Piotr - How do they integrate with the build? Are they separate workflows in 
GitHub? How exactly do they break builds? If they are part of the Maven build 
can we separate them into a separate job?

Ralph

> On Apr 30, 2026, at 9:40 AM, Piotr P. Karwasz <[email protected]> 
> wrote:
> 
> Hi Volkan,
> 
> On 30.04.2026 15:09, Volkan Yazıcı wrote:
>> Log4j's CI pipeline is broken because of Develocity[1], Scorecards[2], and
>> Rulesets[3], all of which Piotr introduced. Failures caused by these
>> components render the CI broken several times every year and
>> require constant fixing. *Currently, we cannot merge any Log4j changes or
>> make releases.* I find this very concerning, something that needs to be
>> addressed.
> I won't express an opinion on whether these features should stay or go,
> but you tend to frame features you dislike as the root cause of CI
> failures and their removal as the only solution.
> 
> Develocity and Scorecards haven't changed, so they can't be the actual
> cause. The real cause is ASF's response to the Trivy Security Incident:
> 
> https://news.apache.org/foundation/entry/initial-report-on-trivy-security-incident
> 
> In short: Trivy was a "verified GitHub creator" and ASF previously
> allowed any action from verified creators. After the incident, all
> actions must be whitelisted, which affected `gradle` and `ossf` too.
> 
> Regarding Rulesets: these are an experimental ASFYaml feature giving us
> access to GitHub Rulesets (the successor of Branch Protection and the
> sunset Tag Protection). I apologize for testing this in `logging-parent`
> without broader discussion on the mailing list. They were introduced in:
> 
> https://github.com/apache/logging-parent/pull/456
> 
> on a test branch and later extended to `main`. Unfortunately, the
> ASFYaml feature has a bug preventing modification or deletion of any
> ruleset until this PR is merged:
> 
> https://github.com/apache/infrastructure-asfyaml/pull/93
> 
> After this PR (which I reviewed too shallowly):
> 
> https://github.com/apache/logging-parent/pull/455
> 
> we ended up with:
> 
> 1. PRs on `main` can't be merged because they depend on non-whitelisted
> workflows on the `gha/v0` branch.
> 2. PRs on `gha/v0` can't be merged because the branch lacks the required
> workflows (`build` and `codeql-analysis`).
> 
> Note that your proposed solution will likely create more mess: Rulesets
> will remain, and you'll add Branch Protection on top. There's a JIRA
> ticket to expedite either the ASFYaml PR merge or manual Ruleset removal:
> 
> https://issues.apache.org/jira/browse/INFRA-27873
> 
> As I said, I'm not taking a position on whether Develocity, Scorecards,
> or Rulesets should stay or go. But let's be honest: we're not removing
> them to fix the build. We're removing them because we want them gone.
> Fixing the build is just a side effect.
> 
> Piotr
