Skip to content

HDDS-15719. Add check for allowed action usage in workflows#71

Merged
adoroszlai merged 1 commit into
apache:latestfrom
adoroszlai:HDDS-15719
Jul 4, 2026
Merged

HDDS-15719. Add check for allowed action usage in workflows#71
adoroszlai merged 1 commit into
apache:latestfrom
adoroszlai:HDDS-15719

Conversation

@adoroszlai

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

GitHub workflows may fail silently when using any actions not allowed by ASF Infra. See apache/infrastructure-actions#574 for details.

This change adds a new check that verifies action usage in workflows. See https://github.com/apache/infrastructure-actions/blob/main/allowlist-check/README.md

https://issues.apache.org/jira/browse/HDDS-15719

How was this patch tested?

asf-allowlist-check: https://github.com/adoroszlai/ozone-docker/actions/runs/28707803583/job/85136272854#step:3:30

Checking 8 unique action ref(s) against the ASF allowlist:

  ✅ actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 — trusted owner (actions)  (.github/workflows/asf-allowlist-check.yaml, .github/workflows/zizmor.yml)
  ✅ apache/infrastructure-actions/allowlist-check@775350a154e610e84c460cb1bbe2d2ab26c15cb3 — trusted owner (apache)  (.github/workflows/asf-allowlist-check.yaml)
  ✅ docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf — matches allowlist  (.github/workflows/build.yaml)
  ✅ docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee — matches allowlist  (.github/workflows/build-and-tag.yaml, .github/workflows/build-and-tag.yaml, .github/workflows/build.yaml)
  ✅ docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 — matches allowlist  (.github/workflows/build-and-tag.yaml, .github/workflows/build.yaml)
  ✅ docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 — matches allowlist  (.github/workflows/build.yaml)
  ✅ docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 — matches allowlist  (.github/workflows/build.yaml)
  ✅ zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa — matches allowlist  (.github/workflows/zizmor.yml)
All 8 unique action refs are on the ASF allowlist

zizmor: https://github.com/adoroszlai/ozone-docker/actions/runs/28707803568/job/85136272919#step:3:93

@adoroszlai adoroszlai self-assigned this Jul 4, 2026
@adoroszlai adoroszlai requested a review from peterxcli July 4, 2026 13:44

@peterxcli peterxcli left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM +1

@adoroszlai adoroszlai merged commit ee0379c into apache:latest Jul 4, 2026
4 checks passed
@adoroszlai adoroszlai deleted the HDDS-15719 branch July 4, 2026 15:23
@adoroszlai

Copy link
Copy Markdown
Contributor Author

Thanks @peterxcli for the review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants