ppkarwasz commented on PR #419: URL: https://github.com/apache/logging-parent/pull/419#issuecomment-4251217704
Sure, happy to wait a bit, though I'll note this PR has been open since June last year, mostly blocked on the `dependabot/fetch-metadata` side. Now that a new release finally landed on March 26th, I took the opportunity to bring it back in shape and strip it down to the bare essentials: no GPG signing, no unnecessary inputs or dependencies. I think it's about as simple as it gets at this point. PR ppkarwasz/logging-log4j2#606 tests this in practice if you want to see how it behaves end-to-end.

I'm genuinely happy to look at alternative proposals, but one heads-up: please don't suggest collapsing this into a single `pull_request_target` workflow just to save a step or two. Even setting aside whether it'd be safe in this specific case, `pull_request_target` is a hard no under the ASF GitHub Actions policy: https://infra.apache.org/github-actions-policy.html

Getting an exception through INFRA would create way more churn than the two-workflow split is worth. If the policy ever tightens up around `workflow_run` too (as it should), we can revisit, but for now, the split is both policy-compliant and the right call.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
