This is an automated email from the ASF dual-hosted git repository.

morningman pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/doris-cli.git


The following commit(s) were added to refs/heads/main by this push:
     new bb44c80  ci(release-npm): replace allowlist-blocked actions with local 
ones
bb44c80 is described below

commit bb44c80344e077b5747fecefdfbd1b431efe9300
Author: Mingyu Chen (Rayner) <[email protected]>
AuthorDate: Sat May 30 11:36:56 2026 +0800

    ci(release-npm): replace allowlist-blocked actions with local ones
    
    apache/doris-cli enforces an org-level GitHub Actions allowlist that
    rejects third-party actions such as dtolnay/rust-toolchain and
    ilammy/setup-nasm. Reimplement both as local composite actions under
    .github/actions, referenced by in-repo relative path, following the
    apache/doris .github/actions pattern.
    
    The allowlist is enforced transitively, so the local actions do the work
    directly via the rustup/choco that ship on the runners instead of
    wrapping the blocked actions.
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .github/actions/setup-nasm/action.yml           | 17 +++++++++++++
 .github/actions/setup-rust-toolchain/action.yml | 32 +++++++++++++++++++++++++
 .github/workflows/release-npm.yml               |  9 +++++--
 3 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/.github/actions/setup-nasm/action.yml 
b/.github/actions/setup-nasm/action.yml
new file mode 100644
index 0000000..05072ff
--- /dev/null
+++ b/.github/actions/setup-nasm/action.yml
@@ -0,0 +1,17 @@
+name: Setup NASM
+description: >-
+  Install the NASM assembler on Windows runners (required to build the vendored
+  OpenSSL pulled in by openssl-sys). This is a local replacement for
+  ilammy/setup-nasm, which the apache org GitHub Actions allowlist blocks.
+  Intended to be called only on Windows runners.
+
+runs:
+  using: composite
+  steps:
+    # choco ships on GitHub-hosted Windows runners. The package installs to
+    # C:\Program Files\NASM but does not reliably add it to PATH, so do it here
+    # to make nasm.exe available to later steps in the job.
+    - shell: pwsh
+      run: |
+        choco install nasm --no-progress --yes
+        Add-Content -Path $env:GITHUB_PATH -Value 'C:\Program Files\NASM'
diff --git a/.github/actions/setup-rust-toolchain/action.yml 
b/.github/actions/setup-rust-toolchain/action.yml
new file mode 100644
index 0000000..5394490
--- /dev/null
+++ b/.github/actions/setup-rust-toolchain/action.yml
@@ -0,0 +1,32 @@
+name: Setup Rust toolchain
+description: >-
+  Install a Rust toolchain (and optional cross-compilation targets) using the
+  rustup that ships on GitHub-hosted runners. This is a local replacement for
+  dtolnay/rust-toolchain, which the apache org GitHub Actions allowlist blocks.
+
+inputs:
+  toolchain:
+    description: Toolchain to install and set as the default (e.g. stable, 
1.79.0).
+    required: false
+    default: stable
+  targets:
+    description: Space-separated list of additional compilation targets to add.
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    # `shell: bash` works on every runner, including Windows (Git Bash).
+    - shell: bash
+      env:
+        TOOLCHAIN: ${{ inputs.toolchain }}
+        TARGETS: ${{ inputs.targets }}
+      run: |
+        set -eux
+        rustup toolchain install "${TOOLCHAIN}" --profile minimal 
--no-self-update
+        rustup default "${TOOLCHAIN}"
+        if [ -n "${TARGETS}" ]; then
+          # Unquoted on purpose: allow a space-separated list of targets.
+          rustup target add ${TARGETS}
+        fi
diff --git a/.github/workflows/release-npm.yml 
b/.github/workflows/release-npm.yml
index acb5167..d6c710e 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -35,14 +35,19 @@ jobs:
           - { runner: windows-latest, key: win32-x64, target: 
x86_64-pc-windows-msvc }
     runs-on: ${{ matrix.runner }}
     steps:
+      # checkout must run first: the steps below use local composite actions
+      # (referenced by in-repo relative path) that live in this repository.
+      # The apache org action allowlist blocks third-party actions such as
+      # dtolnay/rust-toolchain and ilammy/setup-nasm, so they are reimplemented
+      # under .github/actions and used via ./.github/actions/<name>.
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: ./.github/actions/setup-rust-toolchain
         with:
           targets: ${{ matrix.target }}
       # The crate builds OpenSSL from source (openssl `vendored`); on Windows 
that
       # needs NASM + Perl (Perl ships on the windows runner).
       - if: runner.os == 'Windows'
-        uses: ilammy/setup-nasm@v1
+        uses: ./.github/actions/setup-nasm
       - uses: actions/setup-node@v4
         with:
           node-version: 20


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to