allowlist: add carabiner-dev install/{ampel,bnd} transitive deps#831
Conversation
carabiner-dev/actions/ampel/verify@v1.2.0 (already approved) calls carabiner-dev/actions/install/ampel and install/bnd at v1.1.7 SHA 2a11d59a135c5e291f305f249a92ad7903e3ee0f. GitHub Actions validates every transitive `uses:` against the org allowlist, so these two need to be approved too — without them, check-for-transitive-failures fails every hour with "action ... is not allowed". Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Needs approve :) |
|
Do we need to pin those dependencies by SHA1? Until https://github.com/orgs/community/discussions/26245#discussioncomment-15601440 is solved, sibling actions will need to either be pinned by SHA1 and refer to the previous version or be pinned by tag. We could ask @puerco to:
|
That all seems much more complex than just approving those SHAs now - why would that be better? |
|
With the current setup we always need to trust two SHA1 at each given moment:
This is a lot of patterns and we already use up around one third (332) of the 1000 pattern limit imposed by GitHub. It would be better to have a single pattern for a single version of the actions (e.g. If a tag is immutable, it is as good as a SHA1, but sibling actions can reference each other. |
|
Thanks @ppkarwasz — the diagnosis is right and the proposals have merit, but I think they belong in a separate piece of work rather than gating this PR. Splitting the response in two: On the immediate fix (this PR): The pattern-count pressure also isn't acute: we're at 332/1000 with the soft-fail at 800 (README), so we have years of headroom at current growth. On the broader proposal:
I'll open a tracking issue to capture this so we can design it properly (immutability check semantics, path-wildcard verification, README/policy update) without holding up the immediate fix. Sound reasonable? |
|
Issues opened - including one on carabiner |
…trap} (levels 2-3) Follow-up to apache#831 — that PR added the level-1 transitive siblings install/{ampel,bnd} @ v1.1.7 (SHA 2a11d59a135c5e291f305f249a92ad7903e3ee0f), but the sibling-call chain rooted at carabiner-dev/actions/ampel/verify@v1.2.0 is actually four levels deep: ampel/verify @ v1.2.0 (e0e3b81…) └── install/{ampel,bnd} @ v1.1.7 (2a11d59…) [added by apache#831] └── install/download-and-verify (6022a06…) [this PR] └── install/ampel-bootstrap (0a075bb…) [this PR] ampel-bootstrap is a leaf — no further sibling refs. After this PR the check-for-transitive-failures workflow should go green; the immediately preceding failure log was on the missing download-and-verify SHA. Underlying scaling issue (sibling-chain pattern explosion) tracked at apache#852 and upstream at carabiner-dev/actions#57. Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…itive
carabiner-dev/actions/ampel/verify@v1.2.0 (already approved) calls
install/download-and-verify at v1.1.7 SHA 2a11d59a — the same
monorepo commit already approved for install/{ampel,bnd} via apache#831.
GitHub Actions validates every transitive `uses:` against the org
allowlist, so this subpath needs to be approved too — without it,
check-for-transitive-failures fails every hour with "action ... is
not allowed".
Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
carabiner-dev/actions/install/ampel@v1.1.7andinstall/bnd@v1.1.7to the allowlist. Both are transitive deps thatcarabiner-dev/actions/ampel/verify@v1.2.0calls.check-for-transitive-failuresfailures (e.g. run 25643163039): GitHub Actions rejects the transitiveinstall/*refs because they aren't on the org allowlist.Test plan
update_actions.ymlregeneratesapproved_patterns.yml+ the composite action.yml fromactions.yml.check-for-transitive-failuresrun passes.