rzo1 opened a new pull request, #1134:
URL: https://github.com/apache/opennlp/pull/1134

Backport of the `ASF Allowlist Check` workflow to the `opennlp-2.x` branch.

## Change

Adds a new `ASF Allowlist Check` workflow (`.github/workflows/allowlist-check.yml`) that runs [`apache/infrastructure-actions/allowlist-check`](https://github.com/apache/infrastructure-actions/tree/main/allowlist-check).

The action scans the `uses:` references in `.github/**/*.yml` against ASF's approved-actions allowlist and fails if a disallowed GitHub Action is referenced.

## Why

Dependabot's `github-actions` ecosystem opens PRs that modify our workflow files. This check ensures such updates (and any other workflow change) cannot introduce a GitHub Action that is not on the ASF allowlist before it gets merged.

## Triggers

- `pull_request` touching `.github/**` (covers Dependabot Actions PRs)
- `push` to `main` / `opennlp-2.x` touching `.github/**`
- manual `workflow_dispatch`

Runs with `contents: read` only; `actions/checkout` is SHA-pinned with `persist-credentials: false`. The ASF action is referenced at `@main` per ASF infra guidance (it is itself allowlisted, so it won't trip its own check).

> [!NOTE]
> To make this *block* merges, `asf-allowlist-check` should be added as a required status check in the branch protection rules for `main`.
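A local approximation of the scan the PR describes, added here as an example; it is not code from the PR or from `apache/infrastructure-actions`. It extracts `uses:` references from workflow text with a regular expression, checks each against a constructed allowlist (ASF's real list is not reproduced), and reports references not pinned to a full commit SHA as warnings rather than failures, since the PR notes the ASF action is intentionally referenced at `@main`. The sample workflows, the allowlist entries, the `example-org/unvetted-action` reference and the 40-character placeholder SHA are all constructed.

```python
"""Local approximation of an allowlist check over GitHub Actions workflows.

Added example; not the apache/infrastructure-actions/allowlist-check code.
Sample workflows, allowlist entries and the placeholder SHA are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# `uses:` appears either on a `- uses:` line or on its own line under `- name:`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed allowlist. Entries are owner/repo or owner/repo/subpath;
# an owner/repo entry allows every action published from that repository.
ALLOWLIST = frozenset({
    "actions/checkout",
    "apache/infrastructure-actions/allowlist-check",
})


@dataclass
class Finding:
    ref: str
    severity: str  # "error" fails the check; "warning" is informational
    reason: str


def parse_uses(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in the workflow text, in file order."""
    return USES_RE.findall(workflow_text)


def check_workflow(text: str, allowlist=ALLOWLIST) -> list[Finding]:
    """Check one workflow's `uses:` references against the allowlist."""
    findings: list[Finding] = []
    for ref in parse_uses(text):
        if ref.startswith("./"):
            continue  # local action in the same repository, not an external dependency
        if ref.startswith("docker://"):
            findings.append(Finding(ref, "error", "docker image reference, not an allowlisted action"))
            continue
        path, _, version = ref.rpartition("@") if "@" in ref else (ref, "", "")
        owner_repo = "/".join(path.split("/")[:2])
        if path not in allowlist and owner_repo not in allowlist:
            findings.append(Finding(ref, "error", "not on allowlist"))
        elif not FULL_SHA_RE.match(version):
            # Branch or tag references move; the PR accepts @main for the ASF action
            # itself, so this is reported but does not fail the check.
            findings.append(Finding(ref, "warning", "not pinned to a full commit SHA"))
    return findings


def passes(findings: list[Finding]) -> bool:
    return not any(f.severity == "error" for f in findings)


def check_repo(root: str | Path) -> dict[str, list[Finding]]:
    """Scan workflow files under .github/, the scope the PR describes (.github/**/*.yml).
    GitHub also accepts the .yaml extension, so both are scanned here."""
    root = Path(root)
    gh = root / ".github"
    results: dict[str, list[Finding]] = {}
    if not gh.is_dir():
        return results
    for pattern in ("*.yml", "*.yaml"):
        for path in sorted(gh.rglob(pattern)):
            results[str(path.relative_to(root))] = check_workflow(path.read_text())
    return results


# Constructed sample approximating the workflow the PR describes; the SHA is a
# placeholder, not a real actions/checkout commit.
PLACEHOLDER_SHA = "a" * 40
SAMPLE_OK = f"""
name: ASF Allowlist Check
on:
  pull_request:
    paths: [".github/**"]
  push:
    branches: [main, opennlp-2.x]
    paths: [".github/**"]
  workflow_dispatch:
permissions:
  contents: read
jobs:
  asf-allowlist-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
        with:
          persist-credentials: false
      - name: Run ASF allowlist check
        uses: apache/infrastructure-actions/allowlist-check@main
"""

# Constructed: a workflow edit that pulls in an action outside the allowlist.
SAMPLE_BAD = SAMPLE_OK + "      - uses: example-org/unvetted-action@v1\n"

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        found = check_workflow(text)
        print(label, "PASS" if passes(found) else "FAIL")
        for f in found:
            print(f"  [{f.severity}] {f.ref}: {f.reason}")
```

Matching on `owner/repo` as well as the full `owner/repo/subpath` lets a repository-level allowlist entry cover actions published from a subdirectory, which is how the ASF action in the PR is referenced.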
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.