Hi Jacques,

today I improved the CI/CD configuration so that we now use the same setup on both trunk and release24.09.
The configuration in release24.09 was previously incomplete and outdated; this has now been fixed.

For the moment, please do not contact Infra to modify the allow list. The current configuration should cover our needs, and I'd like to keep it stable for a few weeks so we can test it properly and apply any necessary fine tuning.

Now that the workflows are operational again, we can move on and focus on preparing the release.

Best regards,

Jacopo

On Tue, Mar 24, 2026 at 6:42 AM Jacques Le Roux via dev <[email protected]> wrote:

> Hi,
>
> OK, I think I should follow
> https://github.com/apache/infrastructure-actions/blob/main/README.md#adding-a-new-version-to-the-allow-list
> But I did not find an explanation there, only encouragement to check the Dependabot suggestion:
> "Projects are encouraged to help review updates to actions they use. Please have a look at the diff and mention in your approval what you have checked and why you think the action is safe."
> And a recommendation about the "Cooldown Period" (wait 4 instead of 1 day "to avoid being overwhelmed by update PRs").
>
> It's the 1st time I get such an issue* with a new version suggested by Dependabot.
>
> On the other hand PR-1005 seems to have fixed the password issue. But not totally; after it some PRs are still rejected because of a password issue:
> https://github.com/apache/ofbiz-framework/actions/runs/23429547895
> https://github.com/apache/ofbiz-framework/actions/runs/23429443461
> https://github.com/apache/ofbiz-framework/actions/runs/23428655492
> Note that all are related to Docker.
>
> If you look at the GHA pages it's chaotic, without a real possible explanation by reason. Some PRs pass, some not, because of a password issue. But why?
>
> * Password issue, though not sure since it was not the start, as mentioned at the bottom of my previous email
>
> Also, last but not least, before PR-1005 our GHA were protected by Harden-Runner v2.7.0 without password issue. We miss that now.
>
> Jacques
>
> On 23/03/2026 at 18:46, Jacques Le Roux via dev wrote:
>> Hi Jacopo, Team,
>>
>> I'm still trying to understand why we had to revert PR-1004 (Harden-Runner upgrade) with PR-1005 (see OFBIZ-13375 below).
>>
>> Initially PR-1004 ("Bump step-security/harden-runner from 2.7.0 to 2.16.0") seemed like a good idea.
>>
>> Harden-Runner* is a step-security project** defined as
>> "Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners.
>> It monitors network egress, file integrity, and process activity on those runners, detecting threats…"
>>
>> It's the tool that found the issue*** that led us to create and close
>> https://issues.apache.org/jira/browse/OFBIZ-13375
>> after Daniel's email**** above in this thread.
>>
>> I installed it in ofbiz-framework on Mar 20, 2024 with PR-737 (https://github.com/apache/ofbiz-framework/pull/737).
>> We had no issues since then and ofbiz-framework GHA (GH actions) were protected.
>>
>> You can see 2 security fixes in the release notes of PR-1004.
>> But indeed the compatibility is unknown and Dependabot mentions it.
>>
>> So I did not see any reason not to upgrade it from 2.7.0 to 2.16.0 as suggested by Dependabot in PR-1004, but the compatibility. But why would OFBiz be incompatible? Its code is totally unrelated to the Harden-Runner one.
>>
>> It annoys me to not get further because of the lack of the 2 security fixes in the release notes of PR-1004.
>> Also, if you look into the framework GHA*****, the 1st issue we got with passwords was 2 days before the pushing of PR-1004.
>>
>> So I see no reason to revert PR-1004, do you?
>>
>> TIA
>>
>> Jacques
>>
>> * https://github.com/step-security/harden-runner
>> https://docs.stepsecurity.io/harden-runner
>> ** https://github.com/step-security
>> *** https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
>> **** https://lists.apache.org/thread/r41g7qtfyc9dod580ttx5q0vynkl5l1h
>> ***** https://github.com/apache/ofbiz-framework/actions?page=5
>>
>> On 23/03/2026 at 10:32, Jacopo Cappellato wrote:
>>> I have now fixed our CI/CD workflows, including Docker image builds.
>>>
>>> Jacopo
>>>
>>> On Sun, Mar 22, 2026 at 7:05 PM Jacques Le Roux via dev <[email protected]> wrote:
>>>
>>>> Hi Jacopo,
>>>>
>>>> I have created https://issues.apache.org/jira/browse/OFBIZ-13375 as a task related to that
>>>>
>>>> Jacques
>>>>
>>>> On 22/03/2026 at 11:27, Jacopo Cappellato wrote:
>>>>> Thank you Daniel.
>>>>>
>>>>> All, I have tried to debug and better understand the situation.
>>>>> This should be the list of all the actions currently allowed by Infra:
>>>>>
>>>>> 1) All the actions from the following namespaces are automatically allowed:
>>>>> apache/*
>>>>> github/*
>>>>> actions/*
>>>>>
>>>>> 2) All the actions explicitly listed in this file are also allowed:
>>>>> https://github.com/apache/infrastructure-actions/blob/main/actions.yml
>>>>>
>>>>> Since ofbiz-framework is using actions from step-security/*, that are not allowed by the above rules, our CI/CD pipeline is currently broken.
>>>>>
>>>>> My question is: do we really need to leverage step-security/* actions? When did we decide to onboard these external actions from Step Security? I assume we could configure our workflows to use the subset of actions that are used by the other ASF projects, and this would be my preference. Alternatively, I think we should ask Infra to review for approval the Step Security actions we need.
>>>>>
>>>>> Jacopo
>>>>>
>>>>> On Sat, Mar 21, 2026 at 11:28 AM Daniel Watford <[email protected]> wrote:
>>>>>> Apache INFRA recently disabled a number of GitHub Actions. I can't find a link to the email in archives, but an announcement was sent to [email protected] yesterday at 21:00 (according to my mail client).
>>>>>> The message stated that to request GHA be allowed we must submit a request to the approval process:
>>>>>>
>>>>>> https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
>>>>>>
>>>>>> On Sat, 21 Mar 2026 at 08:58, Jacques Le Roux via dev <[email protected]> wrote:
>>>>>>
>>>>>>> I still don't understand why we get this error on GH trunk actions:
>>>>>>> *Error* <https://github.com/apache/ofbiz-framework/actions/runs/23375921548/workflow>
>>>>>>> The action step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 is not allowed in apache/ofbiz-framework because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns:
>>>>>>> 1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6,
>>>>>>> 1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb,
>>>>>>> 1Password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf,
>>>>>>> AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*,
>>>>>>> DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101,
>>>>>>> DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63,
>>>>>>> EnricoMi/publish-unit-test-result-action@*,
>>>>>>> JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23,
>>>>>>> JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f,
>>>>>>> Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2,
>>>>>>> Jimver/cuda-toolkit@b6fc3a9f3f15256d9d94ffe1254f9c5a2565...
>>>>>>>
>>>>>>> It seems that reverting pushes related to Java 21, i.e. those of this morning
>>>>>>> https://github.com/apache/ofbiz-framework/commits/trunk/
>>>>>>> should clear the situation.
>>>>>>>
>>>>>>> Maybe we need to change other locations (from Java 17 to 21) in our GH related code.
>>>>>>> Or, reading the error above, have an Infra agreement to move to 21.
>>>>>>>
>>>>>>> If nobody has a better idea, I'll revert for now.
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> On 21/03/2026 at 09:36, Jacques Le Roux via dev wrote:
>>>>>>>> Hi Jacopo,
>>>>>>>>
>>>>>>>> I'll have a look very soon.
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>> On 21/03/2026 at 08:53, Jacopo Cappellato wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> Dependabot has created five pull requests to bump various libraries used by GitHub Actions for CI/CD:
>>>>>>>>>
>>>>>>>>> https://github.com/apache/ofbiz-framework/pull/1000
>>>>>>>>> https://github.com/apache/ofbiz-framework/pull/1001
>>>>>>>>> https://github.com/apache/ofbiz-framework/pull/1002
>>>>>>>>> https://github.com/apache/ofbiz-framework/pull/1003
>>>>>>>>> https://github.com/apache/ofbiz-framework/pull/1003
>>>>>>>>>
>>>>>>>>> Should we upgrade and merge these PRs?
>>>>>>>>>
>>>>>>>>> Jacopo
>>>>>>
>>>>>> --
>>>>>> Daniel Watford
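The thread turns on how GitHub's "allow select actions" policy matches a workflow's `uses:` references against the Infra allow-list: whole namespaces (apache/*, github/*, actions/*) pass at any ref, `owner/repo@*` passes at any ref, and an entry pinned to a SHA or tag passes only that exact ref, which is why a Dependabot bump to a new release needs a new allow-list entry and why anything under step-security/* is rejected regardless of version. The script below is an added example written for this page, not code from OFBiz or Apache Infra. It assumes those GitHub pattern semantics, assumes owner and repo names compare case-insensitively while refs compare exactly, and matches a subdirectory action (owner/repo/subdir@ref) on its owner/repo. The explicit entries are the subset visible in the error message quoted in the thread, not the full actions.yml; the sample workflow is constructed, with only the harden-runner SHA taken from the thread.

```python
"""Static check of a GitHub Actions workflow against an allow-list written in
GitHub's pattern syntax: owner/*, owner/repo@*, owner/repo@<tag-or-sha>.
Added example for this discussion; not OFBiz or Apache Infra code."""
import re
from typing import Iterable

# Three namespaces allowed outright, plus explicit entries. The explicit entries
# are the ones visible in the quoted error message, not the complete actions.yml.
ASF_ALLOW_LIST = [
    "apache/*",
    "github/*",
    "actions/*",
    "1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6",
    "1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb",
    "AdoptOpenJDK/install-jdk@*",
    "EnricoMi/publish-unit-test-result-action@*",
    "JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23",
]

# Constructed sample workflow; only the harden-runner SHA comes from the thread.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
      - uses: actions/checkout@v4
      - uses: "actions/setup-java@v4"
      - uses: ./.github/actions/local-helper
      - uses: EnricoMi/publish-unit-test-result-action@v2
      - uses: 1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6
      - uses: 1Password/load-secrets-action@v2
      - uses: github/codeql-action/init@v3
      - uses: docker://alpine:3.19
"""

# Matches a step's `uses:` value, with or without quotes, ignoring trailing comments.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def split_uses(ref: str) -> tuple[str, str, str]:
    """'owner/repo[/subdir]@rev' -> (owner, repo, rev); rev is '' if absent.
    Assumption: a subdirectory action is matched on its owner/repo."""
    path, _, rev = ref.partition("@")
    parts = path.split("/")
    owner = parts[0]
    repo = parts[1] if len(parts) > 1 else ""
    return owner, repo, rev


def matches(ref: str, pattern: str) -> bool:
    """Assumed GitHub allow-list semantics: owner/* covers the namespace at any
    ref; owner/repo@* covers any ref; owner/repo@REF is exact, so a bump to a
    new SHA or tag falls outside it. Names compare case-insensitively, refs exactly."""
    owner, repo, rev = split_uses(ref)
    p_path, _, p_rev = pattern.partition("@")
    p_owner, _, p_repo = p_path.partition("/")
    if p_owner.lower() != owner.lower():
        return False
    if p_repo == "*":
        return True
    if p_repo.lower() != repo.lower():
        return False
    return p_rev == "*" or p_rev == rev


def classify(ref: str, allow_list: Iterable[str]) -> str:
    """'local' for same-repo actions (owned by the enterprise, so always allowed),
    'docker' for container images (outside this check), else 'allowed'/'blocked'."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    return "allowed" if any(matches(ref, p) for p in allow_list) else "blocked"


def audit_workflow(yaml_text: str, allow_list: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line number, uses reference, status) for every `uses:` step."""
    allow_list = list(allow_list)
    out = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            out.append((lineno, ref, classify(ref, allow_list)))
    return out


def blocked_refs(yaml_text: str, allow_list: Iterable[str]) -> list[str]:
    """The references that would make GitHub reject the whole workflow run."""
    return [ref for _, ref, status in audit_workflow(yaml_text, allow_list) if status == "blocked"]


if __name__ == "__main__":
    for lineno, ref, status in audit_workflow(SAMPLE_WORKFLOW, ASF_ALLOW_LIST):
        print(f"{status:8} line {lineno:3}  {ref}")
```

Run against the constructed workflow, two steps come back blocked: the harden-runner step, because nothing under step-security/* is listed (so neither 2.7.0 nor 2.16.0 passes until Infra adds an entry), and 1Password/load-secrets-action@v2, because that action is listed only at specific SHAs. Running this before pushing a Dependabot bump shows whether the new pin is covered or whether the README's "adding a new version to the allow list" step is needed first; it does not replace GitHub's own enforcement.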
