ci: add ASF allowlist check for GitHub Actions (Dependabot guard)#8817
Open
rzo1 wants to merge 1 commit into
Open
ci: add ASF allowlist check for GitHub Actions (Dependabot guard)#8817rzo1 wants to merge 1 commit into
rzo1 wants to merge 1 commit into
Conversation
rzo1
force-pushed
the
add-asf-allowlist-check
branch
from
5b521a8 to
8bd70e1
Compare
Member
|
Hi @rzo1, thanks for jumping in so quickly to support! I checked the logs for the allowlist action, and it looks like it isn't actually scanning any files. It returns Checking 0 unique action ref(s), even though the workflows exist: I suspect the glob pattern might be the issue here. Could this syntax be incorrect for this specific python script? It seems that the py doesn't expand the {yml,yaml} |
Adds a workflow running apache/infrastructure-actions/allowlist-check on PRs touching .github/** (which is what Dependabot's github-actions updater modifies) so that bumps to actions not on the ASF allowlist are caught before merge. Also marks asf-allowlist-check as a required status check on master via .asf.yaml so such PRs are blocked from merging.
rzo1
force-pushed
the
add-asf-allowlist-check
branch
from
8bd70e1 to
03f0277
Compare
Contributor
Author
|
Should be fine now @GGraziadei |
GGraziadei
approved these changes
Jun 29, 2026
GGraziadei
left a comment
GGraziadei
left a comment
Member
There was a problem hiding this comment.
Thank you for the quick fix!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a CI check that validates every referenced GitHub Action against the ASF allowlist, and wires it in as a required status check on
master.Why
Dependabot's
github-actionsecosystem updater opens PRs that bump action versions. Without this guard, an update could point us at an action that is not on the ASF allowlist, which would only surface later (or get merged). This makes the violation fail fast on the PR.How
.github/workflows/asf-allowlist-check.ymlapache/infrastructure-actions/allowlist-check@main.pull_request(andpushtomaster/2.x) limited topaths: .github/**— exactly the files Dependabot's github-actions updater touches.scan-glob: ".github/**/*.{yml,yaml}"because Storm mixes both.ymland.yamlworkflow files (the action's default only matches.yml).permissions: contents: read,persist-credentials: falseper ASF guidance..asf.yaml: addsasf-allowlist-checktorequired_status_checks.contextsonmasterso failing PRs are blocked from merging (branch protection on ASF repos is managed via.asf.yaml, not the GitHub UI).