Hi Matt,

On 1.05.2026 00:33, Matt Sicker wrote:
> +1 to remove or at least disable by default. If these technologies
> mature, they can always be reintroduced later.

This is exactly the reaction I feared this thread would generate. Reading Volkan's mail, you could honestly believe there's something wrong with these technologies. They do *not* fail the build, because the build does *not* start!

Here's what actually happened:

* March 20th: Trivy was hacked. ASF INFRA and the Security Team tightened the GHA allowlist, requiring *all* actions (except `actions/*` and `github/*`) to be explicitly allowlisted.

* March 24th: I opened a PR adding `gradle/develocity-actions` to the allowlist, with an April 24th expiration for v1.4:

  https://github.com/apache/infrastructure-actions/commit/bef65d67b3fcbc59b048279373c3f8b9099b31a1

  The PR itself is gone (GitHub search issues), but admittedly I used a similar technique to Volkan: urgent release needed, build failing... Dave merged it without a thorough review and was reprimanded for it (sorry again, Dave).

* April 14th: Our workflow versions were upgraded:

  https://github.com/apache/logging-parent/commit/5384c0cfa1276f269d90b91fe3a68c5f24b7d859

  All except `gradle/develocity-actions` (though the comment was helpfully changed from v1.4 to v2.1...).

* April 24th: ASF INFRA removed the expired version. All workflows depending on it refused to start.

Piotr
