From e488982458426b457ad3a07ae6ca54cb948dbd4c Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Tue, 14 Apr 2026 19:26:18 +0200
Subject: [PATCH] dependabot: apply cooldown except for action reviews
Fixes #683
---
 .../action.yml | 229 +++++++++++++++++
 .github/dependabot.yml | 21 +-
 .../check-for-transitive-failures.yml | 38 +++
 .github/workflows/dummy.yml | 239 ------------------
 .github/workflows/update_actions.yml | 8 +-
 ..._dummy.yml => update_composite_action.yml} | 10 +-
 .../workflows/verify_dependabot_action.yml | 2 +-
 README.md | 8 +-
 actions.yml | 6 +-
 gateway/gateway.py | 69 +++--
 10 files changed, 328 insertions(+), 302 deletions(-)
 create mode 100644 .github/actions/for-dependabot-triggered-reviews/action.yml
 create mode 100644 .github/workflows/check-for-transitive-failures.yml
 delete mode 100644 .github/workflows/dummy.yml
 rename .github/workflows/{update_dummy.yml => update_composite_action.yml} (86%)
diff --git a/.github/actions/for-dependabot-triggered-reviews/action.yml b/.github/actions/for-dependabot-triggered-reviews/action.yml
new file mode 100644
index 00000000..561d5183
--- /dev/null
+++ b/.github/actions/for-dependabot-triggered-reviews/action.yml
@@ -0,0 +1,229 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# This file was generated from /actions.yml by gateway/gateway.py. +# It will be regenerated and committed as part of various workflows. +# DO NOT UPDATE MANUALLY. Update /actions.yml instead. + +# This action has two purposes: +# - dependabot will propose updates to this file, which after +# review will automatically flow into /actions.yml through a +# workflow +# - GHA will periodically 'run' this action (skipping every +# step), which will fail when any of the listed actions have +# a transitive action dependency that is not allowlisted +# (or is not anymore). 
+# Sadly the error message does not tell you *which* action +# has a missing transitive dependency, see +# https://github.com/apache/infrastructure-actions/issues/606 +name: Composite Action + +runs: + using: "composite" + steps: + - uses: 1Password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0 + if: false + - uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3 + if: false + - uses: advanced-security/dismiss-alerts@046d6b48d2e43cf563f96f67332c47c432eff83e # v2.0.2 + if: false + - uses: al-cheb/configure-pagefile-action@9b6da52fb72a3c6147c1aad2df22d8d905681adc # v1.5 + if: false + - uses: ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0 + if: false + - uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 + if: false + - uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0 + if: false + - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 + if: false + - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 + if: false + - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 + if: false + - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0 + if: false + - uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # 0.19.0 + if: false + - uses: betahuhn/repo-file-sync-action@8b92be3375cf1d1b0cd579af488a9255572e4619 # v1.21.1 + if: false + - uses: biomejs/setup-biome@4c91541eaada48f67d7dbd7833600ce162b68f51 # v2.7.1 + if: false + - uses: browser-actions/setup-firefox@fcf821c621167805dd63a29662bd7cb5676c81a8 # v1.7.1 + if: false + - uses: browser-actions/setup-geckodriver@5ef1526ed36211ab6cb531ec1cfb11f924ca2dee + if: false + - uses: burnett01/rsync-deployments@dc0d5d44c4728aad3f02154a87309809e62a960f # 8.0.4 + if: false + - uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10 + if: 
false + - uses: commit-check/commit-check-action@2fe41833054c561710099d8e3e22bbeab4fe204a # v2.4.2 + if: false + - uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # v8.1.0 + if: false + - uses: coursier/setup-action@fd1707a76b027efdfb66ca79318b4d29b72e5a02 # v3.0.0 + if: false + - uses: cpp-linter/cpp-linter-action@0f6d1b8d7e38b584cbee606eb23d850c217d54f8 # v2.15.1 + if: false + - uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 + if: false + - uses: damccorm/tag-ur-it@6fa72bbf1a2ea157b533d7e7abeafdb5855dbea5 + if: false + - uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 # v23.0.0 + if: false + - uses: dawidd6/action-send-mail@d38f3f7cd391cdebfe0d38efc3998b935e951c4f # v16 + if: false + - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + if: false + - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + if: false + - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + if: false + - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + if: false + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 + if: false + - uses: docker://jekyll/jekyll@sha256:400b8d1569f118bca8a3a09a25f32803b00a55d1ea241feaf5f904d66ca9c625 + if: false + - uses: docker://pandoc/core@sha256:48e15e83db0df6fb39b24adb0210ecbde85003a3a8139d526e29c98f95ac0a93 # 3.7.0.2 + if: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 + if: false + - uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0 + if: false + - uses: editorconfig-checker/action-editorconfig-checker@840e866d93b8e032123c23bac69dece044d4d84c # v2.2.0 + if: false + - uses: erisu/apache-rat-action@46fb01ce7d8f76bdcd7ab10e7af46e1ea95ca01c # v2.0.0 + if: false + - uses: erisu/license-checker-action@04511f4c052b5773f11e1c65b42cda88235c62ae # v2.1.0 
+ if: false + - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + if: false + - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + if: false + - uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1 + if: false + - uses: graalvm/setup-graalvm@60c26726de13f8b90771df4bc1641a52a3159994 # v1.5.2 + if: false + - uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + if: false + - uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + if: false + - uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + if: false + - uses: gradle/develocity-actions/maven-publish-build-scan@974e8dbcbda40db6828fc35f349c80a7c0e71529 # v2.1 + if: false + - uses: gradle/develocity-actions/setup-maven@974e8dbcbda40db6828fc35f349c80a7c0e71529 # v2.1 + if: false + - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 + if: false + - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 + if: false + - uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 + if: false + - uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0 + if: false + - uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0 + if: false + - uses: ilammy/setup-nasm@72793074d3c8cdda771dba85f6deafe00623038b # v1.5.2 + if: false + - uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0 + if: false + - uses: jasonetco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2 + if: false + - uses: JetBrains/qodana-action@89eb4357efd2b52e639f3216e63edaf33b82622b # v2025.3.2 + if: false + - uses: Jimver/cuda-toolkit@3d45d157f327c09c04b50ee6ccdea2d9d017ec76 # v0.2.35 + if: false + - uses: 
jrouly/scalafmt-native-action@a9c8e1032a02004c425d53ef8ce420fe2179eba7 # v5 + if: false + - uses: JustinBeckwith/linkinator-action@363572b2714d25a059fceb2fa332a98e7ea3baff # v2.4.1 + if: false + - uses: jwgmeligmeyling/pmd-github-action@322e346bd76a0757c4d54ff9209e245965aa066d # v1.2 + if: false + - uses: Kesin11/actions-timeline@e018cfefea60b4f44266998551211a35a58b8097 # v3.0.0 + if: false + - uses: leafo/gh-actions-luarocks@97053c556d6ce2c8e26eb7ac93743437c7af7248 # v6.0.0 + if: false + - uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb # v1.0.1 + if: false + - uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 + if: false + - uses: manusa/actions-setup-minikube@96202dee4ae1c2f46a62fe197273aaf22b83f42d # v2.16.1 + if: false + - uses: matlab-actions/run-tests@353aee49b0edf62278c118a51b484d90bf6da1b7 # v3.1.0 + if: false + - uses: matlab-actions/setup-matlab@a0180c939fb1a28de13f44f7b778b912384ced1f # v3.0.1 + if: false + - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 + if: false + - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 + if: false + - uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 + if: false + - uses: nwtgck/actions-netlify@4cbaf4c08f1a7bfa537d6113472ef4424e4eb654 # v3.0.0 + if: false + - uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0 + if: false + - uses: orhun/git-cliff-action@c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72 # v4.7.1 + if: false + - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 + if: false + - uses: phoenix-actions/test-reporting@f957cd93fc2d848d556fa0d03c57bc79127b6b5e # v15 + if: false + - uses: posit-dev/setup-air@63e80dedb6d275c94a3841e15e5ff8691e1ab237 # v1.0.0 + if: false + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 + if: false + - uses: 
pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1 + if: false + - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 + if: false + - uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4 + if: false + - uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22 + if: false + - uses: scacap/action-surefire-report@5609ce4db72c09db044803b344a8968fd1f315da # v1.9.1 + if: false + - uses: scalacenter/sbt-dependency-submission@f43202114d7522a4b233e052f82c2eea8d658134 # v3.2.1 + if: false + - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1 + if: false + - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 + if: false + - uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0 + if: false + - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0 + if: false + - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1.1.2 + if: false + - uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 + if: false + - uses: untitaker/hyperlink@fb5bb9c5011a3d143a54b4b30aedc30ec5bc0f89 # 0.2.0 + if: false + - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1 + if: false + - uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1.8.0 + if: false + - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 # v1 + if: false + - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + if: false + - run: echo Success! + shell: bash diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b1e9a637..34eaa2e2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -18,12 +18,9 @@ version: 2
 updates:
 - package-ecosystem: "github-actions"
 commit-message:
- prefix: "gateway"
+ prefix: "action-allowlist-review"
 directories:
- - "/"
- - "/pelican/"
- - "/stash/restore"
- - "/stash/save"
+ - "/.github/actions/for-dependabot-triggered-reviews"
 schedule:
 # 'daily' only runs on weekdays
 interval: "cron"
@@ -35,8 +32,18 @@ updates:
 - dependency-name: "cpp-linter/cpp-linter-action"
 versions: ">=2.16"
 open-pull-requests-limit: 50
+ - package-ecosystem: "github-actions"
+ schedule:
+ # 'daily' only runs on weekdays
+ interval: "cron"
+ cronjob: "45 13 * * *"
+ directories:
+ - "/.github/workflows"
+ - "/pelican/"
+ - "/stash/restore"
+ - "/stash/save"
 cooldown:
- default-days: 4
+ default-days: 7
 - package-ecosystem: "uv"
 directories:
 - "/"
@@ -44,4 +51,4 @@ updates:
 schedule:
 interval: "weekly"
 cooldown:
- default-days: 4
+ default-days: 7
diff --git a/.github/workflows/check-for-transitive-failures.yml b/.github/workflows/check-for-transitive-failures.yml
new file mode 100644
index 00000000..950d8279
--- /dev/null
+++ b/.github/workflows/check-for-transitive-failures.yml
@@ -0,0 +1,38 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: Check for transitive failures in current latest actions
+
+on:
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - .github/actions/for-dependabot-triggered-reviews/action.yml
+ push:
+ paths:
+ - .github/actions/for-dependabot-triggered-reviews/action.yml
+
+permissions: {}
+
+jobs:
+ check-for-transitive-failures:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: ./.github/actions/for-dependabot-triggered-reviews
diff --git a/.github/workflows/dummy.yml b/.github/workflows/dummy.yml
deleted file mode 100644
index bbd64399..00000000
--- a/.github/workflows/dummy.yml
+++ /dev/null
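Review bot: The new workflow has no `schedule:` trigger, although the header of the composite action it invokes says GHA will periodically run it; with only `workflow_dispatch`, `pull_request` and `push` filtered on the action.yml path, an allowlist entry that lapses later (for example via an `expires_at` date in actions.yml) is not noticed until the next change to that file. Adding `schedule:` / `- cron: "30 14 * * *"` (constructed example time) under `on:` would make the transitive-dependency check fire independently of Dependabot activity. The deleted dummy.yml had the same trigger set, so this gap is carried over rather than introduced here.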
@@ -1,239 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -# This file was generated from /actions.yml by gateway/gateway.py. -# It will be regenerated and committed as part of various workflows. -# DO NOT UPDATE MANUALLY. Update /actions.yml instead. - -# This workflow has two purposes: -# - dependabot will propose updates to this file, which after -# review will automatically flow into /actions.yml through a -# workflow -# - GHA will periodically 'run' this workflow (skipping every -# step), which will fail when any of the listed actions have -# a transitive action dependency that is not allowlisted -# (or is not anymore). 
-name: Dummy Workflow - -on: - workflow_dispatch: - pull_request: - paths: - - .github/workflows/dummy.yml - push: - paths: - - .github/workflows/dummy.yml - -permissions: {} - -jobs: - dummy: - runs-on: ubuntu-latest - steps: - - uses: 1Password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0 - if: false - - uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3 - if: false - - uses: advanced-security/dismiss-alerts@046d6b48d2e43cf563f96f67332c47c432eff83e # v2.0.2 - if: false - - uses: al-cheb/configure-pagefile-action@9b6da52fb72a3c6147c1aad2df22d8d905681adc # v1.5 - if: false - - uses: ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0 - if: false - - uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 - if: false - - uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0 - if: false - - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - if: false - - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 - if: false - - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - if: false - - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0 - if: false - - uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # 0.19.0 - if: false - - uses: betahuhn/repo-file-sync-action@8b92be3375cf1d1b0cd579af488a9255572e4619 # v1.21.1 - if: false - - uses: biomejs/setup-biome@4c91541eaada48f67d7dbd7833600ce162b68f51 # v2.7.1 - if: false - - uses: browser-actions/setup-firefox@fcf821c621167805dd63a29662bd7cb5676c81a8 # v1.7.1 - if: false - - uses: browser-actions/setup-geckodriver@5ef1526ed36211ab6cb531ec1cfb11f924ca2dee - if: false - - uses: burnett01/rsync-deployments@dc0d5d44c4728aad3f02154a87309809e62a960f # 8.0.4 - if: false - - uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10 - if: 
false - - uses: commit-check/commit-check-action@2fe41833054c561710099d8e3e22bbeab4fe204a # v2.5.0 - if: false - - uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # v8.1.0 - if: false - - uses: coursier/setup-action@fd1707a76b027efdfb66ca79318b4d29b72e5a02 # v3.0.0 - if: false - - uses: cpp-linter/cpp-linter-action@0f6d1b8d7e38b584cbee606eb23d850c217d54f8 # v2.15.1 - if: false - - uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 - if: false - - uses: damccorm/tag-ur-it@6fa72bbf1a2ea157b533d7e7abeafdb5855dbea5 - if: false - - uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 # v23.0.0 - if: false - - uses: dawidd6/action-send-mail@d38f3f7cd391cdebfe0d38efc3998b935e951c4f # v16 - if: false - - uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0 - if: false - - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 - if: false - - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 - if: false - - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 - if: false - - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - if: false - - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - if: false - - uses: docker://jekyll/jekyll@sha256:400b8d1569f118bca8a3a09a25f32803b00a55d1ea241feaf5f904d66ca9c625 - if: false - - uses: docker://pandoc/core@sha256:48e15e83db0df6fb39b24adb0210ecbde85003a3a8139d526e29c98f95ac0a93 # 3.7.0.2 - if: false - - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 - if: false - - uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2 # v3.0.0 - if: false - - uses: editorconfig-checker/action-editorconfig-checker@840e866d93b8e032123c23bac69dece044d4d84c # v2.2.0 - if: false - - uses: erisu/apache-rat-action@46fb01ce7d8f76bdcd7ab10e7af46e1ea95ca01c # v2.0.0 - 
if: false - - uses: erisu/license-checker-action@04511f4c052b5773f11e1c65b42cda88235c62ae # v2.1.0 - if: false - - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 - if: false - - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - if: false - - uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1 - if: false - - uses: graalvm/setup-graalvm@60c26726de13f8b90771df4bc1641a52a3159994 # v1.5.2 - if: false - - uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - if: false - - uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - if: false - - uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - if: false - - uses: gradle/develocity-actions/maven-publish-build-scan@974e8dbcbda40db6828fc35f349c80a7c0e71529 # v2.1 - if: false - - uses: gradle/develocity-actions/setup-maven@974e8dbcbda40db6828fc35f349c80a7c0e71529 # v2.1 - if: false - - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 - if: false - - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0 - if: false - - uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 - if: false - - uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0 - if: false - - uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0 - if: false - - uses: ilammy/setup-nasm@72793074d3c8cdda771dba85f6deafe00623038b # v1.5.2 - if: false - - uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0 - if: false - - uses: jasonetco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2 - if: false - - uses: JetBrains/qodana-action@89eb4357efd2b52e639f3216e63edaf33b82622b # v2025.3.2 - if: false - - uses: 
Jimver/cuda-toolkit@3d45d157f327c09c04b50ee6ccdea2d9d017ec76 # v0.2.35 - if: false - - uses: jrouly/scalafmt-native-action@a9c8e1032a02004c425d53ef8ce420fe2179eba7 # v5 - if: false - - uses: JustinBeckwith/linkinator-action@363572b2714d25a059fceb2fa332a98e7ea3baff # v2.4.1 - if: false - - uses: jwgmeligmeyling/pmd-github-action@322e346bd76a0757c4d54ff9209e245965aa066d # v1.2 - if: false - - uses: Kesin11/actions-timeline@e018cfefea60b4f44266998551211a35a58b8097 # v3.0.0 - if: false - - uses: leafo/gh-actions-luarocks@4c082a5fad45388feaeb0798dbd82dbd7dc65bca # v5 - if: false - - uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb # v1.0.1 - if: false - - uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 - if: false - - uses: manusa/actions-setup-minikube@96202dee4ae1c2f46a62fe197273aaf22b83f42d # v2.16.1 - if: false - - uses: matlab-actions/run-tests@353aee49b0edf62278c118a51b484d90bf6da1b7 # v3.1.0 - if: false - - uses: matlab-actions/setup-matlab@a0180c939fb1a28de13f44f7b778b912384ced1f # v3.0.1 - if: false - - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 - if: false - - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - if: false - - uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 - if: false - - uses: nwtgck/actions-netlify@4cbaf4c08f1a7bfa537d6113472ef4424e4eb654 # v3.0.0 - if: false - - uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0 - if: false - - uses: orhun/git-cliff-action@c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72 # v4.7.1 - if: false - - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 - if: false - - uses: phoenix-actions/test-reporting@f957cd93fc2d848d556fa0d03c57bc79127b6b5e # v15 - if: false - - uses: posit-dev/setup-air@63e80dedb6d275c94a3841e15e5ff8691e1ab237 # v1.0.0 - if: false - - uses: 
pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 - if: false - - uses: pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1 - if: false - - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - if: false - - uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4 - if: false - - uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22 - if: false - - uses: scacap/action-surefire-report@5609ce4db72c09db044803b344a8968fd1f315da # v1.9.1 - if: false - - uses: scalacenter/sbt-dependency-submission@f43202114d7522a4b233e052f82c2eea8d658134 # v3.2.1 - if: false - - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1 - if: false - - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 - if: false - - uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0 - if: false - - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0 - if: false - - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1.1.2 - if: false - - uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 - if: false - - uses: untitaker/hyperlink@fb5bb9c5011a3d143a54b4b30aedc30ec5bc0f89 # 0.2.0 - if: false - - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1 - if: false - - uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1.8.0 - if: false - - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 # v1 - if: false - - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 - if: false - - run: echo Success! diff --git a/.github/workflows/update_actions.yml b/.github/workflows/update_actions.yml index 331b9eb4..c3fa5363 100644 --- a/.github/workflows/update_actions.yml +++ b/.github/workflows/update_actions.yml 
@@ -23,11 +23,11 @@ on: branches: - main paths: - - ".github/workflows/dummy.yml" + - ".github/actions/for-dependabot-triggered-reviews/action.yml" pull_request: paths: - ".github/workflows/update_actions.yml" - - ".github/workflows/dummy.yml" + - ".github/actions/for-dependabot-triggered-reviews/action.yml" - gateway/* permissions: @@ -73,7 +73,7 @@ jobs: sys.path.append("./gateway/") import gateway as g - g.update_actions(".github/workflows/dummy.yml", "actions.yml") + g.update_actions(".github/actions/for-dependabot-triggered-reviews/action.yml", "actions.yml") g.update_patterns("approved_patterns.yml", "actions.yml") PYEOF @@ -87,5 +87,5 @@ jobs: git config --local user.name "${AUTHOR_NAME}" git config --local user.email "${AUTHOR_EMAIL}" git add -f actions.yml approved_patterns.yml - git commit -m "Update actions.yml and approved_patterns.yml based on .github/workflows/dummy.yml" -m "Generated by .github/workflows/update_actions.yml" || echo "No changes" + git commit -m "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml" -m "Generated by .github/workflows/update_actions.yml" || echo "No changes" git push origin diff --git a/.github/workflows/update_dummy.yml b/.github/workflows/update_composite_action.yml similarity index 86% rename from .github/workflows/update_dummy.yml rename to .github/workflows/update_composite_action.yml index af8735bf..19df8a21 100644 --- a/.github/workflows/update_dummy.yml +++ b/.github/workflows/update_composite_action.yml @@ -16,7 +16,7 @@ # specific language governing permissions and limitations # under the License. # -name: Update Dummy workflow +name: Update Approved Patterns and Composite Action on: workflow_dispatch: push: @@ -26,7 +26,7 @@ on: - "actions.yml" pull_request: paths: - - ".github/workflows/update_dummy.yml" + - ".github/workflows/update_composite_action.yml" - "actions.yml" - gateway/* 
@@ -72,7 +72,7 @@ jobs: sys.path.append("./gateway/") import gateway as g - g.update_workflow(".github/workflows/dummy.yml", "actions.yml") + g.update_workflow(".github/actions/for-dependabot-triggered-reviews/action.yml", "actions.yml") g.update_patterns("approved_patterns.yml", "actions.yml") PYEOF @@ -85,6 +85,6 @@ jobs: AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com") git config --local user.name "${AUTHOR_NAME}" git config --local user.email "${AUTHOR_EMAIL}" - git add -f .github/workflows/dummy.yml approved_patterns.yml - git commit -m "Update approved_patterns.yml and .github/workflows/dummy.yml based on actions.yml" -m "Generated by .github/workflows/update_dummy.yml" || echo "No changes" + git add -f .github/actions/for-dependabot-triggered-reviews/action.yml approved_patterns.yml + git commit -m "Update approved_patterns.yml and .github/actions/for-dependabot-triggered-reviews/action.yml based on actions.yml" -m "Generated by .github/workflows/update_composite_action.yml" || echo "No changes" git push origin diff --git a/.github/workflows/verify_dependabot_action.yml b/.github/workflows/verify_dependabot_action.yml index f03f78dc..0ccb6758 100644 --- a/.github/workflows/verify_dependabot_action.yml +++ b/.github/workflows/verify_dependabot_action.yml @@ -21,7 +21,7 @@ name: Verify Dependabot Action Build on: pull_request: paths: - - .github/workflows/dummy.yml + - .github/actions/for-dependabot-triggered-reviews/action.yml permissions: contents: read diff --git a/README.md b/README.md index 1336743f..ad89586b 100644 --- a/README.md +++ b/README.md 
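Review bot: The renamed workflow still calls `g.update_workflow(...)` on the new side of the @@ -72 hunk while gateway.py renames its generator to `generate_composite_action` in this same patch, so the naming is now mixed between "workflow" and "composite action" for the same artifact. The gateway.py hunk that would show whether `update_workflow` keeps its name is not in this chunk; if it does, consider giving it a matching name and updating this call, keeping the old name as an alias so the other entry points are not broken.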
@@ -80,9 +80,9 @@ All other actions must be explicitly added to the allow list after undergoing a ```mermaid graph TD; manual["manual PRs"]--new entries-->actions.yml - dependabot--updates (after review)-->dummy[".github/workflows/dummy.yml"]; - dummy--updates-->actions.yml - actions.yml--new entries-->dummy + dependabot--updates (after review)-->composite-action[".github/actions/for-dependabot-triggered-reviews/action.yml"]; + composite-action--updates-->actions.yml + actions.yml--new entries-->composite-action actions.yml--generates-->approved_patterns.yml ``` @@ -192,7 +192,7 @@ The `--no-gh` mode supports all the same features as the default `gh`-based mode #### Automated Verification in CI -Dependabot PRs that modify `dummy.yml` are automatically verified by the `verify_dependabot_action.yml` workflow. It extracts the action reference from the PR, rebuilds the compiled JavaScript in Docker, and compares it against the published version. The workflow reports success or failure but does **not** auto-approve or merge — a human reviewer must still approve. +Dependabot PRs that modify `.github/actions/for-dependabot-triggered-reviews/action.yml` are automatically verified by the `verify_dependabot_action.yml` workflow. It extracts the action reference from the PR, rebuilds the compiled JavaScript in Docker, and compares it against the published version. The workflow reports success or failure but does **not** auto-approve or merge — a human reviewer must still approve. The script exits with code **1** (failure) when something is unexpectedly broken — for example, the action cannot be compiled, the rebuilt JavaScript is invalid, or required tools are missing. In all other cases it exits with code **0** and produces reviewable diffs: a large diff does not by itself cause an error (e.g. major version bumps will naturally have big diffs). It is always up to a human reviewer to inspect the output, assess the changes, and decide whether the update is safe to approve. 
diff --git a/actions.yml b/actions.yml index 3dc7669e..d3c6488e 100644 --- a/actions.yml +++ b/actions.yml @@ -592,11 +592,11 @@ leafo/gh-actions-lua: '*': keep: true leafo/gh-actions-luarocks: - 97053c556d6ce2c8e26eb7ac93743437c7af7248: - expires_at: 2026-08-01 - tag: v5 4c082a5fad45388feaeb0798dbd82dbd7dc65bca: tag: v5 + expires_at: 2026-08-01 + 97053c556d6ce2c8e26eb7ac93743437c7af7248: + tag: v6.0.0 lhotari/sandboxed-trivy-action: 555963036b2012b44c1071508a236e569db28ebb: tag: v1.0.1 diff --git a/gateway/gateway.py b/gateway/gateway.py index 8a85c649..de9529b7 100644 --- a/gateway/gateway.py +++ b/gateway/gateway.py @@ -130,15 +130,15 @@ def gha_print(content: str, title: str = ""): print("::endgroup::") -def generate_workflow(actions: ActionsYAML) -> str: +def generate_composite_action(actions: ActionsYAML) -> str: """ - Generate a GitHub workflow file as a string from the actions.yml dictionary. + Generate a composite GitHub action file as a string from the actions.yml dictionary. Args: actions: Dictionary of actions and their references Returns: - str: Generated workflow file content + str: Generated action file content """ # Github Workflow 'yaml' has slight deviations from the yaml spec. (e.g. keys with no values) # Because of that it's much easier to generate this as a string rather 
@@ -166,31 +166,22 @@ def generate_workflow(actions: ActionsYAML) -> str:
 # It will be regenerated and committed as part of various workflows.
 # DO NOT UPDATE MANUALLY. Update /actions.yml instead.
-# This workflow has two purposes:
+# This action has two purposes:
 # - dependabot will propose updates to this file, which after
 # review will automatically flow into /actions.yml through a
 # workflow
-# - GHA will periodically 'run' this workflow (skipping every
+# - GHA will periodically 'run' this action (skipping every
 # step), which will fail when any of the listed actions have
 # a transitive action dependency that is not allowlisted
 # (or is not anymore).
-name: Dummy Workflow
-
-on:
- workflow_dispatch:
- pull_request:
- paths:
- - .github/workflows/dummy.yml
- push:
- paths:
- - .github/workflows/dummy.yml
-
-permissions: {}
-
-jobs:
- dummy:
- runs-on: ubuntu-latest
- steps:
+# Sadly the error message does not tell you *which* action
+# has a missing transitive dependency, see
+# https://github.com/apache/infrastructure-actions/issues/606
+name: Gateway Action
+
+runs:
+ using: "composite"
+ steps:
 """ steps = [] for name, refs in actions.items():
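Review bot: The new template emits `name:` and `runs:` but no `description:`, which GitHub's action metadata syntax lists as a required key alongside `name` and `runs`; the runner may well load a local composite action without it, but one extra template line, `description: Allowlisted third-party actions, generated from /actions.yml - do not edit by hand`, avoids relying on that leniency. The rewritten header comments are otherwise a clear improvement, and the pointer to issue 606 is worth keeping because the failing check does not name the offending action. The template string begins before this hunk and the `steps` loop continues after it.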
@@ -208,26 +199,26 @@ def is_updatable(ref):
 elif len(ref_to_update) == 1: ref = ref_to_update[0]
 details = refs[ref]
- steps.append(f" - uses: {name}@{ref}" + (f" # {details['tag']}" if details and 'tag' in details else ''))
- steps.append( " if: false")
+ steps.append(f" - uses: {name}@{ref}" + (f" # {details['tag']}" if details and 'tag' in details else ''))
+ steps.append( " if: false")
- return header + "\n".join(steps) + "\n" + " - run: echo Success!\n"
+ return header + "\n".join(steps) + "\n" + " - run: echo Success!\n" + " shell: bash\n"
 def update_refs(
- dummy_steps: list[dict[str, str]], action_refs: ActionsYAML
+ composite_steps: list[dict[str, str]], action_refs: ActionsYAML
 ) -> ActionsYAML:
 """
- Update action references based on steps from a dummy workflow.
+ Update action references based on steps from the composite action.
 Args:
- dummy_steps: List of steps from a dummy workflow
+ composite_steps: List of steps from the composite action
 action_refs: Current action references Returns: ActionsYAML: Updated action references """
- for step in dummy_steps:
+ for step in composite_steps:
 uses = step.get("uses", None)
 if uses is None: # The last step is - run:
@@ -256,16 +247,16 @@ def update_refs(
 return action_refs
-def update_actions(dummy_path: Path, actions_path: Path):
+def update_actions(composite_action_path: Path, actions_path: Path):
 """
- Update actions file based on a dummy workflow.
+ Update actions file based on the composite actions.
 Args:
- dummy_path: Path to the dummy workflow file
+ composite_action_path: Path to the composite action file
 actions_path: Path to the actions list file """
- dummy = load_yaml(dummy_path)
- steps: list[dict[str, str]] = dummy["jobs"]["dummy"]["steps"]
+ composite_action = load_yaml(composite_action_path)
+ steps: list[dict[str, str]] = composite_action["runs"]["steps"]
 actions: ActionsYAML = load_yaml(actions_path)
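Review bot: `composite_steps: list[dict[str, str]]` in the `update_refs` signature no longer describes what the generated file contains: every `- uses:` step is emitted together with `if: false`, which any standard YAML loader parses as the bool `False`, so the step dicts are really `dict[str, str | bool]`; the same annotation appears on `steps` in `update_actions` in the next hunk. A minor style point on the closing step: the trailing `" - run: echo Success!\n" + " shell: bash\n"` concatenation in the `return` would read more naturally appended to `steps` like the other lines, e.g. `steps.append("    - run: echo Success!")`, `steps.append("      shell: bash")`, `return header + "\n".join(steps) + "\n"`, using the same indentation as the generated `- uses:` and `if: false` lines. The enclosing loop and `is_updatable` start before this hunk.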
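Review bot: `composite_action["runs"]["steps"]` in `update_actions` raises a bare `KeyError: 'runs'` (or `'steps'`) when the file at `composite_action_path` is not a composite action, for example a caller still pointing at the old workflow path. A short guard makes that failure self-explanatory: `steps = (composite_action.get("runs") or {}).get("steps")`, `if not isinstance(steps, list):`, `raise ValueError(f"{composite_action_path}: expected a composite action with a runs.steps list")`. The rest of `update_actions` continues after this hunk.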
@@ -332,19 +323,19 @@ def update_patterns(pattern_path: Path, list_path: Path):
 write_str(pattern_path, patterns_str)
-def update_workflow(dummy_path: Path, list_path: Path):
+def update_workflow(composite_action_path: Path, list_path: Path):
 """
- Update the dummy workflow file based on the actions list.
+ Update the composite action file based on the actions list.
 This will overwrite the existing file, so any manual changes will be lost! Args:
- dummy_path: Path to write the dummy workflow file
+ composite_action_path: Path to write the composite action file
 list_path: Path to the actions list file """
 actions: ActionsYAML = load_yaml(list_path)
- workflow = generate_workflow(actions)
+ workflow = generate_composite_action(actions)
 gha_print(workflow, "Generated Workflow")
- write_str(dummy_path, workflow)
+ write_str(composite_action_path, workflow)
 def remove_expired_refs(actions: ActionsYAML):
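Review bot: `update_workflow` keeps the old vocabulary in its body while everything around it was renamed: the local is still `workflow` and the log group title is still `"Generated Workflow"`, although the value now comes from `generate_composite_action`. Renaming the local and the title keeps the code and the CI log consistent with the new file: `composite_action = generate_composite_action(actions)`, `gha_print(composite_action, "Generated Composite Action")`, `write_str(composite_action_path, composite_action)`. The function name itself is presumably referenced by the CLI dispatch elsewhere in the file, so keeping it as `update_workflow` or renaming it together with its callers is a separate decision.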