Allow dart-lang/setup-dart v1.7.1 #739

Merged: potiuk merged 1 commit into apache:main from chaokunyang:allow-dart-setup-dart-action on Apr 19, 2026
@chaokunyang
Contributor

Request for adding a new GitHub Action to the allow list

Overview

Allow apache/fory to use the direct dart-lang/setup-dart action in its Dart release workflow for pub.dev trusted publishing.

Name of action: dart-lang/setup-dart

URL of action: https://github.com/dart-lang/setup-dart

Version to pin to (hash only): e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c

Permissions

The action itself installs the Dart SDK. The calling workflow in apache/fory keeps repository permissions minimal and uses id-token: write for pub.dev trusted publishing via OIDC.

Related Actions

apache/fory already has a separate allowlist request for the reusable publish workflow path from the same repository. This request is for the direct action ref because the release workflow was rewritten to use explicit publish steps instead of the reusable workflow wrapper.

Checklist

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured
  • Compiled JavaScript in dist/ matches a clean rebuild

Verification note: uv run utils/verify-action-build.py dart-lang/setup-dart@e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c was attempted locally, but the check could not complete because the local Docker CLI rejected docker build --progress=plain (unknown flag: --progress).

Generated-by: Codex (GPT-5)
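
The request above pins the action to a full commit hash and notes that the reusable publish workflow path needs its own allow-list entry. The following is an added example, not part of this PR or of the ASF tooling, of a check that enforces both rules on a workflow file; the allow-list layout, the function name and the sample workflow are constructed for illustration.

```python
import re

# Allow list keyed by the exact path before "@". The single entry is the
# name and hash from this PR; the layout of the mapping is an assumption.
ALLOWED = {
    "dart-lang/setup-dart": {"e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c"},
}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed workflow text (not apache/fory's real workflow).
SAMPLE = """\
jobs:
  publish:
    permissions:
      id-token: write
    steps:
      - uses: dart-lang/setup-dart@e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c
      - uses: dart-lang/setup-dart@v1.7.1
      - uses: dart-lang/setup-dart@e51d8e5
  wrapped:
    uses: dart-lang/setup-dart/.github/workflows/publish.yml@e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c
"""

def check_workflow(text, allowed=ALLOWED):
    """Return (line_no, ref, problem) for each `uses:` ref that fails."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images: out of scope
        name, _, version = ref.partition("@")
        if not FULL_SHA_RE.fullmatch(version):
            # Tags and short hashes are mutable or ambiguous.
            findings.append((no, ref, "not pinned to a full commit SHA"))
        elif version not in allowed.get(name, set()):
            # Same repo, different path: needs its own allow-list entry.
            findings.append((no, ref, "not on the allow list"))
    return findings

if __name__ == "__main__":
    for no, ref, problem in check_workflow(SAMPLE):
        print(f"line {no}: {ref}: {problem}")
```
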
@potiuk
Member

potiuk commented Apr 19, 2026

PR #741 should address rebuild check

@potiuk
Member

potiuk commented Apr 19, 2026

Ran the latest verify-action-build from main (which now includes Dart-action handling from #736 and the binary-download verification from #743). Build verification passes — compiled JS in dist/ matches a clean rebuild, no binary downloads without verification, and the action is correctly detected as node20.

Result: ✅ All checks pass

Full verify-action-build output
  Extracted action reference from PR #739:
dart-lang/setup-dart@e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c

╭───────────────────────── Action Build Verification ──────────────────────────╮
│  Action  dart-lang/setup-dart                                                │
│  Commit  e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c                            │
╰──────────────────────────────────────────────────────────────────────────────╯
  ✓ Artifacts extracted
  ✓ Deleted 2 compiled JS file(s) before rebuild:
    - dist/index.mjs
    - dist/main.cjs
  ✓ Action type: node20
  ✓ Cleanup complete

───────────────────────── Binary Download Verification ─────────────────────────
  ✓ No binary downloads detected

──────────────────────── Comparing 2 JavaScript file(s) ────────────────────────
  ~ index.mjs (non-minified JS — rebuild differs, likely due to ncc/toolchain
version differences)
    The dist/ JS is human-readable and not minified. Small differences in the
webpack boilerplate are expected across ncc versions.
    Review the source changes via the approved version diff below instead.
  ~ main.cjs (non-minified JS — rebuild differs, likely due to ncc/toolchain
version differences)
    The dist/ JS is human-readable and not minified. Small differences in the
webpack boilerplate are expected across ncc versions.
    Review the source changes via the approved version diff below instead.

───────────────────────────── Verification Summary ─────────────────────────────
                    dart-lang/setup-dart@e51d8e571e22
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Check                          ┃ Status ┃ Detail                       ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Action type detection          │   ℹ    │ node20                       │
│ Binary download verification   │   ✓    │ no downloads or all verified │
│ JS build verification          │   ✓    │ compiled JS matches rebuild  │
│ Approved versions              │   ℹ    │ new action (none on file)    │
└────────────────────────────────┴────────┴──────────────────────────────┘

╭─────────────────────────────────── RESULT ───────────────────────────────────╮
│ All compiled JavaScript matches the rebuild                                  │
╰──────────────────────────────────────────────────────────────────────────────╯
Exit code: 0

Command: uv run verify-action-build --from-pr 739 --ci (from utils/). Ran against commit e51d8e5 as specified in the PR body.

Member

@potiuk potiuk left a comment

LGTM.

@potiuk potiuk merged commit 6b2ecfe into apache:main Apr 19, 2026
10 checks passed
@potiuk
Member

potiuk commented Apr 19, 2026

Also added #739 to run verify check on manual PRs as well - not only on dependabot ones
