As described by the Infra team [*], to request an addition to the allow
list of actions, we need to provide a clear justification, specifically:

   - Why this action is needed for the project
   - Any alternatives that have been considered
   - Any security concerns that have been identified

As I don’t recall how we decided to leverage the step-security/* actions,
I’d appreciate any information you can provide before we contact Infra.

Thanks,
Jacopo

[*]
https://github.com/apache/infrastructure-actions/blob/main/README.md#adding-a-new-action-to-the-allow-list

On Sun, Mar 22, 2026 at 11:27 AM Jacopo Cappellato <
[email protected]> wrote:

> Thank you Daniel.
>
> All, I have tried to debug and better understand the situation.
> This should be the list of all the actions currently allowed by Infra:
>
> 1) All the actions from the following namespaces are automatically allowed:
> apache/*
> github/*
> actions/*
>
> 2) All the actions explicitly listed in this file are also allowed:
> https://github.com/apache/infrastructure-actions/blob/main/actions.yml
>
> Since ofbiz-framework is using actions from step-security/*, that are not
> allowed by the above rules, our CI/CD pipeline is currently broken.
>
> My question is: do we really need to leverage step-security/* actions?
> When did we decide to onboard these external actions from Step Security? I
> assume we could configure our workflows to use the subset of actions that
> are used by the other ASF projects, and this would be my preference.
> Alternatively, I think we should ask Infra to review for approval the Step
> Security actions we need.
>
> Jacopo
>
> On Sat, Mar 21, 2026 at 11:28 AM Daniel Watford <[email protected]> wrote:
>
>> Apache INFRA recently disabled a number of GitHub Actions. I can't find a
>> link to the email in archives, but an announcement was sent to
>> [email protected] yesterday at 21:00 (according to my mail
>> client)
>>
>> The message stated that to request GHA be allowed we must submit a request
>> to the approval process:
>>
>> https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
>>
>>
>> On Sat, 21 Mar 2026 at 08:58, Jacques Le Roux via dev <
>> [email protected]>
>> wrote:
>>
>> > I still don't understand why we get this error on GH trunk actions
>> >
>> > *Error* <https://github.com/apache/ofbiz-framework/actions/runs/23375921548/workflow>
>> > The action
>> > step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 is
>> > not allowed in apache/ofbiz-framework because all actions must be
>> > from a repository owned by your enterprise, created by GitHub, or match
>> > one of the patterns:
>> > 1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6,
>> > 1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb,
>> > 1Password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf,
>> > AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*,
>> > DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101,
>> > DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63,
>> > EnricoMi/publish-unit-test-result-action@*,
>> > JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23,
>> > JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f,
>> > Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2,
>> > Jimver/cuda-toolkit@b6fc3a9f3f15256d9d94ffe1254f9c5a2565...
>> >
>> > It seems that reverting pushes related to Java 21, i.e. those of this morning
>> > https://github.com/apache/ofbiz-framework/commits/trunk/
>> > should clear the situation.
>> >
>> > Maybe we need to change other locations (from Java 17 to 21) in our
>> > GH-related code.
>> > Or, reading the error above, have an Infra agreement to move to 21.
>> >
>> > If nobody has a better idea, I'll revert for now.
>> >
>> > Jacques
>> >
>> > Le 21/03/2026 à 09:36, Jacques Le Roux via dev a écrit :
>> > > Hi Jacopo,
>> > >
>> > > I'll have a look very soon.
>> > >
>> > > Jacques
>> > >
>> > > Le 21/03/2026 à 08:53, Jacopo Cappellato a écrit :
>> > >> Hi all,
>> > >>
>> > >> Dependabot has created five pull requests to bump various libraries
>> > used by
>> > >> GitHub Actions for CI/CD:
>> > >>
>> > >> https://github.com/apache/ofbiz-framework/pull/1000
>> > >> https://github.com/apache/ofbiz-framework/pull/1001
>> > >> https://github.com/apache/ofbiz-framework/pull/1002
>> > >> https://github.com/apache/ofbiz-framework/pull/1003
>> > >> https://github.com/apache/ofbiz-framework/pull/1003
>> > >>
>> > >> Should we upgrade and merge these PRs?
>> > >>
>> > >> Jacopo
>>
>>
>>
>> --
>> Daniel Watford
>>
>
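As an added illustration of the allow rules summarised in the thread above (example code written for this page; it is not part of any message in the thread and not an Infra tool): a small Python checker that pulls every `uses:` reference out of a workflow file and tests it against the two rules Jacopo lists, the auto-allowed namespaces and the explicit entries, using a handful of patterns copied from the error message Jacques quoted. The sample workflow, the allow-list subset, and the matching semantics (a bare `owner/*` glob accepts any ref, `owner/repo@*` accepts any ref of that repository, a pinned entry must match the SHA exactly, `./path` is local and always allowed) are assumptions of this example; the authoritative list is actions.yml in apache/infrastructure-actions.

```python
import re
from fnmatch import fnmatchcase

# Constructed allow list for this example: the three namespaces reported as
# auto-allowed, plus a few explicit entries copied from the error message
# quoted in the thread. The real list is actions.yml in
# apache/infrastructure-actions; this subset is an assumption.
ALLOWED_PATTERNS = [
    "apache/*",
    "github/*",
    "actions/*",
    "1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6",
    "AdoptOpenJDK/install-jdk@*",
    "EnricoMi/publish-unit-test-result-action@*",
    "JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23",
]

# Matches "uses: owner/repo@ref" whether or not it starts a YAML list item;
# a leading "#" on the line keeps commented-out steps from matching.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""", re.MULTILINE)


def extract_uses(workflow_text: str) -> list[str]:
    """Return every action reference used by a workflow, in file order."""
    return USES_RE.findall(workflow_text)


def is_allowed(ref: str, patterns=ALLOWED_PATTERNS) -> bool:
    """Decide whether one `uses:` reference satisfies the allow list.

    Assumptions made by this example (not documented GitHub semantics):
    - "./path" is an action in the same repository and is always allowed;
    - a pattern without "@" (e.g. "apache/*") is a glob on owner/repo
      and accepts any ref;
    - "owner/repo@*" accepts any ref of that repository;
    - "owner/repo@<sha>" accepts only that exact ref;
    - owner/repo comparison is case-insensitive, and a sub-path action
      ("owner/repo/dir@ref") is judged by its owner/repo.
    """
    if ref.startswith("./"):
        return True
    if "@" not in ref:
        return False  # remote references must carry a version
    name, version = ref.split("@", 1)
    repo = "/".join(name.split("/")[:2]).lower()
    for pattern in patterns:
        pat_name, _, pat_version = pattern.partition("@")
        pat_name = pat_name.lower()
        if pat_version == "":
            if fnmatchcase(repo, pat_name):
                return True
        elif repo == pat_name and pat_version in ("*", version):
            return True
    return False


def disallowed_actions(workflow_text: str, patterns=ALLOWED_PATTERNS) -> list[str]:
    """List the references in a workflow that the allow list would reject."""
    return [ref for ref in extract_uses(workflow_text) if not is_allowed(ref, patterns)]


# Constructed sample workflow mixing allowed and disallowed references.
SAMPLE_WORKFLOW = """\
name: Build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
      - uses: ./.github/actions/local-helper
      - uses: AdoptOpenJDK/install-jdk@v1
      - uses: JamesIves/github-pages-deploy-action@v4.5.0
"""


if __name__ == "__main__":
    # Run over .github/workflows/*.yml in a checkout to find what Infra's
    # policy will reject before pushing.
    for ref in disallowed_actions(SAMPLE_WORKFLOW):
        print(f"not allowed: {ref}")
```

On the sample above the checker rejects the step-security/harden-runner step and the JamesIves step (only two pinned SHAs of that action are listed, not `v4.5.0`), which is the same shape of failure as the error quoted in the thread; the remaining steps pass because they fall under actions/*, are local, or match an `@*` entry.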
