From 7e3ea85a931c82f96faf6f61deae212f0f5099e6 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Sun, 12 Apr 2026 20:24:21 +0200 Subject: [PATCH 1/2] Use ALLOWLIST_WORKFLOW_TOKEN with fallback to github.token in workflows Add token details display (user/email/expiration/scopes) and use the token's identity for commit author. Falls back to github.token and asfgit defaults when the secret is not available. Generated-by: Claude Opus 4.6 (1M context) --- .github/workflows/remove_expired.yml | 24 ++++++++++++++++++++++-- .github/workflows/update_actions.yml | 25 +++++++++++++++++++++++-- .github/workflows/update_dummy.yml | 24 ++++++++++++++++++++++-- 3 files changed, 67 insertions(+), 6 deletions(-) diff --git a/.github/workflows/remove_expired.yml b/.github/workflows/remove_expired.yml index 8bc3c740..c32dc86e 100644 --- a/.github/workflows/remove_expired.yml +++ b/.github/workflows/remove_expired.yml @@ -40,6 +40,22 @@ jobs: # Use PAT so the commit triggers other actions token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} + - name: Print token details + if: ${{ github.event_name != 'pull_request' && secrets.ALLOWLIST_WORKFLOW_TOKEN }} + env: + GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }} + run: | + echo "::group::Token details" + echo "Token user and permissions:" + gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"' + echo "" + echo "Token expiration:" + gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)" + echo "" + echo "Token scopes:" + curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)" + echo "::endgroup::" + - run: pipx install uv - name: Clean actions.yml 
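Review bot: The expiration line in the new `Print token details` step will always fall through to its fallback message, because `GET /installation/token` does not appear to be a GitHub REST endpoint (installation tokens are minted via `POST /app/installations/{id}/access_tokens`), and the `2>/dev/null ||` pattern hides the 404 that proves it. A PAT with an expiry date reports it in a response header, so the `curl -I` call already used for scopes can print both: `curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ | grep -iE 'x-oauth-scopes|github-authentication-token-expiration' || echo "No scope/expiration headers (fine-grained or app token)"`. Separately, the step writes the PAT owner's login, name and e-mail into the job log; if this repository is public that advertises which personal account holds a write-capable token, and `.email` is the account's private primary address whenever the token carries `user` or `user:email` scope, so limit the output to `.login`. Since the step is skipped whenever the secret is absent, a one-line comment saying that `github.token` runs print nothing here would help whoever reads the logs.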
@@ -55,9 +71,13 @@ jobs: - name: Commit and push changes if: ${{ github.event_name != 'pull_request' }} + env: + GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} run: | - git config --local user.name "asfgit" - git config --local user.email "asfgit@users.noreply.github.com" + AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit") + AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com") + git config --local user.name "${AUTHOR_NAME}" + git config --local user.email "${AUTHOR_EMAIL}" git add -f actions.yml approved_patterns.yml git commit -m "Remove Expired Refs" -m "Generated by .github/workflows/remove_expired.yml" || echo "No changes" git push origin diff --git a/.github/workflows/update_actions.yml b/.github/workflows/update_actions.yml index b48851b2..75310cbd 100644 --- a/.github/workflows/update_actions.yml +++ b/.github/workflows/update_actions.yml @@ -46,6 +46,23 @@ jobs: - uses: actions/checkout@v6.0.2 with: persist-credentials: true + token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} + + - name: Print token details + if: ${{ github.event_name != 'pull_request' && secrets.ALLOWLIST_WORKFLOW_TOKEN }} + env: + GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }} + run: | + echo "::group::Token details" + echo "Token user and permissions:" + gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"' + echo "" + echo "Token expiration:" + gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)" + echo "" + echo "Token scopes:" + curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)" + echo "::endgroup::" - run: pipx install uv 
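Review bot: The new `AUTHOR_EMAIL` line writes whatever `GET /user` returns in `.email` into the commit author field, and that value is the account's private primary address whenever the PAT carries `user` or `user:email` scope; the noreply fallback in the jq expression only applies when the field is null, so the PAT owner's real address can end up permanently in the repository history. Use the GitHub noreply form unconditionally, with the id prefix so the commits still link to the account: `AUTHOR_EMAIL=$(gh api /user --jq '"\(.id)+\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com")`. Note also that the added `GH_TOKEN` only authenticates the two `gh api` calls; `git push origin` still relies on the credential persisted by the checkout step, which is outside this hunk.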
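Review bot: The new `token:` line sits directly under the existing `persist-credentials: true`, so the PAT (not merely the short-lived default token the checkout previously persisted) is now written into the checkout's git config and is readable by every later step of the job, including the `uv`-driven script that rewrites `actions.yml` and `approved_patterns.yml`. The patch's own comments say the PAT is used so that the pushed commit triggers other workflows, i.e. it is a write-capable credential, and it should be exposed only to the push: set `persist-credentials: false` here and authenticate the push in the commit step instead, for example `gh auth setup-git` immediately before `git push origin`, which uses the `GH_TOKEN` that step already exports. The identity-printing block below also logs the PAT owner's name and e-mail; keep it to `.login` on a public repository.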
@@ -62,9 +79,13 @@ jobs: - name: Commit and push changes if: ${{ github.event_name != 'pull_request' }} + env: + GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} run: | - git config --local user.name "asfgit" - git config --local user.email "asfgit@users.noreply.github.com" + AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit") + AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com") + git config --local user.name "${AUTHOR_NAME}" + git config --local user.email "${AUTHOR_EMAIL}" git add -f actions.yml approved_patterns.yml git commit -m "Update actions.yml and approved_patterns.yml based on .github/workflows/dummy.yml" -m "Generated by .github/workflows/update_actions.yml" || echo "No changes" git push origin diff --git a/.github/workflows/update_dummy.yml b/.github/workflows/update_dummy.yml index 32b439ce..25913de1 100644 --- a/.github/workflows/update_dummy.yml +++ b/.github/workflows/update_dummy.yml @@ -47,6 +47,22 @@ jobs: # We have to use a PAT to commit the workflow file token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} + - name: Print token details + if: ${{ github.event_name != 'pull_request' && secrets.ALLOWLIST_WORKFLOW_TOKEN }} + env: + GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }} + run: | + echo "::group::Token details" + echo "Token user and permissions:" + gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"' + echo "" + echo "Token expiration:" + gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)" + echo "" + echo "Token scopes:" + curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)" + echo "::endgroup::" + - run: pipx install uv - name: Update Workflow 
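Review bot: The `|| echo "asfgit"` fallbacks on the two new `gh api /user` lines fire on any failure, not only the intended case where `github.token` cannot call `/user`, so a transient API error or rate limit silently flips the author of an automated commit between the PAT owner and `asfgit`, and `2>/dev/null` discards the only evidence of why. Since the `Print token details` step earlier in this file already calls `/user` with the PAT, resolve the identity once there and pass it on via `$GITHUB_ENV`, e.g. `echo "AUTHOR_NAME=$(gh api /user --jq .login)" >> "$GITHUB_ENV"`, and in this step default only when the variable is unset: `AUTHOR_NAME="${AUTHOR_NAME:-asfgit}"`. That ties the fallback to "no PAT configured" rather than "any error", which is the distinction the commit message describes.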
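Review bot: The scopes line in the new `Print token details` step prints "No OAuth scopes header (fine-grained or app token)" whenever the pipeline yields no match, which includes curl failing outright or GitHub answering 401 for a revoked or expired PAT: `-sS` sends the error to stderr, `2>/dev/null` drops it, and `grep` exits non-zero either way, so a dead token is reported as a fine-grained one. Make a failed request visible instead: `headers=$(curl -fsSI -H "Authorization: token ${GH_TOKEN}" https://api.github.com/)` followed by `grep -i 'x-oauth-scopes' <<<"${headers}" || echo "No OAuth scopes header (fine-grained or app token)"`; with `-f` an HTTP error fails the assignment and, because Actions runs `run:` under `bash -e`, the step stops before a bad token reaches the push. The same fix applies to the two other copies of this step in the patch.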
@@ -62,9 +78,13 @@ jobs: - name: Commit and push changes if: ${{ github.event_name != 'pull_request' }} + env: + GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} run: | - git config --local user.name "asfgit" - git config --local user.email "asfgit@users.noreply.github.com" + AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit") + AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com") + git config --local user.name "${AUTHOR_NAME}" + git config --local user.email "${AUTHOR_EMAIL}" git add -f .github/workflows/dummy.yml approved_patterns.yml git commit -m "Update approved_patterns.yml and .github/workflows/dummy.yml based on actions.yml" -m "Generated by .github/workflows/update_dummy.yml" || echo "No changes" git push origin From 162bee26b17a11c7a03918478b03cc28a9b8bf47 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Sun, 12 Apr 2026 20:28:15 +0200 Subject: [PATCH 2/2] Restore branch protection for main Re-enable required PR reviews (1 approval) and status checks that were reverted in #697. Generated-by: Claude Opus 4.6 (1M context) --- .asf.yaml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 0004ba8d..79c2452c 100644 --- a/.asf.yaml +++ b/.asf.yaml 
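Review bot: With the `|| github.token` fallback, this step will attempt to commit and push `.github/workflows/dummy.yml` using the default `GITHUB_TOKEN` whenever the secret is absent, and the comment on this file's checkout step (in the previous hunk) says a PAT is required to commit the workflow file, so the failure only surfaces at `git push origin` as a generic refusal. Fail early with a clear message instead: add `HAS_PAT: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN != '' }}` to the step `env`, and open the script with `if [ "${HAS_PAT}" != "true" ]; then echo "::error::ALLOWLIST_WORKFLOW_TOKEN is required to push workflow files"; exit 1; fi`. If running without the PAT is meant to be a dry run, say so in a comment and skip the push rather than letting it error.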
@@ -21,17 +21,13 @@ github: features: issues: true protected_branches: - # revert #642 - # main: - # required_status_checks: - # # strict means "Require branches to be up to date before merging". - # strict: false - # required_pull_request_reviews: - # dismiss_stale_reviews: false - # required_approving_review_count: 1 - # #bypass_pull_request_allowances: - # # users: - # # - asfgit + main: + required_status_checks: + # strict means "Require branches to be up to date before merging". + strict: false + required_pull_request_reviews: + dismiss_stale_reviews: false + required_approving_review_count: 1 notifications: commits: commits@infra.apache.org
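Review bot: Restoring `required_pull_request_reviews` on `main` interacts with the first patch in this series: the three workflows push directly with `git push origin` using the PAT, and if that push lands on `main` it will now be rejected unless the PAT's account is exempted, yet the `bypass_pull_request_allowances` entry that was present (commented) in the removed lines is dropped rather than restored — either re-add it for that account or confirm in the commit message that the workflows push to another branch. `required_status_checks` carries no `contexts:` list, so despite the description no check is actually required; add `contexts:` followed by one `- <check name>` entry per job that must pass. Finally, `dismiss_stale_reviews: false` lets an approval survive commits pushed after it was given, which for a repository that gates an actions allowlist is the weaker choice; `dismiss_stale_reviews: true` is the safer setting.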