acelyc111 opened a new pull request, #2403: URL: https://github.com/apache/incubator-pegasus/pull/2403
## Summary

Backport of #2398 to **v2.5**, adapted to v2.5's workflow structure (which predates master's #1791 composite-action refactor).

## Why this is needed

The ASF GitHub Actions Policy ([infra.apache.org/github-actions-policy.html](https://infra.apache.org/github-actions-policy.html), [INFRA-27084](https://issues.apache.org/jira/browse/INFRA-27084)) blocks third-party actions in `apache/*` repositories unless they appear in the ASF organization-wide allow-list at [apache/infrastructure-actions](https://github.com/apache/infrastructure-actions). Only actions in `apache/*` and `actions/*` namespaces are auto-allowed; everything else must be pinned to a commit SHA explicitly listed in that allow-list.

On v2.5, action refs like `dorny/paths-filter@v2`, `docker/build-push-action@v6`, `hadolint/[email protected]`, `gaurav-nelson/[email protected]`, etc. are not on the allow-list, so workflow runs end in **`conclusion: startup_failure` with an empty jobs array** — meaning no logs, no PR check entry, the workflow appears "silent" but is actually being blocked.

This is exactly what happens to existing v2.5 PRs like #2394, where the `Cpp CI` run [24079456724](https://github.com/apache/incubator-pegasus/actions/runs/24079456724) failed to start with the message:

> `The action dorny/paths-filter@v2 is not allowed in apache/incubator-pegasus because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: ...`

## What this PR does

Pin every action ref in v2.5's workflows to a commit SHA approved by the current ASF allow-list. SHAs match those used on master (#2398) where the ASF allow-list still accepts them; where master's SHA has since been expired/replaced in the allow-list, the latest non-expired SHA from the same major version line is used (notably `docker/[email protected]` and `golangci/[email protected]`).

Two non-mechanical adjustments mirror master:

- **Drop `codecov/codecov-action@v2` step in `lint_and_test_go-client.yml`** — master removed it in #1790 (Dec 2023); v2.5 was never updated. The moving `@v2` tag is also a supply-chain risk.
- **Replace `gaurav-nelson/[email protected]` → `tcort/github-action-markdown-link-check@<sha>`** in `standardization_lint.yaml` — master switched via #2329 because gaurav-nelson is not in the ASF allow-list. Both actions take zero parameters here, so the swap is API-compatible.

`apache/skywalking-eyes@main` is intentionally left untouched (master also keeps `@main`; the `apache/*` namespace is auto-allowed regardless of ref).

## Verification

- ✅ All 16 workflow YAMLs parse successfully (`yaml.safe_load`)
- ✅ Every `uses:` ref in this branch was checked against ASF `approved_patterns.yml` from `apache/infrastructure-actions` — **all pass**
- ✅ Diff is mechanical: 13 files, +184/-95 lines, dominated by `# vendor/[email protected]` comment lines preceding each pinned SHA (matching master's #2398 style)

## Expected outcome

After merge, PRs targeting v2.5 should see `Cpp CI`, `Standardization Lint`, `Lint and Test - admin-cli`, `Lint and Test - go-client`, etc. **actually run** instead of silently failing at startup. This unblocks #2394 and any future v2.5 cherry-pick PRs.

## What this PR does NOT do

- Does not introduce master's composite-action architecture (`.github/actions/build_pegasus`, etc. from #1791/#1812). v2.5's workflows remain self-contained, which is the minimum-risk change for a release branch.
- Does not pull in master's other CI evolutions (build-push-thirdparty.yml split #2346, ASan-dedicated thirdparty images #2350, etc.). Those are out of scope for this allow-list policy fix.

## Related

- master fix: #2398
- ASF policy: [INFRA-27084](https://issues.apache.org/jira/browse/INFRA-27084)
- Triggering example: PR #2394 `Cpp CI` startup_failure
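
An added example, not part of the pull request or the project's code: a stdlib-only audit of `uses:` refs under the rule the description states (`apache/*` and `actions/*` auto-allowed, everything else pinned to an allow-listed commit SHA). The function name, the sample workflow, the placeholder SHAs and the flat `owner/repo@sha` allow-list set are assumptions made for illustration; the real `approved_patterns.yml` format is not modelled.

```python
import re

# Per the PR description: apache/* and actions/* are auto-allowed at any ref.
AUTO_ALLOWED_OWNERS = {"apache", "actions"}
FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")

def audit_workflow(text, approved):
    """Return (line_no, ref, verdict) for each `uses:` ref in workflow text.
    `approved` is a set of "owner/repo@sha" strings: a constructed stand-in
    for the allow-list, whose real file format is not modelled here."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)  # commented-out steps do not match
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            findings.append((line_no, ref, "skipped: not a repository action"))
            continue
        action, _, version = ref.partition("@")
        parts = action.lower().split("/")
        repo = "/".join(parts[:2])  # owner/repo/subdir@ref keys on owner/repo
        if parts[0] in AUTO_ALLOWED_OWNERS:
            verdict = "auto-allowed"
        elif not FULL_SHA.fullmatch(version):
            verdict = "blocked: mutable ref"  # tag or branch, e.g. @v2
        elif f"{repo}@{version}" not in approved:
            verdict = "blocked: sha not approved"
        else:
            verdict = "approved"
        findings.append((line_no, ref, verdict))
    return findings

SHA_A, SHA_B = "a" * 40, "b" * 40  # constructed placeholders, not real commits
SAMPLE = f"""\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: apache/skywalking-eyes@main
      - uses: dorny/paths-filter@v2
      - uses: tcort/github-action-markdown-link-check@{SHA_A}
      - uses: docker/build-push-action@{SHA_B}
"""
APPROVED = {f"tcort/github-action-markdown-link-check@{SHA_A}"}

print(audit_workflow(SAMPLE, APPROVED))
```

A full 40-character SHA is necessary but not sufficient: the last sample step is pinned yet still reported as blocked because its SHA is absent from the approved set, which is the expired-SHA case the description mentions.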
