adityamparikh opened a new pull request, #145: URL: https://github.com/apache/solr-mcp/pull/145
## Problem

Every run of **Native Image** (`native.yml`) shows `startup_failure` and **build-and-publish.yml** shows `failure`, on every branch including `main` — with valid YAML and zero check-runs. The annotation on the run page is:

> The action `graalvm/setup-graalvm@v1` is not allowed in apache/solr-mcp because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns…

## Root cause

The `apache` org [allow-lists Actions](https://infra.apache.org/github-actions-policy.html) and matches third-party actions by **exact commit SHA**. These workflows referenced third-party actions by **mutable tag** (`graalvm/setup-graalvm@v1`, `docker/login-action@v3`, `docker/setup-buildx-action@v3`, `softprops/action-gh-release@v1`, `peter-evans/repository-dispatch@v2`). A tag never matches a SHA-based allow-list entry, so the whole workflow fails to load before any job starts.

Notably `graalvm/setup-graalvm` **is already allow-listed** — at specific SHAs in [`apache/infrastructure-actions`](https://github.com/apache/infrastructure-actions/blob/main/actions.yml). The `@v1` tag just resolved to a commit that wasn't one of them. So **no infrastructure-actions PR is needed** — pinning to an already-listed SHA is sufficient.

(`CI` showing `action_required` is unrelated — that's the normal fork-PR approval gate.)
## Fix — minimize third-party actions, SHA-pin the one we keep

| Workflow | Change |
|---|---|
| `native.yml`, `release-publish.yml` | pin `graalvm/setup-graalvm` → `@329c42c…` (**v1.5.4, no `expires_at`** — chosen over v1.5.3 which expires 2026-08-28) |
| `build-and-publish.yml`, `release-publish.yml` | `docker/login-action` → `docker login --password-stdin` |
| `release-publish.yml` | drop `docker/setup-buildx-action` (default buildx handles `docker buildx imagetools create`) |
| `nightly-build.yml`, `atr-release.yml` | `softprops/action-gh-release` → `gh release create --notes-file` |
| `atr-release.yml` | `peter-evans/repository-dispatch` → `gh api repos/<r>/dispatches --input -` |

`${{ }}` contexts moved onto `run:` lines are passed via `env:` and referenced as `"$VAR"` to avoid shell injection.

After this change the only non-`actions/*`/`apache/*` action in the tree is the SHA-pinned, allow-listed `graalvm/setup-graalvm`; everything else is inline `gh`/`docker` or the local `./.github/actions/setup-java` composite.

## Note

This unblocks `native.yml` from *starting*. The `nativeTest` job may then surface a separate, pre-existing native-test failure (it's been masked by `startup_failure` and also fails on `main`); the `native-image` + `benchmark` jobs and the JVM workflows should go green.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
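As an added illustration (not from the PR or the apache/solr-mcp repository), a workflow fragment applying the patterns the table above describes: a SHA-pinned third-party action, `docker login --password-stdin`, `gh release create --notes-file`, `gh api .../dispatches --input -`, and `${{ }}` contexts routed through `env:`. `<FULL_COMMIT_SHA>`, the `DISPATCH_TOKEN` secret and the `release-published` event name are placeholders, not values from the page.

```yaml
# Added example, not from apache/solr-mcp. <FULL_COMMIT_SHA> is a placeholder:
# the pin must be a commit SHA listed for graalvm/setup-graalvm in
# apache/infrastructure-actions.
jobs:
  native-image:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # gh release create
      packages: write   # docker push to ghcr.io
    steps:
      - uses: actions/checkout@v4   # first-party actions/* pass the policy

      # Third-party action: pin to an allow-listed commit SHA, never a mutable tag;
      # keep the version in a trailing comment so reviewers know what the SHA is.
      - uses: graalvm/setup-graalvm@<FULL_COMMIT_SHA> # v1.5.4
        with:
          java-version: '21'
          distribution: 'graalvm'

      # docker/login-action replaced by docker login; the token is read from stdin
      # so it never appears on a command line or in the step's command echo.
      - name: Log in to registry
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" | docker login ghcr.io -u "$REGISTRY_USER" --password-stdin

      # ${{ }} values go through env: and are quoted as "$VAR", so a string an
      # attacker can influence is shell data, never part of the script text.
      - name: Create GitHub release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.ref_name }}
        run: |
          printf 'Release %s\n' "$TAG" > release-notes.md
          gh release create "$TAG" --title "$TAG" --notes-file release-notes.md

      # peter-evans/repository-dispatch replaced by gh api: jq builds the JSON body
      # (so the tag is encoded safely) and --input - reads it from stdin. Dispatching
      # to another repo needs a PAT/app token; DISPATCH_TOKEN is a placeholder name.
      - name: Trigger downstream workflow
        env:
          GH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
          TARGET_REPO: ${{ github.repository }}
          TAG: ${{ github.ref_name }}
        run: |
          jq -n --arg tag "$TAG" '{event_type: "release-published", client_payload: {tag: $tag}}' \
            | gh api --method POST "repos/$TARGET_REPO/dispatches" --input -
```

The policy check runs when the workflow file is parsed, so a single tag-referenced third-party step anywhere in the file still produces `startup_failure` for the whole workflow.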
