Skip to content

HDDS-15719. Add check for allowed action usage in workflows#485

Merged
adoroszlai merged 1 commit into
apache:masterfrom
adoroszlai:HDDS-15719
Jul 4, 2026
Merged

HDDS-15719. Add check for allowed action usage in workflows#485
adoroszlai merged 1 commit into
apache:masterfrom
adoroszlai:HDDS-15719

Conversation

@adoroszlai

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

GitHub workflows may fail silently when using any actions not allowed by ASF Infra. See apache/infrastructure-actions#574 for details.

This change adds a new check that verifies action usage in workflows. See https://github.com/apache/infrastructure-actions/blob/main/allowlist-check/README.md

https://issues.apache.org/jira/browse/HDDS-15719

How was this patch tested?

asf-allowlist-check: https://github.com/adoroszlai/ozone-site/actions/runs/28707933976/job/85136613970#step:3:30

Checking 10 unique action ref(s) against the ASF allowlist:

  ✅ actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/docusaurus.yml, .github/workflows/docusaurus.yml)
  ✅ actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/docusaurus.yml)
  ✅ actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/docusaurus.yml)
  ✅ actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 — trusted owner (actions)  (.github/workflows/asf-allowlist-check.yaml, .github/workflows/docusaurus.yml, .github/workflows/docusaurus.yml, .github/workflows/docusaurus.yml, .github/workflows/publish.yml, .github/workflows/pull-request.yml, .github/workflows/static.yml, .github/workflows/static.yml, .github/workflows/static.yml, .github/workflows/static.yml, .github/workflows/static.yml, .github/workflows/zizmor.yml)
  ✅ actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c — trusted owner (actions)  (.github/workflows/docusaurus.yml, .github/workflows/publish.yml)
  ✅ actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e — trusted owner (actions)  (.github/workflows/static.yml, .github/workflows/static.yml, .github/workflows/static.yml)
  ✅ actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a — trusted owner (actions)  (.github/workflows/docusaurus.yml)
  ✅ apache/infrastructure-actions/allowlist-check@775350a154e610e84c460cb1bbe2d2ab26c15cb3 — trusted owner (apache)  (.github/workflows/asf-allowlist-check.yaml)
  ✅ apache/skywalking-eyes@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 — trusted owner (apache)  (.github/workflows/static.yml)
  ✅ zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa — matches allowlist  (.github/workflows/zizmor.yml)
All 10 unique action refs are on the ASF allowlist

@adoroszlai adoroszlai self-assigned this Jul 4, 2026
@adoroszlai adoroszlai requested a review from peterxcli July 4, 2026 15:12
@adoroszlai adoroszlai added the CI label Jul 4, 2026

@peterxcli peterxcli left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM +1

@adoroszlai adoroszlai merged commit 988ff52 into apache:master Jul 4, 2026
13 checks passed
@adoroszlai adoroszlai deleted the HDDS-15719 branch July 4, 2026 18:25
@adoroszlai

Copy link
Copy Markdown
Contributor Author

Thanks @peterxcli for the review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants