This is an automated email from the ASF dual-hosted git repository.
epugh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-mcp.git
The following commit(s) were added to refs/heads/main by this push:
new 564ee63 ci: fix workflows blocked by the ASF GitHub Actions allow-list (#145)
564ee63 is described below
commit 564ee63a5938c7271ffaa2a29b4681e8daa06293
Author: Aditya Parikh <[email protected]>
AuthorDate: Sat Jun 13 14:27:59 2026 -0400
ci: fix workflows blocked by the ASF GitHub Actions allow-list (#145)
This commit fixes CI workflows that were failing to start because they
violated the ASF GitHub Actions allow-list.
**Root cause:** The Apache org only allows `actions/*`, `apache/*`, and
`github/*` actions to run freely; all third-party actions must be pinned to an
exact, explicitly allow-listed commit SHA. The workflows referenced third-party
actions by mutable tag (`graalvm/setup-graalvm@v1`, `docker/login-action@v3`,
etc.), which never match SHA-based allow-list entries — so `native.yml` and
`build-and-publish.yml` were rejected at startup with no check runs at all.
---------
Signed-off-by: adityamparikh <[email protected]>
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
---
.github/workflows/atr-release.yml | 82 +++++++++++++++++----------------
.github/workflows/build-and-publish.yml | 4 +-
.github/workflows/native.yml | 6 +--
.github/workflows/nightly-build.yml | 53 +++++++++++----------
.github/workflows/release-publish.yml | 9 ++--
5 files changed, 79 insertions(+), 75 deletions(-)
diff --git a/.github/workflows/atr-release.yml
b/.github/workflows/atr-release.yml
index bbb2b86..9053e1c 100644
--- a/.github/workflows/atr-release.yml
+++ b/.github/workflows/atr-release.yml
@@ -374,48 +374,50 @@ jobs:
announce-path-suffix: "solr/mcp/${{ inputs.release_version
}}"
- name: Create GitHub Release
- uses: softprops/action-gh-release@v1
- with:
- tag_name: v${{ inputs.release_version }}
- name: Apache Solr MCP ${{ inputs.release_version }}
- draft: false
- prerelease: false
- body: |
- ## Apache Solr MCP ${{ inputs.release_version }}
-
- This release was approved through the Apache voting
process.
-
- ### Installation
-
- **Docker:**
- ```bash
- docker pull apache/solr-mcp:${{ inputs.release_version
}}
- ```
-
- **JAR:**
- Download from [Apache
Mirrors](https://www.apache.org/dyn/closer.lua/solr/mcp/${{
inputs.release_version }}/)
-
- ### Verification
-
- All release artifacts are signed. Verify using:
- ```bash
- gpg --verify solr-mcp-${{ inputs.release_version
}}.jar.asc
- sha512sum -c solr-mcp-${{ inputs.release_version
}}.jar.sha512
- ```
-
- ### Release Notes
- See
[CHANGES.txt](https://github.com/apache/solr-mcp/blob/v${{
inputs.release_version }}/CHANGES.txt)
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ RELEASE_VERSION: ${{ inputs.release_version }}
+ run: |
+ cat > "${RUNNER_TEMP}/release-notes.md" <<'NOTES'
+ ## Apache Solr MCP ${{ inputs.release_version }}
+
+ This release was approved through the Apache voting
process.
+
+ ### Installation
+
+ **Docker:**
+ ```bash
+ docker pull apache/solr-mcp:${{ inputs.release_version }}
+ ```
+
+ **JAR:**
+ Download from [Apache
Mirrors](https://www.apache.org/dyn/closer.lua/solr/mcp/${{
inputs.release_version }}/)
+
+ ### Verification
+
+ All release artifacts are signed. Verify using:
+ ```bash
+ gpg --verify solr-mcp-${{ inputs.release_version }}.jar.asc
+ sha512sum -c solr-mcp-${{ inputs.release_version
}}.jar.sha512
+ ```
+
+ ### Release Notes
+ See
[CHANGES.txt](https://github.com/apache/solr-mcp/blob/v${{
inputs.release_version }}/CHANGES.txt)
+ NOTES
+ gh release create "v${RELEASE_VERSION}" \
+ --title "Apache Solr MCP ${RELEASE_VERSION}" \
+ --notes-file "${RUNNER_TEMP}/release-notes.md"
- name: Trigger Docker publishing workflow
- uses: peter-evans/repository-dispatch@v2
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- event-type: release-approved
- client-payload: |
- {
- "release_version": "${{ inputs.release_version }}",
- "release_candidate": "${{ inputs.release_candidate
}}"
- }
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ RELEASE_VERSION: ${{ inputs.release_version }}
+ RELEASE_CANDIDATE: ${{ inputs.release_candidate }}
+ REPO: ${{ github.repository }}
+ run: |
+ printf
'{"event_type":"release-approved","client_payload":{"release_version":"%s","release_candidate":"%s"}}'
\
+ "$RELEASE_VERSION" "$RELEASE_CANDIDATE" \
+ | gh api "repos/${REPO}/dispatches" --input -
- name: Final summary
run: |
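Review bot: the release-notes heredoc in the "Create GitHub Release" step still inlines `${{ inputs.release_version }}` into the shell script body (the `## Apache Solr MCP`, `docker pull`, `gpg --verify`, `sha512sum -c` and `CHANGES.txt` lines) even though the same value is already exported as `RELEASE_VERSION`; because the heredoc is opened with the quoted delimiter `<<'NOTES'`, the variable cannot be used there as written. Switching to an unquoted `<<NOTES` and `${RELEASE_VERSION}` placeholders (the body contains no other `$`, so nothing else would expand) keeps a `workflow_dispatch` input out of the script text entirely, which is the reason the `env:` block was introduced. The same applies to the dispatch step: `printf '...%s...' "$RELEASE_VERSION" "$RELEASE_CANDIDATE"` produces invalid or altered JSON if either value contains a quote or backslash; `jq -n --arg v "$RELEASE_VERSION" --arg rc "$RELEASE_CANDIDATE" '{event_type:"release-approved",client_payload:{release_version:$v,release_candidate:$rc}}' | gh api "repos/${REPO}/dispatches" --input -` escapes both correctly. The removed `draft: false` / `prerelease: false` settings match `gh release create` defaults, so no behaviour is lost there.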
diff --git a/.github/workflows/build-and-publish.yml
b/.github/workflows/build-and-publish.yml
index d195b76..54b2e77 100644
--- a/.github/workflows/build-and-publish.yml
+++ b/.github/workflows/build-and-publish.yml
@@ -287,7 +287,7 @@ jobs:
# Authenticate to GitHub Container Registry
# Uses built-in GITHUB_TOKEN (no configuration needed)
- name: Log in to GitHub Container Registry
- uses: docker/login-action@v3
+ uses:
docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
(ASF-allow-listed, no expiry)
with:
registry: ghcr.io
username: ${{ github.actor }}
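Review bot: the trailing `# v4.2.0 (ASF-allow-listed, no expiry)` comment is now the only human-readable link between the pinned SHA and the action version; it should be kept in the `@<sha> # vX.Y.Z` form that Dependabot and Renovate recognise, so that future SHA bumps update the version comment with the pin rather than letting the two drift apart, and the allow-list entry should be re-checked before any such bump since a new SHA is not automatically allow-listed.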
@@ -320,7 +320,7 @@ jobs:
#
# Note: `GITHUB_TOKEN` is provided automatically for GHCR; do
not store it manually.
# - name: Log in to Docker Hub
- # uses: docker/login-action@v3
+ # uses:
docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
(ASF-allow-listed, no expiry)
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/native.yml b/.github/workflows/native.yml
index 8888dbc..0d28c6f 100644
--- a/.github/workflows/native.yml
+++ b/.github/workflows/native.yml
@@ -54,7 +54,7 @@ jobs:
uses: actions/checkout@v4
- name: Set up GraalVM JDK 25
- uses: graalvm/setup-graalvm@v1
+ uses:
graalvm/setup-graalvm@329c42c5f4c343bceb505f0b28cc8499bc2bf174 # v1.5.4
(ASF-allow-listed, no expiry)
with:
java-version: '25'
distribution: 'graalvm'
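Review bot: the `actions/checkout@v4` line left as context two lines above is still a mutable tag. It is permitted by the allow-list because `actions/*` runs freely, as the commit message notes, but pinning it to a full commit SHA with a `# v4.x.y` comment in the same style as the `graalvm/setup-graalvm` line would make the workflow consistently SHA-pinned and remove the one remaining tag that a later repoint could change under the build. The same edit is repeated verbatim in the two hunks below and in `release-publish.yml`; if the runner setup grows further, a composite action under `.github/actions/` would keep the pin in one place.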
@@ -84,7 +84,7 @@ jobs:
uses: actions/checkout@v4
- name: Set up GraalVM JDK 25
- uses: graalvm/setup-graalvm@v1
+ uses:
graalvm/setup-graalvm@329c42c5f4c343bceb505f0b28cc8499bc2bf174 # v1.5.4
(ASF-allow-listed, no expiry)
with:
java-version: '25'
distribution: 'graalvm'
@@ -118,7 +118,7 @@ jobs:
uses: actions/checkout@v4
- name: Set up GraalVM JDK 25
- uses: graalvm/setup-graalvm@v1
+ uses:
graalvm/setup-graalvm@329c42c5f4c343bceb505f0b28cc8499bc2bf174 # v1.5.4
(ASF-allow-listed, no expiry)
with:
java-version: '25'
distribution: 'graalvm'
diff --git a/.github/workflows/nightly-build.yml
b/.github/workflows/nightly-build.yml
index d2121e1..5f70074 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -173,31 +173,36 @@ jobs:
ls -la build/distributions/
- name: Create GitHub pre-release
- uses: softprops/action-gh-release@v1
- with:
- tag_name: nightly-${{ steps.version.outputs.date }}
- name: Nightly Build ${{ steps.version.outputs.date }}
- prerelease: true
- draft: false
- files: |
- build/distributions/solr-mcp-*.tar.gz
- build/distributions/solr-mcp-*.sha512
+ # ASF policy disallows non-allow-listed third-party actions; use the gh
+ # CLI (already used below to prune old nightlies) instead of
+ # softprops/action-gh-release.
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NIGHTLY_DATE: ${{ steps.version.outputs.date }}
+ run: |
+ cat > "${RUNNER_TEMP}/nightly-notes.md" <<'NOTES'
+ ## Nightly Build
+
+ **Date**: ${{ steps.version.outputs.date }}
+ **Commit**: ${{ github.sha }}
+
+ ### Docker Image
+ ```bash
+ docker pull apache/solr-mcp-nightly:${{
steps.version.outputs.version }}
+ ```
+
+ ### Source Distribution
+ - [solr-mcp-${{ steps.version.outputs.version
}}-src.tar.gz](https://github.com/${{ github.repository
}}/releases/download/nightly-${{ steps.version.outputs.date }}/solr-mcp-${{
steps.version.outputs.version }}-src.tar.gz)
+
+ **Note**: This is a nightly build and not an official Apache release.
+ NOTES
+ gh release create "nightly-${NIGHTLY_DATE}" \
+ --title "Nightly Build ${NIGHTLY_DATE}" \
+ --prerelease \
+ --notes-file "${RUNNER_TEMP}/nightly-notes.md" \
+ build/distributions/solr-mcp-*.tar.gz \
+ build/distributions/solr-mcp-*.sha512 \
build/libs/solr-mcp-*.jar
- body: |
- ## Nightly Build
-
- **Date**: ${{ steps.version.outputs.date }}
- **Commit**: ${{ github.sha }}
-
- ### Docker Image
- ```bash
- docker pull apache/solr-mcp-nightly:${{
steps.version.outputs.version }}
- ```
-
- ### Source Distribution
- - [solr-mcp-${{ steps.version.outputs.version
}}-src.tar.gz](https://github.com/${{ github.repository
}}/releases/download/nightly-${{ steps.version.outputs.date }}/solr-mcp-${{
steps.version.outputs.version }}-src.tar.gz)
-
- **Note**: This is a nightly build and not an official Apache
release.
- name: Clean up old nightly releases
run: |
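Review bot: `gh release create "nightly-${NIGHTLY_DATE}"` fails when a release for that tag already exists, whereas the removed `softprops/action-gh-release` step updated an existing release for the same tag, so a re-run of the nightly job on the same date now errors at this step instead of refreshing the assets. Guarding with `gh release view "nightly-${NIGHTLY_DATE}" >/dev/null 2>&1 && gh release upload "nightly-${NIGHTLY_DATE}" --clobber build/distributions/solr-mcp-*.tar.gz build/distributions/solr-mcp-*.sha512 build/libs/solr-mcp-*.jar || gh release create ...` restores that behaviour. The heredoc body also inlines `${{ steps.version.outputs.date }}`, `${{ github.sha }}` and `${{ github.repository }}` into the script rather than using `NIGHTLY_DATE` from `env:`; these values are produced inside the workflow rather than taken from user input, so the risk is lower than in `atr-release.yml`, but an unquoted `<<NOTES` with `${NIGHTLY_DATE}` and `${GITHUB_SHA}` / `${GITHUB_REPOSITORY}` would be consistent with the approach taken there.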
diff --git a/.github/workflows/release-publish.yml
b/.github/workflows/release-publish.yml
index f4eb779..3f8015d 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -389,7 +389,7 @@ jobs:
ref: "v${{ inputs.release_version }}-${{ inputs.release_candidate }}"
- name: Set up GraalVM JDK 25
- uses: graalvm/setup-graalvm@v1
+ uses: graalvm/setup-graalvm@329c42c5f4c343bceb505f0b28cc8499bc2bf174 #
v1.5.4 (ASF-allow-listed, no expiry)
with:
java-version: '25'
distribution: 'graalvm'
@@ -403,7 +403,7 @@ jobs:
sed -i "s/version = \".*\"/version = \"${RELEASE_VERSION}\"/"
build.gradle.kts
- name: Log in to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #
v4.2.0 (ASF-allow-listed, no expiry)
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -452,15 +452,12 @@ jobs:
packages: write
steps:
- name: Log in to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #
v4.2.0 (ASF-allow-listed, no expiry)
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- name: Create version manifest lists
env:
REPO_OWNER: ${{ github.repository_owner }}
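Review bot: the "Set up Docker Buildx" step (`docker/setup-buildx-action@v3`) is deleted outright rather than SHA-pinned like the other third-party actions in this change, and neither the commit message nor a comment in the hunk says why. If the following "Create version manifest lists" step relies on `docker buildx imagetools create` (or any other `docker buildx` subcommand), it now depends on the buildx plugin that happens to be preinstalled on the hosted runner image; please either confirm that dependency in a comment next to the removal or pin the action to its allow-listed SHA as was done for `docker/login-action` four lines above.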