Clarification on SHA pinning for wildcard-approved actions

[ongdisheng]

Hi,

I noticed that actions-cool/maintain-one-comment@* is in the approved_patterns.yml with a wildcard while the README states:

"Always pin actions to exact commit SHAs, never use tags or branch references."

Could you clarify if:

1. For actions with @* wildcard, we should still use SHA (e.g., @4b2dbf086015f892dcb5e8c1106f5fccd6c1476b)
2. Or the wildcard means version tags are acceptable (e.g., @v3)

Thanks!

[raboof]

It is ASF policy to always pin external actions to tags (https://infra.apache.org/github-actions-policy.html)

Indeed we still have some wildcards in the 'approved' patterns. I think this is because we didn't want to break projects' workflows right away, even where they're noncompliant. I'm not sure what the plan for wider enforcement is, but you should use the SHA.

[ongdisheng]

Thank you for the quick clarification! I appreciate the explanation about the wildcards and make sure to use the SHA pinning to stay compliant with ASF policy. Closing this issue as resolved.