Hi,
OK, I think I should follow
https://github.com/apache/infrastructure-actions/blob/main/README.md#adding-a-new-version-to-the-allow-list
But I did not find an explanation there, only encouragement to check Dependabot's suggestion:
"Projects are encouraged to help review updates to actions they use.
Please have a look at the diff and mention in your approval what you have checked
and why you think the action is safe."
And a recommendation about "Cooldown Period" (wait 4 instead of 1 day "to avoid being overwhelmed by update PRs").
It's the 1st time I get such an issue* with a new version suggested by Dependabot.
On the other hand PR-1005 seems to have fixed the password issue. But not totally; after it some PRs are still rejected because of a password issue:
https://github.com/apache/ofbiz-framework/actions/runs/23429547895
https://github.com/apache/ofbiz-framework/actions/runs/23429443461
https://github.com/apache/ofbiz-framework/actions/runs/23428655492
Note that all are related to Docker.
If you look at the GHA pages it's chaotic, without a real possible explanation by reason. Some PRs pass, some not, because of a password issue. But why?
* Password issue, though not sure, since it was not there at the start, as mentioned at the bottom of my previous email.
Also, last but not least, before PR-1005 our GHA were protected by Harden-Runner v2.7.0 without any password issue. We miss that now.
Jacques
On 23/03/2026 at 18:46, Jacques Le Roux via dev wrote:
Hi Jacopo, Team,
I'm still trying to understand why we had to revert PR-1004 (Harden-Runner upgrade) with PR-1005 (see OFBIZ-13375 below).
Initially PR-1004 ("Bump step-security/harden-runner from 2.7.0 to 2.16.0") seemed like a good idea.
Harden-Runner* is a step-security project** defined as:
"Harden-Runner is a CI/CD security agent that works like an EDR for GitHub
Actions runners.
It monitors network egress, file integrity, and process activity on those runners,
detecting threats…"
It's the tool that found the issue*** that led us to create and close
https://issues.apache.org/jira/browse/OFBIZ-13375
after Daniel's email**** above in this thread.
I installed it in ofbiz-framework on Mar 20, 2024 with PR-737 (https://github.com/apache/ofbiz-framework/pull/737).
We have had no issues since then and the ofbiz-framework GHA (GH Actions) were protected.
You can see 2 security fixes in the Release notes of PR-1004.
But indeed the compatibility is unknown and Dependabot mentions it.
So I did not see any reason not to upgrade it from 2.7.0 to 2.16.0 as suggested by Dependabot in PR-1004, except the compatibility. But why would OFBiz be incompatible? Its code is totally unrelated to Harden-Runner's.
It annoys me not to get further because of the lack of the 2 security fixes in the Release notes of PR-1004.
Also, if you look into the framework GHA***** the 1st issue we got with passwords was 2 days before the push of PR-1004.
So I see no reason to revert PR-1004, do you?
TIA
Jacques
* https://github.com/step-security/harden-runner
https://docs.stepsecurity.io/harden-runner
** https://github.com/step-security
*** https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
**** https://lists.apache.org/thread/r41g7qtfyc9dod580ttx5q0vynkl5l1h
***** https://github.com/apache/ofbiz-framework/actions?page=5
On 23/03/2026 at 10:32, Jacopo Cappellato wrote:
I have now fixed our CI/CD workflows, including Docker image builds.
Jacopo
On Sun, Mar 22, 2026 at 7:05 PM Jacques Le Roux via dev <[email protected]> wrote:
Hi Jacopo,
I have created https://issues.apache.org/jira/browse/OFBIZ-13375 as a task related to that.
Jacques
On 22/03/2026 at 11:27, Jacopo Cappellato wrote:
Thank you Daniel.
All, I have tried to debug and better understand the situation.
This should be the list of all the actions currently allowed by Infra:
1) All the actions from the following namespaces are automatically allowed:
apache/*
github/*
actions/*
2) All the actions explicitly listed in this file are also allowed:
https://github.com/apache/infrastructure-actions/blob/main/actions.yml
Since ofbiz-framework is using actions from step-security/*, which are not allowed by the above rules, our CI/CD pipeline is currently broken.
My question is: do we really need to leverage step-security/* actions? When did we decide to onboard these external actions from Step Security? I assume we could configure our workflows to use the subset of actions that are used by the other ASF projects, and this would be my preference.
Alternatively, I think we should ask Infra to review for approval the Step Security actions we need.
Jacopo
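The two rules above (auto-allowed namespaces plus an explicit list whose entries, as the GHA error message further down shows, are either `owner/repo@*` or `owner/repo@<commit sha>`) can be checked locally before a push, so a Dependabot bump does not break the pipeline on the runner. The following Python script is an added example written for this thread, not Infra's or OFBiz's own tooling: it pulls every `uses:` reference out of a workflow file with a regex (no YAML parser needed) and applies the two rules. The `EXPLICIT_ALLOW` entries and the sample workflow are constructed for the example; the harden-runner sha is the one quoted in the error message in this thread, and the matching semantics (case-insensitive owner for rule 1, `fnmatch` on the whole reference for rule 2) are an assumption about how Infra's allow-list is evaluated.

```python
import re
from fnmatch import fnmatchcase

# Rule 1 from the thread: actions under these owners are allowed automatically.
AUTO_ALLOWED_OWNERS = {"apache", "github", "actions"}

# Rule 2: explicit entries. Constructed sample modelled on the patterns in the
# GHA error message, NOT the real contents of infrastructure-actions/actions.yml.
EXPLICIT_ALLOW = [
    "AdoptOpenJDK/install-jdk@*",
    "EnricoMi/publish-unit-test-result-action@*",
    "Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2",
]

# Matches `uses: <ref>` in workflow YAML, with or without a leading list dash,
# with or without quotes, and ignores a trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")


def parse_uses(workflow_text: str) -> list[str]:
    """Return every action reference used by a workflow, in file order."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def is_allowed(ref: str, explicit=EXPLICIT_ALLOW) -> tuple[bool, str]:
    """Apply the two allow rules to one `uses:` reference; returns (allowed, reason)."""
    if ref.startswith("./"):
        return True, "local action in this repository"
    owner = ref.split("/", 1)[0].lower()
    if owner in AUTO_ALLOWED_OWNERS:
        return True, f"namespace {owner}/* is auto-allowed"
    # Explicit entries: '@*' accepts any version or sha, otherwise the pinned
    # sha has to match exactly (assumption: owner/repo part is case-sensitive).
    for pattern in explicit:
        if fnmatchcase(ref, pattern):
            return True, f"matches allow-list entry {pattern}"
    return False, "not in an auto-allowed namespace and no allow-list entry matches"


def check_workflow(workflow_text: str, explicit=EXPLICIT_ALLOW) -> dict[str, tuple[bool, str]]:
    """Map each action reference in the workflow to (allowed, reason)."""
    return {ref: is_allowed(ref, explicit) for ref in parse_uses(workflow_text)}


def blocked_refs(workflow_text: str, explicit=EXPLICIT_ALLOW) -> list[str]:
    """The references the policy would reject, i.e. what would break the run."""
    return [ref for ref, (ok, _) in check_workflow(workflow_text, explicit).items() if not ok]


# Constructed workflow fragment. The harden-runner sha is the one from the GHA
# error message in this thread; the other references are made up for the example.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
      - uses: actions/checkout@v4
      - uses: Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2
      - uses: EnricoMi/publish-unit-test-result-action@v2
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref, (ok, why) in check_workflow(SAMPLE_WORKFLOW).items():
        print("ALLOWED" if ok else "BLOCKED", ref, "->", why)
```

Run against the sample, only the step-security reference comes back blocked, which is exactly the failure the error message reports. A reference with a subdirectory (`owner/repo/path@sha`) will not match an `owner/repo@*` entry with this matcher; whether Infra's real list treats those differently is not something the thread says, so the script errs on the side of flagging them.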
On Sat, Mar 21, 2026 at 11:28 AM Daniel Watford <[email protected]> wrote:
Apache INFRA recently disabled a number of GitHub Actions. I can't find a link to the email in archives, but an announcement was sent to [email protected] yesterday at 21:00 (according to my mail client).
The message stated that to request GHA be allowed we must submit a request to the approval process:
https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
On Sat, 21 Mar 2026 at 08:58, Jacques Le Roux via dev <[email protected]> wrote:
I still don't understand why we get this error on GH trunk actions:
*Error* <https://github.com/apache/ofbiz-framework/actions/runs/23375921548/workflow>
The action step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 is
not allowed in apache/ofbiz-framework because all actions must be from a repository
owned by your enterprise, created by GitHub, or match one of the patterns:
1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6,
1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb,
1Password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf,
AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*,
DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101,
DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63,
EnricoMi/publish-unit-test-result-action@*,
JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23,
JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f,
Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2,
Jimver/cuda-toolkit@b6fc3a9f3f15256d9d94ffe1254f9c5a2565...
It seems that reverting pushes related to Java 21, i.e. those of this morning
https://github.com/apache/ofbiz-framework/commits/trunk/
should clear the situation.
Maybe we need to change other locations (from Java 17 to 21) in our GH related code.
Or, reading the error above, have an Infra agreement to move to 21.
If nobody has a better idea, I'll revert for now.
Jacques
On 21/03/2026 at 09:36, Jacques Le Roux via dev wrote:
Hi Jacopo,
I'll have a look very soon.
Jacques
On 21/03/2026 at 08:53, Jacopo Cappellato wrote:
Hi all,
Dependabot has created five pull requests to bump various libraries used by GitHub Actions for CI/CD:
https://github.com/apache/ofbiz-framework/pull/1000
https://github.com/apache/ofbiz-framework/pull/1001
https://github.com/apache/ofbiz-framework/pull/1002
https://github.com/apache/ofbiz-framework/pull/1003
https://github.com/apache/ofbiz-framework/pull/1003
Should we upgrade and merge these PRs?
Jacopo
--
Daniel Watford