Re: Should we merge Dependabot CI/CD dependency updates?

Sat, 21 Mar 2026 01:58:45 -0700 

I still don't stand understand why we get this error on GH trunk actions

*Error* 
<https://github.com/apache/ofbiz-framework/actions/runs/23375921548/workflow>
The action step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 is not allowed in apache/ofbiz-framework because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: 1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6, 1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb, 1Password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf, AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*, DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101, DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63, EnricoMi/publish-unit-test-result-action@*, JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23, JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f, Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2, Jimver/cuda-toolkit@b6fc3a9f3f15256d9d94ffe1254f9c5a2565... 
Show less

It seems that reverting pushes related to Java 21, ie those of this morning
https://github.com/apache/ofbiz-framework/commits/trunk/
should clear the situation.

Maybe we need to change others location (from java 17  to 21) in our GH related 
code
Or, reading the error above, have an Infra agreement to move to 21

If nobody has a better idea, I'll revert for now.

Jacques

Le 21/03/2026 à 09:36, Jacques Le Roux via dev a écrit :

Hi Jacopo,

I'll have a look very soon.

Jacques

Le 21/03/2026 à 08:53, Jacopo Cappellato a écrit :

Hi all,

Dependabot has created five pull requests to bump various libraries used by
GitHub Actions for CI/CD:

https://github.com/apache/ofbiz-framework/pull/1000
https://github.com/apache/ofbiz-framework/pull/1001
https://github.com/apache/ofbiz-framework/pull/1002
https://github.com/apache/ofbiz-framework/pull/1003
https://github.com/apache/ofbiz-framework/pull/1003

Should we upgrade and merge these PRs?

Jacopo

Reply via email to