Thank you Daniel. All, I have tried to debug and better understand the situation. This should be the list of all the actions currently allowed by Infra:
1) All the actions from the following namespaces are automatically allowed: apache/* github/* actions/* 2) All the actions explicitly listed in this file are also allowed: https://github.com/apache/infrastructure-actions/blob/main/actions.yml Since ofbiz-framework is using actions from step-security/*, that are not allowed by the above rules, our CI/CD pipeline is currently broken. My question is: do we really need to leverage step-security/* actions? When did we decide to onboard these external actions from Step Security? I assume we could configure our workflows to use the subset of actions that are used by the other ASF projects, and this would be my preference. Alternatively, I think we should ask Infra to review for approval the Step Security actions we need. Jacopo On Sat, Mar 21, 2026 at 11:28 AM Daniel Watford <[email protected]> wrote: > Apache INFRA recently disabled a number of GitHub Actions. I can't find a > link to the email in archives, but an announcement was sent to > > [email protected] yesterday at 21:00 (according to my mail client) > > The message stated that to request GHA be allowed we must submit a request > to the approval process: > > https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list > > > On Sat, 21 Mar 2026 at 08:58, Jacques Le Roux via dev < > [email protected]> > wrote: > > > I still don't stand understand why we get this error on GH trunk actions > > > > *Error* < > > > https://github.com/apache/ofbiz-framework/actions/runs/23375921548/workflow > > > > > The action > > step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 is > > not allowed in apache/ofbiz-framework because all actions must be > > from a repository owned by your enterprise, created by GitHub, or match > > one of the patterns: > > 1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6, > > 1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb, > > 1Password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf, > > AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*, > > > > > DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 > , > > > > > > > DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63 > , > > EnricoMi/publish-unit-test-result-action@*, > > > > > JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23 > , > > > > > > > JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f > , > > Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2, > > Jimver/cuda-toolkit@b6fc3a9f3f15256d9d94ffe1254f9c5a2565... > > Show less > > > > It seems that reverting pushes related to Java 21, ie those of this > morning > > https://github.com/apache/ofbiz-framework/commits/trunk/ > > should clear the situation. > > > > Maybe we need to change others location (from java 17 to 21) in our GH > > related code > > Or, reading the error above, have an Infra agreement to move to 21 > > > > If nobody has a better idea, I'll revert for now. > > > > Jacques > > > > Le 21/03/2026 à 09:36, Jacques Le Roux via dev a écrit : > > > Hi Jacopo, > > > > > > I'll have a look very soon. > > > > > > Jacques > > > > > > Le 21/03/2026 à 08:53, Jacopo Cappellato a écrit : > > >> Hi all, > > >> > > >> Dependabot has created five pull requests to bump various libraries > > used by > > >> GitHub Actions for CI/CD: > > >> > > >> https://github.com/apache/ofbiz-framework/pull/1000 > > >> https://github.com/apache/ofbiz-framework/pull/1001 > > >> https://github.com/apache/ofbiz-framework/pull/1002 > > >> https://github.com/apache/ofbiz-framework/pull/1003 > > >> https://github.com/apache/ofbiz-framework/pull/1003 > > >> > > >> Should we upgrade and merge these PRs? > > >> > > >> Jacopo > > > > -- > Daniel Watford >
