Looks like this breaks most of our builds with errors like: The action gradle/actions/setup-gradle@v5 is not allowed in apache/groovy because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: ...<incomplete list in error message>...
I'll explore a bit further. We have known that best practice is to lock down the version to a specific UUID but setup-gradle has previously been one of the well-known plugins where that wasn't required.

---------- Forwarded message ---------
From: Andrew Wetmore <[email protected]>
Date: Sat, Mar 21, 2026 at 6:59 AM
Subject: [ANNOUNCE] ASF Response to potential Trivy security breach
To: <[email protected]>

Trivy, Aqua Security's open-source vulnerability scanner, appears to have experienced a security incident March 19, 2026, based on the details available here:
https://stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

ASF Infrastructure and ASF Security have provided the following summary based on what we believe to be true:
- Trivy version 0.69.4 contained malicious code that could potentially steal credentials present in GitHub Secrets.
- The trivy-action GitHub Action and trivy-setup were also compromised.

Impact on ASF projects
- A small number of ASF projects include the trivy GitHub Action in their build workflows.

Infra response
- ASF Infra and ASF Security agreed to disable all previously allowed "verified creator" actions while the incident is being investigated.
- This may cause build failures, and require projects to request newly-failed actions be added via the Infra GHA approval process: github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
- Infra and the Security team are investigating if any secrets and Git repositories of ASF projects may have been compromised.

For further information: If you are involved in an ASF project that is impacted by this situation, you can open a Jira ticket for Infra. You can also join the conversation in the #asfinfra channel in the the-asf space on Slack, or send an email to users AT infra.apache.org.

Andrew Wetmore
Technical Writer-Editor, Infra
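The two things the messages above turn on are whether a workflow's `uses:` references are pinned to an immutable commit SHA and whether they would pass an organisation allow-list like the one ASF Infra enforces. The following audit script is an added example, not code from the Groovy project, the ASF infrastructure-actions repository, or this thread. The workflow fragment and the allow-list patterns are constructed for illustration, the 40-hex SHA on `setup-java` is a placeholder and not a real commit, and the tag on `trivy-action` is a placeholder as well; the real ASF allow-list is maintained in apache/infrastructure-actions and is not reproduced here.

```python
"""Audit 'uses:' references in GitHub Actions workflows.

Two checks a reviewer wants after an action-compromise incident:
  1. pinned  - is the reference a full commit SHA (or an image digest for
               docker:// actions), rather than a mutable tag or branch?
  2. allowed - would the reference pass an allow-list of owner/repo patterns,
               in the style of GitHub's "allowed actions" setting?
Added example; the patterns and the sample workflow are constructed.
"""
import re
from fnmatch import fnmatch

# A 'uses:' line, with or without the leading list dash, quoted or not.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
# Full 40-hex commit SHA after the '@'.
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
# Immutable image digest for docker:// actions.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Hypothetical allow-list (fnmatch syntax, applied to 'owner/repo@ref').
# Note that 'apache/*' deliberately matches nested paths such as
# 'apache/infrastructure-actions/stash/save@main'.
ALLOW_PATTERNS = ["actions/*", "apache/*", "github/*"]

# Constructed workflow fragment. The SHA is a placeholder, not a real commit,
# and the trivy-action tag is a placeholder version.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gradle/actions/setup-gradle@v5
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: apache/infrastructure-actions/stash/save@main
      - uses: ./.github/actions/local-helper
      - name: pinned to a (placeholder) commit SHA
        uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
"""


def parse_uses(text):
    """Return every 'uses:' reference in workflow order."""
    return USES_RE.findall(text)


def is_local(ref):
    """Local actions ('./path') ship with the repo and need no pin."""
    return ref.startswith("./")


def is_pinned(ref):
    """True when the reference cannot silently change under the workflow."""
    if is_local(ref):
        return True
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))
    return bool(SHA_RE.search(ref))


def is_allowed(ref, patterns=ALLOW_PATTERNS):
    """True when the reference matches some allow-list pattern."""
    if is_local(ref):
        return True
    return any(fnmatch(ref, pattern) for pattern in patterns)


def audit(text, patterns=ALLOW_PATTERNS):
    """One finding per reference: {'ref', 'pinned', 'allowed'}."""
    return [
        {"ref": ref, "pinned": is_pinned(ref), "allowed": is_allowed(ref, patterns)}
        for ref in parse_uses(text)
    ]


def blocked(text, patterns=ALLOW_PATTERNS):
    """References the allow-list would reject (the build-breaking ones)."""
    return [f["ref"] for f in audit(text, patterns) if not f["allowed"]]


def unpinned(text):
    """External references that float on a tag or branch."""
    return [f["ref"] for f in audit(text) if not f["pinned"]]


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        flags = ("pinned " if finding["pinned"] else "UNPINNED") + " " + \
                ("allowed" if finding["allowed"] else "BLOCKED")
        print(f"{flags:18} {finding['ref']}")
```

Run against a real checkout by feeding each `.github/workflows/*.yml` file to `audit()`; anything in `blocked()` is what the allow-list error on the first message is about, and anything in `unpinned()` is what a SHA pin would close off. Tag matching here is exact, so a pattern like `gradle/actions/setup-gradle@v5` would admit only that tag, which is how a request for a specific version, rather than a whole owner, would be expressed.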
