Seems to be back to normal with just that action changed.
On Sat, Mar 21, 2026 at 7:48 AM Paul King <[email protected]> wrote:
>
> Looks like this breaks most of our builds with errors like:
>
> The action gradle/actions/setup-gradle@v5 is not allowed in apache/groovy because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: ...<incomplete list in error message>...
>
> I'll explore a bit further. We have known that best practice is to lock down the version to a specific UUID but setup-gradle has previously been one of the well-known plugins where that wasn't required.
>
> ---------- Forwarded message ---------
> From: Andrew Wetmore <[email protected]>
> Date: Sat, Mar 21, 2026 at 6:59 AM
> Subject: [ANNOUNCE] ASF Response to potential Trivy security breach
> To: <[email protected]>
>
> Trivy, Aqua Security's open-source vulnerability scanner, appears to have experienced a security incident March 19, 2026, based on the details available here:
>
> https://stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
>
> ASF Infrastructure and ASF Security have provided the following summary based on what we believe to be true:
>
> - Trivy version 0.69.4 contained malicious code that could potentially steal credentials present in GitHub Secrets.
> - The trivy-action GitHub Action and trivy-setup were also compromised.
>
> Impact on ASF projects
>
> - A small number of ASF projects include the trivy GitHub Action in their build workflows.
>
> Infra response
>
> - ASF Infra and ASF Security agreed to disable all previously allowed "verified creator" actions while the incident is being investigated.
> - This may cause build failures, and require projects to request newly-failed actions be added via the Infra GHA approval process:
>   github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
> - Infra and the Security team are investigating if any secrets and Git repositories of ASF projects may have been compromised.
>
> For further information:
>
> If you are involved in an ASF project that is impacted by this situation, you can open a Jira ticket for Infra. You can also join the conversation in the #asfinfra channel in the the-asf space on Slack, or send an email to users AT infra.apache.org.
>
> Andrew Wetmore
> Technical Writer-Editor, Infra
