@@ -116,8 +116,23 @@ var ghAwActionPrefixes = []string{
116116 "github/gh-aw-actions/" ,
117117}
118118
119+ // runtimeActionRepos is the set of action repos used by the runtime manager.
120+ // These are populated from knownRuntimes at init time so the trusted-action
121+ // list stays in sync with runtime_definitions.go automatically.
122+ var runtimeActionRepos map [string ]bool
123+
124+ func init () {
125+ runtimeActionRepos = make (map [string ]bool , len (knownRuntimes ))
126+ for _ , rt := range knownRuntimes {
127+ if rt .ActionRepo != "" {
128+ runtimeActionRepos [rt .ActionRepo ] = true
129+ }
130+ }
131+ }
132+
119133// isTrustedActionRepo reports whether a repo string belongs to a trusted org or project.
120- // Trusted repos include the "actions/" GitHub org and gh-aw's own infrastructure actions.
134+ // Trusted repos include the "actions/" GitHub org, gh-aw's own infrastructure actions,
135+ // and actions used by the runtime manager (e.g. ruby/setup-ruby, oven-sh/setup-bun).
121136func isTrustedActionRepo (repo string ) bool {
122137 if strings .HasPrefix (repo , githubActionsOrg + "/" ) {
123138 return true
@@ -127,15 +142,15 @@ func isTrustedActionRepo(repo string) bool {
127142 return true
128143 }
129144 }
130- return false
145+ return runtimeActionRepos [ repo ]
131146}
132147
133148// collectActionViolations compares the new action refs against the previous manifest
134149// and returns two sorted slices: repos that were added and repos that were removed.
135150// The comparison uses the action repo as the key, so SHA/version changes to an
136151// already-approved repo are not flagged.
137- // Actions belonging to the "actions/" GitHub org and gh-aw infrastructure repos are
138- // always trusted and never flagged.
152+ // Actions belonging to the "actions/" GitHub org, gh-aw infrastructure repos, and
153+ // runtime manager repos are always trusted and never flagged.
139154func collectActionViolations (manifest * GHAWManifest , actionRefs []string ) (added []string , removed []string ) {
140155 // Build known repo set from previous manifest.
141156 knownRepos := make (map [string ]bool , len (manifest .Actions ))
@@ -151,7 +166,7 @@ func collectActionViolations(manifest *GHAWManifest, actionRefs []string) (added
151166 }
152167
153168 // Find additions: repos present in the new compilation but absent from the manifest.
154- // Trusted actions (actions/ org, gh-aw infrastructure) are always allowed and never flagged.
169+ // Trusted actions (actions/ org, gh-aw infrastructure, runtime manager ) are always allowed and never flagged.
155170 for repo := range newRepos {
156171 if isTrustedActionRepo (repo ) {
157172 continue
@@ -162,7 +177,7 @@ func collectActionViolations(manifest *GHAWManifest, actionRefs []string) (added
162177 }
163178
164179 // Find removals: repos present in the previous manifest but absent from the new compilation.
165- // Trusted actions (actions/ org, gh-aw infrastructure) are always allowed, so their removal is not flagged.
180+ // Trusted actions (actions/ org, gh-aw infrastructure, runtime manager ) are always allowed, so their removal is not flagged.
166181 for repo := range knownRepos {
167182 if isTrustedActionRepo (repo ) {
168183 continue
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments