ci: verify manual allowlist PRs via verify-action-build #745
Merged
Conversation
Adds a workflow that runs verify-action-build on PRs which touch actions.yml or approved_patterns.yml and are not authored by dependabot. Mirrors the existing verify_dependabot_action.yml pattern — regular pull_request trigger with read-only permissions, exits with the verify script's rc so the status check reflects pass/fail. Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Member
Author
cc: @dave2wave @raboof -> this one will also run the check on manual PRs from people.
dave2wave
approved these changes
Apr 19, 2026
Member
dave2wave
left a comment
LGTM - is this documented in the README?
Member
Author
Good point! Let me add it and update AGENTS.md to always update the docs.
…eatures
- README: rewrite the "Automated Verification in CI" section to list both verify workflows (dependabot + manual) and describe their triggers, permissions, and pass/fail semantics.
- AGENTS.md: add a "Documentation" section requiring user-visible changes (workflows, scripts, CLI flags) to ship with reference-doc updates in the same PR.
Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Member
Author
Updated the docs and the agents instruction so it doesn't happen next time!
Summary
Adds a workflow that runs verify-action-build on PRs which manually add a new action to the allow list — i.e. those touching actions.yml or approved_patterns.yml and not authored by dependabot. Example PR this would have caught: #739.

Mirrors the existing verify_dependabot_action.yml pattern:
- pull_request trigger (not pull_request_target — avoids the privilege-escalation risk).
- Read-only permissions (contents: read, pull-requests: read).
- The verify-action-build --ci --from-pr $N script exits with rc, and that becomes the status check on the PR.
- ::stop-commands:: wrapper to neutralize any workflow-command strings that might appear in action diffs.
- persist-credentials: false on checkout.

Skipped for dependabot-authored PRs (already covered by verify_dependabot_action.yml).

Test plan
- PR with no actions.yml change — the workflow should not run.
- PR that touches actions.yml — the workflow should run and pass/fail according to the verify result.
- Dependabot PR touching actions.yml / approved_patterns.yml — should be skipped by the if: guard (the dependabot workflow handles them).