chore: Perform ASF allowlist checks on CI changes#69
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a new GitHub Actions workflow intended to validate ASF allowlist compliance when .github/** changes, helping catch workflow breakages (including those introduced by Dependabot) early in CI.
Changes:
- Introduces a new
.github/workflows/asf-allowlist-check.ymlworkflow that runs on PRs and pushes affecting.github/**. - Runs ASF allowlist checks and a zizmor workflow analysis step as part of the job.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
I'm thinking we can merge this PR (since the workflow itself is working) and fix the linting errors in later PRs. |
kou
left a comment
There was a problem hiding this comment.
Could you open an issue for this?
See also: https://github.com/apache/arrow-erlang/blob/main/CONTRIBUTING.md#minor-fixes
How about removing the zizmor change from this PR?
If we remove the zizmor change, the CI job isn't failed, right?
How about working on adding the zizmor job and fixing failures in a separated PR?
I've opened #70. |
What issue does this PR close?
Closes #70.
Dependabot updates do not respect the ASF allowlist. Thus, some dependabot PRs
can silently break workflows as seen in #63.
What's changed
A workflow to perform to ASF allowlist checks on changes to
.githubhas beenadded. Any breakages introduced by dependabot updates (or any other changes)
will be highlighted.
Copied verbatim from https://github.com/apache/arrow-adbc/blob/main/.github/workflows/asf-allowlist-check.yml.