asf-tooling commented on issue #606:
URL:
https://github.com/apache/tooling-trusted-releases/issues/606#issuecomment-4410154357
**Automated triage** — analyzed at `main@2da7807a`
**Type:** `discussion` • **Classification:** `no_action` • **Confidence:** `high`
**Application domain(s):** `authentication_authorization`, `web_api_infrastructure`
### Summary
This issue is about ensuring Dependabot PRs in this repository are validated
against the Apache infrastructure GitHub Actions allow list. The discussion
reveals that the primary fix lives in an external repository: @dave2wave
identified PR apache/infrastructure-actions#486 as the promising solution. The
file `atr/tasks/gha.py` handles triggering/monitoring distribution workflows
and is not where this fix would be implemented. The actual work needed in THIS
repo would be adding a `.github/workflows/` configuration that uses the
allowlist-checking action once it ships from `infrastructure-actions`.
### Where this lives in the code today
#### `atr/tasks/gha.py` — `trigger_workflow` (lines 116-122)
_currently does this_
This function handles ATR's own workflow dispatching to
apache/tooling-actions for distribution automation. It is tangentially related
(both involve GitHub Actions) but is NOT where Dependabot allowlist checking
would be implemented.
```python
@checks.with_model(args.DistributionWorkflow)
async def trigger_workflow(
    task_args: args.DistributionWorkflow, *, task_id: int | None = None
) -> results.Results | None:
    unique_id = f"atr-dist-{task_args.name}-{uuid.uuid4()}"
    project = safe.ProjectKey(task_args.project_key)
    safe.VersionKey(task_args.version_key)
```
### Where new code would go
- `.github/workflows/check-allowlist.yml` — new file
Once apache/infrastructure-actions#486 ships, a new workflow file would be
added here to run the allowlist check on Dependabot PRs. This is CI/CD
configuration, not application code.
### Proposed approach
The solution identified by the team lives primarily in the external
repository `apache/infrastructure-actions` (PR #486). Once that PR ships, this
repository would need to add a GitHub Actions workflow (in
`.github/workflows/`) that triggers on pull requests from Dependabot and
validates the proposed action versions against the approved allowlist. No
changes to the Python application code (`atr/`) are needed.
Since the locus of work is the external PR in
`apache/infrastructure-actions`, no diff should be proposed here until that
work lands. At that point, a simple workflow configuration file referencing the
new action would be added to this repository.
### Open questions
- Has apache/infrastructure-actions#486 been merged yet? The fix in this
repo depends on it.
- Should the allowlist check be a separate workflow or integrated into the
existing pre-commit workflow that @sebbASF noted already partially detects this?
- Why did the pre-commit check detect the biomejs/setup-biome issue but NOT
the astral-sh/setup-uv issue (as @sbp reported)?
_The agent reviewed this issue and is not proposing patches in this run.
Review the existing-code citations and open questions above before deciding
next steps._
### Files examined
- `atr/tasks/gha.py`
---
*Draft from a triage agent. A human reviewer should validate before merging
any change. The agent did not run tests or verify diffs apply.*
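As an added example (not code from the ATR project, nor from apache/infrastructure-actions#486), the core of the check the proposed workflow would run on a Dependabot PR: extract every `uses:` reference from a workflow file and compare it against an allowlist. The allowlist format, the sample workflow and the commit-SHA pinning rule are assumptions made here, not the ASF infra list or its format.

```python
"""Allowlist check for `uses:` references in a GitHub Actions workflow.

Added example; the allowlist format and sample workflow are constructed and
do not reflect the real Apache infrastructure allow list.
"""
import re
from dataclasses import dataclass

# Constructed allowlist: "owner/*" permits any action from that owner,
# "owner/repo" permits exactly one action.
ALLOWLIST = frozenset({"actions/*", "apache/*", "astral-sh/setup-uv"})

# Matches `- uses: owner/repo[/path]@ref` (optionally quoted) in workflow YAML.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)['\"]?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    ref: str      # the full `uses:` value as written in the workflow
    reason: str   # why it fails the policy


def is_allowed(owner_repo: str) -> bool:
    """True if the action is on the allowlist, by exact name or owner wildcard."""
    owner = owner_repo.split("/", 1)[0]
    return owner_repo in ALLOWLIST or f"{owner}/*" in ALLOWLIST


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that violates the policy."""
    findings: list[Finding] = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./"):      # local composite actions are not external
            continue
        action, _, version = ref.partition("@")
        owner_repo = "/".join(action.split("/")[:2])  # drop any subdirectory
        if not is_allowed(owner_repo):
            findings.append(Finding(ref, f"{owner_repo} not on allowlist"))
        elif not SHA_RE.match(version):
            findings.append(Finding(ref, "not pinned to a full commit SHA"))
    return findings


# Constructed workflow excerpt; the all-zero SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: astral-sh/setup-uv@v5
      - uses: biomejs/setup-biome@v2
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(f"{finding.ref}: {finding.reason}")
```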
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]