Commit 9732cd6

Allowlist carabiner v1.2.0 transitive ampel-bootstrap + download-and-verify (#906)
The hourly "Check for transitive failures in current latest actions" workflow has been failing on every scheduled run since the carabiner v1.2.0 bump. `ampel/verify@v1.2.0` (e0e3b814) transitively resolves `install/ampel-bootstrap` and `install/download-and-verify` at the same v1.2.0 monorepo commit (e0e3b814), but only three of the five carabiner sub-actions had that SHA allowlisted — these two were missed in the v1.2.0 sync, so the run is blocked with "is not allowed in apache/infrastructure-actions".

Add e0e3b814 to both sub-action blocks in actions.yml as allowlisted-but-expiring transitive entries (the existing 9db1a064 stays the live, dependabot-tracked ref, so the composite is unchanged) and regenerate approved_patterns.yml via the gateway sync.

Generated-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent b6f6dfd commit 9732cd6

2 files changed

Lines changed: 12 additions & 0 deletions

actions.yml

Lines changed: 10 additions & 0 deletions
@@ -182,6 +182,11 @@ carabiner-dev/actions/install/ampel-bootstrap:
182182
9db1a064ca5691ef6f5d983031739ca287de0968:
183183
expires_at: 2026-08-28
184184
b60791af41423360b892a1a3cee90cd4e131f381: {}
185+
# transitive dep pulled by ampel/verify @ v1.2.0 (e0e3b814); allowlisted
186+
# but not dependabot-tracked (b60791af above stays the live ref).
187+
e0e3b8149dafed833431095bc148d50e7eade4e8:
188+
tag: v1.2.0
189+
expires_at: 2026-08-16
185190
carabiner-dev/actions/install/bnd:
186191
2a11d59a135c5e291f305f249a92ad7903e3ee0f:
187192
# transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0
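
Review bot: The added comment on the e0e3b814 entry for install/ampel-bootstrap names b60791af as the live ref, while the commit message says the existing 9db1a064 stays the live, dependabot-tracked ref; the two need to agree. In this block 9db1a064 carries expires_at: 2026-08-28 and b60791af is the only entry without an expiry, so the inline comment looks like the accurate one, but please confirm and correct whichever is stale. It would also help to reuse the wording already used under install/bnd ("transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0") so all transitive entries can be found with one search.
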
@@ -203,6 +208,11 @@ carabiner-dev/actions/install/download-and-verify:
203208
9db1a064ca5691ef6f5d983031739ca287de0968:
204209
expires_at: 2026-08-28
205210
b60791af41423360b892a1a3cee90cd4e131f381: {}
211+
# transitive dep pulled by ampel/verify @ v1.2.0 (e0e3b814); allowlisted
212+
# but not dependabot-tracked (b60791af above stays the live ref).
213+
e0e3b8149dafed833431095bc148d50e7eade4e8:
214+
tag: v1.2.0
215+
expires_at: 2026-08-16
206216
carloscastrojumo/github-cherry-pick-action:
207217
503773289f4a459069c832dc628826685b75b4b3:
208218
tag: v1.0.10
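
Review bot: expires_at: 2026-08-16 on the new e0e3b814 entry for install/download-and-verify is earlier than the 2026-08-28 expiry on 9db1a064 in the same block, and nothing in the comment says what that date is tied to. If ampel/verify@v1.2.0 is still in use when this entry lapses, the transitive check described in the commit message would presumably be blocked again for the same reason. Suggest stating in the comment which change is expected to make this entry unnecessary, or aligning the date with the expiry of the ampel/verify v1.2.0 entry (not shown in this hunk).
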

approved_patterns.yml

Lines changed: 2 additions & 0 deletions
@@ -72,13 +72,15 @@
7272
- carabiner-dev/actions/install/ampel-bootstrap@0a075bb75a68646d05f99c85cbbf2be40dd8e442
7373
- carabiner-dev/actions/install/ampel-bootstrap@9db1a064ca5691ef6f5d983031739ca287de0968
7474
- carabiner-dev/actions/install/ampel-bootstrap@b60791af41423360b892a1a3cee90cd4e131f381
75+
- carabiner-dev/actions/install/ampel-bootstrap@e0e3b8149dafed833431095bc148d50e7eade4e8
7576
- carabiner-dev/actions/install/bnd@2a11d59a135c5e291f305f249a92ad7903e3ee0f
7677
- carabiner-dev/actions/install/bnd@e0e3b8149dafed833431095bc148d50e7eade4e8
7778
- carabiner-dev/actions/install/bnd@94f29392187fe5082d1195a7d4cae3a7ddf09d9c
7879
- carabiner-dev/actions/install/download-and-verify@2a11d59a135c5e291f305f249a92ad7903e3ee0f
7980
- carabiner-dev/actions/install/download-and-verify@6022a065d6420de5d86333ecfb2b25c57f84b699
8081
- carabiner-dev/actions/install/download-and-verify@9db1a064ca5691ef6f5d983031739ca287de0968
8182
- carabiner-dev/actions/install/download-and-verify@b60791af41423360b892a1a3cee90cd4e131f381
83+
- carabiner-dev/actions/install/download-and-verify@e0e3b8149dafed833431095bc148d50e7eade4e8
8284
- carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3
8385
- carlosperate/arm-none-eabi-gcc-action@*
8486
- check-spelling/check-spelling@*
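
Review bot: The two added patterns approve install/ampel-bootstrap and install/download-and-verify at e0e3b814 with no trace of the expires_at: 2026-08-16 set in actions.yml, so this file on its own keeps approving the SHA after that date unless it is regenerated. Since the commit message says the file is produced by the gateway sync, please confirm that a later sync run drops expired entries automatically, so the expiry does not depend on a manual cleanup of this list.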
