
HDDS-15719. Add check for allowed action usage in workflows#10641

Merged
adoroszlai merged 4 commits into
apache:masterfrom
adoroszlai:HDDS-15719
Jul 4, 2026

Conversation

@adoroszlai (Contributor) commented Jun 30, 2026

What changes were proposed in this pull request?

GitHub workflows may fail silently when using any actions not allowed by ASF Infra. See apache/infrastructure-actions#574 for details.

This change adds a new check that verifies action usage in workflows. See https://github.com/apache/infrastructure-actions/blob/main/allowlist-check/README.md

https://issues.apache.org/jira/browse/HDDS-15719

How was this patch tested?

asf-allowlist-check: https://github.com/apache/ozone/actions/runs/28676520867/job/85051000513#step:3:30

Checking 11 unique action ref(s) against the ASF allowlist:

  ✅ actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/check.yml, .github/workflows/ci.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/populate-cache.yml, .github/workflows/repeat-acceptance.yml)
  ✅ actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/populate-cache.yml)
  ✅ actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 — trusted owner (actions)  (.github/workflows/build-ratis.yml, .github/workflows/check.yml, .github/workflows/populate-cache.yml, .github/workflows/repeat-acceptance.yml)
  ✅ actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 — trusted owner (actions)  (.github/workflows/asf-allowlist-check.yaml, .github/workflows/build-ratis.yml, .github/workflows/build-ratis.yml, .github/workflows/check.yml, .github/workflows/ci.yml, .github/workflows/ci.yml, .github/workflows/ci.yml, .github/workflows/ci.yml, .github/workflows/generate-config-doc.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/label-pr.yml, .github/workflows/populate-cache.yml, .github/workflows/pull-request.yml, .github/workflows/repeat-acceptance.yml, .github/workflows/repeat-acceptance.yml, .github/workflows/repeat-acceptance.yml, .github/workflows/update-ozone-site-config-doc.yml, .github/workflows/zizmor.yml)
  ✅ actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c — trusted owner (actions)  (.github/workflows/check.yml, .github/workflows/check.yml, .github/workflows/check.yml, .github/workflows/check.yml, .github/workflows/ci.yml, .github/workflows/generate-config-doc.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/repeat-acceptance.yml, .github/workflows/update-ozone-site-config-doc.yml)
  ✅ actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 — trusted owner (actions)  (.github/workflows/build-ratis.yml, .github/workflows/check.yml, .github/workflows/ci.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/populate-cache.yml, .github/workflows/populate-cache.yml, .github/workflows/repeat-acceptance.yml)
  ✅ actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 — trusted owner (actions)  (.github/workflows/generate-config-doc.yml)
  ✅ actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 — trusted owner (actions)  (.github/workflows/close-stale-prs.yaml)
  ✅ actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a — trusted owner (actions)  (.github/workflows/build-ratis.yml, .github/workflows/check.yml, .github/workflows/check.yml, .github/workflows/check.yml, .github/workflows/check.yml, .github/workflows/ci.yml, .github/workflows/generate-config-doc.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/intermittent-test-check.yml, .github/workflows/repeat-acceptance.yml, .github/workflows/repeat-acceptance.yml)
  ✅ apache/infrastructure-actions/allowlist-check@775350a154e610e84c460cb1bbe2d2ab26c15cb3 — trusted owner (apache)  (.github/workflows/asf-allowlist-check.yaml)
  ✅ zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa — matches allowlist  (.github/workflows/zizmor.yml)
All 11 unique action refs are on the ASF allowlist

zizmor: https://github.com/apache/ozone/actions/runs/28676520903/job/85051000643#step:3:116
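The check output above classifies each unique `uses:` ref as "trusted owner" or "matches allowlist" and lists the workflow files that reference it. The following is an added illustration of that logic, not the apache/infrastructure-actions allowlist-check itself: the sample workflow, the `TRUSTED_OWNERS` set and the `ALLOWLIST` set are constructed assumptions modelled on the output, and the pinned-to-SHA report at the end goes beyond what the PR's check does.

```python
import re
# Constructed sample workflow (not from the Ozone repo): SHA-pinned actions/*
# refs, an allowlisted third-party action, a local action and an unknown one.
WORKFLOWS = {
    ".github/workflows/ci.yml": """
jobs:
  build:
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
      - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9
      - uses: ./.github/actions/local-composite
  lint:
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
      - uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa
      - uses: example-org/unknown-action@v1
""",
}
# Assumed policy modelled on the job output above; not the real ASF allowlist.
TRUSTED_OWNERS = {"actions", "apache"}
ALLOWLIST = {"zizmorcore/zizmor-action"}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")

def extract_refs(workflows):
    """Map each external `uses:` ref to the workflow files referencing it."""
    refs = {}
    for path, text in workflows.items():
        for ref in USES_RE.findall(text):
            if not ref.startswith(("./", "docker://")):  # skip local/image refs
                refs.setdefault(ref, []).append(path)
    return refs

def classify(ref):
    """'trusted owner' | 'matches allowlist' | 'not allowed', as in the job output."""
    parts = ref.partition("@")[0].split("/")  # owner/repo[/subdir]
    if parts[0] in TRUSTED_OWNERS:
        return "trusted owner"
    if "/".join(parts[:2]) in ALLOWLIST:
        return "matches allowlist"
    return "not allowed"

def check(workflows):
    """Return (verdict per unique ref, refs not allowed, refs not pinned to a SHA)."""
    refs = extract_refs(workflows)
    verdicts = {ref: classify(ref) for ref in refs}
    blocked = sorted(r for r, v in verdicts.items() if v == "not allowed")
    unpinned = sorted(r for r in refs if not SHA_RE.fullmatch(r.partition("@")[2]))
    return verdicts, blocked, unpinned
```

A non-empty `blocked` list is the condition under which such a workflow would fail silently on ASF Infra, so a real check should exit non-zero on it.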

@adoroszlai adoroszlai self-assigned this Jun 30, 2026
@adoroszlai adoroszlai added the CI label Jun 30, 2026
Comment thread .github/workflows/asf-allowlist-check.yaml Fixed
@adoroszlai adoroszlai requested a review from peterxcli July 4, 2026 11:18

@peterxcli (Member) left a comment

LGTM +1

@adoroszlai adoroszlai merged commit 0d3cdbc into apache:master Jul 4, 2026
19 checks passed
@adoroszlai adoroszlai deleted the HDDS-15719 branch July 4, 2026 13:28
@adoroszlai (Contributor, Author) commented

Thanks @peterxcli for the review.
