[ 
https://issues.apache.org/jira/browse/DAFFODIL-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18062500#comment-18062500
 ] 

Steve Lawrence commented on DAFFODIL-3069:
------------------------------------------

All daffodil repositories have been updated to specify "max-parallel" if they 
also specify a "matrix" job.

The PR Labeler still uses pull_request_target, but a number of projects use 
this and so ASF Infra is now working on providing additional guidance. We will 
keep the PR labeler as is until that guidance is released and update the workflows 
accordingly.

> GitHub actions workflows ASF policy violations
> ----------------------------------------------
>
>                 Key: DAFFODIL-3069
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-3069
>             Project: Daffodil
>          Issue Type: Bug
>          Components: Infrastructure
>            Reporter: Steve Lawrence
>            Priority: Critical
>
> From an email from ASF:
> Greetings Daffodil PMC!
> The repository: daffodil has been scanned.
> Our analysis has found that the following GitHub Actions workflows need 
> remediation:
>       CI: `max-parallel: 20` is required for job matrices. see 
> https://s.apache.org/max-parallel for more details
>       PR Labeler: `pull_request_target` was found as a workflow trigger. see 
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=321719166#GitHubActionsSecurity-Buildstriggeredwithpull_request_target,
>  for more details
> For more information on the GitHub Actions workflow policy, visit:
>       https://infra.apache.org/github-actions-policy.html
> Please remediate the above as soon as possible.
> If after 60 days these problems are not addressed, we will turn off 
> builds
> Cheers,
>       ASF Infrastructure
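For reference, the two findings quoted above translate into two workflow configuration points. The following is an added example (not Daffodil's actual workflow files): a CI matrix job that carries the required `max-parallel: 20`, and a labeler workflow that still uses `pull_request_target` but limits the blast radius of that trigger. The job names, matrix values, build command and the `actions/labeler` version are assumptions.

```yaml
# Added example, not from the Daffodil repositories. Job names, matrix
# values, the build command and action versions are assumptions.

# --- Finding 1: "max-parallel: 20 is required for job matrices" ---
name: CI
on:
  pull_request:          # runs in the fork's context with a read-only token
  push:
    branches: [main]

jobs:
  test:
    strategy:
      fail-fast: false
      max-parallel: 20   # ASF policy: cap concurrent matrix jobs at 20
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        java: [8, 11, 17]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: ${{ matrix.java }}
      - run: sbt test    # assumed build command

---
# --- Finding 2: pull_request_target used as a trigger ---
# pull_request_target runs in the base repository's context with a
# write-capable GITHUB_TOKEN and access to repository secrets, so the job
# must never check out or execute code supplied by the pull request.
name: PR Labeler
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write   # the only write scope a labeler needs

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head: the labeler reads
      # its rules from the base branch and only edits PR labels.
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

The first document shows that `max-parallel` is a sibling of `matrix` under `strategy`, which is the only place the policy's check looks for it. The second keeps `pull_request_target` (the labeler needs a token that can write labels, which plain `pull_request` does not grant for forks) but restricts `permissions` to the minimum and performs no checkout of untrusted PR code, which is the usual way to keep that trigger from turning a contributor's branch into code that runs with the base repository's secrets.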



--
This message was sent by Atlassian Jira
(v8.20.10#820010)