Fix allowlist-check to use latest approved_patterns.yml from main#662

Merged
raboof merged 1 commit into main from fix/allowlist-check-use-latest-approved-patterns
Apr 4, 2026

Conversation

@potiuk
Member

@potiuk potiuk commented Apr 4, 2026

Summary

  • When projects pin the allowlist-check action to a specific commit hash (as recommended by GitHub for security), the action was reading the approved_patterns.yml bundled at that pinned commit. This meant any actions/versions approved after that commit were not recognized, causing false-positive check failures until the project bumped their pin.
  • Now the action fetches approved_patterns.yml from the main branch at runtime via curl, so the allowlist check always uses the most up-to-date list regardless of which version of the action the caller has pinned.

Test plan

  • Verify the action fetches approved_patterns.yml successfully from raw.githubusercontent.com at runtime
  • Verify that a newly added allowlist entry is recognized even when the action is pinned to an older commit

🤖 Generated with Claude Code

When projects pin the allowlist-check action to a specific commit hash,
the action was reading the approved_patterns.yml bundled at that commit.
This meant newly approved actions/versions added to the allowlist after
that commit would not be recognized, causing false-positive failures
for projects that had not yet bumped their pin.

Now the action fetches approved_patterns.yml from the main branch at
runtime via curl, so the check always uses the most up-to-date allowlist
regardless of which version of the action the caller has pinned.

Generated-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
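The staleness problem described in the summary above, and the runtime fetch with a bundled fallback, as an added example that is not the allowlist-check action's own code; the approved_patterns.yml format (a flat list of regular expressions), the URL shape and the sample workflow references are assumptions:

```python
"""Added example, not the allowlist-check action's own code: a pinned copy of
approved_patterns.yml goes stale, so fetch the copy on main at run time and
fall back to the bundled one only when the fetch fails."""
import re
import urllib.request

# Assumed URL shape; the real action fetches the file from raw.githubusercontent.com.
LATEST_URL = ("https://raw.githubusercontent.com/apache/infrastructure-actions/"
              "main/approved_patterns.yml")

# Constructed sample data. The real approved_patterns.yml format is assumed here to be
# a flat YAML list of regular expressions matched against each `uses:` reference.
PINNED_PATTERNS_YML = """\
# bundled at the pinned commit: setup-uv not yet approved
- actions/checkout@[0-9a-f]{40}
"""
LATEST_PATTERNS_YML = PINNED_PATTERNS_YML + "- astral-sh/setup-uv@[0-9a-f]{40}\n"

# Constructed workflow references (placeholder commit hashes, not real pins).
WORKFLOW_USES = [
    "actions/checkout@" + "a" * 40,
    "astral-sh/setup-uv@" + "b" * 40,
]


def fetch_patterns_text(url, bundled_text, timeout=5.0):
    """Return (source, text): the live file from `url`, or the bundled copy if the fetch fails."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "latest", resp.read().decode("utf-8")
    except (OSError, ValueError):  # URLError/HTTPError/timeout are OSErrors; ValueError: bad URL
        return "bundled", bundled_text


def parse_patterns(text):
    """Parse the assumed `- pattern` list form, ignoring comments and blank lines."""
    return [line[2:].strip() for line in text.splitlines() if line.startswith("- ")]


def unapproved(uses_refs, patterns):
    """Return the `uses:` references that match none of the approved patterns."""
    compiled = [re.compile(p) for p in patterns]
    return [ref for ref in uses_refs if not any(c.fullmatch(ref) for c in compiled)]


def run_check(url, bundled_text, uses_refs):
    """Fetch the freshest allowlist available, then report unapproved references."""
    source, text = fetch_patterns_text(url, bundled_text)
    return source, unapproved(uses_refs, parse_patterns(text))


if __name__ == "__main__":
    # The stale pinned list flags setup-uv; the latest list approves it.
    print("pinned :", unapproved(WORKFLOW_USES, parse_patterns(PINNED_PATTERNS_YML)))
    print("latest :", unapproved(WORKFLOW_USES, parse_patterns(LATEST_PATTERNS_YML)))
    print("runtime:", run_check(LATEST_URL, PINNED_PATTERNS_YML, WORKFLOW_USES))
```

The fallback keeps the check usable when raw.githubusercontent.com is unreachable, at the cost of silently using the older bundled list in that case.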
@potiuk potiuk requested review from dave2wave and raboof April 4, 2026 11:58
@potiuk
Member Author

potiuk commented Apr 4, 2026

cc: @kevinjqliu

potiuk added a commit to potiuk/airflow that referenced this pull request Apr 4, 2026
Temporary switch to the latest commit of infrastructure-actions
allowlist-check until apache/infrastructure-actions#662 is merged,
which will provide a proper tagged release.
@potiuk
Member Author

potiuk commented Apr 4, 2026

Example failure in Airflow: setup-uv is already approved - https://github.com/apache/airflow/actions/runs/23975731105/job/69932380864?pr=64684 failed because it was checking approved patterns in the same hash as the action was checked out from:

python3 "/home/runner/work/_actions/apache/infrastructure-actions/493edcdbd80d9e78a767f256a877b1cc6c9712ba/allowlist-check/check_asf_allowlist.py" 
"/home/runner/work/_actions/apache/infrastructure-actions/493edcdbd80d9e78a767f256a877b1cc6c9712ba/allowlist-check/../approved_patterns.yml"

Member

@raboof raboof left a comment


sensible 👍

@raboof raboof merged commit dd47f3d into main Apr 4, 2026
6 checks passed
@raboof raboof deleted the fix/allowlist-check-use-latest-approved-patterns branch April 4, 2026 12:51
potiuk added a commit to apache/airflow that referenced this pull request Apr 4, 2026
Temporary switch to the latest commit of infrastructure-actions
allowlist-check until apache/infrastructure-actions#662 is merged,
which will provide a proper tagged release.
github-actions bot pushed a commit to apache/airflow that referenced this pull request Apr 4, 2026
…4713)

Temporary switch to the latest commit of infrastructure-actions
allowlist-check until apache/infrastructure-actions#662 is merged,
which will provide a proper tagged release.
(cherry picked from commit 04b3dd0)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
potiuk added a commit to apache/airflow that referenced this pull request Apr 4, 2026
…4713) (#64717)

Temporary switch to the latest commit of infrastructure-actions
allowlist-check until apache/infrastructure-actions#662 is merged,
which will provide a proper tagged release.
(cherry picked from commit 04b3dd0)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
@kevinjqliu
Contributor

Makes sense, thanks!

This would allow projects to pin apache/infrastructure-actions/allowlist-check to a commit hash while still using the latest approved_patterns.yml

I was previously just pinning the action to main but this is better hygiene

@potiuk
Member Author

potiuk commented Apr 4, 2026

This would allow projects to pin apache/infrastructure-actions/allowlist-check to a commit hash while still using the latest approved_patterns.yml

Yeah, and we might in the future even release the action then :)
