rzo1 opened a new pull request, #1133:
URL: https://github.com/apache/opennlp/pull/1133

## Change

Adds a new `ASF Allowlist Check` workflow (`.github/workflows/allowlist-check.yml`) that runs [`apache/infrastructure-actions/allowlist-check`](https://github.com/apache/infrastructure-actions/tree/main/allowlist-check). The action scans the `uses:` references in `.github/**/*.yml` against ASF's approved-actions allowlist and fails if a disallowed GitHub Action is referenced.

## Why

Dependabot's `github-actions` ecosystem opens PRs that modify our workflow files. This check ensures such updates (and any other workflow change) cannot introduce a GitHub Action that is not on the ASF allowlist before it gets merged.

## Triggers

- `pull_request` touching `.github/**` (covers Dependabot Actions PRs)
- `push` to `main` / `opennlp-2.x` touching `.github/**`
- manual `workflow_dispatch`

Runs with `contents: read` only; `actions/checkout` is SHA-pinned with `persist-credentials: false`. The ASF action is referenced at `@main` per ASF infra guidance (it is itself allowlisted, so it won't trip its own check).

> [!NOTE]
> To make this *block* merges, `asf-allowlist-check` should be added as a required
> status check in the branch protection rules for `main`.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
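As an added illustration (not the file from the PR itself; the notification carries no diff), this is how a workflow matching the description above could be written. The commit SHA on `actions/checkout` is a placeholder to be replaced with the SHA of a release you have verified, the job name reuses the `asf-allowlist-check` status-check name the note mentions, and the ASF action is invoked without inputs because the PR text names none.

```yaml
name: ASF Allowlist Check

on:
  pull_request:
    paths:
      - '.github/**'
  push:
    branches:
      - main
      - opennlp-2.x
    paths:
      - '.github/**'
  workflow_dispatch:

# Least privilege: the job only needs to read the repository contents.
# No write scope is granted, so a compromised step cannot push or comment.
permissions:
  contents: read

jobs:
  asf-allowlist-check:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA rather than a mutable tag, so a re-tagged
      # upstream release cannot silently change what runs here.
      # The SHA below is a placeholder (assumption), not a real release.
      - name: Check out workflow files
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      # Referenced at @main per ASF infra guidance, as the PR text states.
      # The action scans 'uses:' references under .github/**/*.yml and fails
      # the job when one is not on the ASF allowlist.
      - name: Scan workflow 'uses:' references against the ASF allowlist
        uses: apache/infrastructure-actions/allowlist-check@main
```

With this layout the check reports under the job name `asf-allowlist-check`, which is the name to select as a required status check in the `main` branch protection rules if the result should block merging rather than merely fail visibly.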
