I have now fixed our CI/CD workflows, including Docker image builds.

Jacopo

On Sun, Mar 22, 2026 at 7:05 PM Jacques Le Roux via dev <[email protected]> wrote:

> Hi Jacopo,
>
> I have created https://issues.apache.org/jira/browse/OFBIZ-13375 as a task related to that
>
> Jacques
>
> On 22/03/2026 at 11:27, Jacopo Cappellato wrote:
> > Thank you Daniel.
> >
> > All, I have tried to debug and better understand the situation.
> > This should be the list of all the actions currently allowed by Infra:
> >
> > 1) All the actions from the following namespaces are automatically allowed:
> > apache/*
> > github/*
> > actions/*
> >
> > 2) All the actions explicitly listed in this file are also allowed:
> > https://github.com/apache/infrastructure-actions/blob/main/actions.yml
> >
> > Since ofbiz-framework is using actions from step-security/*, that are not
> > allowed by the above rules, our CI/CD pipeline is currently broken.
> >
> > My question is: do we really need to leverage step-security/* actions? When
> > did we decide to onboard these external actions from Step Security? I
> > assume we could configure our workflows to use the subset of actions that
> > are used by the other ASF projects, and this would be my preference.
> > Alternatively, I think we should ask Infra to review for approval the Step
> > Security actions we need.
> >
> > Jacopo
> >
> > On Sat, Mar 21, 2026 at 11:28 AM Daniel Watford <[email protected]> wrote:
> >
> >> Apache INFRA recently disabled a number of GitHub Actions. I can't find a
> >> link to the email in archives, but an announcement was sent to
> >>
> >> [email protected] yesterday at 21:00 (according to my mail client)
> >>
> >> The message stated that to request GHA be allowed we must submit a request
> >> to the approval process:
> >>
> >> https://github.com/apache/infrastructure-actions?tab=readme-ov-file#adding-a-new-version-to-the-allow-list
> >>
> >>
> >> On Sat, 21 Mar 2026 at 08:58, Jacques Le Roux via dev <[email protected]> wrote:
> >>
> >>> I still don't understand why we get this error on GH trunk actions
> >>>
> >>> *Error* <https://github.com/apache/ofbiz-framework/actions/runs/23375921548/workflow>
> >>> The action
> >>> step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 is
> >>> not allowed in apache/ofbiz-framework because all actions must be
> >>> from a repository owned by your enterprise, created by GitHub, or match
> >>> one of the patterns:
> >>> 1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6,
> >>> 1Password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb,
> >>> 1Password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf,
> >>> AdoptOpenJDK/install-jdk@*, BobAnkh/auto-generate-changelog@*,
> >>> DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101,
> >>> DavidAnson/markdownlint-cli2-action@30a0e04f1870d58f8d717450cc6134995f993c63,
> >>> EnricoMi/publish-unit-test-result-action@*,
> >>> JamesIves/github-pages-deploy-action@4a3abc783e1a24aeb44c16e869ad83caf6b4cc23,
> >>> JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f,
> >>> Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2,
> >>> Jimver/cuda-toolkit@b6fc3a9f3f15256d9d94ffe1254f9c5a2565...
> >>>
> >>> It seems that reverting pushes related to Java 21, i.e. those of this morning
> >>> https://github.com/apache/ofbiz-framework/commits/trunk/
> >>> should clear the situation.
> >>>
> >>> Maybe we need to change other locations (from java 17 to 21) in our GH
> >>> related code
> >>> Or, reading the error above, have an Infra agreement to move to 21
> >>>
> >>> If nobody has a better idea, I'll revert for now.
> >>>
> >>> Jacques
> >>>
> >>> On 21/03/2026 at 09:36, Jacques Le Roux via dev wrote:
> >>>> Hi Jacopo,
> >>>>
> >>>> I'll have a look very soon.
> >>>>
> >>>> Jacques
> >>>>
> >>>> On 21/03/2026 at 08:53, Jacopo Cappellato wrote:
> >>>>> Hi all,
> >>>>>
> >>>>> Dependabot has created five pull requests to bump various libraries used by
> >>>>> GitHub Actions for CI/CD:
> >>>>>
> >>>>> https://github.com/apache/ofbiz-framework/pull/1000
> >>>>> https://github.com/apache/ofbiz-framework/pull/1001
> >>>>> https://github.com/apache/ofbiz-framework/pull/1002
> >>>>> https://github.com/apache/ofbiz-framework/pull/1003
> >>>>> https://github.com/apache/ofbiz-framework/pull/1003
> >>>>>
> >>>>> Should we upgrade and merge these PRs?
> >>>>>
> >>>>> Jacopo
> >>
> >>
> >> --
> >> Daniel Watford
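
The two allow-list rules listed in the thread can be checked against a workflow file before pushing. The following is an added example, not part of the thread and not ASF Infra's tooling: the explicit patterns are a constructed subset taken from the quoted error message, the sample workflow is constructed, and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Rule 1 from the thread: namespaces that are automatically allowed.
ALLOWED_NAMESPACES = ("apache/*", "github/*", "actions/*")

# Rule 2: explicitly listed patterns. Constructed subset: two entries copied
# from the error message quoted in the thread, standing in for the full list.
EXPLICIT_PATTERNS = (
    "AdoptOpenJDK/install-jdk@*",
    "1Password/load-secrets-action@13f58eec611f8e5db52ec16247f58c508398f3e6",
)

# Matches "uses: owner/repo@ref" with or without a leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)

# Constructed sample workflow; only the harden-runner pin comes from the thread.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
      - uses: actions/checkout@v4
      - name: JDK
        uses: AdoptOpenJDK/install-jdk@v1
      - uses: ./.github/actions/local-step
"""

def is_allowed(ref, patterns=EXPLICIT_PATTERNS):
    """Return True if an owner/repo[/path]@ref reference passes either rule."""
    ref_l = ref.lower()  # assumption: owner/repo names compare case-insensitively
    if any(fnmatchcase(ref_l, ns) for ns in ALLOWED_NAMESPACES):
        return True
    return any(fnmatchcase(ref_l, p.lower()) for p in patterns)

def blocked_actions(workflow_text, patterns=EXPLICIT_PATTERNS):
    """List the `uses:` references in a workflow that neither rule allows."""
    refs = USES_RE.findall(workflow_text)
    # Assumption: local ("./") and docker:// references fall outside these
    # rules, so they are skipped rather than reported.
    remote = [r for r in refs if not r.startswith(("./", "docker://"))]
    return [r for r in remote if not is_allowed(r, patterns)]

if __name__ == "__main__":
    for ref in blocked_actions(SAMPLE_WORKFLOW):
        print("not on allow list:", ref)
```

A SHA-pinned entry such as the `1Password/load-secrets-action` one only matches that exact commit, so a Dependabot bump to a new SHA is reported until the new version is added to the list.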
