Hi Volkan,

On 30.04.2026 15:09, Volkan Yazıcı wrote:
> Log4j's CI pipeline is broken because of Develocity[1], Scorecards[2], and
> Rulesets[3], all of which Piotr introduced. Failures caused by these
> components render the CI broken several times every year and
> require constant fixing. *Currently, we cannot merge any Log4j changes or
> make releases.* I find this very concerning, something that needs to be
> addressed.

I won't express an opinion on whether these features should stay or go, but you tend to frame features you dislike as the root cause of CI failures and their removal as the only solution.

Develocity and Scorecards haven't changed, so they can't be the actual cause. The real cause is ASF's response to the Trivy Security Incident:

https://news.apache.org/foundation/entry/initial-report-on-trivy-security-incident

In short: Trivy was a "verified GitHub creator" and ASF previously allowed any action from verified creators. After the incident, all actions must be whitelisted, which affected `gradle` and `ossf` too.

Regarding Rulesets: these are an experimental ASFYaml feature giving us access to GitHub Rulesets (the successor of Branch Protection and the sunset Tag Protection). I apologize for testing this in `logging-parent` without broader discussion on the mailing list. They were introduced in:

https://github.com/apache/logging-parent/pull/456

on a test branch and later extended to `main`. Unfortunately, the ASFYaml feature has a bug preventing modification or deletion of any ruleset until this PR is merged:

https://github.com/apache/infrastructure-asfyaml/pull/93

After this PR (which I reviewed too shallowly):

https://github.com/apache/logging-parent/pull/455

we ended up with:

1. PRs on `main` can't be merged because they depend on non-whitelisted workflows on the `gha/v0` branch.
2. PRs on `gha/v0` can't be merged because the branch lacks the required workflows (`build` and `codeql-analysis`).

Note that your proposed solution will likely create more mess: Rulesets will remain, and you'll add Branch Protection on top.

There's a JIRA ticket to expedite either the ASFYaml PR merge or manual Ruleset removal:

https://issues.apache.org/jira/browse/INFRA-27873

As I said, I'm not taking a position on whether Develocity, Scorecards, or Rulesets should stay or go. But let's be honest: we're not removing them to fix the build. We're removing them because we want them gone. Fixing the build is just a side effect.

Piotr
