Re: Should we merge Dependabot CI/CD dependency updates?

Sun, 22 Mar 2026 11:06:19 -0700 

Hi Jacopo,

I have created https://issues.apache.org/jira/browse/OFBIZ-13375 as a task 
related to that

Jacques

Le 22/03/2026 à 11:27, Jacopo Cappellato a écrit :

Thank you Daniel.

All, I have tried to debug and better understand the situation.
This should be the list of all the actions currently allowed by Infra:

1) All the actions from the following namespaces are automatically allowed:
apache/*
github/*
actions/*

2) All the actions explicitly listed in this file are also allowed:
https://github.com/apache/infrastructure-actions/blob/main/actions.yml

Since ofbiz-framework is using actions from step-security/*, that are not
allowed by the above rules, our CI/CD pipeline is currently broken.

My question is: do we really need to leverage step-security/* actions? When
did we decide to onboard these external actions from Step Security? I
assume we could configure our workflows to use the subset of actions that
are used by the other ASF projects, and this would be my preference.
Alternatively, I think we should ask Infra to review for approval the Step
Security actions we need.

Jacopo

On Sat, Mar 21, 2026 at 11:28 AM Daniel Watford <[email protected]> wrote:


Apache INFRA recently disabled a number of GitHub Actions.   I can't find a
link to the email in archives, but an announcement was sent to

[email protected] yesterday at 21:00 (according to my mail client)

The message stated that to request GHA be allowed we must submit a request
to the approval process:

https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list


On Sat, 21 Mar 2026 at 08:58, Jacques Le Roux via dev <
[email protected]>
wrote:


I still don't stand understand why we get this error on GH trunk actions

*Error* <


https://github.com/apache/ofbiz-framework/actions/runs/23375921548/workflow

The action
step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 is
not allowed in apache/ofbiz-framework because all actions must be
from a repository owned by your enterprise, created by GitHub, or match
one of the patterns:
1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6,
1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb,
1Password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf,
AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*,



DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101
,




DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63
,

EnricoMi/publish-unit-test-result-action@*,



JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23
,




JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f
,

Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2,
Jimver/cuda-toolkit@b6fc3a9f3f15256d9d94ffe1254f9c5a2565...
Show less

It seems that reverting pushes related to Java 21, ie those of this

morning

https://github.com/apache/ofbiz-framework/commits/trunk/
should clear the situation.

Maybe we need to change others location (from java 17  to 21) in our GH
related code
Or, reading the error above, have an Infra agreement to move to 21

If nobody has a better idea, I'll revert for now.

Jacques

Le 21/03/2026 à 09:36, Jacques Le Roux via dev a écrit :

Hi Jacopo,

I'll have a look very soon.

Jacques

Le 21/03/2026 à 08:53, Jacopo Cappellato a écrit :

Hi all,

Dependabot has created five pull requests to bump various libraries

used by

GitHub Actions for CI/CD:

https://github.com/apache/ofbiz-framework/pull/1000
https://github.com/apache/ofbiz-framework/pull/1001
https://github.com/apache/ofbiz-framework/pull/1002
https://github.com/apache/ofbiz-framework/pull/1003
https://github.com/apache/ofbiz-framework/pull/1003

Should we upgrade and merge these PRs?

Jacopo



--
Daniel Watford

Reply via email to