions to full SHAs. On this PR, theget-ci-image-tag.yml-gated checks (SQL Java CI, Analytics Engine Compatibility, Security Plugin IT, SQL PIT test) now pass.Note:
pr_review.ymltriggers onpull_request_target, so it runs from the base branch. ItsCode-Diff-Analyzerfix therefore takes effect for PRs opened after this merges, not retroactively on this PR.Related Issues
Check List
--signoffor-s.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.