RATIS-2588. Add check for allowed action usage in workflows #1507

Merged: adoroszlai merged 2 commits into apache:master from adoroszlai:RATIS-2588, Jul 5, 2026

@adoroszlai

Contributor

What changes were proposed in this pull request?

Same as apache/ratis-thirdparty#139 and apache/ratis-thirdparty#141 combined, for apache/ratis.

https://issues.apache.org/jira/browse/RATIS-2588

How was this patch tested?

Checking 9 unique action ref(s) against the ASF allowlist:

  ✅ actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/check.yaml, .github/workflows/ci.yaml)
  ✅ actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/check.yaml, .github/workflows/repeat-test.yaml)
  ✅ actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 — trusted owner (actions)  (.github/workflows/asf-allowlist-check.yaml, .github/workflows/check.yaml, .github/workflows/ci.yaml, .github/workflows/repeat-test.yaml, .github/workflows/vulnerability-check.yaml, .github/workflows/zizmor.yaml)
  ✅ actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c — trusted owner (actions)  (.github/workflows/check.yaml, .github/workflows/check.yaml, .github/workflows/check.yaml, .github/workflows/ci.yaml, .github/workflows/repeat-test.yaml)
  ✅ actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 — trusted owner (actions)  (.github/workflows/check.yaml, .github/workflows/ci.yaml, .github/workflows/repeat-test.yaml, .github/workflows/vulnerability-check.yaml)
  ✅ actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 — trusted owner (actions)  (.github/workflows/close-stale-pr.yaml)
  ✅ actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a — trusted owner (actions)  (.github/workflows/check.yaml, .github/workflows/check.yaml, .github/workflows/check.yaml, .github/workflows/check.yaml, .github/workflows/ci.yaml, .github/workflows/repeat-test.yaml, .github/workflows/vulnerability-check.yaml)
  ✅ apache/infrastructure-actions/allowlist-check@775350a154e610e84c460cb1bbe2d2ab26c15cb3 — trusted owner (apache)  (.github/workflows/asf-allowlist-check.yaml)
  ✅ zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa — matches allowlist  (.github/workflows/zizmor.yaml)
All 9 unique action refs are on the ASF allowlist

https://github.com/adoroszlai/ratis/actions/runs/28673161941/job/85040822583#step:3:30

@adoroszlai adoroszlai self-assigned this Jul 3, 2026
@adoroszlai adoroszlai added the CI label Jul 3, 2026
@adoroszlai adoroszlai requested a review from szetszwo July 3, 2026 17:59
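
The kind of check whose output is quoted in the pull request description above, as an added Python sketch that is not part of the pull request and is not the code of apache/infrastructure-actions/allowlist-check. The policy (trusted owners pass, any other action must exactly match an allowlist entry pinned to a full commit SHA) is an assumption inferred from that output, and the sample workflow and `example-org/deploy-action` are constructed.

```python
import re

# Assumed policy for this sketch, inferred from the check output above:
# owners reported as "trusted owner" pass; any other action must match an
# allowlist entry exactly, pinned to a full 40-hex commit SHA.
TRUSTED_OWNERS = {"actions", "apache"}
ALLOWLIST = {"zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa"}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")

def collect_refs(workflows):
    """Map each unique action ref to the sorted list of files that use it."""
    refs = {}
    for path, text in workflows.items():
        for ref in USES_RE.findall(text):
            if not ref.startswith(("./", "docker://")):  # local and image steps skipped
                refs.setdefault(ref, set()).add(path)
    return {ref: sorted(paths) for ref, paths in sorted(refs.items())}

def classify(ref):
    """Return (allowed, reason) for an 'owner/repo[/path]@version' ref."""
    name, _, version = ref.partition("@")
    owner = name.split("/", 1)[0]
    if owner in TRUSTED_OWNERS:
        return True, f"trusted owner ({owner})"
    if not SHA_RE.fullmatch(version):
        return False, "not pinned to a full commit SHA"
    if ref in ALLOWLIST:
        return True, "matches allowlist"
    return False, "not on allowlist"

def violations(workflows):
    """List (ref, reason, files) for every ref that fails the check."""
    checked = ((ref, classify(ref), files) for ref, files in collect_refs(workflows).items())
    return [(ref, why, files) for ref, (ok, why), files in checked if not ok]

# Constructed sample input; example-org/deploy-action is a made-up name.
SAMPLE = {
    ".github/workflows/ci.yaml": """
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
      - uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa
      - uses: zizmorcore/zizmor-action@v0  # mutable tag
      - uses: example-org/deploy-action@0123456789abcdef0123456789abcdef01234567
""",
}

for ref, why, files in violations(SAMPLE):
    print(f"FAIL {ref}: {why} ({', '.join(files)})")
```

The same third-party action passes when pinned to the allowlisted SHA and fails on a mutable tag, because a tag can be moved to different code after review.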

@szetszwo szetszwo left a comment

Contributor

+1 the change looks good.

@adoroszlai adoroszlai merged commit d5c0034 into apache:master Jul 5, 2026
19 checks passed
@adoroszlai

Contributor Author

Thanks @szetszwo for the review.

@adoroszlai adoroszlai deleted the RATIS-2588 branch July 5, 2026 06:05