
Commit 5b521a8

rzo1 and claude committed
ci: add ASF allowlist check for GitHub Actions
Adds a workflow running apache/infrastructure-actions/allowlist-check on PRs touching .github/** (which is what Dependabot's github-actions updater modifies) so that bumps to actions not on the ASF allowlist are caught before merge. Also marks asf-allowlist-check as a required status check on master via .asf.yaml so such PRs are blocked from merging.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent ed8adf6 commit 5b521a8

2 files changed

Lines changed: 48 additions & 1 deletion

File tree

.asf.yaml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,12 @@ github:
77
homepage: https://storm.apache.org/
88
protected_branches:
99
# Prevent force pushes to primary branches
10-
master: {}
10+
master:
11+
# Block merges when the ASF allowlist check fails (e.g. a Dependabot
12+
# PR that bumps a GitHub Action to a version not on the ASF allowlist).
13+
required_status_checks:
14+
contexts:
15+
- asf-allowlist-check
1116
custom_subjects:
1217
new_pr: "[PR] {title} ({repository})"
1318
close_pr: "Re: [PR] {title} ({repository})"
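Review bot: Making `asf-allowlist-check` a required status check on `master` while the workflow that reports it is path-filtered to `.github/**` (see the `paths:` filters under `pull_request` and `push` in the new workflow) will block every PR that does not touch `.github/**`: GitHub leaves a required check that is never reported in the "Expected" state, so those PRs cannot merge. Either drop the `paths:` filter so the scan runs on every PR (it is a cheap read-only job), or add the usual companion workflow with the same job id and a `paths-ignore: [".github/**"]` filter that reports success, so the context is always present. Two smaller points: consider `strict: true` under `required_status_checks` so the check must pass against an up-to-date branch, and note that the workflow also runs on pushes to `2.x`, yet only `master` gets the required-check gate here; if `2.x` receives Dependabot action bumps it needs the same entry.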
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
# Licensed to the Apache Software Foundation (ASF) under one or more
2+
# contributor license agreements. See the NOTICE file distributed with
3+
# this work for additional information regarding copyright ownership.
4+
# The ASF licenses this file to You under the Apache License, Version 2.0
5+
# (the "License"); you may not use this file except in compliance with
6+
# the License. You may obtain a copy of the License at
7+
#
8+
# http://www.apache.org/licenses/LICENSE-2.0
9+
#
10+
# Unless required by applicable law or agreed to in writing, software
11+
# distributed under the License is distributed on an "AS IS" BASIS,
12+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
# See the License for the specific language governing permissions and
14+
# limitations under the License.
15+
16+
name: ASF Allowlist Check
17+
18+
on:
19+
workflow_dispatch:
20+
pull_request:
21+
paths:
22+
- ".github/**"
23+
push:
24+
branches: [ "master", "2.x" ]
25+
paths:
26+
- ".github/**"
27+
28+
permissions:
29+
contents: read
30+
31+
jobs:
32+
asf-allowlist-check:
33+
runs-on: ubuntu-latest
34+
steps:
35+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
36+
with:
37+
persist-credentials: false
38+
39+
- uses: apache/infrastructure-actions/allowlist-check@main
40+
with:
41+
# Storm uses both .yml and .yaml workflow files.
42+
scan-glob: ".github/**/*.{yml,yaml}"
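Review bot: The step `uses: apache/infrastructure-actions/allowlist-check@main` references a mutable branch, while `actions/checkout` in the same job is pinned to a full commit SHA with a `# v6.0.3` comment; for consistency with the supply-chain posture this workflow exists to enforce, either pin `allowlist-check` to a commit SHA with a version comment as well, or add a comment stating that tracking `main` of the ASF-owned repository is intentional so that a later reviewer does not "fix" it. Also, the job deliberately has no `name:`, so the status context GitHub reports is the job id `asf-allowlist-check`, which is exactly what `.asf.yaml` requires; a short comment above `asf-allowlist-check:` saying that the job id must stay in sync with the `required_status_checks` context in `.asf.yaml` would prevent a future rename or added `name:` from silently turning the required check into one that never reports. The top-level `permissions: contents: read` and `persist-credentials: false` on checkout are the right least-privilege settings for a job that only scans files in PRs from forks.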
