Code of Conduct
Search before asking
Describe the proposal
The Apache Software Foundation has a specific policy for using GitHub Actions, which can be found at GitHub Actions Policy. We need to review existing CI workflows and make the necessary changes to ensure the project remains compliant and avoids potential risks.
Task list
- Review `pull_request_target` usage: Evaluate the risk in `.github/workflows/labeler.yml`, which uses the `pull_request_target` trigger and accesses `GITHUB_TOKEN`. While this is common for labelers, the ASF policy is strict about "ANY confidential credentials", so we need to confirm whether the labeler can be moved to a safer trigger or whether its current usage is acceptable under the "very limited circumstances" mentioned in the policy.
- Ensure job concurrency levels: Make sure the job concurrency level is less than or equal to 20 (or 15). Configuring an explicit `max-parallel` value for all workflows with a matrix is a good way to respect these concurrency limits.
- Enable automatic dependency management for GitHub Actions: All repositories using GitHub Actions must have automatic dependency management in place. Create `.github/dependabot.yml` to manage updates for GitHub Actions; this will also maintain the SHA hashes required/recommended by the pinning policy.
- Ensure GitHub Actions are on the ASF org-level allowlist: Add an ASF allowlist check to verify that all `uses:` refs in the project workflows are on the ASF Infrastructure approved allowlist.
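The following script is an added example, not the project's own CI code: it audits workflow text against the four review items above, flagging a `pull_request_target` workflow that checks out the PR head or has no top-level `permissions:` block, a matrix strategy without `max-parallel` (or with a value above the limit), and `uses:` refs that are unpinned or not on the allowlist, and it confirms a dependabot config covers the `github-actions` ecosystem. The `ALLOWLIST` set is a hypothetical stand-in for the list ASF Infrastructure maintains, the sample workflow and dependabot texts are constructed, and the 40-hex SHA is a placeholder. It deliberately uses line-oriented regexes instead of a YAML parser so it runs on the standard library alone; unusual YAML layouts (flow mappings, anchors) would need a real parser.

```python
"""Audit GitHub Actions workflow text against the policy items in this issue (added example, not project code)."""
import re

ALLOWLIST = {"actions/checkout", "actions/labeler", "actions/setup-java"}  # hypothetical stand-in
MAX_PARALLEL_LIMIT = 20  # the issue cites 20 (or 15)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")

def check_pull_request_target(text):
    # pull_request_target runs with the base repo's GITHUB_TOKEN: never run PR-head code, declare least privilege.
    findings = []
    if re.search(r"\bpull_request_target\b", text):
        if PR_HEAD_RE.search(text):
            findings.append("pull_request_target workflow checks out the PR head")
        if not re.search(r"^permissions:", text, re.M):
            findings.append("pull_request_target workflow lacks a top-level permissions block")
    return findings

def check_max_parallel(text):
    # Every matrix strategy needs an explicit max-parallel within the limit.
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "strategy:":
            continue
        indent = len(line) - len(line.lstrip())
        has_matrix, max_par = False, None
        for sub in lines[i + 1:]:
            if sub.strip() and len(sub) - len(sub.lstrip()) <= indent:
                break  # left the strategy block
            has_matrix |= sub.strip().startswith("matrix:")
            m = re.match(r"\s*max-parallel:\s*(\d+)", sub)
            max_par = int(m.group(1)) if m else max_par
        if has_matrix and max_par is None:
            findings.append("matrix strategy without max-parallel")
        elif max_par is not None and max_par > MAX_PARALLEL_LIMIT:
            findings.append(f"max-parallel {max_par} exceeds {MAX_PARALLEL_LIMIT}")
    return findings

def check_uses(text):
    # Every uses: ref must name an allowlisted action pinned to a full commit SHA.
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are out of scope here
        action, _, version = ref.partition("@")
        repo = "/".join(action.split("/")[:2])
        if repo not in ALLOWLIST:
            findings.append(f"{repo} is not on the allowlist")
        if not SHA40_RE.match(version):
            findings.append(f"{ref} is not pinned to a commit SHA")
    return findings

def audit_workflow(text):
    return check_pull_request_target(text) + check_max_parallel(text) + check_uses(text)

def dependabot_covers_actions(text):
    return re.search(r'package-ecosystem:\s*"?github-actions"?', text) is not None

RISKY_LABELER = """\
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/unreviewed-action@v1
"""
SAFE_LABELER = """\
on: pull_request_target
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:  # no checkout step: the labeler needs only PR metadata and the default GITHUB_TOKEN
      - uses: actions/labeler@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""
MATRIX_WORKFLOW = """\
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: [8, 11, 17, 21]
    steps:
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
"""
MATRIX_WITH_LIMIT = MATRIX_WORKFLOW.replace("strategy:\n", "strategy:\n      max-parallel: 4\n")
DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""
```

To use it against a checkout, read each file under `.github/workflows/` and pass its text to `audit_workflow`; an empty list means the file passed all three checks, and `dependabot_covers_actions` can be run over `.github/dependabot.yml` the same way. The two labeler samples show the difference the first task is after: the risky form checks out the PR head under `pull_request_target`, while the safe form keeps the trigger but runs no PR code and limits the token to reading contents and writing PR labels.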