Fix allowlist-check to use latest approved_patterns.yml from main#662
Conversation
When projects pin the allowlist-check action to a specific commit hash, the action was reading the approved_patterns.yml bundled at that commit. This meant newly approved actions/versions added to the allowlist after that commit would not be recognized, causing false-positive failures for projects that had not yet bumped their pin. Now the action fetches approved_patterns.yml from the main branch at runtime via curl, so the check always uses the most up-to-date allowlist regardless of which version of the action the caller has pinned. Generated-by: Claude Opus 4.6 (1M context) <[email protected]>
|
cc: @kevinjqliu |
Temporary switch to the latest commit of infrastructure-actions allowlist-check until apache/infrastructure-actions#662 is merged, which will provide a proper tagged release.
|
Example failure in Airflow: python3 "/home/runner/work/_actions/apache/infrastructure-actions/493edcdbd80d9e78a767f256a877b1cc6c9712ba/allowlist-check/check_asf_allowlist.py"
"/home/runner/work/_actions/apache/infrastructure-actions/493edcdbd80d9e78a767f256a877b1cc6c9712ba/allowlist-check/../approved_patterns.yml" |
Temporary switch to the latest commit of infrastructure-actions allowlist-check until apache/infrastructure-actions#662 is merged, which will provide a proper tagged release.
…4713) Temporary switch to the latest commit of infrastructure-actions allowlist-check until apache/infrastructure-actions#662 is merged, which will provide a proper tagged release. (cherry picked from commit 04b3dd0) Co-authored-by: Jarek Potiuk <[email protected]>
…4713) (#64717) Temporary switch to the latest commit of infrastructure-actions allowlist-check until apache/infrastructure-actions#662 is merged, which will provide a proper tagged release. (cherry picked from commit 04b3dd0) Co-authored-by: Jarek Potiuk <[email protected]>
|
make sense, thanks! This would allow projects to pin I was previously just pinning the action to |
Yeah, and we might in the future even release the action then :) |
…4713) (#64717) Temporary switch to the latest commit of infrastructure-actions allowlist-check until apache/infrastructure-actions#662 is merged, which will provide a proper tagged release. (cherry picked from commit 04b3dd0) Co-authored-by: Jarek Potiuk <[email protected]>
…4713) (#64717) Temporary switch to the latest commit of infrastructure-actions allowlist-check until apache/infrastructure-actions#662 is merged, which will provide a proper tagged release. (cherry picked from commit 04b3dd0) Co-authored-by: Jarek Potiuk <[email protected]>
…4713) (#64717) Temporary switch to the latest commit of infrastructure-actions allowlist-check until apache/infrastructure-actions#662 is merged, which will provide a proper tagged release. (cherry picked from commit 04b3dd0) Co-authored-by: Jarek Potiuk <[email protected]>
Summary
allowlist-checkaction to a specific commit hash (as recommended by GitHub for security), the action was reading theapproved_patterns.ymlbundled at that pinned commit. This meant any actions/versions approved after that commit were not recognized, causing false-positive check failures until the project bumped their pin.approved_patterns.ymlfrom themainbranch at runtime viacurl, so the allowlist check always uses the most up-to-date list regardless of which version of the action the caller has pinned.Test plan
approved_patterns.ymlsuccessfully fromraw.githubusercontent.comat runtime🤖 Generated with Claude Code