From f88b862f38b8afd6294d360a3af6c135ec457329 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Thu, 28 May 2026 23:20:03 +0200 Subject: [PATCH] allowlist: add carabiner-dev install/download-and-verify v1.1.7 transitive MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit carabiner-dev/actions/ampel/verify@v1.2.0 (already approved) calls install/download-and-verify at v1.1.7 SHA 2a11d59a — the same monorepo commit already approved for install/{ampel,bnd} via #831. GitHub Actions validates every transitive `uses:` against the org allowlist, so this subpath needs to be approved too — without it, check-for-transitive-failures fails every hour with "action ... is not allowed". Generated-by: Claude Opus 4.7 (1M context) --- actions.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/actions.yml b/actions.yml index 5d72798c7..84a561aaf 100644 --- a/actions.yml +++ b/actions.yml @@ -191,6 +191,10 @@ carabiner-dev/actions/install/bnd: e0e3b8149dafed833431095bc148d50e7eade4e8: tag: v1.2.0 carabiner-dev/actions/install/download-and-verify: + 2a11d59a135c5e291f305f249a92ad7903e3ee0f: + # transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 + tag: v1.1.7 + expires_at: 2026-08-16 # level-2 transitive: called by install/{ampel,bnd} @ v1.1.7; commit is untagged 6022a065d6420de5d86333ecfb2b25c57f84b699: expires_at: 2026-08-16