FNA-1286: fix release workflow blocked by enterprise Actions policy#559
Merged
Conversation
- Replace changesets/action@v1 (third-party, blocked) with equivalent shell commands - Pin actions/checkout and actions/setup-node to full commit SHAs - Disable noresponse.yml which uses blocked lee-dohm/no-response action
|
jacobdanner
approved these changes
Jun 26, 2026
jacobdanner
approved these changes
Jun 26, 2026
AndreLars
approved these changes
Jun 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jira: https://twilio-engineering.atlassian.net/browse/FNA-1286
Background
This repo uses Changesets to manage versioning and npm publishing. The flow is:
What broke
After PR #555 was merged, the `Merge to main` workflow failed immediately with `startup_failure` — GitHub could not even start the workflow, zero jobs ran.
The error was:
This is Twilio's enterprise GitHub Actions security policy, which requires:
`startup_failure` runs cannot be re-run, and the workflow only triggers on push to `main`, so the release was completely stuck.
What each blocked action was doing
`changesets/action@v1` (third-party — fully blocked)
This is the main Changesets GitHub Action maintained by the Changesets project, not GitHub. It automated the entire release cycle:
Replacement: Rewrote this as a shell script in the workflow that does the same two-branch logic using the `npm run version-packages` and `npm run npm:publish` scripts that already exist in `package.json`, plus `gh pr create` to open the version PR.
`actions/checkout@v3` / `actions/checkout@v4` (GitHub-owned — allowed but not pinned)
These are GitHub's official action for checking out the repository code onto the runner. They are allowed by policy (GitHub-owned), but were referenced by floating tag (`@v3`, `@v4`) rather than a full commit SHA.
Fix: Pinned both to their exact commit SHAs:
`actions/setup-node@v3` (GitHub-owned — allowed but not pinned)
GitHub's official action for installing a specific Node.js version on the runner. Same issue as `checkout` — allowed by policy but used a floating tag.
Fix: Pinned to its exact commit SHA:
`lee-dohm/no-response@v0.5.0` in `noresponse.yml` (third-party — fully blocked)
This action automatically closes GitHub issues that have been labelled `question` but received no response from the author after 30 days. It runs on a daily cron schedule and on new issue comments.
It is a third-party action (not GitHub-owned) and therefore fully blocked by policy. Since this is a housekeeping feature with no impact on releases or CI correctness, the `noresponse.yml` workflow was disabled by replacing its trigger with `workflow_dispatch` (manual only, never fires automatically), preserving the file in case it is ever replaced with a compliant alternative.
Changes in this PR
Test plan